I thought I'd create a topic for safe ways of remotely accessing your OctoPrint installation when you're not at home.

Remote into a workstation at home

You might not know this, but many computers have the ability to allow you to remote-control them, even from outside of your network. The following describes how I've just setup my laptop (I'm here in a coffee shop) to remote back into a Mac Mini computer at home. I then merely access OctoPrint from that remote-control session.

OSX "Back to My Mac"

1. On the host computer, log in as the same user as the laptop and with the same iCloud account
   a. System -> Preferences -> iCloud -> enable Back to My Mac
   b. System -> Preferences -> Sharing -> Back to My Mac
   c. Optionally, change the sharing name for your host to make this easier
2. On the laptop computer, make sure that you're logged in as the same user above and with the same iCloud account
   a. System -> Preferences -> iCloud -> enable Back to My Mac
3. On your router, go into the Advanced area and make sure that UPnP is turned on. Alternately, turn on NAT-PMP if this isn't an option.

Test things first before going remote

• Open Finder
• Look for your host computer's name to show up on the left

• Click the hostname there
• Click the Share Screen... button
• Connect using the same user that's shared between the two computers
• When finished, click the red dot in the upper-left corner to close the session

Test it remotely

Now that you've verified that it works locally, take your laptop to a coffee shop. Connect to their wi-fi network (or use your phone's wi-fi hotspot feature). Open Finder and repeat as above. You may need to wait a full three minutes for the earlier information to refresh.

Screen Shot 2018-08-29 at 1.46.13 PM.png785×699 163 KB

Setup a Reverse-Proxy

A reverse-proxy is a type of proxy server that retrieves resources on behalf of a client from one or more servers. These resources are then returned to the client, appearing as if they originated from the proxy server itself.

Although I won't be providing the detailed instructions for doing so, I personally created a reverse-proxy server (on a Raspberry Pi Zero W) single-board computer and it sits at the same UPC which powers my printer. This is part of a set of Alexa intents associated with a common J.A.R.V.I.S. skill plus Amazon Lambda function.

Here, the octo-proxy is responsible for safely proxying the inbound Internet requests over to the specified printer. It authenticates the session so it's not like the "naked" port-forwarding that's dangerous. It does use port-forwarding at the forward, but this goes to a proxy tcp port instead of the more popular ones.

  ┌──────┐   ┌─────┐   ┌───┐   ┌────┐   ┌─────┐   ┌─────────┐
  │ Echo │ ⇄ │ ASK │ ⇄ │ ƛ │ ⇄ │ FW │ ⇄ │ o-p │ ⇄ │ printer │
  └──────┘   └─────┘   └───┘   └────┘   └─────┘   └─────────┘

Setup a VPN

A virtual private network extends a private network across a public network, and enables users to send and receive data across shared or public networks as if their computing devices were directly connected to the private network.

Although my current Netgear C3000 router does not support VPN endpoints nor allow VPN pass-through, I have created numerous VPNs in the past.

What it is

A VPN allows you remotely to "be" on your home network. Your network communications go through the Internet securely and arrive on your home network. From your remote computer, you would then enter http://octopi.local in your browser and this traffic would be routed to your home network. In some cases, you might need to issue a static IP address to your printer for this to be optimal.

Setup Overview

The basic approach is to create an endpoint on your Internet router (higher-end models have this feature) or to create an endpoint on a dedicated server (like PiVPN on a Raspberry Pi). Note that your router needs to support VPN pass-through for this second option to work.

The next step would be to create a profile on your workstation which points to the endpoint. Minimally, you need the information from the first step for identification and credentialing plus the public IP address of your router.

Please don't port-forward 80/443/5000 from your OctoPrint installation through your router. There are many features of OctoPrint which just aren't Internet-safe like this.

Current estimates of exposed port 5000 alone for OctoPrint installations is over 3,000. It would be a shame if OctoPrint got negative publicity because a user decided to open up their printer to the world.

I´ll tell a little bit more about my VPN setup. At home I´ve kept the service provider router and installed my own behind it, creating a DMZ but I won´t give details on this, just the VPN that should be easier to configure.

My router is an Asus that I´ve bought 2 years ago. I like their routers, because has a good performance and has a lot of features. I won´t talk about other features. I believe that every recent Asus routers includes VPN server and client, even the simpler ones. I´ve installed at my dad´s house an old router that I bought in 2012 and replaced with this one, and already had VPN server. The older models, have PPTP VPN, and the newer ones have PPTP and OpenVPN. On these routers are possible to change firmware to include new features.

Don´t matter the brand of your router. What matters is if it has a VPN server feature. Configuring any of that should be similar.

Let´s talk about the VPN.

VPN means "Virtual Private Network". Basically, it extends your private network to a remote location. This is possible, because it creates a tunnel protectec by chryptographic algorithms and all your comunication flows inside this tunnel, mantaining your data safe. There are a few different VPN configurations based on different protocols, but I´m talking about the 2 of them present in my router, PPTP and OpenVPN.

PPTP means Point-to-Point Tunnel Protocol. It creates a virtual interface that can be accessed through an internet connection using an user/password combination. It has some age already and it´s not the safest VPN protocol, but it´s surely better than nothing, and it´s still acceptable for home use. In Microsoft´s implementation, that is the the one used by asus, authentication method is based on MS-CHAP and MS-CHAPv2, and uses Microsoft Point-to-Point Encryption (MPPE). It creates a cryptographic tunnel between both endpoints, so data traffic between your remote device and home should be protected, as you are inside your private network.

MPPE-128 can give you a certain level of security, but it´s obsolete. Some mobile vendors, like Apple doesn´t allow their devices to connect to a PPTP VPN natively anymore. I believe that this is because in 2012 an MS-CHAPv2 key was broken with a brute force attack after 23 hours. So, it´s not impenetrable, but who would spend lots of hours to break in a home network? Maybe some crazy guys, who knows.

To create a VPN based on this protocol, all you have to do is define the authentication (MS-CHAPv2), encryption (MPPE-128) and a user/password combination. Then, you should use any PPTP client to connect. Windows offers a native one. I don´t know about other devices, but for shure there are lots of apps to connecto to PPTP.

OpenVPN is a VPN based on open source, that works in a different way than PPTP on these routers. I´ll not detail all the features, only the ones that addresses our purpose here.

Basically, you define a series of rules, chose between an RSA 1024 or 2048 encryption, create users and passwords, create a certificate and an encription key and then you export these settings to a file. With this file plus the user/password combination you can access your entire home network, and so your octoprint device from anywhere in the world.

After that, you install OpenVPN Client software on your device you intend to access your network from, import this file, add the user and password and connect to your home network.

For both methods to work, you need to have a static IP or use a Dynamic DNS (DDNS) service.

Another use for your home VPN is to protect sensitive data when you are in a public hotspot. You can connect to your VPN before access sensitive information.

Thanks, @Johnnie_Walker. To your description, I'll add the following:

• Your outer-most router needs to support VPN pass-through for this to work; obviously it does. (My particular Netgear router does not, btw.) Update: Looks like it's still possible—see next post.
• If your outer-most router ever gets issued a different IP address, it's necessary to go in and update the VPN configuration in most cases or... as you've indicated, use some DNS trickery.
• To elaborate on your final point: If you're in a coffee shop and you worry that Starbucks Corporation is sniffing all your packets (or some other scenario), then remotely connecting to your home VPN, remoting into your workstation at home you may then from your computer at home do a browser session and be in safer territory.

Tks man. I just didn't elaborate about my first router, because wanted to focus on VPN itself. I have DDNS on outer router (that is a D-LINK from the service provider) and a port forward rule to get VPN to work at the inner router. It doesn't have a VPN pass-thru function, but works this way.

Also related:

my university does not allow outside contact to an internal device (rasp pi3b+ and printer). Their VPN limits only to specific apps.

I am currently getting ready to try astroprint-cloud as a work around... Anyone else used this approach?

https://www.astroprint.com/astroprint-compatible-printers etc...

I think that there is a plugin to access Octoprint from a cloud. Octoprint Anywhere I guess.

AH, got it:

Yeah, one of the easiest middle-man approaches for tunneling connection between hardened networks and the internet I think. I'm glad AstroPrint created a plugin, as they're own OS was originally a fork of OctoPrint. Glad to see them give back.

So, is port forwarding for the purpose of setting up a PiVPN okay? and PiVPN should allow me to use my Octoprint instance as if I was accessing it on the WLAN, but securely from the outside
?

Raw port-forwarding (without an ACL) opens you up for problems. Presumably OpenVPN/PiVPN incorporates something similar to what is described on one of the threads here: you do open a port-forward but you combine that with a short list of those who are allowed in.

By setting up a VPN on the RPi, I will then be able to access my octoprint web interface from anywhere in the world with an internet connection?.... I guess I have just been assuming this was the case and have never really asked this question.

That's what VPNs do. In this case, you'd be dedicating something like a $5 Raspberry Pi Zero W with PiVPN and it sits on your local network to be that endpoint.

From your favorite cafe-that-isn't-Starbucks, I'm not sure what happens but it may require you to create the other end of the VPN endpoint on, say, your MacBook.

System Preferences -> Network -> + -> Interface: VPN -> more info

You'll end up with an icon in your menu bar at the top for connecting/disconnecting to your VPN. The PiVPN and OpenVPN documentation should have the information for this side of things, however.

Once connected, you might or might not have name resolution broadcasting over this network. It might work, though. If it doesn't, you might have to either use the local IP address of your printer or you'd need to create an entry in your Mac's /private/etc/hosts file for your printer.

Thank you for all your patient replies. I am a total noob at networking, but will ask questions (even if trivial) and try to learn it until I have a complete understanding.

It's okay. At one time, all VPNs were hardware boxes of some kind at about $80+ each. Now, a lot of this is available as software on one or both ends of the conversation.