How to Make an ESP32 AsyncWebserver accessible from outside my local network using dynamic DNS

Hi everybody,

I did not only do a 5-minute Google search but more like 50 minutes of research to find a tutorial about how to access an ESP32 which is connected to my local WiFi network from outside this network.

I have found things like using a "fixed IP address" with an ESP8266,
small demo codes that make use of dynDNS services, but the code seems to be arbitrary.

What I have so far is that I'm using the ESP-Dash library

and elegantOTA

and I want to go on using these libraries.
I have found information on how to set up a dynDNS service in my WLAN router Fritzbox 7490.

What I haven't found yet is information about how to connect my ESP32 to the dynDNS functionality of my WLAN router, and if it is even possible to use it in combination with ESP-Dash and elegantOTA, which make use of these libraries:

#include <WiFi.h>
#include <AsyncTCP.h>
#include <ESPAsyncWebServer.h>

So if somebody could point me to information about how reaching a WLAN device connected to my local WLAN router running an ESPAsyncWebServer is done, I would be very thankful.

best regards Stefan

If your ESP32 is connected to your router and the router establishes the connectivity to the www, you would need a DynDNS on your router - not on the ESP - and a port forwarding rule in the router to forward incoming requests from a specific incoming port to the (internal) IP of the ESP (and if needed to a specific port on the ESP).

Or I misunderstood your problem…

Yes, what the world sees is the router, it is the one holding an Internet address, this needs to be ‘exposed’. Then when a request comes in, based possibly on port, the router needs to forward that request to the ESP and then bridge the answer back to the requester.

The ESP does not need to know what’s going on, only the router.

Opening ports also opens security risks, so make sure you understand what you do to your router so as not to expose your whole internal network to the world.

Hi J-M-L and noiasca,

deleted the screenshots for security reasons

thank you for answering so quickly.
Your explanation is "above my head".

If you happen to know a tutorial that explains the real basics behind it I'm willing to read. If you would like to explain in more details this is highly appreciated.
So maybe I should add some pictures to show what I have done so far and maybe you can give hints about what is additionally needed. In my Fritzbox 7490
there are two entries for port sharing.

I guess I have to add another port sharing for the ESP32.

Four years ago I did play around a little bit with an ESP8266 and created an account at acedns.

I configured the dynDNS configuration of my Fritzbox 7490.

If I use my smartphone with WLAN deactivated and mobile data activated, trying to access mywozitemp.acedns.org, nothing happens yet. So I must be missing something. But I have no idea what.

What do I have to do additionally to make it work?
best regards Stefan

You should be able to break it into two stages so you can test it without configuring DynDNS:

  1. Discover your current external IP address (incidentally, in the OLD forum you had only to look at one of your own posts to do this)

  2. Go into Portfreigeben and redirect port 80 to the IP address that your ESP has got from the router.

  3. From your smartphone (no WLAN), enter the URL http://< your external IP address > and you should land on your ESP

NOTE ALL THE SECURITY WARNINGS !

Hi 6v6gt,

deleted the screenshots for security reasons

thank you very much for answering.

I managed to access the ESP32 from mobile data on my smartphone through the external IP address.
If I understand right, the DynDNS is there so that I do not have to write down the daily changing IP address. So what do I have to do additionally to get access through the constant URL provided by acedns?

I guess I made one step forward:
I added a Freigabe for the ESP32.

If I click on neue Freigabe (new sharing)
I see this window popping up.
I have no idea what to enter here.

Your description sounds like there should be somewhere an entry naming the IP address of my ESP32 (192.168.178.165) and somehow related "type in port number".

And if so, how must I type it into my smartphone to use that port?
Do I have to specify this port number in my ESP32 program too?

From these questions you can see: total newbie to this stuff. I highly appreciate it if you would like to explain it yourself. If somebody knows a link where I can read it myself,
some tutorial "dynDNS and port forwarding for real dummies" would be good too.

best regards Stefan

Under Freigabe anlegen, what options do you have under Anwendung (something like ESP…)? If so, choose it.
Protokoll is HTTP
Port an Gerät is 80 bis 80
Port extern is 80

What you type into your smartphone browser is simply, as in the previous post, http://< your external IP address >

This all assumes that you have not changed the default port on the ESP web server.

Hi 6v6gt,

deleted the screenshots for security reasons

Wow, I got it working. Accessing the ESP32 works.
For testing it I activated complete access = exposed host.

I have no idea how dangerous this is.
Do I understand right that my ESP32 is exposed fully to the internet but all other devices are still secure?
An ESP32 running an asyncwebserver is not the same as a computer with a full blown operating system like windows 10.

Is my assumption right that, with the ESP32 not having an operating system, all hackers could do is elegantOTA with some nonsense software?

Or is it more dangerous?

So how can I reduce the exposure to the bare minimum that still shows me the small website of the ESP32's asyncwebserver?

If I specify some special kind of port in my ESP32 code, will elegantOTA still work?
What changes do I have to make in the Fritzbox to use this different port?

From these questions you can conclude: total newbie to this stuff. No idea how it internally really works.

best regards Stefan

I don’t know elegantOTA. If it uses another port (i.e. not port 80) then you’ll have to redirect that as well.
As for the security risks, the ESP would be a great entry point to your network for a hacker, especially if he could upload any special tools he liked to it via OTA. Also, your ESP knows your WLAN credentials, which could be useful for an attack.
I don’t even allow my IoT devices to contact internet servers (except for NTP time servers and one very specific web server). They can’t even talk to each other, at least not over the WLAN.
I don’t know Fritz!Box but maybe you can specify some firewall rules for that connection with your ESP, although I would be surprised if it is so full featured. I don’t allow any internet traffic to bypass the ISP router (so I can’t do what you are doing) and I have a second router to screen off the IoT devices using a special guest VLAN.

You can now progress on with the DynDNS if you wish. It could be convenient depending on how often your external DNS address changes.

As already mentioned, the risk for your LAN comes with OTA on a device exposed to the www.
You should take measures like password protection, restricting to local OTA sources only, or something else. Think about whether you really need OTA over the www.

Now that it is working: I wouldn’t forward port 80 directly. Use a high port and forward it to 80 on the ESP. I’m aware that security by obscurity is no security and a port scan of an exposed IP can be done in seconds, but port 80 on a public IP is just so obvious, so don’t be surprised if you get uninvited guests on port 80.

Edit:
Check your settings. I’m not familiar with Fritzbox but this doesn’t sound great:

“Selbständige Portfreigabe für dieses Gerät erlauben”

“Dieses Gerät komplet für den Internetzugriff über … freigeben”

Only allow the needed port (incoming to 80).
Don’t allow modifications by the device.
Don’t expose the ESP32 like a DMZ device. That’s not necessary for a “webserver” on an ESP.
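As an added illustration of the two measures named above (password on OTA, OTA accepted from local sources only), here is a sketch for the ESPAsyncWebServer/elegantOTA setup from this thread. It is example code written for this page, not the project's or the library authors' code, and it assumes the AsyncElegantOTA variant of elegantOTA (which serves OTA at /update), the 192.168.178.0/24 LAN named in the thread, and a router that keeps the remote client's source address on forwarded connections; the ESP-Dash dashboard is left out for brevity.

```arduino
#include <WiFi.h>
#include <AsyncTCP.h>
#include <ESPAsyncWebServer.h>
#include <AsyncElegantOTA.h>

// Constructed placeholders: put your own credentials here.
const char* WIFI_SSID = "your-ssid";
const char* WIFI_PASS = "your-wifi-password";
const char* OTA_USER  = "admin";
const char* OTA_PASS  = "change-this-to-a-long-password";

// The server keeps listening on port 80; the router maps a high external
// port to 192.168.178.165:80, so the Fritzbox rule does not depend on this code.
AsyncWebServer server(80);

// Assumption: the LAN is 192.168.178.0/24 (the subnet named in the thread) and
// the router keeps the real source address on forwarded connections, so a
// request that arrived from the internet never matches this test.
bool isLocalClient(const IPAddress& ip) {
  return ip[0] == 192 && ip[1] == 168 && ip[2] == 178;
}

void setup() {
  Serial.begin(115200);
  WiFi.mode(WIFI_STA);
  WiFi.begin(WIFI_SSID, WIFI_PASS);
  while (WiFi.status() != WL_CONNECTED) delay(500);
  Serial.println(WiFi.localIP());

  // The one page the forwarded port is meant to expose.
  server.on("/", HTTP_GET, [](AsyncWebServerRequest* request) {
    request->send(200, "text/plain", "ESP32 status page");
  });

  // Fence for the OTA endpoint, registered BEFORE AsyncElegantOTA adds its own
  // /update handlers: handlers are tried in registration order, and this one
  // only claims the request (via its filter) when the client is not on the LAN.
  server.on("/update", HTTP_ANY, [](AsyncWebServerRequest* request) {
    request->send(403, "text/plain", "OTA only from the local network");
  }).setFilter([](AsyncWebServerRequest* request) {
    return !isLocalClient(request->client()->remoteIP());
  });

  // LAN clients fall through to the library's own handler, which still
  // demands the HTTP basic-auth credentials before accepting an upload.
  AsyncElegantOTA.begin(&server, OTA_USER, OTA_PASS);
  server.begin();
}

void loop() {}
```

Over plain HTTP the basic-auth password still travels in clear text, so the LAN-only fence is what actually keeps uploads off the forwarded port; the password only guards against someone already on the LAN.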

Also, I forgot to add that if you use port 80 (or more specifically HTTP) instead of HTTPS, any password security on your ESP has little value because the passwords are transmitted over the network in plain text.

Hi noiasca and 6v,

Does this mean that a very versatile hacker could use a small device like an ESP32
that has no operating system? Would he be able first to upload some hacker software onto the ESP32 and then start exploring my local network for more serious actions?

So are the usual Arduino / ESP libraries capable of using HTTPS?

best regards Stefan

As long as you can’t prove it wrong - take it as yes :wink:
If a blackhat knows your IP, guesses the port, can write an ESP32 program, and can do an OTA upload, you have opened him/her a backdoor and access to all the tools he/she needs in your network.

An ESP32 should be able to handle HTTPS as a server (but I have never done that before).

When my Linux box was exposed to the internet, it received daily attacks. Most of them assumed that they were dealing with Windows or PHP, but I figured eventually someone would find a weakness so I closed the firewall.

With an Arduino, the attacker is far less likely to know how to hack their way in, but the risk exists. With Linux, there’s plenty of logging going on. In the case of the ESP, you may not even know that hackers are active.

There are safer ways to communicate from outside. Blynk is one, because the connection to their servers is initiated by the ESP.

If you just want to view data from outside there are plenty of IoT options. You can stand up your own tiny cloud based server and have the ESP initiate contact with it to pass data and get instructions. Last time I looked, you can get free or very cheap plans if your usage is low enough.

Or you can learn enough about networking to create a DMZ and fence your ESP off from the rest of your home network, but it’s hard to be certain you’ve got everything locked down hard enough. As the Infosec folks say “Bad guys need to get lucky once; we have to stay lucky all the time”.

For a few euros per month you can get real internet hosting with your own domain and a time-shared server with PHP, MySQL etc. That’s my primary online presence; my devices post to or fetch from there, but there is no inbound connection allowed into my production home network.

For toying around I have a second fiber link. It is totally disconnected from my home network (not even the same broadband operator) and I can mess with the computers attached to this, including security-risky stuff, honeypots and other fun stuff to play with. I would not take any unnecessary risk with my personal network.

No you did not or, at least, not completely. But fortunately for you, the non-routable 192.168.x.x address would be uninteresting to hackers. The forum keeps a visible edit history which can be seen by clicking on the “red pencil” edit icon, so nothing (normally) can be completely deleted.

You can possibly try to use my UPnP_Generic combined with the DDNS_Generic library for your purpose. You just use UPnP Port Mappings to port-forward.

You will need a free DDNS service, such as DuckDNS, No-IP, etc.

Check:

  1. Why do we need this UPnP_Generic library
  2. SimpleServerESP32 example
