I want to drop myhs entirely. Where do I start ?


  • I want to drop myhs entirely. Where do I start ?

    Hi. I want to drop MYHS entirely.

    I have a couple of web services on my server that I would like to have access to outside home, e.g. Node-RED, HomeSeer, Jeedom, openHAB, Home Assistant, deCONZ, etc. All on a Linux x64 machine.

    I do not want to set up a VPN. But I would like to do the DNS proxy etc. thing. I do not know where to start.

    Nothing is using port 80 or 443.

  • #2
    For the best experience, you should ensure you have a static IP from your ISP. Also purchase a personal domain and some DNS hosting. And buy yourself a wildcard SSL certificate for the same domain, it'll make things a lot easier on the client end without having to import custom certificates or CAs into your phone.
    You should also be using a decent firewall solution like pfsense.

    You add a public DNS record for your HomeSeer endpoint that points to your public static IP. And you ensure the web server is running HTTPS using the certificate, so that your login credentials aren't sent over the wire in plain. Host the service on 443 to avoid firewall traversal issues when you're on other people's networks.
    Mirror the topology on your internal LAN with your home DNS server (which is likely also the pfsense router).

    In HS mobile you specify your custom HomeSeer URL (HS.smith.net as an example), port 443, and to use HTTPS. The mirrored settings between your home LAN and the public DNS records mean there's no change in experience when you connect/disconnect from your home wifi.

    To take it further, use a reverse proxy module in pfsense like HAProxy or nginx. You can host several web services on the same IP:port combination, and the reverse proxy will route them accordingly based on the URL requested; this is called Server Name Indication or SNI. So for instance you could access your Blue Iris interface on the same IP:port, but using the URL bi.smith.net.

    Add the pfblocker module to pfsense to block access to your 443 port to clients in other countries, namely China.

    This is all in relation to HS mobile and the HS web interface. This cannot replace myhs for connecting smart assistants like Alexa or Google, those skills rely on myhs until HST update them to allow specifying a custom endpoint.

    If you want cloud free voice control, your options are the HS Speaker client, or the Mycroft digital assistant.

    You can build a Mycroft yourself using an RPi and a seeed studio microphone, or wait for their MKII device launching later this year.

    Mycroft will rely on the cloud for STT and TTS, but the intent processing happens on-device and using the HomeSeer skill for Mycroft (it's buried on GitHub and you'll have to change a few lines) it can control your HomeSeer directly.

    Excuse spelling, on mobile.
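
The name-based routing described in post #2, as an added nginx example that is not part of the original post. hs.smith.net and bi.smith.net are the post's example names; the certificate paths and backend addresses and ports are assumptions.

```nginx
# Added example, not from the thread. Belongs inside the http { } context.
# hs.smith.net and bi.smith.net are the example names from post #2;
# certificate paths and backend addresses below are assumptions.

# One wildcard certificate (*.smith.net) covers every hostname served here.
ssl_certificate     /etc/ssl/smith.net/fullchain.pem;   # assumed path
ssl_certificate_key /etc/ssl/smith.net/privkey.pem;     # assumed path
ssl_protocols       TLSv1.2 TLSv1.3;

# Catch-all: a request for any name not listed below (for example a scanner
# connecting to the bare IP address) is closed without a response.
server {
    listen 443 ssl default_server;
    server_name _;
    return 444;
}

# nginx picks the server block from the requested hostname
# (the TLS SNI name, then the HTTP Host header).
server {
    listen 443 ssl;
    server_name hs.smith.net;

    location / {
        proxy_pass http://192.168.1.10:8080;   # assumed HomeSeer address/port
        proxy_set_header Host              $host;
        proxy_set_header X-Real-IP         $remote_addr;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}

server {
    listen 443 ssl;
    server_name bi.smith.net;

    location / {
        proxy_pass http://192.168.1.20:81;     # assumed Blue Iris address/port
        proxy_set_header Host              $host;
        proxy_set_header X-Real-IP         $remote_addr;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}
```

`nginx -t` validates the file before a reload. For the mirrored setup the post describes, the internal DNS server answers the same two names with the proxy's LAN address.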



    • #3
      Originally posted by MattL0 View Post

      I do not want to setup a vpn.
      Hi Matt, out of curiosity, why don’t you want to use a VPN?

      Cheers
      Al
      HS 3.0.0.548: 1990 Devices 1172 Events
      Z-Wave 3.0.1.262: 126 Nodes on one Z-Net



      • #4
        Take a look at WebHookRelay. They also offer a tunnel. Easy to setup, SSL provided and cheap.

        https://webhookrelay.com/



        • #5
          Originally posted by sparkman View Post

          Hi Matt, out of curiosity, why don’t you want to use a VPN?

          Cheers
          Al
          Hi sparkman,

          - Because I want to communicate via some services directly to my place. Not only my phones?
          - I do not want my phones to always think they are in my home network. I have presence scripts on my OpenWrt that act on wifi presence, and it is really reliable!
          - It may have some delay depending on what VPN I use?
          - I also want to have access to the files on my server, with any device I have on hand.

          Maybe my assumptions are wrong?



          • #6
            Originally posted by simplextech View Post
            Take a look at WebHookRelay. They also offer a tunnel. Easy to setup, SSL provided and cheap.

            https://webhookrelay.com/
            Thanks! Will take a look.

            NB: I just tried the SSL, etc., certificate route yesterday night. But didn't get it right. I think I have to read more before implementing this.



            • #7
              Originally posted by Fellhahn View Post
              For the best experience, you should ensure you have a static IP from your ISP. Also purchase a personal domain and some DNS hosting. And buy yourself a wildcard SSL certificate for the same domain, it'll make things a lot easier on the client end without having to import custom certificates or CAs into your phone.
              You should also be using a decent firewall solution like pfsense.

              You add a public DNS record for your HomeSeer endpoint that points to your public static IP. And you ensure the web server is running HTTPS using the certificate, so that your login credentials aren't sent over the wire in plain. Host the service on 443 to avoid firewall traversal issues when you're on other people's networks.
              Mirror the topology on your internal LAN with your home DNS server (which is likely also the pfsense router).

              In HS mobile you specify your custom HomeSeer URL (HS.smith.net as an example), port 443, and to use HTTPS. The mirrored settings between your home LAN and the public DNS records mean there's no change in experience when you connect/disconnect from your home wifi.

              To take it further, use a reverse proxy module in pfsense like HAProxy or nginx. You can host several web services on the same IP:port combination, and the reverse proxy will route them accordingly based on the URL requested; this is called Server Name Indication or SNI. So for instance you could access your Blue Iris interface on the same IP:port, but using the URL bi.smith.net.

              Add the pfblocker module to pfsense to block access to your 443 port to clients in other countries, namely China.

              This is all in relation to HS mobile and the HS web interface. This cannot replace myhs for connecting smart assistants like Alexa or Google, those skills rely on myhs until HST update them to allow specifying a custom endpoint.

              If you want cloud free voice control, your options are the HS Speaker client, or the Mycroft digital assistant.

              You can build a Mycroft yourself using an RPi and a seeed studio microphone, or wait for their MKII device launching later this year.

              Mycroft will rely on the cloud for STT and TTS, but the intent processing happens on-device and using the HomeSeer skill for Mycroft (it's buried on GitHub and you'll have to change a few lines) it can control your HomeSeer directly.

              Excuse spelling, on mobile.
              Thanks !!



              • #8
                Originally posted by MattL0 View Post

                Hi sparkman,

                - Because I want to communicate via some services directly to my place. Not only my phones?
                - I do not want my phones to always think they are in my home network. I have presence scripts on my OpenWrt that act on wifi presence, and it is really reliable!
                - It may have some delay depending on what VPN I use?
                - I also want to have access to the files on my server, with any device I have on hand.

                Maybe my assumptions are wrong?
                My router/firewall assigns a different ip address to my phone if I connect over wifi versus when I connect over an ssl vpn. No real delay as the connection is direct from your device to your firewall. You can access files on servers as well over the vpn. I use vpn from our phones and also laptops. As to the services in your first item in the list, really depends on what they are, but you’d likely need to do something different for those.
                HS 3.0.0.548: 1990 Devices 1172 Events
                Z-Wave 3.0.1.262: 126 Nodes on one Z-Net



                • #9
                  Originally posted by sparkman View Post

                  My router/firewall assigns a different ip address to my phone if I connect over wifi versus when I connect over an ssl vpn. No real delay as the connection is direct from your device to your firewall. You can access files on servers as well over the vpn. I use vpn from our phones and also laptops. As to the services in your first item in the list, really depends on what they are, but you’d likely need to do something different for those.
                  - Is the process of switching from wifi to SSL VPN automatic?

                  - Can I access my files via the computer I want? Or do I have to register the device?

                  - And can I send webhook calls from a device/service outside of the VPN to my place? (Maybe https://webhookrelay.com/ is a compromise, thanks simplextech.)

                  VPN is easier to implement. But if I can't get the two last lines... maybe I could just set up a mix of the two?

                  1. I mean VPN for access outside my place.
                  2. And one domain with an SSL certificate for outside services to access HS4.



                  • #10
                    Originally posted by Fellhahn View Post
                    For the best experience, you should ensure you have a static IP from your ISP. Also purchase a personal domain and some DNS hosting. And buy yourself a wildcard SSL certificate for the same domain, it'll make things a lot easier on the client end without having to import custom certificates or CAs into your phone.
                    You should also be using a decent firewall solution like pfsense.

                    You add a public DNS record for your HomeSeer endpoint that points to your public static IP. And you ensure the web server is running HTTPS using the certificate, so that your login credentials aren't sent over the wire in plain. Host the service on 443 to avoid firewall traversal issues when you're on other people's networks.
                    Mirror the topology on your internal LAN with your home DNS server (which is likely also the pfsense router).

                    In HS mobile you specify your custom HomeSeer URL (HS.smith.net as an example), port 443, and to use HTTPS. The mirrored settings between your home LAN and the public DNS records mean there's no change in experience when you connect/disconnect from your home wifi.

                    To take it further, use a reverse proxy module in pfsense like HAProxy or nginx. You can host several web services on the same IP:port combination, and the reverse proxy will route them accordingly based on the URL requested; this is called Server Name Indication or SNI. So for instance you could access your Blue Iris interface on the same IP:port, but using the URL bi.smith.net.

                    Add the pfblocker module to pfsense to block access to your 443 port to clients in other countries, namely China.

                    This is all in relation to HS mobile and the HS web interface. This cannot replace myhs for connecting smart assistants like Alexa or Google, those skills rely on myhs until HST update them to allow specifying a custom endpoint.

                    If you want cloud free voice control, your options are the HS Speaker client, or the Mycroft digital assistant.

                    You can build a Mycroft yourself using an RPi and a seeed studio microphone, or wait for their MKII device launching later this year.

                    Mycroft will rely on the cloud for STT and TTS, but the intent processing happens on-device and using the HomeSeer skill for Mycroft (it's buried on GitHub and you'll have to change a few lines) it can control your HomeSeer directly.

                    Excuse spelling, on mobile.

                    I have read your post again, after a night of sleep. I'm starting to get the logic, thanks. And now I get what nginx etc. do. I thought it was mandatory... so maybe I can't start slow... and implement reverse proxies at the end.

                    Last... need to get a firewall. But for now maybe my router will do the job? Linksys WRT3200 on OpenWrt 19.7.1


                    edit: this is me now actualizing myself on the topic haha--- see picture