C4 Forums | Control4

iPhone 3g remote access and Apple Extreme router


C4Newbie


Wrvs4400n

I'm not super router savvy, but I had someone look into this and they couldn't get the VPN to work with the iPhone. This is the router I have at my house and I just open the ports to allow the app access without VPN. If someone can get the VPN to work I'm all ears.



When opening the ports for access are you able to access with either 3G or wifi outside your network range?

Is there a security risk doing it this way or does this router solve that security issue?

Thx!!

Link to comment
Share on other sites

Yes you can access it over 3g by portforwarding. The only thing that won't work is the cameras. If you VPN then the cameras should work.

*edit* to add: Yes, this is insecure, so there is technically a security risk.

Couldn't you port forward the cameras as well if your router supports it? I know the Cisco RVS042 does not but I believe the RVS4000/WRVS4400N do, as an example.


I believe this router, like many similar Cisco / Linksys models, requires you to use their horrid QuickVPN client software (I believe Windows only, no iPhone).

This is why my VPN solution uses an iMac running iVPN. There is bound to be an equivalent Windows program if you have a spare Windows machine lying around.

Wrvs4400n

pfsense running PPTP VPN to iphone.

Do not port forward C4 5020 beyond your lan. There is zero authentication, meaning anyone can issue a simple command and download your entire project as a nice, neat XML file. From there the possibilities are endless.


Correct. VPN is essential. Ingredients:

1) Router with VPN server OR Mac / PC running VPN server software and a static IP address. Set up an L2TP or PPTP VPN (L2TP preferred - better security)

2) Use dyndns.org (free service) with your ISP's dynamic IP address (no need to pay extra for static address from ISP). Virtually every router on the planet supports dyndns or equivalent

3) Connect from your iPhone / iPod Touch over 3G or WiFi from anywhere


OR

4) Wait for Control4 to offer it natively & securely with 4sight and have less "tech" overhead. Sure, you have to wait, but it depends on how dirty you want to get your hands :)

5) Just do it. It's really not that hard, particularly with some support from this forum.

The Cisco Linksys RV series routers have PPTP VPN built in. It works perfectly with the iPhone. It is not the most secure VPN, but it is much better than forwarding your ports to the internet.

This can be used with your current wireless router set up to be a Wireless Access Point.

If you run Windows you can also set up an incoming VPN server for no cost; it is built in.

If you use Sonicwall you can set up an L2TP VPN server in the router to use with the iPhone, which is more secure than PPTP.


1 year later...

Wow, just read this thread and I am stunned at all the inaccuracies in it.

Let me state, once more for the record. Do NOT port forward any ports to any Control4 devices from your external internet connection.

Control4 devices are NOT secure, the root password is commonly known and easily available.

Also, since most of these port forward instructions say to forward 5020, which is the port on which all activity to the project is managed (5021 is the SSL port, if/when they add encryption in the apps), anyone with access to your main controller on 5020 can issue simple commands to do anything: downloading your entire project, which is in plain text, deleting your project or even corrupting it, disarming your security system, turning all your lights on, etc. It is not hard to do, and a simple port scan on 5020 will reveal this vulnerability.

There is no authentication to the project over 5020, and there should be. There are no users defined in Control4 system interfaces, and hopefully that will change. Anyone can change anything; there simply is no security at all on your home network, therefore port forwarding this access allows anyone, anywhere with an internet connection to send / receive information from your master controller.

Do NOT port forward, or even worse, make your master controller publicly accessible.

As to resolving host names, IPs, etc., that is all in how you set up the VPN.

VPNs can be built into your firewall, can be separate appliances behind a firewall, or can even run on a computer. Keep in mind, running a VPN on a computer exposes that computer, and it could also be compromised.

Lastly, for the OP, the Airport Extreme is not a firewall, it is just NAT (network address translation): it takes a public IP and routes traffic to private wired and wireless clients. I would never use it as a firewall.

Bottom line is, the ONLY safe and secure method to access Control4 remotely is either their myhome web app via control4.com (which uses a built in VPN connection, FYI) or via your own VPN.

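As an added example for the two posts above that warn against forwarding 5020 (this is not code from the thread, from Control4, or from any poster): a small Python audit that reads netfilter-style (iptables/UFW) firewall log lines and flags inbound TCP connections to the controller ports named in the thread, 5020 and 5021 plus SSH on 22, when they arrive from an address outside the home LAN, and an active reachability check you run from outside the house against your public IP or DynDNS name. The log format, the "inside" address ranges and the sample log lines are assumptions constructed for the example; the port numbers come from the thread itself.

```python
"""Check whether a Control4 controller's ports are reachable from the Internet.

Added example; not Control4 code. Assumed, not from the thread: Linux
netfilter (iptables/UFW) key=value log format, and RFC 1918 / loopback /
link-local ranges as the "inside" of the home LAN. Ports are from the thread:
5020 Director (no authentication), 5021 Director SSL, 22 SSH.
"""
import ipaddress
import re
import socket

CONTROLLER_PORTS = {
    5020: "Director, plaintext, no authentication",
    5021: "Director, SSL",
    22: "SSH (default root password widely known)",
}

# Assumed home-LAN ranges; any other source address is treated as "outside".
INSIDE_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16")]

_FIELD = re.compile(r"\b(SRC|DST|PROTO|DPT)=(\S+)")


def is_inside(addr):
    """True if addr falls in one of the LAN ranges above."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in INSIDE_NETS)


def parse_netfilter_line(line):
    """Extract SRC/DST/PROTO/DPT from a netfilter log line; None if unusable."""
    fields = dict(_FIELD.findall(line))
    if not {"SRC", "DST", "PROTO", "DPT"} <= set(fields):
        return None
    try:
        return {
            "src": str(ipaddress.ip_address(fields["SRC"])),
            "dst": str(ipaddress.ip_address(fields["DST"])),
            "proto": fields["PROTO"],
            "dport": int(fields["DPT"]),
        }
    except ValueError:  # malformed address or port
        return None


def find_exposed_connections(lines):
    """One finding per TCP connection to a controller port from outside the LAN."""
    findings = []
    for line in lines:
        rec = parse_netfilter_line(line)
        if rec is None or rec["proto"] != "TCP":
            continue
        if rec["dport"] in CONTROLLER_PORTS and not is_inside(rec["src"]):
            findings.append({**rec, "service": CONTROLLER_PORTS[rec["dport"]]})
    return findings


def is_port_reachable(host, port, timeout=3.0):
    """Active check. Run it from OUTSIDE the house (e.g. a phone on 3G) against
    your public IP or DynDNS name; True means the port is forwarded."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


# Constructed sample log (UFW/iptables format, documentation-range addresses).
SAMPLE_LOG = """\
Jun  3 14:02:11 fw kernel: [UFW ALLOW] IN=eth0 OUT=eth1 SRC=198.51.100.23 DST=192.168.1.10 LEN=60 PROTO=TCP SPT=51234 DPT=5020 SYN
Jun  3 14:02:12 fw kernel: [UFW ALLOW] IN=eth1 OUT= SRC=192.168.1.50 DST=192.168.1.10 LEN=60 PROTO=TCP SPT=40211 DPT=5020 SYN
Jun  3 14:03:40 fw kernel: [UFW ALLOW] IN=eth0 OUT=eth1 SRC=203.0.113.77 DST=192.168.1.10 LEN=60 PROTO=TCP SPT=22000 DPT=22 SYN
Jun  3 14:03:41 fw kernel: [UFW ALLOW] IN=eth0 OUT=eth1 SRC=203.0.113.77 DST=192.168.1.10 LEN=52 PROTO=UDP SPT=5353 DPT=5020
Jun  3 14:04:00 fw kernel: [UFW ALLOW] IN=eth0 OUT=eth1 SRC=198.51.100.23 DST=192.168.1.20 LEN=60 PROTO=TCP SPT=51300 DPT=443 SYN
Jun  3 14:04:01 fw kernel: some unrelated message
""".splitlines()

if __name__ == "__main__":
    for f in find_exposed_connections(SAMPLE_LOG):
        print(f"EXPOSED: {f['src']} -> {f['dst']}:{f['dport']} ({f['service']}); "
              "remove the port forward and reach it over a VPN instead")
```

On the constructed log the audit reports two findings: the 5020 connection and the SSH connection from outside addresses. The LAN-sourced 5020 connection is normal traffic, the UDP line is ignored because Director is TCP, and 443 is not a controller port. The active check is the same test an attacker's port scan performs, so a True result from outside the house means the port forward should be removed and the traffic moved onto a VPN.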

^ Awesome post. It's ridiculous enough to port forward port 80, but just as dumb to expose your entire Control4 system.

It's just as ridiculous that C4 hasn't implemented an iPhone/VPN solution through their 4sight product. It's long overdue and definitely a reason to spend $100 a year on 4sight.


Yeah that post should be updated. It was a neat trick back in the day but there are more secure options as posted.

It would be really unfortunate if a dealer was doing this. It would be even more unfortunate if someone were to actually get hurt by this. I'm sure C4 doesn't support this, but the fact they haven't given their dealers a tool to work around this is really bad.


There are options available to setup secure VPNs with the proper hardware, that in some ways would be preferable to Control4 doing it, i.e. the VPN is direct to the home, vs. through Control4's infrastructure, which adds hops.

The fact that Control4 doesn't yet support it natively via 4Sight is not a good reason for doing it in the easiest, most insecure way possible.

RyanE

You mean not the routers listed on your approved hardware list, because I just bought one 6 months ago from that list and I found out the hard way that I can't get it to do VPN (and yes after the MyHome product).

2 on the list *do* support VPN - a Cisco RV042 & Pakedge model RB-KIT 50b. Most routers on the list are "consumer grade".


Chester, you bring up a valid point. One that I haven't talked much about...

The myhome web application is using an install of OpenVPN client on the controller that connects to a VPN endpoint at control4. Why they chose to do it this way, I have no idea. But it is a major security risk and practically no easy way to block it. This is the back door into your system that could be used to access your entire network (or at least the segment the control4 device is on).

Had they done it in reverse, the problem would have been solved. They could easily turn the controller into an OpenVPN server, using PNP to open firewall ports, or require OpenVPN traffic to route to your controller.

Then add an external VPN client to the iOS / Android myhome app and it would connect securely and encrypt the traffic to the controller.

They would also still need to create a user administration, otherwise anyone could connect. Thus why they did the client connecting back home method.

Anyway, fundamentally, control4 products are inherently insecure and should NEVER be exposed to the internet directly or via port forwarding.


The reason it was done that way (with OpenVPN connecting outward) is because it does not require any network setup beyond setting up the Control4 gear.

A Control4 installation is *not* inherently insecure. It *does* depend on having the network setup correctly for security, and if you don't want the Control4 system to connect over the VPN for web access / dealer access, *TURN IT OFF*.

If you change the master password on the system, only allow SSH connections, and secure your network, the Control4 system is fairly secure.

If it can be made secure enough to install in 4000+ suites at the Aria hotel in Las Vegas, it is secure enough to install at your home.

RyanE


I agree, Control4 can be locked down. But out of the box it isn't. It isn't unique, but there are risks.

Thanks for bringing up the master "root" password issue as well. Given that this is common knowledge and easily found by any dealer or via internet search, it *should* be mandatory for the dealer to change, IMO.

I also thought that you broke legacy connections if you enabled SSH only, i.e. port 5021? I know early on when I did this, it broke my iOS connection as well as causing a few other issues.

It is all about network security, and very few people ever put the needed focus on securing their network and always lean to making it easy.

Let's face it, I hate having to carry keys around, but no way am I leaving my house unlocked, or my doors open when I'm not at home.

A good VPN is like having a good key and lock on your network access.

Good discussion, thanks!


You mean not the routers listed on your approved hardware list, because I just bought one 6 months ago from that list and I found out the hard way that I can't get it to do VPN (and yes after the MyHome product).

2 on the list *do* support VPN - a Cisco RV042 & Pakedge model RB-KIT 50b. Most routers on the list are "consumer grade".

So, there are only "2" confirmed/C4 listed routers that support VPN and 3g access with iphone/android via myHOME?


Archived

This topic is now archived and is closed to further replies.

