How to allow family to access OUTSIDE of home network?

Started by Jingo, December 30, 2016, 04:48:57 PM


Jingo

So, I've just tried to access IMA while at work (via work computer on their network and via my phone using mobile data to ensure the work firewall wasn't blocking access) and cannot connect to my machine using direct IP address to my home computer where the IMA services are running.  My firewall is off at home so that should not be preventing access.  I looked at the help and FAQ... and don't see what else I need to set up on my home PC/network to allow outside access to the port.   Do I need to allow access via my router as well?  I checked all the documentation but don't see anything related to port forwarding, or other routine needs from outside the network....


Also, this statement in the FAQ might be a bit misleading... since one of the main points of IMA is the ability to share your DB with friends/family/coworkers who are NOT located in your network...

If you are trying from a mobile phone or tablet: Make sure you are connecting via your Wi-Fi (WLAN) home network. If you instead use the mobile network, you are basically trying to connect from 'the Internet' – and Windows firewall will block access. This is important. You don't want computers from the Internet being able to reach your PC.

But - in the usage scenarios - you mention this which seems to contradict:


On The Road
Access your IMatch database remotely. Present photos while visiting friends, relatives or clients. Lookup information while at work or on-location.

Client Access
Present and distribute your images and other files to your clients. Allow clients to browse selected areas of your database from anywhere via a web browser.



Thx for the help Mario...




thrinn

Quote: Do I need to allow access via my router as well?
Your router should indeed block access to your network (and your devices therein) from the outside. Changing this is not recommended at all.
Mario has commented on this also in https://www.photools.com/community/index.php?topic=6258.msg43241#msg43241.
Thorsten
Win 10 / 64, IMatch 2018, IMA

Jingo

I'll have to read up on the Apache solution then... guess I thought this would work a bit more easily "out of the box" for outside the network... all you need is a browser and IP address and off you go!  Kinda like Calibre-server... it is configured on my system, runs as a service and my ebooks are available from any device (inside AND outside the network) via a webaddress:port.  username/password protects access...

I used to have programs configured in my router to allow access via port forwarding and password protection.... VPN access is fine for me (I typically use Teamviewer to access my home PC).. but not my 70 year old father.  For him, I just want to provide a weblink, click and go!

Mario

Turning off the firewall is a very bad idea. For security reasons, your router is blocking all unexpected access from the Internet. Hopefully.

You cannot just access a PC running at your home from the Internet.
You need to know the public IP address of your home network (which is not the IP address you probably determined while being at home); it does not start with 192.168....
You then need to open the 8080 or 443 port in your router, allowing incoming traffic. And the same in your firewall, for public networks.

This is not recommended for security reasons. Not without additional security measures. Remember. The bad boys are out there, just waiting for another computer to include in their bot nets, doing illegal stuff.

The best way to access private computers from the Internet (including access to IMWS) is to use a virtual private network (VPN). This way you can safely allow selected and known computers access to your home network.

See the deployment scenarios in the IMatch Anywhere help for more info. And google for VPN in combination with your router name and Windows version to learn how to set up a VPN.

Don't just disable your firewall and open your router. This is very insecure and dangerous.
-- Mario
IMatch Developer
Forum Administrator
http://www.photools.com  -  Contact & Support - Follow me on 𝕏 - Like photools.com on Facebook

Mario

Quote: or outside the network... all you need is a browser and IP address and off you go!  Kinda like Calibre-server... it is configured on my system, runs as a service and my ebooks are available from any device (inside AND outside the network) via a webaddress:port.  username/password protects access...

This sounds very dangerous. Just a plain password, and a web server open to the Internet? Without any additional security measures? This is basically an invitation to bots to break in and take over your system. And you would probably not even recognize it for a long time...

If you know the public IP of your home network and you configure your firewall to allow IMWS to accept connections from the Internet, this is how it will work - out of the box. You can access IMWS and the built-in web server from anywhere.

But such a configuration is insecure. This has nothing to do with IMWS. You just don't open home networks to the Internet without additional security measures.  Users without any know-how about Internet security are the reason why the bot nets become bigger and bigger, because they make it so easy for the bad boys to take over their systems.

At least use a VPN. This will also work with your Calibre software. And IMWS. But it will also keep your home network safe.
-- Mario

Jingo

Thx Mario... I will review the VPN options and see how to set that up...

Foto-Pit

First my thanks to Mario for the great IMA I wishfully waited for!
Installation was easy and it runs on all of my devices inside of the same WLAN.

For some time I have been using OpenVPN clients (on iPhone, iPad and Windows PC) for access to my home network from outside, together with the OpenVPN server integrated in my ASUS Wireless Router RT-AC68U.

Please note that I'm really not a network expert, except that the creation of the OpenVPN channel was really easy for me. But that is nearly all I know about networking!!

The problem now is, that I cannot reach the IMatch WebService, which is running on a Windows7-PC, over the OpenVPN channel. When I try, the following message is shown:
[img_1222.png]

What is the next step to solve the problem?


Mario

IMatch WebViewer is unable to read the configuration file. And it needs this to know where to find IMWS.

The config.json file is part of IMatch WebViewer and I don't see how it could fail to load it - except the file is missing or something on your system is blocking access. Reading this file is basically the first thing IMatch WebViewer is doing. It needs the info in this file to know where to find IMatch WebServices, which panels to show in the Navigator etc.

If IMatch WebViewer works in your local network, the file exists and is valid.

Mobile browsers usually don't have any debugging or diagnosis tools. If you can run your VPN on a normal PC, press <F12> to open the debugging tools of your browser. The "console" and "Net(work)" tabs may contain useful data, e.g. why IMatch WebViewer cannot load the config.json file.

Are you using IMWS also as the web server or do you run IMatch WebViewer on a separate web server?
How have you configured the imwsURL parameter in the config.json? Does it point to the public address of your IMatch WebServices?
-- Mario

pajaro

Quote from: Foto-Pit on January 01, 2017, 05:14:08 PM

The problem now is, that I cannot reach the IMatch WebService, which is running on a Windows7-PC, over the OpenVPN channel. When I try, the following message is shown:
[img_1222.png]

What is the next step to solve the problem?

I am not sure if this can be of any help, as I am not a network expert, but I was getting this message when I was trying to access IMWS from my Linux computer which did not have properly set firewall rules. Could this be related to firewall settings?

mastodon

I have absolutely the same problem. If I use my android phone (Samsung S5 Mini) via WIFI to use IMatch WebViewer, it works great. The two devices are in the same network, so.
But if I want to use IMatch WebViewer via mobile internet, I get the same message as above from Mycomputer (as in http://Mycomputer:8081/imatchviewer/), so it could resolve the domain name:
"ERROR: Cannot read configuration file imatch/config/config.json

null"

But only one time. After that it says ERR_NAME_NOT_RESOLVED, so like at the second time it could not resolve the domain name.

I have tried it with the proper IP address (that works via WIFI), but then I got ERR_CONNECTION_TIMED_OUT.

I cancelled the firewall COMODO, but it did not change anything.

Does anybody have any solution for that?

Mario

When you use the mobile network, you are trying to reach your computer from the Internet.
And the Windows firewall (for very good reasons!!!) blocks access from the Internet to your computer. Otherwise every malicious piece of software, bots etc. would try to break into your PC and do bad things.

Also, a name like "http://Mycomputer:8081" has no meaning on the Internet. Such a name can only be resolved in your local network.
On the internet you either need a proper domain name, a dynamic DNS service or you need to access your PC via its IP address.

DO NOT open your firewall to the Internet unless you know very precisely what you are doing.
You can give others access to your PC via a virtual private network (which is basically a safe and encrypted tunnel through the Internet). In this case only users who have the password etc. can access your PC, via a safe tunnel.

If you don't know about all this, there is a good chance that you SHOULD NOT open your PC from the Internet. Running a server which is accessible from the Internet is a complex and potentially dangerous task. I have written about this in the IMWS documentation.
-- Mario

mastodon

Thanks, this is where I got stuck. I cancelled my firewall temporarily, just to see if that is the problem.
I like to reach my database and pictures from anywhere over the internet. That is what IMA is for, isn't it?

So, I have to make a VPN connection to my PC OR a dynamic DNS for my PC to make it safely accessible from the internet?
I would like to choose the DDNS solution, because it does not need anything to be set up on the client side. No-ip (Dynamic DNS Update Client (DUC) for Windows) looks good (Plus I will add user authentication). I know, that is not your profile or task, but might you know anything about this? Is it a feasible solution?

Mario

Quote: That is what IMA for, isn't it?

No. IMWS is not a hardened web server with all kinds of protection, filters and whatnot.
As explained in detail in the help, I highly recommend to make it only accessible from outside home/corporate networks via SSH tunnel or via a dedicated and hardened proxy server.

If you don't use a tunnel, your PC is accessible from the Internet without any kind of protection. This is really not advisable.
Bots will find it and since IMWS has no protection features they may break into your PC, stealing your data or making it explode. Just for fun. Most likely your PC will be abused to send SPAM emails, mine Bitcoins and whatnot. The Internet is not a friendly place.

To make this clear: This is not an IMatch Anywhere problem. Everybody who opens a server to the Internet takes risks. A lot of experience, tools and know-how is required to do this safely. Use a tunnel. Or a hardened web server (Apache, IIS, nginx) as a reverse proxy to hide IMWS from the Internet. This is indicated in the documentation and we discussed this here in the community on several occasions.
-- Mario

mastodon

OK, understood. I will use VPN! Thanks for your quick and clear response! :)

mastodon

I am using IMatch Anywhere outside my home network. I had a VPN server set up in my WDR 3600 router with the LEDE firmware. My PC got a fixed IP address. After that I installed the OpenVPN app on my Samsung S5 Mini, got the key for this client, and wow! Don't forget to change your settings in config.json: "imwsUrl": "http://YOUR-PC-NAME:PORT" ---> "imwsUrl": "http://YOUR-IP-ADDRESS:PORT".
Now, I will install OpenVPN for the PC, that will be another client.
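
Added example (not part of the original posts and not IMatch code): a small check of the `imwsUrl` value discussed in this thread, showing why a bare PC name fails for remote clients, why a private address fits the VPN setup, and when the value points at an Internet-exposed address. Only the `imwsUrl` key comes from the thread; the function names, the sample config and all addresses are constructed for illustration.

```python
import ipaddress
import json
from urllib.parse import urlsplit

# Private ranges: RFC 1918 (IPv4) and unique local addresses (IPv6).
PRIVATE_NETS = [ipaddress.ip_network(n) for n in
                ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "fc00::/7")]

def classify_imws_url(url):
    """Return (category, note) describing where the imwsUrl host is reachable."""
    host = urlsplit(url).hostname
    if not host:
        return ("invalid", "no host part found in the URL")
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        # Not an IP literal: either a bare LAN name or a DNS name.
        if "." not in host:
            return ("local-name", "resolves only inside the LAN; VPN clients "
                    "need the PC's fixed IP address instead")
        return ("dns-name", "check what this name resolves to from outside")
    if ip.is_loopback:
        return ("loopback", "reachable only from the PC itself")
    if any(ip in net for net in PRIVATE_NETS):
        return ("private-ip", "reachable from the LAN or through the VPN only")
    return ("public-ip", "server is exposed to the Internet; the thread "
            "recommends a VPN or a hardened reverse proxy instead")

def check_config(config_text):
    """Parse config.json text and classify its imwsUrl entry."""
    return classify_imws_url(json.loads(config_text).get("imwsUrl", ""))

# Constructed sample; a real config.json contains other settings as well.
SAMPLE_CONFIG = '{"imwsUrl": "http://192.168.1.20:8081"}'

if __name__ == "__main__":
    for url in ("http://Mycomputer:8081", "http://192.168.1.20:8081",
                "http://203.0.113.10:8080"):
        print(url, "->", *classify_imws_url(url))
    print("config.json ->", *check_config(SAMPLE_CONFIG))
```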

Jingo

Unfortunately - most routers do not offer the VPN options... especially if you are renting from a cable company like Comcast or Verizon...  and setting up a private router behind the cable modem can be a difficult process.  As such, I've decided to forego opening up via VPN and just using remote access (Teamviewer) when I need to remotely view the system... a bit less convenient.. but quick and easy in the end.

mastodon

Yes, most routers do not offer the VPN options... but this is what custom firmwares are for! Just get a cheap router like WDR 3600 (but read this), install a custom firmware, and let VPN go. I got help, but I did not take hours with Teamviewer, so it's affordable to make it.
I don't use Teamviewer, because granddads and grandmas are on the client side, and they can use only the browser. This way they only have to activate the VPN and after that simply use IMatch Anywhere. If one does business, one has to use a better, faster router.

Jingo

For the 3-4 times per year family may want to view photos on my system - TV works great... double-click an icon, enter 4 digit code and voila - even grandma and grandpa can handle!  I was hopeful my Verizon quantum router allowed for VPN but alas... it does not and since I would typically be the only one accessing things remotely - again, TV fits the bill - even from my android phone.