C4 Forums | Control4

Remote access problem


:( For the last couple of days I can no longer access my system from my iPhone app (both system and app are 2.4).

Now when I try to access through my.control4.com and try Web Navigator, I get this message: "Bringing controller online...please wait about 30s and refresh" but it never seems to do anything.

I receive text messages from the system, also TuneIn is working but Rhapsody is awful. Plays 1 song then stops or takes forever to play the next one. Don't know if it is related??

Thanks for your help!!

I have 5 Mbps DSL. My router was a Cisco EA4500, but on the weekend, while doing some troubleshooting on the issue, it died. Right now I am using the ISP-provided Thomson TG782. This weekend I will get a new router; what is recommended?

Everything worked fine for a couple of weeks, then the problem began.

Depends on how large your C4 system is, how many other IP devices will be on the network and what other requirements you have. If all you need is a simple router that can be DIY, look at the Netgear WNDR4500.

I have the same problem as Bullseye. Remote access worked on my iPad Sunday morning and has been steadily deteriorating. At this point I can no longer access my system remotely via iPad or from the Internet site which sucks since I am on holidays.

Now when I try to access through my.control4.com and try Web Navigator, I get this message: "Bringing controller online...please wait about 30s and refresh" but it never seems to do anything!!

And it won't until you re-select Web Navigator. This is the so-called "refresh".

Now when I try to access through my.control4.com and try Web Navigator, I get this message: "Bringing controller online...please wait about 30s and refresh" but it never seems to do anything!!

And it won't until you re-select Web Navigator. This is the so-called "refresh".

That makes no difference on my system. It just brings me back to the same screen.

Go to any navigator in the house and do a service check-in; this should update any IP address changes and reset the "heartbeat" for the OpenVPN connection. This *might* only work for 24 hours.

My suggestion: get a good VPN solution. C4's implementation is fraught with all kinds of issues, including the inability to set a customer password or security key, essentially leaving everyone vulnerable to a shared key leak from Control4 employees / contractors or a man-in-the-middle intercept...

Anyway, it's a lot better than port forwarding :)

My suggestion: get a good VPN solution. C4's implementation is fraught with all kinds of issues, including the inability to set a customer password or security key, essentially leaving everyone vulnerable to a shared key leak from Control4 employees / contractors or a man-in-the-middle intercept...

WTF are you talking about? Control4's implementation of remote access REQUIRES the customer's email/password. There's no "inability to set a customer password". Furthermore, the remote access for the mobile apps is as secure from man-in-the-middle intercepts as your bank app on your iPhone. It uses the same bank-grade encryption.

No, all OpenVPN connections are between C4 and the controller and then C4 and the iOS / Android app.

You are VPN'ing to C4's servers and they are then passing the connection to your controller via an OpenVPN tunnel.

The C4 and home controller connection uses a stock certificate with a standard password across all controllers; there is no user name and password here.

The C4 and iOS VPN via 4Sight uses the username and password plus a standard certificate to connect.

Anyone gaining access to the shared and private keys between C4 and the controllers would be able to gain access to any C4 controller, regardless of your 4Sight username and password.

MIM attacks are far easier if I can capture the certificate, which sits in the open on all controllers, even ones available on eBay upgraded to the latest software, which I hope changes the keys each version... Still, I'd need the C4-side certificate, which would be harder to acquire.

Technically the whole 4Sight access anywhere is a Man in the Middle solution, where C4's servers are the middleware.

Still, it is better than port forwarding. Until I can set my own certificate on the OpenVPN connection to C4 on my controllers, I will not consider C4's solution using 4Sight and C4 servers secure and still recommend installing your own VPN.

Eliminate C4 in the middle and go directly to your house.

Eliminate C4 in the middle and go directly to your house.

I'm not an expert on VPNs in general or specifically Control4's remote access VPN infrastructure, but I believe this is for the most part correct.

Other than I wouldn't really term Control4 a 'man in the middle', as that's typically a term used for an unauthorized person coming between 'Alice' and 'Bob'...

Excellent summary, and while creating your own VPN is always an option, it's not really an option for those who don't have quite a bit of network experience, or at least those who don't want to read up enough to set up their own VPN.

Thanks.

RyanE

Ryan,

Thanks, I agree, this was a HUGE step forward for C4 to stop people from port forwarding by at least offering an out of the box solution.

However, there are still security risks in opening a back door into your home network and the C4 master controller COULD be used as a vector of attack. However, now it becomes much harder: you either have to compromise the stock certificate on both ends (C4 and controller, but controller is easy, since all controllers use the same cert, might as well consider this side compromised) or exploit a known zero-day exploit in OpenVPN that due to slow (albeit faster) upgrade windows and when BusyBox would upgrade the OpenVPN install...

To my knowledge, no known exploits exist to compromise OpenVPN installs that are up to date. I have not looked at the BusyBox / Linux files on 2.4 to know if they are the latest (or close) but hopefully they are.

However, the risk, albeit small, still exists that if someone were to get their hands on the C4 OpenVPN certificate AND the controller certificate they COULD gain access to ANY C4 system, regardless of version, since OpenVPN was used for all the dealers to remotely connect. Granted, the new "feature" (or bug) that requires the controller to check in means that this potential path of attack is so minimal, it's hardly worth worrying about...

Bottom line, rolling your own VPN is the best (if you know what you are doing, or are paying someone who does); otherwise, I'd consider OpenVPN to be as secure as I trust the people who have access to the certs at C4.

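An added example, not code from any poster or from Control4, illustrating the shared-certificate concern raised in the posts above: it fingerprints the tunnel client certificate held by each device and reports which devices share one identity, so the exposure from a single leaked cert and key is visible. The device names and PEM bodies are constructed placeholder bytes, not real certificates, and the inventory layout is an assumption.

```python
import base64
import hashlib
from collections import defaultdict

BEGIN, END = "-----BEGIN CERTIFICATE-----", "-----END CERTIFICATE-----"

def make_pem(der: bytes) -> str:
    """Wrap bytes in PEM armor (only used to build the constructed samples)."""
    b64 = base64.b64encode(der).decode()
    rows = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "\n".join([BEGIN, *rows, END]) + "\n"

def pem_fingerprint(pem: str) -> str:
    """SHA-256 over the DER bytes of the first PEM certificate block."""
    body, inside = [], False
    for line in (raw.strip() for raw in pem.splitlines()):
        if line == BEGIN:
            inside, body = True, []
        elif line == END and inside:
            der = base64.b64decode("".join(body), validate=True)
            return hashlib.sha256(der).hexdigest()
        elif inside:
            body.append(line)
    raise ValueError("no complete PEM certificate block found")

def shared_identities(fleet: dict) -> dict:
    """Map fingerprint -> device names, only where 2+ devices share a cert."""
    groups = defaultdict(list)
    for device, pem in fleet.items():
        groups[pem_fingerprint(pem)].append(device)
    return {fp: sorted(d) for fp, d in groups.items() if len(d) > 1}

def blast_radius(fleet: dict, device: str) -> list:
    """Devices whose tunnel identity is exposed if `device` leaks its cert/key."""
    fp = pem_fingerprint(fleet[device])
    return sorted(d for d, pem in fleet.items() if pem_fingerprint(pem) == fp)

# Constructed inventory: three devices carry the same stock cert, one is unique.
STOCK = make_pem(b"constructed-stock-client-cert" * 8)
FLEET = {
    "controller-a": STOCK,
    "controller-b": STOCK,
    "resold-unit": STOCK,
    "controller-d": make_pem(b"constructed-per-device-cert" * 8),
}

if __name__ == "__main__":
    for fp, devices in shared_identities(FLEET).items():
        print(f"{fp[:16]}... shared by {len(devices)} devices: {devices}")
```

With per-device certificates every group has one member and `shared_identities` returns an empty dict.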

Also, there is certainly the ability to enter a NON_STOCK SSL password to your system, individual to your installation, using ComposerPro.

Yes, but this has nothing to do with the OpenVPN connection, unfortunately. This just changes the root password, which should be the first thing anyone does when they get a new controller, touchscreen, or anything else running SSH, since the default root password is well known.

Also, there is certainly the ability to enter a NON_STOCK SSL password to your system, individual to your installation, using ComposerPro.

Yes, but this has nothing to do with the OpenVPN connection, unfortunately. This just changes the root password, which should be the first thing anyone does when they get a new controller, touchscreen, or anything else running SSH, since the default root password is well known.

True and true.

Back to the initial topic.

Is Control4 accepting that remote access is having problems, or is my problem isolated?? I have heard other users have the same problem, which leads me to believe there's something happening on C4's side.

Any timeframe for a fix? Is there anything I can do??

Thanks again.

I don't speak for C4 of course, but as you mentioned, it's not a completely isolated incident. From what I've heard so far, problem is that there seem to be several reasons it's occurring. In many cases it's a router issue, in some other rarer cases it seems to be ISP problems or cell provider.

There may be more and as far as I know (and again I don't speak for C4) it's being looked at to try and find a common denominator.

I don't speak for C4 of course, but as you mentioned, it's not a completely isolated incident. From what I've heard so far, problem is that there seem to be several reasons it's occurring. In many cases it's a router issue, in some other rarer cases it seems to be ISP problems or cell provider.

There may be more and as far as I know (and again I don't speak for C4) it's being looked at to try and find a common denominator.

Thanks for your answer.

But I wonder why it worked for some weeks and then stopped working. C4 must have made "some" changes on their end that affect "some" of the users and "some" of their equipment.

Wonder when it will be fixed???

Thanks again for the info

Go into a touchscreen or Flash interface via a controller video out, or via Flash on the PC, and do a service check-in and see if it is successful. This will update the IP and "wake up" the OpenVPN tunnel.

This should then allow the iOS app to work correctly.

Go into a touchscreen or Flash interface via a controller video out, or via Flash on the PC, and do a service check-in and see if it is successful. This will update the IP and "wake up" the OpenVPN tunnel.

This should then allow the iOS app to work correctly.

Thanks for the suggestion, but I tried and it didn't work. The check-in was successful but when I try to connect remotely I still get the message "unable to connect............"

I'll keep waiting for C4

Thanks again!!!

Hey guys, not sure if I saw an answer to why this is happening. C4 made a port modification. It is now 5021 versus 5020. Make sure you are forwarding the 5021 port now. This changed in the new iOS app...

Archived

This topic is now archived and is closed to further replies.
