Port forwarding needed to track phone?

Hi guys,

So I just started with HA (Hassbian on RPi). Got nearly everything working: zones, iOS app, known devices, etc.

The problem is I want to make it so that, for example, lights get triggered by people leaving or coming home.

I have the HA iOS app and Nmap working; I'm using consider_home to prevent Nmap from changing my status to not home.

Is there a way to track my phone without exposing my Pi + HA to the internet? I don't want to change or control stuff when I'm on the go. I'll do that when I get back home.

I also don't want a cloud service where my data is stored on a server somewhere.

Thanks in advance

You might try the ping device tracker.

MQTT or owntracks component

I use OwnTracks -> Mosquitto MQTT broker. I run 2 instances of Mosquitto, one open (internal only) and 1 locked down (external), and they have a bridge connecting the external one to the internal one. OwnTracks publishes to the external Mosquitto, which forwards to the internal one. The external Mosquitto requires a security certificate which must be put on the phone by hand, so it's pretty good security-wise and not that hard to set up.

@keithh666
Isn't that for the local network? I need to put in the phone's IP, which is an internal IP address.

@tmjpugh does that work? I thought you needed to open ports for that.

@TD22057 like this?


The problem is my knowledge of security is not good, so I can follow a tutorial but then it stops.

I do exactly the same. That diagram is a perfect explanation.

My external MQTT is on my web host's VPS; here is their guide to setting it up securely.

NO
With MQTT you may use an external server. In this configuration an open port is not needed.
You can use your own AWS instance or something, or I think there are some brokers available for free.

So no port forwarding? But then I need to host stuff on a VPS?

@VGE Yes - that’s how I did it. There is a port forward, but I have it set at a very high port number so most of the dump scanners never ping it. That forwards to the secure mosquitto broker. I found instructions on the web for generating the certificate files, set up two different mosquitto config files and .service files (to start automatically). Owntracks docs have some of that info but not all. If you want to proceed down that path, let me know and I’ll post a detailed write up somewhere (I have some notes, but nothing you could follow). The cert instructions can be found here and the owntracks instructions are here. There is already an HA write up here.

Awesome! Something I don't get, but maybe you know the answer: when I open a port, do I expose all of the Raspberry to the web, or is it just the component Mosquitto?

When you open a port, you are exposing ONLY that port for ONLY that service that is running on that port.

OK, so for example if I didn't change the username and password of the Pi when installing Hassbian:

UN: Pi
PW: Raspberry

I installed HA and gave it a secure password: Thisisasecurepassword1234!

I open the port for HA or Mosquitto -> a hacker or someone lands on the HA frontend -> without knowing my HA or Mosquitto PW he cannot access my Pi?

Only my traffic wouldn't be secure, so he could listen to it; that needs to be fixed of course, but just to understand the port forwarding.

Correct.

The only caveat is that this assumes there are no vulnerabilities in the ‘web frontend’ that they can exploit. This is rare, and not a very likely scenario, but know that it is possible for one to exist at some point.

If you are forwarding a port (let’s say port 8123) to your pi, and your Home Assistant is listening on 8123, the only thing they will see is the service on port 8123. They cannot see SSH on that port, because that port is not listening for SSH connections.

Exactly, so if I'm running an older version or a newer version that has an unknown (known to the bad guy) exploit, he could access my HA and from there could enter my Pi -> network, etc.

So why would someone use a service like Mosquitto instead of the HA iOS app? Or why would you use 2 Mosquitto servers like the example above?

Just so that if the 1st Mosquitto server gets compromised you still need to go through a second one?

Well, not everyone uses or likes iOS. :stuck_out_tongue: I have all Android devices, so the iOS app is worthless to me.

2 MQTT servers would be used so that ONE of them is public facing, and there is a bridge to your internal. On your internal network, on YOUR firewall, you would basically only allow MQTT traffic from your external MQTT server to your internal MQTT server. You would never have to technically open a port to the world.

Not really. You most likely aren’t going to get anywhere from the public mqtt server. That’s not really how it works.

If you have Bluetooth enabled on your iOS device, then another simple option is to use the Bluetooth Tracker.

How do you connect from your VPS MQTT broker to your local broker?

It’s not “movie hacking” - both servers are on the same machine so you don’t go through one to get to the other. The reason to have 2 mosquitto processes running is that the external one is locked down and requires login and a certificate before it will allow any connection. The internal one is open and allows anyone to connect which makes everything much simpler to configure and use internally. It’s unlikely someone can “hack” a certificate protected mosquitto server and most likely if there is some flaw, they could read your location and that’s it (i.e. subscribe to your messages). It’s also the minimum you need to expose to the internet to get the job done which is always the best policy.

This is a fairly good layout

1 Like
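As an added example (not keithh666's own files, and not taken from the OwnTracks or Mosquitto documentation), here is a minimal pair of Mosquitto configurations for the layout described in the replies above: two brokers on the same Pi, an internet-facing one that demands TLS, a client certificate and a username/password, bridged one-way into an open internal one that Home Assistant talks to. The certificate paths, the LAN address 192.168.1.10, the account name `phone` and the OwnTracks topic are assumptions; the certificate files themselves are created following the cert guide the reply links to.

```conf
# ---- /etc/mosquitto/external.conf  (constructed example; paths and names are assumptions) ----
# Internet-facing broker. The router forwards its high-numbered public port to 8883 here.
# A client must present a certificate signed by our CA AND a username/password.
listener 8883
cafile   /etc/mosquitto/certs/ca.crt
certfile /etc/mosquitto/certs/server.crt
keyfile  /etc/mosquitto/certs/server.key
require_certificate true
allow_anonymous false
password_file /etc/mosquitto/external.passwd
acl_file      /etc/mosquitto/external.acl
persistence false
pid_file /run/mosquitto/external.pid

# Bridge: this broker connects over loopback to the internal one and pushes
# OwnTracks messages "out" to it. Nothing is pulled back in, so a compromise of
# this process still cannot read internal topics through the bridge.
connection to_internal
address 127.0.0.1:1883
topic owntracks/# out 0
cleansession true

# ---- /etc/mosquitto/external.acl ----
# The phone's account may only publish under its own OwnTracks topic and can
# read nothing, so even a leaked phone credential exposes nothing else.
user phone
topic write owntracks/phone/#

# ---- /etc/mosquitto/internal.conf ----
# Internal broker: open, but bound only to loopback and the Pi's LAN address
# (assumed 192.168.1.10) so it is never reachable through the port forward.
listener 1883 127.0.0.1
listener 1883 192.168.1.10
allow_anonymous true
persistence true
persistence_location /var/lib/mosquitto/
pid_file /run/mosquitto/internal.pid
```

Create the phone's login with `mosquitto_passwd -c /etc/mosquitto/external.passwd phone`, then start the two brokers as separate processes (`mosquitto -c /etc/mosquitto/external.conf` and `mosquitto -c /etc/mosquitto/internal.conf`, or two systemd units as described above); the distinct `pid_file` lines are what let both run on one host. Home Assistant's MQTT integration and the Nmap/consider_home setup stay on the internal broker, and the only port forwarded from the router is the one that reaches 8883. A quick check that the exposure really is limited to that one listener is `ss -tlnp`: 8883 should be the only Mosquitto socket bound to all interfaces, with 1883 showing up only on 127.0.0.1 and the LAN address. If the external broker lives on a VPS instead, as other replies suggest, the same two files apply; only the bridge `address` and the firewall rule that allows the two hosts to talk change.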

I didn’t even notice that in the diagram. I see ‘external’ and just assume an external server. That is how I set mine up.