Ngrok Tunnel: A more secure but simple to use alternative to port forwarding

switching those you don't need your import anymore...

The plugin is now available via the plugin manager.: Ngrok Tunnel

Many thanks to @jneilliii and @foosel for their tips and advice.

2 Likes

Not trying to be rude but a serious question as to why this would be easier than Spaghetti Detective or Astroprint. Those take a minute or two to set up. Unless you are printing remotely a lot those services are free and dead simple. It seems like static IP for the OctoPrint instance, configuration changes to the router are trivial now with most apps on your phone.
I feel like I'm missing something here so please don't take my comment the wrong way.

You are missing that - contrary to alternatives - this behaves precisely like a port forward, just more secure (thanks to https & basic authentication terminated outside of your network). You get access to your frontend just like you would at home. All your plugins. Themes. Everything. You don't have to rely on a custom 3d printing cloud service to implement something specific available on your OctoPrint instance for you to use it remotely, you literally access the same service you would in your home, just through a secured tunnel.

3 Likes

On top of what @foosel said about being able to access the standard frontend, you can also use just about any other app or application that uses the OctoPrint API, whether it is your favorite phone app or eg Cura to send prints to your OctoPrint instance, no matter what network you are connected to.

1 Like

One more benefit of this secure tunnel that I have not mentioned sofar is that the password authentication on the tunnel does not happen on your network, but at the ngrok end of the tunnel. If an attacker tries to guess your password by making thousands of password guesses per second, they will not get anywhere near your local network (unless you have an easy to guess username/password, but that is your responsibility). They will not be bogging down your raspberry pi, or even your router. And you can always close the tunnel and no attacker will continue to hammer your router to get in.

To oversimplify, you get almost all of the security and flexibility of a password-secured VPN solution() with something that is easier to set up than port forwarding. (: no key-based authentication unfortunately).

Finally, @jel111, thanks for your question; I did not consider it rude at all. It is not immediately obvious how this plugin is different from other solutions, and questions make it easier to explain.

1 Like

I would also like to add to the discussion that this solution I'm pretty sure is just as easy as setting up any of those other "crippled" remote access solutions. The setup was extremely easy and I could see this being beneficial to users that want remote access but don't have the know-how or hardware capability of setting up a VPN solution, or responsibly configuring a port forwarding solution on their home router.

2 Likes

Hey there. ngrok is working perfectly for me, except one thing. When i start my Printer, the tunnel wont create automatic. And because my octopi gets a different IP everytime i start it, i have do go in my Router-setting, find the IP, log into Octoprint and activate ngrok. I activated the setting "Create a tunnel when OctoPrint starts".

Please tell me a bit more about your setup. Is your OctoPrint instance (re)started when you start your printer?

The 0.1.x versions of the plugin do no take into account the granular access permissions that were introduced with OctoPrint 1.4. I'm working on a version that does, but before I do an official release, I would like to get some feedback on the implementation.

Please install the current development version via OctoPrint Settings -> Plugin Manager -> Get more -> ... from URL with the following url: https://github.com/fieldOfView/OctoPrint-ngrok/archive/devel.zip

This version implements the following restrictions:

  • the tunnel address can be seen by users with the Ngrok Tunnel Plugin: View permission, which is by default granted to all users in the Users group (the default group)
  • the tunnel can be started and stopped by users with the Ngrok Tunnel Plugin: Control permission, which is by default granted to all users in the Admins group
  • the tunnel settings can be accessed by users with the default Settings Admin permission.
1 Like

Version 0.2.0 including the changes mentioned above is now available.

Hi. Yeah, I start my printer and my Raspberry. I will install the new version, maybe it helps. :slight_smile:

@20pyro00, the same thing is reported here: https://github.com/fieldOfView/OctoPrint-ngrok/issues/12
I will investigate. It is unlikely this is fixed in version 0.2.0, but I'll get it fixed in the next minor update.

@20pyro00, it would help if you could share your octoprint.log

Ok i installed the new version, but still no auto-tunnel :frowning_face:
Here is the Log: octoprint.log (63.0 KB)
Is it possible to code it, so the tunnel will be created 20s after the server started? Maybe then it is fully connected to the Wifi.

It seems you have the same issue as reported on github. It is not just the ngrok plugin failing; in your case the pushover plugin also complains about the network being unreachable.

That would delay the tunnel creation for everybody, by an arbitrary period. I'll try to implement an automatic "retry" instead.

That is interesting to hear, but later when a Print is finished, pushover works.

That sounds good :smiley:

@20pyro00, could you try installing the current development version via OctoPrint Settings -> Plugin Manager -> Get more -> ... from URL with the following url: https://github.com/fieldOfView/OctoPrint-ngrok/archive/devel.zip? It adds a retry after 20 seconds if the first attempt does not work.

Hi @fieldOfView , i got the dev-version installed and restarted my printer severel times new. Now everytime a tunnel is created. Thank you :slightly_smiling_face:

1 Like

Hi again. I have the same problem. Today i started the printer and later i wanted to see how far my print was. But there was no tunnel. I have no idea why. Could you programm it so we can change the delay-number? Thanks :smiley: