Blocked access from alternate subnets
After purchasing the Rainmachine I've tried to access the machine via my own OpenVPN, but the VPN lies on a different subnet than the Wi-Fi. The firewall routes everything correctly and I can access another device on the Wi-Fi subnet, so I know it's working. The Rainmachine, on the other hand, is not accessible; it appears it's been hardcoded to reject connections from outside its subnet.
Is there a way to change this?
-
From the app, you can try and use Direct Access to see if this helps.
RainMachine App > Menu Icon (3 horizontal lines) > Network Settings > Direct Access
Here you can add the IP address of your unit (Local IP) in your case.
You can also rely on remote access by setting up an email and password under remote access.
Wrench > System > Remote Access
Then you can add it on your app as well:
RainMachine App > Menu Icon (3 horizontal lines) > Remote Access
Let me know if you still have trouble.
-
It sees the machine if I'm locally connected but still rejects the connection as it's being forced through the VPN. It doesn't respond to any connection attempt other than a direct connection from the same subnet. Of course using the remote access works but I consider this a bug in that I shouldn't have to bounce access off the cloud if I've got my own VPN.
In fact I don't generally trust systems like this because it grants external access to my internal network by punching a hole through my firewall. But none of that is the point, there appears to be a firewall running on the internal Linux install that's force rejecting connections from RFC1918 addresses that don't correspond with the configured subnet. I'd like to disable this netfilter rule but I don't know that I'll have root if I SSH into the box. I've been using Linux for years so I'm pretty familiar with how this all works.
-
Hi Trent,
You can access RainMachine through ssh if you enable it from Settings > System. The actual authentication step depends on the device model.
For HD12/16 family: https://support.rainmachine.com/hc/en-us/articles/228652648-How-to-SSH-on-Touch-HD-2nd-generation-devices
For Mini8: you can login with root user password rainmachine after enabling ssh.
The RainMachine shouldn't reject connections from outside its private network. I think you are referring to the connections on HTTPS port 8080 (for API calls)? You can try to access
https://RAINMACHINE_IP:8080/apiVer to check if it works.
The only thing that won't work across subnets is the discovery protocol used by mobile devices which is UDP broadcast. If the mobile app doesn't see the broadcast it will revert to cloud connection when it's enabled.
-
I'm using a Mini8. The thing I couldn't figure out was how to log in as root. Are you just using key-based authentication like discussed in the 2nd Gen device (the article I didn't look at because I don't have a HD12), or is it some other authentication method such as a default root password?
Although the rain machine shouldn't reject alternate subnets (something I agree with), I can guarantee it most certainly is. My VPN address space is 192.168.95.X and my WIFI is on 10.95.X.X and the rain machine will not respond to web connections from the VPN even though the connections will successfully route. It appears there is a default netfilter rule to block RFC1918 addresses outside the configured subnet, these are common, especially in the OpenWRT distribution so I'm not surprised it's there, just frustrated by it.
-
Trent,
Also try and disable "Local Discovery"
This is under RainMachine App > Menu Icon (3 horizontal lines) > Network Settings > Local Discovery
To SSH, you will first need to upload your key to the RainMachine. Instructions:
-
Brandon, it doesn't say in the attached article if this procedure works for the Mini8 which is older hardware. Is this confirmation that this same procedure works for the mini8?
I'm not sure what turning off local discovery on the app would do other than force all connections to bounce off the cloud as a remote connection through the proxy. I can see the device fine, but if I'm routing my traffic through the VPN the Mini8 won't respond to web requests....
After typing that I realized that I'd only tried to use the Android app to access the rain machine, not the web browser on my phone. In fact I can access the device directly over the web port; it's the application that's not connecting. Turning off discovery by the description forces remote use (via the RM proxy) just like I suspected and is the way I would prefer not to use it. My preferred mode of access pushes the connection through my VPN and not through a proxy someone else controls.
Even when I go to network settings and configure direct access at the device IP which does route over the VPN and is accessible via a web browser (thank you for posting this as I hadn't even realized I hadn't tried direct web access) the app doesn't pull up the device, unless I use the remote access through the RM proxy. So this isn't a firewall rule, it's something in the android application refusing the connection.
-
Hi Trent,
For Mini-8, accessing through ssh is as simple as enabling ssh and then connecting with ssh root@ip with password rainmachine.
When you configured direct access, did you set the port? You will need to enter a URL like: https://RM_IP:8080/. If that's so then we'll look at the Android app and try to replicate using 2 different networks with direct access, but that's something we actually use and it's working for the general case (router port forwarding).
-
I have exactly the same issue here. I have a subnet for my IoT thingies that I access through my own OpenVPN server. From outside the subnet, I am unable to access the Mini-8 via the iOS app, but CAN access it from outside via the web interface. I am running the latest RM firmware. Enabling or disabling Bonjour discovery does not help, since I am not accessing from the same subnet, and do not wish to use the cloud-based solution.
I 100% agree with Trent that this is the preferred method to gain remote access, and I would love to see you post a solution.
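The thread turns on one question: is a packet filter on the device rejecting cross-subnet RFC 1918 addresses, or is the mobile app refusing on its own? The script below is an added diagnostic written for this page; it is not RainMachine's code and not from any poster. It classifies the client address against the device's subnet (the distinction a "same subnet only" netfilter rule would make), probes TCP port 8080 to tell an open port from a REJECT (RST) or a DROP/no-route (timeout), and then fetches the /apiVer endpoint support suggested. The device IP, the /16 for the 10.95.x.x Wi-Fi range and the 192.168.95.x VPN client are constructed values; the self-signed certificate on port 8080 is an assumption.

```python
# Added diagnostic, not RainMachine code: separate a network-level block from an
# application-level refusal when reaching a device from another subnet.
import ipaddress
import socket
import ssl
import urllib.request

# The three RFC 1918 private ranges.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_rfc1918(addr: str) -> bool:
    """True if addr falls in one of the RFC 1918 private ranges."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in RFC1918)


def subnet_relation(client: str, device_net: str) -> str:
    """Classify a client address relative to the device's own subnet.

    A filter of the kind hypothesised in the thread ("allow my subnet, drop
    other private ranges") would distinguish exactly these three cases.
    """
    ip = ipaddress.ip_address(client)
    if ip in ipaddress.ip_network(device_net, strict=False):
        return "same-subnet"
    return "other-private" if is_rfc1918(client) else "public"


def probe_tcp(host: str, port: int, timeout: float = 3.0) -> str:
    """Classify a plain TCP connect to host:port.

    'open'    -> handshake completed: routing works and something listens
    'refused' -> RST came back: a REJECT rule or nothing bound to the port
    'timeout' -> silently dropped, or no return route for the reply
    """
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"
    except ConnectionRefusedError:
        return "refused"
    except (socket.timeout, TimeoutError):
        return "timeout"
    except OSError as exc:  # e.g. EHOSTUNREACH / ENETUNREACH
        return f"error:{exc.errno}"


def fetch_api_version(host: str, port: int = 8080, timeout: float = 5.0) -> str:
    """GET https://host:port/apiVer, the endpoint support suggested in the thread.

    Assumption: the device serves a self-signed certificate, so verification
    is switched off for this one-off diagnostic only.
    """
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with urllib.request.urlopen(f"https://{host}:{port}/apiVer",
                                timeout=timeout, context=ctx) as resp:
        return resp.read().decode("utf-8", "replace")


def verdict(tcp_result: str, relation: str) -> str:
    """Turn a probe result into the conclusion the thread was after."""
    if tcp_result == "open":
        return (f"port reachable from a {relation} address: no packet filter is "
                "in the way, so a failing app is refusing at the application layer")
    if tcp_result == "refused":
        return "RST received: a REJECT rule on the device or nothing listening"
    return "no reply: DROP rule, or asymmetric routing (check the return route)"


def open_local_listener() -> socket.socket:
    """Ephemeral loopback listener so the probe can be exercised offline."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    return srv


if __name__ == "__main__":
    # Constructed values matching the thread: VPN client 192.168.95.x,
    # Wi-Fi/device subnet 10.95.0.0/16. Replace DEVICE_IP with the real unit.
    DEVICE_IP, CLIENT_IP, DEVICE_NET = "10.95.0.50", "192.168.95.7", "10.95.0.0/16"
    rel = subnet_relation(CLIENT_IP, DEVICE_NET)
    res = probe_tcp(DEVICE_IP, 8080)
    print(rel, res, "->", verdict(res, rel))
    if res == "open":
        print("apiVer:", fetch_api_version(DEVICE_IP))
```

Run it from a host on the VPN side. An "open" result on 8080 together with a successful /apiVer response is the same evidence both posters reported (browser works, app does not), and it rules out the netfilter explanation: a REJECT rule would produce "refused" and a DROP rule or missing return route would produce "timeout" before any HTTP exchange.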