
WebIF - can it be accessed from the WAN?

OP
makem
#4
Yes, I was aware that port forwarding would be needed. My question was raised to ask whether today it was practical. I will await SSL. I appreciate my requirements are not those of the majority. Thank you for bearing with me.
 

af123

Administrator
Staff member
#5
The latest version of the webif now supports running with SSL - there's a new toggle on the settings screen under general options and if you change it to yes then it will enable HTTPS alongside the standard HTTP.

If you want to change the port number or add another, then you can edit /mod/etc/mongoose.conf. Just be sure to put an s after the port number to indicate SSL.

If you want to change the key length or certificate fields, look at the /mod/sbin/mongoose_mkcert script or place your own certificate and unprotected private key in /mod/etc/mongoose.cert.
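
A local check for the two settings described in the post above, as an added example that is not part of the original post or the webif's own code: it lists which listeners in a Mongoose-style config are HTTPS (port followed by `s`) and checks that a combined PEM file holds a certificate plus an unprotected key. The `listening_ports` option name comes from upstream Mongoose and is an assumption about this particular file; the function names and sample files are constructed for illustration.

```shell
#!/bin/sh
# Added example. Usage on the box (paths from the post above):
#   list_listeners /mod/etc/mongoose.conf; check_pem_bundle /mod/etc/mongoose.cert
# Assumption: ports are set with upstream Mongoose's `listening_ports` option.

# Print each configured listener as "<port> https" or "<port> http".
list_listeners() {
    sed -n 's/^[[:space:]]*listening_ports[[:space:]]\{1,\}//p' "$1" |
        tr ',' '\n' | tr -d ' \t\r' |
        while read -r p; do
            case $p in
                '') ;;                          # skip empty list entries
                *s) echo "${p%s} https" ;;      # trailing "s" marks an SSL port
                *)  echo "$p http" ;;
            esac
        done
}

# Succeed only if at least one listener exists and none is plain HTTP.
only_https() {
    out=$(list_listeners "$1")
    [ -n "$out" ] && ! printf '%s\n' "$out" | grep -q ' http$'
}

# Print "ok", or why the combined PEM would not work unattended.
check_pem_bundle() {
    grep -q -e '-----BEGIN CERTIFICATE-----' "$1" || { echo "no certificate"; return 1; }
    grep -q -e '-----BEGIN .*PRIVATE KEY-----' "$1" || { echo "no private key"; return 1; }
    # A PKCS#8 "ENCRYPTED" label or a legacy Proc-Type header means a passphrase is set.
    if grep -q -e '-----BEGIN ENCRYPTED PRIVATE KEY-----' -e '^Proc-Type: 4,ENCRYPTED' "$1"; then
        echo "private key is passphrase-protected"; return 1
    fi
    echo "ok"
}

# Write constructed sample files into directory $1 (placeholder bodies, no real keys).
write_samples() {
    printf '# constructed sample\nlistening_ports 80,443s, 8443s\n' > "$1/mixed.conf"
    printf 'listening_ports 443s\n' > "$1/tls.conf"
    printf '%s\n' '-----BEGIN CERTIFICATE-----' 'PLACEHOLDER' '-----END CERTIFICATE-----' \
        '-----BEGIN RSA PRIVATE KEY-----' 'Proc-Type: 4,ENCRYPTED' 'PLACEHOLDER' \
        '-----END RSA PRIVATE KEY-----' > "$1/locked.pem"
    printf '%s\n' '-----BEGIN CERTIFICATE-----' 'PLACEHOLDER' '-----END CERTIFICATE-----' \
        '-----BEGIN PRIVATE KEY-----' 'PLACEHOLDER' '-----END PRIVATE KEY-----' > "$1/plain.pem"
}
```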
 

af123

Administrator
Staff member
#8
It's using HTTP authentication so your browser is sending the credentials along with every request rather than using cookies and creating a server side session. Closing the browser is sufficient unless you have told it to remember the password.
 
#9
I think setting up a VPN would answer this use case too, as your remote machine would be seen as being on your home network via a secure tunnel. Then just access with your home IP address for the Humax (e.g. 192.168.x.x).
 
OP
makem
#10
It's using HTTP authentication so your browser is sending the credentials along with every request rather than using cookies and creating a server side session. Closing the browser is sufficient unless you have told it to remember the password.
In our case a password is not requested.
 
OP
makem
#11
#13
Hi makem,
Regarding the VPN suggestion. It's not exactly SSH. SSH sets up a tunnel onto a machine allowing you to run command prompt commands from that shell window.

A VPN usually involves some small setup on your home network's router to allow something like a PPTP VPN; hard to advise as each router is slightly different. You then run a client on your remote machine (I mention PPTP because Windows comes with the client by default). The client establishes a connection to your home router and from that point on your machine behaves exactly as though your internet connection was established from within your home network. You will have full access to your home network's devices by using their local IP addresses, for example 192.168.x.x. This means no port forwarding would be needed. All encryption and authentication is handled by the VPN, making it look like you were a device on the local network. Also you would not need to open your Humax or any ports up to the dark world of the internet as it would see itself as being accessed from its local network :)
 
OP
makem
#14
Hi makem,
Regarding the VPN suggestion. It's not exactly SSH. SSH sets up a tunnel onto a machine allowing you to run command prompt commands from that shell window.

A VPN usually involves some small setup on your home network's router to allow something like a PPTP VPN; hard to advise as each router is slightly different. You then run a client on your remote machine (I mention PPTP because Windows comes with the client by default). The client establishes a connection to your home router and from that point on your machine behaves exactly as though your internet connection was established from within your home network. You will have full access to your home network's devices by using their local IP addresses, for example 192.168.x.x. This means no port forwarding would be needed. All encryption and authentication is handled by the VPN, making it look like you were a device on the local network. Also you would not need to open your Humax or any ports up to the dark world of the internet as it would see itself as being accessed from its local network :)
Would a VPN setup be more secure than SSH? I also gather that SSH can be used over VPN. I travel in Asia, China in particular. I use a Netgear WGT624 v3 router and I would feel more secure using one or both of the above. Are you able to point me to a guide?
 

Black Hole

May contain traces of nut
#15
I think you might need to be careful. I hear China is touchy about uncensored Internet access, and sending encrypted traffic or using a VPN might be seen as a means to bypass the censorship system and have the authorities down on you. I may be wrong, but I think you need to be sure what the situation is.
 
OP
makem
#16
I think you might need to be careful. I hear China is touchy about uncensored Internet access, and sending encrypted traffic or using a VPN might be seen as a means to bypass the censorship system and have the authorities down on you. I may be wrong, but I think you need to be sure what the situation is.
Yes, that is true but I can seek advice locally. I also travel in Malaysia and Singapore this year so it would be helpful there. Later, on the other side of the world hopefully. In fact wherever I travel it would be an advantage.

Accessing UK banking is encrypted? I have never had a problem there (yet!)
 
#18
Ah, good point Black Hole, I hadn't thought about that. However, after some digging for what is legal I found http://www.streetarticles.com/cyber-law/vpn-in-china-is-it-legal. Seems it isn't illegal and a use such as communicating with a home network wouldn't pose any problems. However it seems it's best to use something other than PPTP and L2TP as they are disabled for one reason or another.

With regards to security you can indeed use SSH to achieve your VPN. There are many guides online; simply search for "VPN" and "SSH", for example http://bodhizazen.net/Tutorials/VPN-Over-SSH
 
OP
makem
#19
Ah, good point Black Hole, I hadn't thought about that. However, after some digging for what is legal I found http://www.streetarticles.com/cyber-law/vpn-in-china-is-it-legal. Seems it isn't illegal and a use such as communicating with a home network wouldn't pose any problems. However it seems it's best to use something other than PPTP and L2TP as they are disabled for one reason or another.

With regards to security you can indeed use SSH to achieve your VPN. There are many guides online; simply search for "VPN" and "SSH", for example http://bodhizazen.net/Tutorials/VPN-Over-SSH
From the web page you suggest I gather this:

Disadvantages :
  1. As of yet I do not know of a windows client which will use this protocol.
This means I cannot use a VPN over SSH if I am using windoz?

You say PPTP and L2TP are disabled, can you suggest an alternative protocol for me to research? You will have gathered I don't have my foot on the first rung yet.
 
#20
You don't need a full VPN to access your Humax remotely - you only need to forward the ports that are of interest, typically 23 (telnet) and 80 (http). I wouldn't bother trying to forward 21 (ftp) due to the slow speeds you would get.

This is best done using PuTTY. You need to port forward from your router to the ssh service (22) on the Humax and then set up a tunnel under the PuTTY SSH settings. First, get SSH working remotely, then add a local tunnel to 127.0.0.1, from port 80 to port 80 and save the config. Close your PuTTY session and restart it and then point your browser to http://127.0.0.1 and you should see the WebIF. It's surprisingly straightforward once you have done it a couple of times. You don't need to bother with SSL either because the SSH session is already encrypted. If you want to do the same with telnet, then make sure that the ports are 23 at either end of the tunnel and then telnet to 127.0.0.1 (Windows systems don't normally have telnet open so that should be fine).

What you are doing with this setup is you are telling your computer to echo the service that is at the other end and to make it appear like it is actually running on your machine.

Once you are happy with the basics of SSH, you should do 2 more things:
1) Change the port to something that isn't guessable, because hackers go looking for open SSH services.
2) Disable keyboard authentication and use keys instead; even if a hacker or 'bot finds the port, they're not going to get in unless they are really lucky (the odds of winning the UK and Euro lotteries in the same week are probably more likely).
 