
I received some good answers in the question What do I need to create my own personal cloud for IoT devices? and one of the things that I understood from there is that I need to "expose" my HUB or GATEWAY to the external internet. The proposed solution for that is port forwarding.

I created this as a separate question because it would be difficult to properly follow up just with comments on all the answers; someone could get kind of lost. Also, this information may be useful for somebody with a similar question.

I don't like the idea of having to go to my router configuration and configure the port forwarding, because that means that I have to configure a device that, in spite of being part of the IoT infrastructure, is not one of "my" devices. It has to disrupt the already existing home network as little as possible. Also, I've had instances where I don't know the admin password of a particular router and it has been really difficult to get it.

I'm sure that there is a way around that even if that means having a more powerful IoT HUB maybe running Linux, I just don't know what that could be. It is OK to have a bit more complex HUB if that "alternate" way allows avoiding that port forwarding configuration.

I say that I'm sure there is a way because of how applications like TeamViewer don't need port forwarding to be configured.

So the question is, does anyone know a way of "exposing" an IoT embedded device to the external internet in order to access it from anywhere in the world that does not involve port forwarding?

m4l490n

6 Answers


If you can't port forward your router, you might have to resort to hole punching:

Hole punching is a technique in computer networking for establishing a direct connection between two parties in which one or both are behind firewalls or behind routers that use network address translation (NAT). To punch a hole, each client connects to an unrestricted third-party server that temporarily stores external and internal address and port information for each client. The server then relays each client's information to the other, and using that information each client tries to establish direct connection; as a result of the connections using valid port numbers, restrictive firewalls or routers accept and forward the incoming packets on each side.

The NAT on your router means that clients outside of your network can't connect to open ports of devices inside your network, but it doesn't restrict devices in your network from connecting to a 'broker'. Using a little bit of indirection, you can establish a direct connection between two devices without actually opening any ports - this is essentially what services like Skype and Hamachi do.

Of course, this does require an external server to co-ordinate the connection, and you would probably want to trust the server that was performing the hole punching.

Peer-to-Peer Communication Across Network Address Translators by Bryan Ford, Pyda Srisuresh and Dan Kegel is an interesting read for more information on the mechanisms of hole punching and how reliable it is.

Aurora0001
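The rendezvous step described above, as an added example that is not part of the answer: a minimal UDP hole-punching coordinator that records each client's private address (sent by the client) next to its public address (observed by the server), and hands both pairs to each peer once both have registered. The message format, client ids and all addresses are constructed for the example; the direct channel that follows still needs its own authentication and encryption, since the coordinator only exchanges endpoints.

```python
import json

class RendezvousServer:
    """Keeps {client_id: (internal_endpoint, external_endpoint)} for one session."""
    def __init__(self):
        self.clients = {}

    def handle(self, datagram: bytes, observed_from: tuple) -> list:
        """Process one REGISTER datagram; return [(payload, destination), ...]."""
        msg = json.loads(datagram.decode())
        if msg.get("type") != "register":
            return []
        cid = msg["id"]
        internal = tuple(msg["internal"])   # the address the client sees on its own NIC
        external = tuple(observed_from)     # the address:port the NAT rewrote it to
        self.clients[cid] = (internal, external)
        peer = msg["peer"]
        if peer not in self.clients:
            return [(b'{"type":"wait"}', external)]
        # Both peers are registered: send each one the other's address pair.
        out = []
        for me, other in ((cid, peer), (peer, cid)):
            o_int, o_ext = self.clients[other]
            reply = {"type": "peer", "id": other, "internal": o_int, "external": o_ext}
            out.append((json.dumps(reply).encode(), self.clients[me][1]))
        return out

def punch_targets(peer_payload: bytes) -> list:
    """Endpoints a client probes on receiving a 'peer' message (Ford et al.):
    the peer's private address in case both sit behind the same NAT, and its
    public address for the common case of two different NATs."""
    m = json.loads(peer_payload.decode())
    return [tuple(m["internal"]), tuple(m["external"])]

def demo():
    """Constructed session: a home hub and a phone, each behind its own NAT."""
    srv = RendezvousServer()
    hub = json.dumps({"type": "register", "id": "hub", "peer": "phone",
                      "internal": ["192.168.1.20", 40000]}).encode()
    phone = json.dumps({"type": "register", "id": "phone", "peer": "hub",
                        "internal": ["10.0.0.5", 41000]}).encode()
    first = srv.handle(hub, ("203.0.113.7", 51234))      # hub's NAT mapping (constructed)
    second = srv.handle(phone, ("198.51.100.9", 62000))  # phone's NAT mapping (constructed)
    return first, second

if __name__ == "__main__":
    for payload, dest in demo()[1]:
        print(dest, "<-", payload.decode())
```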

In the IoT world, the fact that devices have few resources to handle unwanted traffic from external connections, and of course the need to handle port forwarding and firewall issues with routers, has led to the following approach that you can see in a lot of IoT back-end solutions:

Devices will not accept any unsolicited network information. All connections and routes will be established by the device in an outbound-only fashion. So the device will open an outbound connection, so no firewall/router tweaks will be needed, and it will keep the channel open as long as it needs to be.

A nice article about the communication problems and solutions in the IoT world: “Service Assisted Communication” for Connected Devices.

Bence Kaulics
shachar

Try Port Knocking. You still have to port forward, but the port is only open after you send a secret combination (you pick) of pings. Then you can close the port with another secret combo of pings. It can run on embedded Linux, such as a Wi-Fi router with OpenWrt.

Helmar
GusGorman402
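The gate logic behind port knocking, as an added example that is not part of the answer or of any knocking daemon: it tracks, per source address, progress through an open sequence and a close sequence, restarts on a wrong port or a timeout, and only then lets a regular connection to the guarded port through. It assumes knocks are connection attempts to a sequence of ports (as tools like knockd use) rather than ICMP pings; the port numbers, timeout and sample events are constructed.

```python
from collections import defaultdict

PROTECTED_PORT = 22                 # assumed: the service being guarded
OPEN_SEQ = (7000, 8000, 9000)       # constructed secret sequences; must start on
CLOSE_SEQ = (9000, 8000, 7000)      # different ports in this simplified matcher
SEQ_TIMEOUT = 5.0                   # seconds allowed to finish a sequence

class KnockDaemon:
    def __init__(self):
        self.progress = defaultdict(lambda: {"seq": None, "pos": 0, "t0": 0.0})
        self.allowed = set()        # sources currently granted access

    def knock(self, src_ip: str, dport: int, now: float) -> str:
        """Feed one observed connection attempt; return 'open', 'close',
        'progress' or 'reset'. Any wrong port or a timeout restarts the sequence."""
        st = self.progress[src_ip]
        if st["pos"] and now - st["t0"] > SEQ_TIMEOUT:
            st.update(seq=None, pos=0)
        if st["pos"] == 0:
            for seq in (OPEN_SEQ, CLOSE_SEQ):
                if dport == seq[0]:
                    st.update(seq=seq, pos=1, t0=now)
                    return "progress"
            return "reset"
        if dport != st["seq"][st["pos"]]:
            st.update(seq=None, pos=0)
            return "reset"
        st["pos"] += 1
        if st["pos"] < len(st["seq"]):
            return "progress"
        completed = st["seq"]
        st.update(seq=None, pos=0)
        if completed == OPEN_SEQ:
            self.allowed.add(src_ip)   # a real daemon would add a firewall rule here
            return "open"
        self.allowed.discard(src_ip)   # ... and remove it here
        return "close"

    def permits(self, src_ip: str, dport: int) -> bool:
        """Firewall decision for a regular packet: guarded port only after a valid open."""
        return dport != PROTECTED_PORT or src_ip in self.allowed

def demo():
    """Constructed sample of observed SYNs as (source, dest port, seconds)."""
    events = [("203.0.113.5", 7000, 0.0), ("203.0.113.5", 8000, 1.0),
              ("203.0.113.5", 9000, 2.0),          # correct sequence, in time
              ("198.51.100.8", 7000, 0.0), ("198.51.100.8", 8000, 9.0)]  # too slow
    d = KnockDaemon()
    return d, [d.knock(*e) for e in events]
```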

While I cannot recommend that you allow any IoT device to be reachable from the public internet, you can achieve this natively using IPv6.

If your ISP and local network are configured for IPv6, and your IoT devices support it, they can automatically obtain an IPv6 address that is routable from anywhere on the internet (IPv6 removes the need for NAT and port forwarding). You would just need to make sure that any stateful firewalls (your router) are configured to allow the traffic to each device. Some may allow this (insecurely) by default.

multithr3at3d

Set up a VPN server at home, then connect to it from anywhere. I think this would be much more secure than exposing any type of IoT device to the open Internet.

Maurice

Take a look at this: ssh! noports. I wrote it to be able to get to my home office/IoT widgets without having to open up ports to the Interwebs.