I want to run the server online. I have already installed it and now I don’t know how to open this server to the world safely. Can you give me instructions step by step? (I have an RPi Zero W and a Tenda router.) I have read something about Host DMZ.
It’s better to use port forwarding, which is discussed many times in this forum. The most recent one:
Now on PC I can log in to the admin console, but on the Blynk application I can’t. I haven’t done anything yet. Is it normal?
So it’s good that you can log into the Blynk local server (or just server) admin page. This is a good start, as you already knew your local IP address of the server. But there are still many things to do. You can patiently follow step by step.
- Try to use your phone Blynk APP to create an account, then log into the server to verify. You have to use the local IP address (for example: 192.168.0.105) of the server and port 9443 and the Custom Server settings in the APP. If you can log into the server and create an account, you can move to next step.
- Make your local server IP address static by going to the Tenda router, setting the Static IP Address Lease list, using your server MAC address and local IP you want for the server, say 192.168.0.105. To find out your RPi MAC address, you can either
a) see in router’s DHCP Server list (xx.xx.xx.xx.xx with 192.168.0.105) or
b) use ifconfig command in RPi Zero W SSH terminal.
pi@raspberrypi-02:~ $ ifconfig
wlan0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 192.168.0.105 netmask 255.255.255.0 broadcast 192.168.0.255
...
ether b8:27:eb:44:bd:7a txqueuelen 1000 (Ethernet)
...
If OK, go to the next step.
- Port forward the ports 9443/8080/443 to your server @192.168.0.105. You can use DMZ Host temporarily just to test as this practice is not safe. I believe all these 2 settings are done in Virtual Servers menu of Tenda. Then testing by
a. Find out your global IP Address by either looking in your System Status menu of the Tenda or go to [ https://whatismyipaddress.com/ip-lookup ]. It will be something else, for example 206.a.b.c. If you get this global IP Address from the router such as 192.168.x.x, 10.10.x.x, or 172.16.x.x to 172.31.x.x, your ISP is using Double NAT and you have no way to access your server from outside network. If OK, go to next step
b. Check if your ports (forwarded in step 3) are opened by going to http://www.portchecktool.com/
If OK, go to next step
c. Point your Browser to your global server IP, port 9443:
For example : https://206.a.b.c:9443/admin
If this step is OK, you’ve almost finished.
- Read the note and follow the steps posted above to have DDNS. Then finish your configurations.
I think this is the maximum I can help you with. The rest is in your hands. Good luck.
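Step 3.a above, as an added example that is not part of the original posts: a Python check of whether the WAN address shown by the router is publicly routable and matches what an outside lookup reports. It uses the full RFC 1918 blocks and also treats 100.64.0.0/10 (carrier-grade NAT, RFC 6598) as non-public, which goes beyond the ranges named in the post; function names and sample addresses are constructed.

```python
import ipaddress

# Address blocks that are never reachable from the internet. The three
# RFC 1918 blocks cover the ranges named in the post; 100.64.0.0/10
# (RFC 6598, carrier-grade NAT) is added by this example.
NON_PUBLIC = [
    ("10.0.0.0/8", "RFC 1918 private"),
    ("172.16.0.0/12", "RFC 1918 private"),
    ("192.168.0.0/16", "RFC 1918 private"),
    ("100.64.0.0/10", "RFC 6598 carrier-grade NAT"),
]


def classify(ip):
    """Return the label of the non-public block containing ip, or 'public'."""
    addr = ipaddress.ip_address(ip)
    for cidr, label in NON_PUBLIC:
        if addr in ipaddress.ip_network(cidr):
            return label
    return "public"


def double_nat_verdict(router_wan_ip, seen_from_internet_ip):
    """Compare the WAN address shown in the router's status page with the
    address an external lookup service reports for the same connection."""
    kind = classify(router_wan_ip)
    if kind != "public":
        return "double NAT: router WAN address is " + kind
    if router_wan_ip != seen_from_internet_ip:
        return "double NAT: WAN address differs from the address seen outside"
    return "no double NAT: forwarding on this router can work"


if __name__ == "__main__":
    # Constructed sample values (documentation ranges, not real hosts).
    samples = [
        ("203.0.113.10", "203.0.113.10"),
        ("100.72.5.9", "203.0.113.10"),
        ("192.168.1.2", "198.51.100.7"),
    ]
    for wan, outside in samples:
        print(wan, "->", double_nat_verdict(wan, outside))
```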
I think I have double NAT. I made port forwarding, and I can connect locally to the RPi, Blynk server and Blynk client (on Android), but when I am using cellular data I can’t connect.
Not so soon with your conclusion of Double NAT. Whatever you saw in ifconfig is just the local IP address. You have to follow step 3.a to know.
You’ve made a lot of good moves so far. Keep going.
You don’t need Docker to solve this issue.
Connection Refused means you have the port 9443 opened (thanks to DMZ Host), but no application is actually running @ that DMZ host to accept the incoming connection. The DMZ Host will send a TCP RST packet back to the source to tell that Connection refused.
So, you have to check:
- Your DMZ host was actually set to be your local server RPi IP Address, say @192.168.0.105, same as in ifconfig?
- Did you make local server RPi local IP address static so that every time RPi restarts, its local IP Address is always the same (say 192.168.0.105), and it’s really the DMZ host? Use ifconfig to check again. You make local IP address static by following step 2 of previous post:
Make your local server IP address static by going to the Tenda router, setting the Static IP Address Lease list, using your server MAC address and local IP you want for the server, say 192.168.0.105
To find out your RPi MAC address, you can either
a) see in router’s DHCP Server list ( xx.xx.xx.xx.xx with 192.168.0.105) or
b) use ifconfig command in RPi Zero W SSH terminal.
- How did you connect to your local Blynk Server using your app? Which address and port? Are you sure you used port 9443 and the same local IP Address as the DMZ Host?
- You can also check server.properties file to be sure the ports are set correctly:
#http, plain web sockets and plain hardware port
http.port=8080
#secured https, web sockets and app port
https.port=9443
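The Connection Refused reasoning above, as an added example that is not part of the original posts: a Python probe, run from outside the LAN (for example over cellular data), that separates a refused connection (TCP RST) from no answer at all. The function names, the placeholder host name and the hint texts are assumptions of this example; the hints summarise checks named in this thread.

```python
import socket

# What each result points to, summarising the checks discussed in this thread.
HINTS = {
    "open": "a listener answered: forwarding and the server are both working",
    "refused": "a host answered with TCP RST: check that the forward/DMZ target "
               "is the server's static LAN IP and that the server listens on this port",
    "no-answer": "nothing answered: port not forwarded, router not forwarding, "
                 "double NAT, or the ISP blocks the port",
    "error": "could not attempt the connection (name resolution or routing)",
}


def outcome(exc):
    """Map the exception from a connect attempt (None on success) to a state."""
    if exc is None:
        return "open"
    if isinstance(exc, ConnectionRefusedError):
        return "refused"        # RST received: reachable host, closed port
    if isinstance(exc, socket.timeout):
        return "no-answer"      # SYN went unanswered until the timeout
    return "error"


def probe(host, port, timeout=3.0):
    """Try one TCP connection to host:port and classify the result."""
    try:
        socket.create_connection((host, port), timeout=timeout).close()
    except OSError as exc:      # refused and timeout are both OSError subclasses
        return outcome(exc)
    return outcome(None)


if __name__ == "__main__":
    # Placeholder name: replace with your own DDNS name or WAN address.
    host = "your-ddns-name.example"
    for port in (9443, 8080):   # https.port and http.port from server.properties
        state = probe(host, port)
        print(port, state, "-", HINTS[state])
```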
1. YES
2. YES
3. I used my public address and port 9443
4. Everything is OK!
I scanned my public IP and:
I tried to check and saw the ports 9443 / 8080 of your WAN (public) IP Address (94.232.156.xxx) are still not open.
Assuming the steps you’ve done are correct, there are some other possibilities such as
- Your Tenda router is not working correctly (not forwarding ports, etc.). Can you change the router to test?
- Your ISP (in some parts of the world) blocks the ports
You can do some more research about this old issue at How to setup my Blynk local server so that I can use it from out side my local network
Good luck.
OK, I got along with my ISP and now I have a server, but I don’t know why the certificate is not generating.
I used Automatic Let’s Encrypt certificates generation.
I have registered a domain on duckdns from a public address.
Now I can’t get into the admin API.
Now I can’t get into the admin API.
You have to forward port as you did in previous post.
You have to remove DMZ host. Using port forwarding is enough. If you still use unsafe DMZ Host, you don’t need to make your server using SSL.
- You have done many things correctly and your Blynk Local Server is up and running now. You are very good.
- The SSL Certificate is much more complicated, you have to research previous posts in this forum. If you still have issue, I suggest you open a new topic.
Some place to start your research:
Automatic Let's Encrypt certificates generation
Latest Blynk server has super cool feature - automatic Let's Encrypt certificates generation. However, it has few requirements:
Add server.host property in server.properties file. For example :
server.host=myhost.com
IP is not supported, this is the limitation of Let's Encrypt. Also have in mind that myhost.com should be resolved by public DNS servers.
Add contact.email property in server.properties. For example :
contact.email=test@gmail.com
You need to start server on port 80 (requires root or admin rights) or make port forwarding to default Blynk HTTP port - 8080.
That's it! Run server as regular and certificates will be generated automatically.
Manual Let's Encrypt SSL/TLS Certificates
First install certbot on your server (machine where you are going to run Blynk Server)
wget https://dl.eff.org/certbot-auto
chmod a+x certbot-auto
Generate and verify certificates (your server should be connected to internet and have open 80/443 ports)
./certbot-auto certonly --agree-tos --email YOUR_EMAIL --standalone -d YOUR_HOST
For example
./certbot-auto certonly --agree-tos --email pupkin@blynk.cc --standalone -d blynk.cc
Then add to your server.properties file (in folder with server.jar)
server.ssl.cert=/etc/letsencrypt/live/YOUR_HOST/fullchain.pem
server.ssl.key=/etc/letsencrypt/live/YOUR_HOST/privkey.pem
server.ssl.key.pass=
Generate own SSL certificates
Generate self-signed certificate and key
openssl req -x509 -nodes -days 1825 -newkey rsa:2048 -keyout server.key -out server.crt
Convert server.key to PKCS#8 private key file in PEM format
openssl pkcs8 -topk8 -inform PEM -outform PEM -in server.key -out server.pem
If you connect hardware with USB script you have to provide an option '-s' pointing to "common name" (hostname) you specified during certificate generation.
As an output you'll retrieve server.crt and server.pem files that you need to provide for server.ssl properties.
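The requirements listed above for automatic Let's Encrypt generation, as an added example that is not part of the original posts or of the Blynk project: a Python pre-check of a server.properties file. The function names and sample files are constructed for this example, and reading the port requirement as "external port 80 reaches http.port" is an assumption.

```python
import ipaddress


def parse_properties(text):
    """Parse key=value lines, skipping blanks and # comments."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, value = line.split("=", 1)
            props[key.strip()] = value.strip()
    return props


def is_ip_literal(value):
    """True when value parses as an IPv4 or IPv6 address."""
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False


def letsencrypt_preflight(text):
    """Return findings to resolve or confirm before automatic issuance."""
    props = parse_properties(text)
    findings = []
    host = props.get("server.host", "")
    if not host:
        findings.append("server.host is missing")
    elif is_ip_literal(host):
        findings.append("server.host is an IP address, a DNS name is required")
    if not props.get("contact.email"):
        findings.append("contact.email is missing")
    http_port = props.get("http.port", "8080")  # 8080 is the default HTTP port
    if http_port != "80":
        findings.append("confirm external port 80 is forwarded to port " + http_port)
    return findings


# Constructed sample files, not taken from the thread.
BAD = "http.port=8080\nhttps.port=9443\nserver.host=203.0.113.10\n"
GOOD = "http.port=8080\nserver.host=myhome.example.org\ncontact.email=me@example.org\n"

if __name__ == "__main__":
    for name, text in (("BAD", BAD), ("GOOD", GOOD)):
        print(name, letsencrypt_preflight(text))
```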
So if I use port forwarding, is this the secure way?
For your home purpose / application, IMHO, I think the port forwarding, instead of DMZ Host, is good enough. Certainly, if you can make SSL work, why not use it?
The reasons we use SSL are:
Quote
#SSL Encrypts Sensitive Information
The primary reason why SSL is used is to keep sensitive information sent across the Internet encrypted so that only the intended recipient can access it. This is important because the information you send on the Internet is passed from computer to computer to get to the destination server. Any computer in between you and the server can see your credit card numbers, usernames and passwords, and other sensitive information if it is not encrypted with an SSL certificate. When an SSL certificate is used, the information becomes unreadable to everyone except for the server you are sending the information to. This protects it from hackers and identity thieves.
#SSL Provides Authentication
In addition to encryption, a proper SSL certificate also provides authentication. This means you can be sure that you are sending information to the right server and not to an imposter trying to steal your information. Why is this important? The nature of the Internet means that your customers will often be sending information through several computers. Any of these computers could pretend to be your website and trick your users into sending them personal information. It is only possible to avoid this by getting an SSL Certificate from a trusted SSL provider.
Why are SSL providers important? Trusted SSL providers will only issue an SSL certificate to a verified company that has gone through several identity checks. Certain types of SSL certificates, like EV SSL Certificates, require more validation than others. How do you know if an SSL provider is trusted? You can use our SSL Wizard to compare SSL providers that are included in most web browsers. Web browser manufacturers verify that SSL providers are following specific practices and have been audited by a third-party using a standard such as WebTrust.
#SSL Provides Trust
Web browsers give visual cues, such as a lock icon or a green bar, to make sure visitors know when their connection is secured. This means that they will trust your website more when they see these cues and will be more likely to buy from you. SSL providers will also give you a trust seal that instills more trust in your customers.
Read more in https://www.sslshopper.com/why-ssl-the-purpose-of-using-ssl-certificates.html
ok thank you