
LOGIC MACHINE REMOTE MANAGEMENT
#1
Hello, is there any way to connect to the logic machine home page to access the apps without having to redirect the http port on the local router?

That is, if as an integrator (installer) I want to access the logic machine page to change a script or to see the status of KNX objects, how can I do it without redirecting port 80 (http)?

Thank you very much.
Reply
#2
The only solution for now is to use a router with VPN support. This solution is more secure than port forwarding. The next firmware will have support for a VPN client, but for this you will need your own VPN server. We will provide a tutorial on how to run it yourself by using a cheap virtual server.
Reply
#3
I have a Mikrotik router with a VPN server on my network, that would not be a problem, but the ideal would be to have a VPN client in the LM.

The VPN solution is something I have thought of, but I think it is very intrusive to the customer. Consider that connecting via VPN to the installation gives me access to the client's network, and I think that is not entirely legal.

So I am asking for some way to ONLY access the LM without doing port forwarding.

Thank you.
Reply
#4
You can try this firmware for LM5 Lite Power with OpenVPN precompiled.
Here is the instruction to make LM <---> Mikrotik OpenVPN connection.
Reply
#5
Awesome thanks.

I am going to try.
Reply
#6
Hi Edgars,

Maybe you have firmware for LM5p2-RDE? It would also be interesting to test VPN, and I also have a Mikrotik :)

BR,

Alex
Reply
#7
(15.04.2020, 08:57)edgars Wrote: you can try this firmware for LM5 Lite Power with OpenVPN precompiled.
Here is the instruction to make LM <---> Mikrotik OpenVPN connection.

Hi Edgar, I am trying to configure the OpenVPN connection, but it gives me an error.

It tells me that </CA> is missing.

My configuration file would look something like this:

client
dev tun
proto tcp
remote miip.com 1194
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
cert client.crt
key client.key
remote-cert-tls server
cipher AES-128-CBC
auth SHA1
auth-user-pass
redirect-gateway def1
verb 3
<CA>
-----BEGIN CERTIFICATE-----

my certificate

-----END CERTIFICATE-----
<cert>
-----BEGIN CERTIFICATE-----

my certificate

-----END CERTIFICATE-----
<key>
-----BEGIN ENCRYPTED PRIVATE KEY-----

my key

-----END ENCRYPTED PRIVATE KEY-----

I have removed the certificates for security.
Reply
#8
Please send your configuration file via PM
Reply
#9
Ok, I just sent it to you.

Thank you.
Reply
#10
You need to close the tags properly:
Code:
<ca>
-----BEGIN CERTIFICATE-----

my certificate

-----END CERTIFICATE-----
</ca>
<cert>
-----BEGIN CERTIFICATE-----

my certificate

-----END CERTIFICATE-----
</cert>
<key>
-----BEGIN ENCRYPTED PRIVATE KEY-----

my key

-----END ENCRYPTED PRIVATE KEY-----
</key>

Also remove auth-user-pass and specify username/password in client configuration form.
Reply
#11
Ok,

Now, in the OpenVPN status page:

It tells me that there is an error:

Wed Apr 15 16:50:38 2020 neither stdin nor stderr are a tty device and you have neither a controlling tty nor systemd - can't ask for 'Enter Private Key Password:'. If you used --daemon, you need to use --askpass to make passphrase-protected keys work, and you can not use --auth-nocache.
Reply
#12
The problem is that your private key has a password set. This will not work; try creating a new config where the key does not have a password.
Reply
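
An added example, not part of the original posts or of the LogicMachine firmware: a small Python check for the three problems found in this thread's client config (inline blocks without closing tags, a passphrase-protected key, and a bare auth-user-pass that needs a terminal). The sample config is constructed, and vpn.example.invalid and the function name are placeholders chosen for this illustration.

```python
import re

OPEN = re.compile(r"^<([A-Za-z][\w-]*)>$")   # inline block opener such as <ca>

def lint_ovpn(text):
    """Return findings for the inline-block problems discussed in this thread."""
    findings, inside = [], None               # inside = name of the open block
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if inside:
            if line == f"</{inside}>":
                inside = None
            elif OPEN.match(line):
                # A new block starts while the previous one is still open.
                findings.append(f"line {n}: <{inside}> has no </{inside}>")
                inside = OPEN.match(line).group(1)
            elif "ENCRYPTED" in line and line.startswith(("-----BEGIN", "Proc-Type:")):
                findings.append(f"line {n}: private key is passphrase-protected")
            continue
        m = OPEN.match(line)
        if m:
            inside = m.group(1)
        elif line.split() == ["auth-user-pass"]:
            findings.append(f"line {n}: auth-user-pass without a file prompts on a tty")
    if inside:
        findings.append(f"end of file: <{inside}> has no </{inside}>")
    return findings

# Constructed sample modelled on the config in post #7 (no real key material).
SAMPLE_BROKEN = """\
client
remote vpn.example.invalid 1194
auth-user-pass
<CA>
-----BEGIN CERTIFICATE-----
(constructed placeholder)
-----END CERTIFICATE-----
<cert>
-----BEGIN CERTIFICATE-----
(constructed placeholder)
-----END CERTIFICATE-----
<key>
-----BEGIN ENCRYPTED PRIVATE KEY-----
(constructed placeholder)
-----END ENCRYPTED PRIVATE KEY-----
"""

if __name__ == "__main__": print("\n".join(lint_ovpn(SAMPLE_BROKEN)))
```

Run against a config before uploading it; an empty result means none of these three problems is present, not that the tunnel will negotiate.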
#13
(15.04.2020, 14:58)admin Wrote: Have you removed auth-user-pass and specified username/password directly in the config? Does your server require username/password? If it still does not work send username/password via PM.

Have you removed auth-user-pass and specified username/password directly in the config?

yes

Does your server require username/password?

yes

If it still does not work send username/password via PM.

Ok
Reply
#14
I've updated my post, the issue is of a different sort.
Reply
#15
(15.04.2020, 14:58)admin Wrote: The problem is that your private key has a password set. This will not work; try creating a new config where the key does not have a password.

But I followed the instructions at this link:

https://openrb.com/lm5-openvpn-tunnel-to...ik-router/

How can I create the key without a password?

Thanks
Reply
#16
This line is incorrect:
Code:
export-certificate client-certificate export-passphrase=12345678

It should be:
Code:
export-certificate client-certificate export-passphrase=""
Reply
#17
(15.04.2020, 15:35)admin Wrote: This line is incorrect:
Code:
export-certificate client-certificate export-passphrase=12345678

It should be:
Code:
export-certificate client-certificate export-passphrase=""

Ok,

but if you do that, Mikrotik does NOT generate the client.key; it only generates two certificate files, the ca.crt and the client.crt. It does not generate the .key, and without it the LM fails because it says that you must specify a .crt and a .key.
Reply
#18
Then an extra step is required to remove the passphrase.
1. Download OpenSSL for Windows here: https://indy.fulgan.com/SSL/ (openssl-1.0.2u-x64_86-win64.zip)
2. Place your key (cert_export_client-certificate.key) in the same directory as openssl.exe
3. Open cmd and go to openssl directory
4. Run this command: openssl.exe rsa -in cert_export_client-certificate.key -out out.key
5. Enter passphrase
6. Use the key from out.key in your OpenVPN config
Reply
#19
Unfortunately, this looks like a common Mikrotik issue with the OpenVPN server. This might be due to an older server version on Mikrotik or something else.
Reply
#20
It is impossible to connect the LM with the Mikrotik; I have been trying to find the problem for two days and I have not succeeded.

It gives me an error in TLS negotiation.

Fri Apr 17 13:53:49 2020 SIGUSR1 [soft, tls-error] received, process restarting
Fri Apr 17 13:53:49 2020 TLS Error: TLS handshake failed
Fri Apr 17 13:53:49 2020 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network

I don't know what to try.

In the Mikrotik log there are no errors.
Reply