
iPhone 3g remote access and Apple Extreme router


C4Newbie


Has anyone configured port forwarding on the Apple Airport Extreme so that you can access ControlUI over 3G? I read the article on C4Central but I'm looking for details on how to do it on the Airport and if anyone's done it successfully. I also hear that certain states / ISPs make it more difficult?


I don't specifically remember the article on C4Central, but wasn't it about making the C4 connection over VPN?

Regardless, I'm pretty certain you don't want to do it via port forwarding even if that's possible. That would expose your home controller to the Internet and my limited knowledge of it says there's almost no security on it today.

You need to do it either via 4Sight or over a VPN tunnel. Apple Airports do not support VPN as the server -- my Time Capsule does not -- I wish they did. There are lots of other routers that do, but I don't think anything works as well with Apple iChat and "Back to my Mac" as the Airport.

FYI, I don't think ISPs deliberately make it difficult to do this, but there are certain network configurations that will do it. If your ISP is assigning you an IP address from the "private" range (192.168.x.x, 10.x.x.x, 172.16.x.x-172.31.x.x), you can expect difficulty.

To be clear, I'm not referring to the addresses you use on your internal network. I mean the external WAN address of your router that your ISP assigns.


I would suggest not opening ports to the internet without a secure VPN. If you forward ports to your controller anyone on the internet can talk to it. Control4's controllers are not meant to be open directly to the internet. There is no authentication process or any security. Home controllers are essentially computers that anyone could talk to with simple software. The risk may not be that great since they generally don't control anything too important, but I'm not sure what damage could be done through those open ports.

You need to consider putting a VPN router in place that is compatible with iphones. To set up a VPN for the iphone is beyond the scope of a forum post. I'm working on writing one up and maybe Dan at C4DIY.com will post it....

EDIT: In response to your other question: Most ISPs supply a dynamic public IP address or a public IP address that periodically changes. (Both Comcast and Verizon FiOS do in VA.) It is unlikely you would have what is called a private IP address. You can check the IP address you have from your provider easily by plugging your modem (NOT YOUR ROUTER) directly into your computer and looking at the network settings. Who is your ISP provider?
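
The check described in the two posts above (is the address your ISP hands out in one of the private ranges?), as an added example that is not part of the original thread. It parses `ifconfig`-style output and classifies each IPv4 address against the three ranges listed earlier; the function names and the sample output are constructed for illustration.

```python
import ipaddress
import re

# The three private ranges named in the thread (RFC 1918).
PRIVATE_NETS = [ipaddress.ip_network(n)
                for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Matches "inet 1.2.3.4" (macOS/BSD) and "inet addr:1.2.3.4" (older Linux),
# but not "inet6" lines or the broadcast address on the same line.
INET_RE = re.compile(r"^\s*inet (?:addr:)?(\d{1,3}(?:\.\d{1,3}){3})\b", re.M)


def classify(addr):
    """Classify one IPv4 address string as the modem-facing interface sees it."""
    ip = ipaddress.IPv4Address(addr)
    if ip.is_loopback or ip.is_link_local:
        return "not-routable"   # 127.x, or 169.254.x self-assigned (no DHCP lease)
    if any(ip in net for net in PRIVATE_NETS):
        return "private"        # ISP is doing NAT: inbound VPN/forwarding will be hard
    return "public"


def wan_report(ifconfig_text):
    """Map every IPv4 address found in ifconfig-style text to its classification."""
    report = {}
    for addr in INET_RE.findall(ifconfig_text):
        try:
            report[addr] = classify(addr)
        except ipaddress.AddressValueError:
            report[addr] = "invalid"   # e.g. an octet above 255
    return report


# Constructed sample: a computer plugged directly into the modem, where the
# provider handed out an address from 172.16.x.x-172.31.x.x.
SAMPLE_IFCONFIG = """\
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 16384
	inet 127.0.0.1 netmask 0xff000000
	inet6 ::1 prefixlen 128
en0: flags=8863<UP,BROADCAST,SMART,RUNNING,SIMPLEX,MULTICAST> mtu 1500
	inet 172.20.14.7 netmask 0xffff0000 broadcast 172.20.255.255
"""

if __name__ == "__main__":
    for address, kind in wan_report(SAMPLE_IFCONFIG).items():
        print(f"{address:15s} {kind}")
```
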


You need to consider putting a VPN router in place that is compatible with iphones. To set up a VPN for the iphone is beyond the scope of a forum post. I'm working on writing one up and maybe Dan at C4DIY.com will post it....

I'd love to C4RVA. Shoot it over to me via email and I'll get it online.


It is unlikely you would have what is called a private IP address.

That is correct, private addresses would be rare in normal situations (DSL and cable). I left off lots of details in my original answer.

You find private addresses in hotels typically. Many years ago I had DirecPC (now HughesNet, I think) -- it was private address space. And a coworker last year had private address from his fixed wireless ISP. In fact, my first fixed wireless provider at my Colorado house would have given me a private address had I not requested a public, static IP.


Remote access and VPN connections used to require a static public IP address. Many of the routers/firewalls available today at the big box stores can provide you with a router/firewall that will let you VPN in without a static public IP address. Most internet providers will provide you with a static IP address for a small fee, $5 - 20 a month, if that is the route you want to go. I will be setting up a Cisco router ($70.00) in the next few days to do this using a VPN with a DHCP-provided public address for remote access from my iphone. I will post the steps taken.


Are you sure that will work?

Yes, it can work. I have a dynamic, public IP address at my house in Dallas. I VPN into it all the time using my dyndns.org domain name.

That works because most inexpensive routers can automatically update the DNS records anytime their WAN IP address changes. Lots of DNS services provide dynamic registrations like this. DynDNS is possibly the oldest and best known. Static IP addresses are generally not necessary.

I also VPN into the Colorado house in the same way using a different DynDNS name even though my address there is static. So far I haven't needed my own domain name for anything.


Without confirmation from Control4 I would say no, not safe. Especially not the port 80 piece, even though the web server it runs is supposed to be simple and secure (aren't they all? :/ )

It's possible that the controller will reject any connection on those ports that's not from a properly authenticated Control4 app (preferably encrypted).

But I'd be surprised.


Since the OP is referencing an Apple airport extreme, I am guessing that there are Macs in use. I found a possible solution. I wish I could confirm that it is working, but I haven't had time to play with it....Nevertheless.....Native OSX VPN Server without buying OSX Server...

http://tinyapps.org/docs/os_x_vpn_server.html

Looks like ports need to be forwarded. Maybe someone can comment on the security of approaching it this way..


Dynamic DNS does work with the VPN tunnel for the iphone. The control UI app for the iphone, however, will not resolve hostnames and requires an IP address.

SO,

When you VPN into a network you get an IP address on that network (i.e. your home network) that can then connect to the HC controller.

Example:

IPHONE( connected 3g, with cellular IP xxx.xxx.xxx.xxx) goes to <<<< >>>> INTERNET <<<< >>>> HOME ( your modem with PUBLIC IP, YYY.YYY.YYY.YYY) <<<<< >>>> ROUTER (with VPN solution with WAN of YYY.YYY.YYY.YYY and PRIVATE IPS zzz.zzz.zzz.zzz)

once that connection is made or tunneled (IE Virtual Private Tunnel )

the connection looks like this to the iphone

IPHONE (Cellular IP xxx.xxx.xxx.xxx, VPN IP zzz.zzz.zzz.zzz) <<<< VPN TUNNEL ( over internet) >>>> ROUTER (HOME NETWORK) <<<>>> HC 300 (or other C4 stuff)

The iphone can use Dynamic DNS services to figure out the IP address of your HOME modem. That way no static IP address is needed and your network is ( arguably) safer.

I hope that makes sense, still need some coffee this morning.


Since the OP is referencing an Apple airport extreme, I am guessing that there are Macs in use. I found a possible solution. I wish I could confirm that it is working, but I haven't had time to play with it....Nevertheless.....Native OSX VPN Server without buying OSX Server...

http://tinyapps.org/docs/os_x_vpn_server.html

Looks like ports need to be forwarded. Maybe someone can comment on the security of approaching it this way..

While this will probably work, there are some risks and other considerations:

1) Your Mac running the VPN server must be on any time you want to use the VPN connection, or for that matter the C4 iphone app.

- Using a router solution enables you to have a connection without running a full-blown computer all the time, saving energy.

- I personally don't have a desktop, and my Mac rarely stays home. :-)

2) Your Mac will have to be assigned a static IP address on the LAN side of your network. Not too complicated on a mac.

- Not a big deal, but it can upset some older routers that want only dynamic IPs on the LAN side.

3) You have a direct VPN tunnel into a machine with other (likely) important data.

- This is my biggest issue. When you create a VPN to a machine that does other things (email, personal stuff, etc.) you are depending on that machine to stay secure. Again, not a huge issue on the mac, but in this scenario you also are depending on whoever wrote the server software.

4) I didn't read that deep on the software you suggested, but iphones are picky about the types of VPN servers they will connect into. I would imagine running natively on a mac it would be okay though.

So it's a solution. Maybe not ideal, but it will likely work.

For the OP, I would suggest moving the apple extreme and putting it behind a good router with VPN. You can still use the apple extreme as a wireless AP. Look at sonicwall routers


  • 2 months later...

I use iVPN on an iMac in my home as a VPN server. I chose the L2TP VPN instead of PPTP - more secure and not all routers can forward PPTP ports whereas L2TP only needs 2 UDP ports forwarded.

It has been working perfectly for months.

I have been using a commercial version of iVPN from http://macserve.org.uk/projects/ivpn/

I am very disappointed on a separate note that my mobile carrier Fido in Canada just started blocking VPN traffic. So now I have to resort to far less secure forwarding of port 5020 to my HC-1000 in order to keep using the C4 iPhone app I love from anywhere I have cell phone service.


Dynamic DNS does work with the VPN tunnel for the iphone. The control UI app for the iphone, however, will not resolve hostnames and requires an IP address....<SNIP>

I am quite disappointed in this very obvious oversight. It would be trivial to have the developers support a hostname as well as an IP address. This means we can use Dynamic DNS and not have to check our IP address each time we connect. PLEASE, add this feature in the next release.


  • 1 month later...
Sorry, just trying to clarify this topic... Do you mean the Control4 app on the iphone does not support DNS names, or that the VPN UI built into the iphone does not support DNS names?

Don

The app on the iphone.


It is the C4 app that only takes an IP address whereas the iPhone VPN dialogue takes either IP address or hostname. It is a bizarre omission by the C4 iPhone app developer. I contacted them about this and they say they don't intend to change this.

Regards..

Sounds like we need a big ole push from the whole community to C4 to fix this oversight... if we all complain, then they will get the message.


C4 didn't develop the app, it is a company called ControlUI.

Interesting... The controlUI guy is based out of MA, and Control4 itself is based out of UT? I suspected that they were affiliated somehow due to the tight integration between the control4 licensing model and the controlUI product.

Looks separate on the surface though... wonder how much of a cut he gets?


  • 2 months later...

Hey guys.....I'd like to get going with VPN at my home so I can run my iPhone app and control my system away from home via wifi or 3G

I understand I need to introduce a new router in place of my apple time capsule

What router would you suggest to handle this VPN?

I'd like to avoid being dependent on an existing computer so hoping this can be done via a router only securely?

TY!!


Wrvs4400n

Great, thx Dan!!

Are there any special steps to take for the iPhone app & C4 communication or is it straight forward?

Reason I ask, I'm having a non C4 friend set me up with the VPN tunnel so not sure if he needs to know anything other than standard configuration.


Archived

This topic is now archived and is closed to further replies.

