OpenTherm Gateway Secure remote access

This Forum is about the Opentherm gateway (OTGW) from Schelte

Moderator: hvxl

NvBgm
Starting Member
Posts: 2
Joined: Mon Feb 06, 2012 1:02 pm

OpenTherm Gateway Secure remote access

Post by NvBgm »

Hello, I am a new user of the OTGW-usb that is connected to my Remeha Calenta and works perfectly for me.
I just have one question about the remote access of the otmonitor program.
I am running the OTM program on a Raspberry that is connected to my house network.
Now I would like to connect to it from my smartphone via the internet.
I could open a port on my router but that is not a secure idea, I think.
I also read the article on the OTGW site ( http://otgw.tclcode.com/secure.html )

So I would like to set up an encrypted connection.
That's not easy (for me at least) :-) so I hope to get some answers to my questions.

First, is it possible to make the server/client certificate on my desktop with Windows 10 and copy this to the Raspberry in the auth folder?
And second, how do I set up the client certificate on my smartphone?

(Sorry for my poor English, but I hope you can read and understand it)

Nico
hvxl
Senior Member
Posts: 1965
Joined: Sat Jun 05, 2010 11:59 am

Re: OpenTherm Gateway Secure remote access

Post by hvxl »

OTMonitor works with certificate files in the standard format. So you can make them anywhere you like. Just make sure they are called server.key, server.crt, and CA.crt when you put them in the auth directory. Those are the only three needed by OTMonitor.

How to install a client certificate on your phone depends on the OS. You can search the web for instructions for your particular OS.
Schelte
gda01
Starting Member
Posts: 6
Joined: Sun Oct 02, 2016 10:38 am

Re: OpenTherm Gateway Secure remote access

Post by gda01 »

Last month (Sep 2016) I installed the Opentherm gateway. (heater: Vaillant hrPRO; thermostat: Honeywell Chronoterm Touch Modulation; Raspberry 2B, OT monitor 4.3, OT gateway 4.2.5). I created a custom page to set the Override setpoint via my android smartphone.

To have secure access, with OpenSSL I created a CA and a server certificate. (OTmonitor can create certificates using 1024-bit keys. Current browsers find that not secure enough.) In my router I configured a port forwarding. With this configuration I have https access to the OTmonitor. For authentication I need to enter a username and password. This all is working fine.

My issue is, I have not yet succeeded in getting a client certificate working.

With the OpenSSL tooling I created a client certificate, signed with my CA. I succeeded in adding the client certificate with a D-Bus command into the OTmonitor auth.db. I checked this with SQLiteBrowser.

When I configure OTmonitor to require client certificate authentication and try to access OTmonitor with my client certificate, I get the response 'forbidden:'.

So apparently OTmonitor does not recognize my certificate, or deems it invalid. In the Tcl code I see a set of validations done on the certificate, such as the expiration date and a check against auth.db. However, my understanding of Tcl is insufficient to understand the other validations.

What points should I take care of in creating a client certificate with OpenSSL that will be accepted by OTmonitor?
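The OpenSSL steps discussed in this thread, as an added example that is not from the posters or the OTMonitor project: it produces the three files hvxl names (CA.crt, server.key, server.crt) with 2048-bit keys instead of OTMonitor's 1024-bit ones, a client certificate signed by the same CA, and a PKCS#12 bundle for import on a phone, then checks that the client certificate actually chains to CA.crt. The hostname, the output directory and the "changeme" export password are placeholders; registering the certificate in auth.db is not covered here.

```shell
#!/bin/sh
# Added example (not OTMonitor's own code). Requires the openssl CLI.
set -eu

make_otgw_certs() {
    dir="$1"    # output directory (assumed: OTMonitor's auth directory)
    host="$2"   # DNS name the server certificate must match (assumed)
    days=825
    mkdir -p "$dir"
    # 1. Private CA, self-signed. CA.crt is what OTMonitor checks clients against.
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days "$days" \
        -subj "/CN=OTGW Home CA" -keyout "$dir/CA.key" -out "$dir/CA.crt" 2>/dev/null
    # 2. Server key + CSR, signed by the CA; the SAN is what modern browsers check.
    openssl req -newkey rsa:2048 -nodes -sha256 -subj "/CN=$host" \
        -keyout "$dir/server.key" -out "$dir/server.csr" 2>/dev/null
    printf 'subjectAltName=DNS:%s\n' "$host" > "$dir/server.ext"
    openssl x509 -req -in "$dir/server.csr" -CA "$dir/CA.crt" -CAkey "$dir/CA.key" \
        -CAcreateserial -days "$days" -sha256 -extfile "$dir/server.ext" \
        -out "$dir/server.crt" 2>/dev/null
    # 3. Client key + certificate, signed by the SAME CA so it chains to CA.crt.
    openssl req -newkey rsa:2048 -nodes -sha256 -subj "/CN=phone" \
        -keyout "$dir/client.key" -out "$dir/client.csr" 2>/dev/null
    openssl x509 -req -in "$dir/client.csr" -CA "$dir/CA.crt" -CAkey "$dir/CA.key" \
        -CAcreateserial -days "$days" -sha256 -out "$dir/client.crt" 2>/dev/null
    # 4. Key + cert + CA as PKCS#12, the format phones import (placeholder password).
    openssl pkcs12 -export -in "$dir/client.crt" -inkey "$dir/client.key" \
        -certfile "$dir/CA.crt" -name "otgw-client" -passout pass:changeme \
        -out "$dir/client.p12"
}

# Two checks worth running before enabling client-certificate authentication:
# the client certificate must verify against CA.crt and must not be expired.
verify_client_cert() {
    dir="$1"
    openssl verify -CAfile "$dir/CA.crt" "$dir/client.crt" >/dev/null 2>&1 &&
    openssl x509 -in "$dir/client.crt" -noout -checkend 0 >/dev/null 2>&1
}
```

Keep CA.key off the Raspberry once the certificates are issued; only CA.crt is needed there.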