Local Blynk server accessible from the Internet: How to secure?

Yes the app and server connect great over WLAN.

PC used for server is running ZT so no other connectivity there.

Added the managed route 192.168.2.0/24 via 172.26.48.3.
Both devices say “online”. If it was a firewall issue it would not say online, right?

Still doesn’t work. I guess I’ll have to give it up. Maybe it doesn’t work right on iPhone…

It definitely should work.
In zt central, both PC and iPhone are authorized (auth checkbox)?
…and PC still has that same zt-IP??
As a last resort, try and ping both zt-IPs from a terminal on the server PC…if this doesn’t work, disable ipv6 on the iPhone zt client.

Yes Auth check boxes are checked.

This is the only settings I have on the phone.

Where do I find the IPv6 settings?

So yeah, if I try just typing ping 172.26.151.68 (iPhone managed IP), the very first time it said destination host not available, then after that it just timed out…

K. I have been doing some more messing around. I wonder if it was working all along… it is just that our cell data is so slow that it gives “ttl expired” pings on data. On WiFi the ping to my server (from within my server) is less than 1 ms; the ping to my phone ranges from 13-130 ms. I will try from a better data spot tomorrow and see how it goes.

IPv6 is a global setting in the app, not in the network, at least here on the Android version.

Ok, so at least the connection is working if the iPhone can be pinged.
As a last resort, also try and enable the default route option in the iPhone zt-network. It will actually block internet access for other apps on your phone, but the blynk app will not be affected and it might change the behaviour of the firewall on the iPhone…at least for a test.
And yes, a good, decent mobile connection is required, although blynk is not that hungry…remember, you are tunneling IP inside a virtual ethernet tunnel, created over UDP…lots of layers…3G is mandatory, I would guess.

@hominidae, it looks like I understand how to connect several devices with installed ZT clients.
Could you please clarify if the same approach can be used to connect 2 networks having ZT client only on routers?
I mean:
Site 1: Laptop, Smartphones, NAS, printer, camera. Default gateway for them is a WiFi router with ZT-client
Site 2: Laptop, Smartphones. Default gateway for them is a WiFi router with ZT-client

Can Laptop (without ZT-client) from the Site 2 access NAS, printer, camera at the Site 1?

Normally in order to achieve that I need to establish an IPSEC VPN tunnel between routers. But I can’t because both of them are behind Hide NAT.
Probably ZT can allow Router1 and Router2 to connect each other and establish an IPSEC VPN tunnel?
Or is ZT enough (no need for an extra VPN on top of ZT)?

Yes, that’s the way I use it (although not with a ZT-client on the router but in a docker, in a separate vlan, on my NAS).
When connected to ZT, use the ZT-network(s) as transfer nets, by adjusting your local routing paths. That is all that is needed.

As the ZT-connection/tunnel is initiated from your local site to zt-central, you do not need an IPSEC-VPN. All you need to do is make sure that your client is really connected and authenticated to zt-central and your zt-network(s).

As said earlier, I did not succeed in getting it to work on openWRT, but using a “real” PC/docker for the zt-client and then adjusting routes in my local routers does work fine for a site-2-site scenario. IMHO the flaw is in openWRT at this point in time (although I did not test/verify it during the last 6 months).
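A way to derive those adjusted routes for the two-site case discussed above, as an added example that is not part of this thread: it covers both the ZT-on-router and ZT-on-a-separate-box (NAS docker) layouts and refuses overlapping subnets, which break site-2-site routing silently. All LAN, router and ZT addresses are constructed, and 172.26.0.0/16 as the ZT pool is an assumption.

```python
import ipaddress

def plan_site_to_site(zt_pool, sites):
    """Derive the routes needed to join LANs over a ZeroTier network used as a transfer net.

    zt_pool: the ZT network's assigned address range (constructed value here).
    sites:   dicts with keys name, lan, router, zt_host (LAN IP of the box running the ZT
             client; same as router when the router itself runs ZT) and zt_ip.
    Returns {site name: [route commands]} for each site's ZT host and, when the ZT client
    lives on a separate box such as a NAS docker, for that site's router as well.
    Raises ValueError on overlapping subnets or a ZT address outside the pool: both make
    traffic vanish silently (members still show "online", yet nothing answers).
    """
    pool = ipaddress.ip_network(zt_pool)
    parsed = []
    for s in sites:
        lan = ipaddress.ip_network(s["lan"])
        zt = ipaddress.ip_address(s["zt_ip"])
        if zt not in pool:
            raise ValueError(f"{s['name']}: ZT address {zt} is outside {pool}")
        if lan.overlaps(pool):
            raise ValueError(f"{s['name']}: LAN {lan} overlaps the ZT pool {pool}")
        parsed.append((s, lan, zt))
    for i, (a, lan_a, _) in enumerate(parsed):
        for b, lan_b, _ in parsed[i + 1:]:
            if lan_a.overlaps(lan_b):
                raise ValueError(f"LANs of {a['name']} and {b['name']} overlap: {lan_a} / {lan_b}")
    plan = {}
    for s, _, _ in parsed:
        cmds = [f"{s['zt_host']}: sysctl -w net.ipv4.ip_forward=1"]
        for o, o_lan, o_zt in parsed:
            if o is s:
                continue
            # ZT host: the remote LAN sits behind the remote ZT address, on-link on the zt interface
            cmds.append(f"{s['zt_host']}: ip route add {o_lan} via {o_zt}")
            # Router: only needed when the ZT client is not on the router itself
            if s["zt_host"] != s["router"]:
                cmds.append(f"{s['router']}: ip route add {o_lan} via {s['zt_host']}")
        plan[s["name"]] = cmds
    return plan

if __name__ == "__main__":
    # Constructed values; 192.168.2.0/24 via 172.26.48.3 mirrors the managed route quoted earlier in the thread
    SITES = [
        {"name": "site1", "lan": "192.168.2.0/24", "router": "192.168.2.1", "zt_host": "192.168.2.1", "zt_ip": "172.26.48.3"},
        {"name": "site2", "lan": "192.168.3.0/24", "router": "192.168.3.1", "zt_host": "192.168.3.10", "zt_ip": "172.26.151.68"},
    ]
    for site, cmds in plan_site_to_site("172.26.0.0/16", SITES).items():
        print(site, *cmds, sep="\n  ")
```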

OK. Docker is good as well.

There are pre-manufactured NAS packages on github.
I am using a “raw” docker, where the docker engine is running on my x86 “homebrew” NAS (unraid is the OS here). I am separating the different networks in vlans, so I can make sure that my router does take care of all the routing and no host in between…ZT has its own vlan locally.

Blynk server is also a docker on that NAS, but in a different network (vlan)

Blynk on NAS as well???
It looks like your NAS is very powerful :slight_smile:
I was supposed to use an old laptop for dockers with Blynk, ZT, ioBroker…
But I’m still not sure if I’ll have to run ioBroker in the container in Bridge mode to properly intercept multicasts from Zigbee devices (if it might affect also ZT installation).

Well, yes…headroom is not very expensive in terms of energy, when choosing a cpu that can idle low.
I am running an i3-8100 (quad core 3.7 GHz with 8 GB RAM, 2x1TB 2.5" data storage and 2x128GB SSDs cache/docker/VM store, plus a quad NIC, 5 NICs in total).
Dockers for Blynk, mqtt, ZT, pihole, node-red, portainer which are active 24x7…my main router is a mikrotik CHR in a VM on that NAS as well, with the QUAD NIC in passthrough…very compact and idling at 10-12W…my real NAS is a bit larger with 24 disks, but sleeps until it is needed (saving energy).

Multicasts is something I don’t use across networks…don’t know if there is a way to do it properly that way…I’d aim for a multi-homed install…VLANs should work on the same NIC as well, when the bandwidth is not needed/the requirement is low.
…by creating VLANs on the host, then assigning multiple IPs to the docker, creating a multi-homed docker image, I mean.

Interesting.
BTW, VLANs and individual logical interface per container - nice idea! Should be very convenient.

Yes, setting one interface in bridge mode should not affect the other vlan-based interfaces, although being on the same physical NIC.

K. I got off WiFi to a better network and it still didn’t work.

Well, then I am out of my wits here.
Can you test the network setup with another client, like a laptop? If your settings are correct, you should be able to ping the server from it and reach the web based blynk admin service. You can also try with an android based phone and blynk app.

What’s the type of WAN connection on the local server site? Are you running a double NAT setup and/or wireless uplink by any chance?

How to connect ESP to server

@Benoben you’ve posted in two existing topics, and created a new topic of your own.

All this achieves is for forum members to have a partial understanding of what it is that you are trying to achieve, and for you to receive out-of-context and irrelevant answers, because you are asking one-line questions rather than taking the time to explain fully what your setup is, and what it is that you are trying to achieve.

I’d suggest that you go back to the topic you created, explain in detail what it is that you are trying to achieve, and have one conversation, in one location, about how best to achieve that.

Pete.