Local Blynk server accessible from the Internet: How to secure?

Hi,
I’ve just installed my local Blynk server (as a Docker container) at my hosted server.
I see that a “local Blynk server” is recommended for better security. But it is true only for servers hosted in the private LAN (not accessible from the Internet). But I need it to be accessible from the Internet (Android app, devices from several locations).
So I definitely need to secure it. Are there any best practices or something like this?

My ideas:

  1. Remove default administrator
    I’ve connected with the App, added a user.
    Changed his “isSuperAdmin” property to True.
    Deleted admin@blynk.cc
    Changed default name and password (so in case of this user will be deleted a “default” admin created automatically will have “non default” email and password)

  2. I publish only 9443 port
    Non-SSL HTTP API and WebSockets 8080 and MQTT 8440 are not published (until I need them).
    I guess it is enough also for my ESP8266 (have not tried yet, prefer to secure my server before starting to actually use it)
    At the same I’ve seen that 8080 is a must for the local Blynk server… Not sure…

  3. Brute-force?
    How to configure fail2ban or something like this to block IPs after 2-3 unsuccessful connections?
    Both for admin (https://…:9443) and from the App.
    Multiple tries to present incorrect Auth Token?

  4. Block the possibility to Create new accounts.
    Only one account with several projects is enough for me.

  5. Is it OK to use administrator account also for projects?
    As it is a very bad practice to work under root I guess it is better to use an administrator account created on the Step#1 only for https://…:9443
    I’ve created another account (isSuperAdmin=false) for projects (non-privileged user for the App)
    Is there any sense?

  6. Is it possible to stop the https://…:9443/admin and keep only App and devices connections to this port?
    Administrative access is needed quite rarely and I’d like to start it manually only when needed.

Any comments and suggestions are highly appreciated.


…just don’t expose it…have a look at zerotier. You can use a free plan, a docker on your central system and IOS/Android App…deploy it, add your local and zerotier network in your firewall/routes and use the blynk app along with your local blynk server just like you do from your local network, when zerotier is up and running.

…works for me like a charm.

I see a zerotier package for OpenWRT. Probably it can allow connecting IoT devices from multiple locations… Interesting idea.
Thank you!

Yes, there is.
But the setup there is not like 1,2,3,finish.
I tried it on my g.li slate when I got it last year but did only partly succeed. I could not get the local firewall of the openWRT side to route between zerotier network, I could ping its zerotier interface from my other nodes, though. Maybe a problem with the openWRT firmware of the g.li, which was in an early state back then.
Android/IOS/Windows/Linux however work like expected…just add routes of your “edge networks” in zerotier central, too.

Different scenarios are possible…
I’ll try. Thank you.

@hominidae Does this zerotier only help you access your control panel on local server or can you manipulate your projects on the server via the blynk app? Also does this require a static public IP?

Yes, I can use the Blynk App and run/create/maintain projects on my server from anywhere. As long as the IP of the server is used in the app config (name resolution is tricky inside zerotier network) and the zerotier client (VPN) is up/connected all is fine.

What zerotier does is offering you to create a private IP-network (ipv4, ipv6), accessible from anywhere.
All devices will connect to the cloud based zerotier server with a client, so the local device IP is not of relevance. All that is needed is internet access and the zerotier client.
I am using this, by defining routes to my local network(s), using the respective zerotier-interface of the device as gateway. This way I can not only connect to devices that have joined the zerotier network, but also to all my devices behind them (if they are a gateway). It is only routing/firewall configuration knowledge that needs to be applied.

Would you be willing to step me through it I have just enough network/firewall experience that I think it would be possible.
What address do I put here?

I installed ZeroTier, created a network and joined it with the PC that is running the server.

congrats!
Did you get the app and connection working as well?

I am not getting the Blynk app connected.

OK, what you are saying is, that the PC running Blynk server is also running zerotier client?

Then you need to:

  • configure blynk app locally (via WLAN) to connect to your local Blynk server. Use the IP of your server, not the dns-name (i.e. 192.168.0.55)
  • confirm on your PC running Blynk and zerotier, that - when zerotier is connected - there is an IP route pointing to the zerotier network (i.e 10.147.18.0/24) with gateway being the local zerotier interface
  • install zerotier app on your mobile and connect / go online
  • in zerotier central, do…

…confirm that your PC running the zerotier client is successfully connected (state ONLINE) and authorized (auth checkbox).
…note down the IP of that PC inside the zerotier network
…create a route to your local network (192.168.0.0/24) with gateway being the zerotier IP of your PC
…confirm that your mobile zerotier is connected (online and authorized)
…launch the Blynk app and connect :wink:

Edit: …oh, and make sure that the zerotier IP of your PC is/stays fixed (re-add it under managed IP, manually in the settings in zt-central)

Thanks a bunch, the layout is making more sense! Create a network with your computer and phone, then you are running locally everywhere… Will work on it the next week and see if I can get it going…

yep…you can also try in parallel with a second client, like a laptop. Setup in Win is super easy.
Just don’t test from inside your own, home network (use a mobile connection).
The best thing is, that you locally don’t have to run a service and expose anything in order to connect clients or even complete sites…just maintaining routing tables.

good luck…let us know how it will work for you.

Ok, how exactly is this done? In ZeroTier central or in my router…

…in zt-central.

Edit: and if your local PC running zt-client and PC running Blynk server are not the same, you also need to configure a route to the zt-network with the local IP of the ZT-PC as gateway inside your router

So obviously that is here

So (via) is my server address. Where do I find the address for destination?

nope…it is the other way around.
Destination is the destination network (192.168.168.0/24) and via is the zt-ip of the PC running the zt-client…you find it on the same page, further down in the members section…managed IPs column.

Remember, in zt-central you are configuring the zt-network.
Destination routes point/are outside of that network and gateways (via) are the devices (zt-IP) that act as gateway.
This declares traffic from zt to outside.

In order to have a bi-directional connection, outside networks need a route into zt.
like destination: 10.11.12.0/24 and gateway (via) the local IP of the host running zt-client (192.168.168.1) …this needs to be applied in the local router, managing 192.168.168.0/24

Edit: this is how it looks on my zt-central routing page:

Obviously I am connecting two sites via zt, one with multiple networks, like 192.168.[0|10|20|30|40].0/24 via 10.x.x.25 and one with 192.168.8.0/24 via 10.x.x.254

@hominidae Guess I’m dumber than I thought :stuck_out_tongue_winking_eye:
Before we go further… if I understand it doesn’t make any difference if my public ip is changing every second. This will work as long as the ZT clients are running.

I guess I should try giving you a bit of a map and see if you can tell me where to input each.

Fake ips of course.:slightly_smiling_face:

PC running server - 192.168.2.99
Default gateway (router) 192.168.2.1

Blynk app 192.168.2.99:9443

ZT
PC server (running ZT) managed ip 172.26.48.3
PC server (running ZT) physical ip 196.188.230.51
Iphone managed ip 172.26.151.68
Iphone physical ip (unknown)
So what routes do I need to add in this example?

Side question: what does the 0/24 part mean? Do all my local IPs need to be in that range?

OK, let’s first confirm that blynk app can connect to blynk server locally (i.e. via WLAN) just fine?

Now, the physical/external IP of the PC running ZT does not count…
What is its local IP and - if not the same as PC running Blynk server - can these PCs reach (like ping) each other via their local IPs?

Oh, and …0/24 part is referring to the complete (all IPs in it) network of that range…24 being the netmask (24 or 255.255.255.0)

Edit2: …need to go and I’ll be offline for a couple days.

Try this:

add a managed route in ZT-> 192.168.2.0/24 via 172.26.48.3
This is all that is needed if pc running ZT and PC running Blynk have the same local IP (192.168.2.99)

If your PC running ZT has a different IP in the same local network (like 192.168.2.100), add a route in your local router like this -> 172.26.48.0/24 via 192.168.2.100

If your PC running ZT is in a different local network from the PC running Blynk server (i.e. with IP 192.168.99.100), add a managed route to this net in ZT central as well -> 192.168.99.0/24 via 172.26.48.3 and change/create the local route in your router like this: 172.26.48.0/24 via 192.168.99.100

…this should do it.
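The three cases in the post above (ZT client on the Blynk PC, on another PC in the same LAN, or on a PC in a different LAN) as an added route planner; this is example code written for this thread, not part of ZeroTier or Blynk. It assumes /24 LANs and takes the ZeroTier network as 172.26.48.0/24 from the thread; the real managed-IP pool is shown in ZT Central and may be larger (the iPhone's 172.26.151.68 above suggests it is), so the function refuses a gateway that falls outside the network you give it.

```python
import ipaddress


def plan_zt_routes(server_ip, zt_host_ip, zt_host_managed_ip,
                   zt_network="172.26.48.0/24", lan_prefix=24):
    """Return the routes needed to reach a Blynk server through ZeroTier.

    server_ip           LAN IP of the PC running the Blynk server
    zt_host_ip          LAN IP of the PC running the ZeroTier client
    zt_host_managed_ip  managed (ZT) IP of that PC, used as the gateway
    zt_network          ZeroTier managed-IP pool (assumed; read it from
                        ZT Central, the thread's /24 may be too narrow)
    lan_prefix          netmask length of the LANs (24 = 255.255.255.0)

    Result: {"zt_central": [(dest, via), ...], "local_router": [...]}
    """
    server = ipaddress.ip_address(server_ip)
    zt_host = ipaddress.ip_address(zt_host_ip)
    zt_gw = ipaddress.ip_address(zt_host_managed_ip)
    zt_net = ipaddress.ip_network(zt_network)
    if zt_gw not in zt_net:
        # A gateway outside the pool means the pool size was guessed wrong.
        raise ValueError(f"{zt_gw} is not inside ZeroTier network {zt_net}")

    server_lan = ipaddress.ip_network(f"{server}/{lan_prefix}", strict=False)
    zt_host_lan = ipaddress.ip_network(f"{zt_host}/{lan_prefix}", strict=False)

    # ZT Central managed route: ZT clients reach the Blynk server's LAN
    # through the managed IP of the PC running the ZT client.
    zt_central = [(str(server_lan), str(zt_gw))]
    local_router = []

    if server == zt_host:
        # Case 1: same machine, replies leave through its own ZT interface.
        pass
    elif zt_host in server_lan:
        # Case 2: same LAN, different PC: the Blynk PC sends replies to
        # its default gateway, so the router needs a route into ZT.
        local_router.append((str(zt_net), str(zt_host)))
    else:
        # Case 3: ZT PC on another LAN: ZT Central must also know that LAN,
        # and the router still needs the return route into ZT.
        zt_central.append((str(zt_host_lan), str(zt_gw)))
        local_router.append((str(zt_net), str(zt_host)))

    return {"zt_central": zt_central, "local_router": local_router}
```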