Access OctoPrint over the Internet

If you want to reach your OctoPrint server from “outside” of your network (for example from another network, or over a 3G/4G connection), then the local IP address of your server alone is not enough.

“LAN IP address” in Printoid stands for “Local Area Network IP address”. That means you can reach the device located at this IP address only locally, i.e. when the client (Printoid, installed on your device) is connected to the same network as your server (OctoPrint, installed on a Raspberry Pi for example).

Please note that Printoid can’t automate this configuration for you: you have to follow the steps described in the following tutorial.

SOLUTION 1: CONFIGURE A VPN

IMPORTANT NOTE

Using a VPN is not the most convenient way to reach your OctoPrint server from the Internet, but it is the most secure way to do it.

I really recommend this solution rather than opening a public port on your router to the Internet.

Please note that Printoid is not an application to configure a VPN on your device. Please use a third-party application dedicated to this.

Virtual Private Networks are a great way to gain access to your OctoPrint instance. There are many options available (PiVPN, OpenVPN), and some home routers even have a VPN server built in. The major advantage of using a tunnel into your network is that your OctoPrint instance is not available to the Internet in general. Without access to your VPN, the printer cannot be reached from outside. (source)

Gaston Dombiak (the developer of the OctoPod app for iOS) has written a great tutorial explaining how to configure this:

Setup OpenVPN for remote access →

Here are some other good links about VPN servers:

SOLUTION 2: USE OCTOEVERYWHERE

OctoEverywhere is a plugin for OctoPrint that allows you to securely access your server over the Internet, from any web browser or any third-party app.

This solution has many advantages:

  • No network configuration to do on your side
  • Secure access to your network over the Internet
  • Transparent integration in Printoid, everything works flawlessly in the app
  • Easy to set up

IMPORTANT NOTE

The developer of Printoid is not the developer of OctoEverywhere. I do not develop and maintain this service at all.
Please also note that I do not earn anything if you use this service, as a user of Printoid.
Please finally note that I can’t offer you any discount for the OctoEverywhere service, since this is not my service at all.

Configure OctoEverywhere with Printoid →

SOLUTION 3: CONFIGURE PORT FORWARDING

IMPORTANT NOTE

This solution works well, and Printoid is made to accept this kind of configuration. Printoid has “WAN IP” and “WAN PORT” fields in the OctoPrint profile’s parameters.

But please do not open a public port on your router without thinking about security. Otherwise it can lead to serious security problems.

Do port forwarding at your own risk, and keep in mind that it exposes your network, your OctoPrint server and your 3D printer to the Internet, which can be a serious security weakness.

Everything is well explained by Gina here.

HOW THE LOCAL NETWORK WORKS

I will start by explaining how your network works locally, that is, how you are able to access your OctoPrint server when your device is connected to the same network.

Here is a diagram showing your current situation on your local network:

DIAGRAM 1: Printoid is connecting locally to your server (using its LAN IP address)

1. Your device (the Raspberry Pi) is represented by its local IP on your local network, for example 192.168.1.20. This IP identifies your device on your local network only. This device has its own ports (for example port 80, port 22, port 21, port 5000…). Each device has the same range of ports (device 1 has its own port 80, device 2 has its own port 80…).

2. Your devices are not represented by their local IP over the Internet, because only your router knows them.

3. Your router is represented over the Internet by its public IP (WAN IP), for example 82.24.543.539.

4. Your router also has its own public ports (for example 80, 21, 22…). These ports do not belong to your devices (your Raspberry Pi for example) but only to your router. So, do not confuse the local port 80 of your Raspberry Pi with the public port 80 of your router.

5. Now, if you want to reach a device (your Raspberry Pi) from the Internet, you must ask your router for access to this device. Because your router is, for the moment, the only one who knows your device, we want to configure something like this: “Hello router, please give me access to the device identified by 192.168.1.20 on its port 80, so I can reach the server running on this port on this device!”

There are many ways to reach your OctoPrint server from the “outside”. I will list them in the following tutorial.

WHY YOU SHOULD PORT-FORWARD FOR DISTANT ACCESS

To achieve that, you have to configure a port forwarding rule. You must assign a public port (for example 1990) to port 80 of the device with the IP 192.168.1.20 (the Raspberry Pi in this example). So, when you request your router using its public IP and the port 1990 (for example 82.24.543.539:1990), the router will understand that 1990 is bound to 192.168.1.20:80.

That means:

  • Calling 82.24.543.539:1990 from the Internet…
  • …does the same as calling 192.168.1.20:80 from your local network

Note: 1990 is a random port value in this example. You can use another value if you want. This will be explained in the next parts of this tutorial. It’s not important for the moment, so please don’t focus on this value like “wow 1990, why 1990, I don’t understand why 1990, I will set 1990, hurry up!”.

Finally, at the end of this tutorial, here is what your network configuration will look like:

DIAGRAM 2: Printoid is connecting remotely to your server (using its WAN IP address and a public port)

(1990 is a random port value, it can take any other value – don’t focus on this value)

FIND YOUR PUBLIC IP (WAN IP ADDRESS)

You can’t use the local IP address of your Raspberry Pi (for example 192.168.1.XX or 10.0.2.XX) from outside your local network.

You must use the public IP address of your router over the Internet to access your Raspberry Pi.

Here is a link that will show you this information: http://wanip.info/. Of course, you have to open this link only while you are connected to your local network (so behind the same router as your Raspberry Pi). Otherwise you’ll get the public IP of the network you are currently on, not yours.

This IP address is called WAN IP in all of Printoid’s settings.

ENABLE THE BASIC AUTHENTICATION

For the security of your Raspberry Pi, and of your whole local network in general, I advise you to install a reverse proxy on your Raspberry Pi and configure it to enable at least basic authentication (per-user authentication).

WARNING: If you have installed OctoPi instead of Raspbian+OctoPrint, then haproxy is already pre-installed and its configuration is preloaded. Do not overwrite the configuration file with the following if you just want to enable basic authentication (per-user authentication). Simply add to your file the lines that are missing: the acl and http-request lines of the octoprint backend, and the userlist section.

The basic authentication performed by the reverse proxy is different from the user authentication in the OctoPrint web interface. The proxy protects each request sent to OctoPrint with a mandatory authentication (user + password); otherwise the connection is refused.

You can install haproxy on your Raspberry Pi, with the command sudo apt-get install haproxy.

Haproxy lets you enable per-user authentication, and it also makes both your OctoPrint server and your video stream accessible on the same port 80 (please see diagram 2 at the top of this page).

Once installed, you have to edit the file /etc/haproxy/haproxy.cfg:

sudo nano /etc/haproxy/haproxy.cfg

and fill it with the following configuration:

global
        maxconn 4096
        user haproxy
        group haproxy
        daemon
        log 127.0.0.1 local0 debug

defaults
        log     global
        mode    http
        option  httplog
        option  dontlognull
        retries 3
        option redispatch
        option http-server-close
        option forwardfor
        maxconn 2000
        timeout connect 5s
        timeout client  15min
        timeout server  15min

frontend public
        bind :::80 v4v6
        use_backend webcam if { path_beg /webcam/ }
        default_backend octoprint

backend octoprint
        reqrep ^([^\ :]*)\ /(.*)     \1\ /\2
        option forwardfor
        server octoprint1 127.0.0.1:5000
        # Lines to add for the basic authentication: every request to this backend must
        # carry valid credentials from userlist L1, otherwise haproxy answers 401 with the
        # realm "octoprint" and the request never reaches OctoPrint.
        acl AuthOkay http_auth(L1)
        http-request auth realm octoprint if !AuthOkay

backend webcam
        # Strips the /webcam/ prefix before handing the request to mjpeg-streamer.
        # Note: reqrep/reqadd were removed in haproxy 2.1; newer versions use
        # http-request rules (replace-path, set-header) for the same purpose.
        reqrep ^([^\ :]*)\ /webcam/(.*)     \1\ /\2
        server webcam1  127.0.0.1:8080

# Lines to add: the users haproxy accepts (replace USERNAME and PASSWORD).
userlist L1
        group G1
        user USERNAME insecure-password PASSWORD groups G1


Don’t forget to replace USERNAME and PASSWORD with the values of your choice. You can insert as many users as you want, in as many groups as you want. An advanced configuration lets you define different access privileges per user (or per group).

Printoid will ask for the user and password values in the OctoPrint profile setup (click on the ‘extended settings’ button at the bottom of the list).
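To see what the haproxy rules above actually enforce on the wire, here is the HTTP Basic authentication exchange written out in Python: how a client such as Printoid builds the Authorization header, how the proxy decodes it and compares it with its userlist, and the 401 challenge it sends back (the realm matches the http-request auth line). This is an added example, not Printoid or haproxy code; the userlist entry is constructed.

```python
"""HTTP Basic authentication as enforced by the haproxy configuration in this
tutorial, reduced to plain functions.  Added example; the userlist below is a
constructed stand-in for 'userlist L1' in haproxy.cfg."""
import base64
import binascii
import secrets
from typing import Dict, Optional, Tuple

REALM = "octoprint"  # same value as 'http-request auth realm octoprint'

# Constructed stand-in for 'userlist L1': username -> password.
USERLIST: Dict[str, str] = {"printoid": "correct horse battery staple"}


def build_authorization_header(username: str, password: str) -> str:
    """The header a client sends once basic auth is enabled: 'Basic ' + base64(user:pass)."""
    token = base64.b64encode(f"{username}:{password}".encode("utf-8")).decode("ascii")
    return f"Basic {token}"


def parse_authorization_header(header: Optional[str]) -> Optional[Tuple[str, str]]:
    """Recover (username, password) from an Authorization header, or None if it is
    missing or malformed.  Base64 is an encoding, not encryption: anyone who can
    read the header reads the password, which is why TLS matters later on."""
    if not header:
        return None
    scheme, _, token = header.partition(" ")
    if scheme.lower() != "basic" or not token:
        return None
    try:
        decoded = base64.b64decode(token.strip(), validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    username, sep, password = decoded.partition(":")
    if not sep:
        return None
    return username, password


def authenticate(header: Optional[str],
                 userlist: Dict[str, str] = USERLIST) -> Tuple[int, Dict[str, str]]:
    """Emulate the proxy's decision for one request.
    Returns (200, {}) when the request may go on to OctoPrint, or
    (401, challenge headers) when it is refused.  The password comparison is
    constant-time so that a wrong guess cannot be told apart by timing."""
    challenge = {"WWW-Authenticate": f'Basic realm="{REALM}"'}
    creds = parse_authorization_header(header)
    if creds is None:
        return 401, challenge
    username, password = creds
    expected = userlist.get(username, "")
    ok = username in userlist and secrets.compare_digest(
        password.encode("utf-8"), expected.encode("utf-8"))
    return (200, {}) if ok else (401, challenge)


if __name__ == "__main__":
    hdr = build_authorization_header("printoid", "correct horse battery staple")
    print(hdr)                     # what travels in every request
    print(parse_authorization_header(hdr))   # readable by anyone on the path
    print(authenticate(hdr))       # (200, {})
    print(authenticate(None))      # (401, {'WWW-Authenticate': 'Basic realm="octoprint"'})
```

The decode step is the point of the later HTTPS section: without TLS the base64 token is the password in clear text for everyone between Printoid and the router. On the haproxy side, `insecure-password` stores the password in clear text in haproxy.cfg as well; haproxy's userlist also accepts `password` with a hashed value if you prefer not to keep it readable in the file.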

FORWARD PUBLIC PORT ON YOUR ROUTER

Once you know your public IP (WAN) and the access to your server is at least protected by basic authentication, you can make your OctoPrint and mjpeg-streamer server instances accessible over the Internet.

I cannot be more precise in the following information, since this configuration depends entirely on your router model.

The following steps are really important. You NEED to follow them in the given order, or it will not work as expected.

  1. Find out how to access the web interface of your router. In general, most manufacturers make this interface accessible at the IP 192.168.1.1
  2. Log in to the interface (most of the time the default credentials are admin/admin, or admin with the first characters of the default WPA key)
  3. Find the local IP of your Raspberry Pi in the connected devices and define it as a static IP (static DHCP lease)
  4. Then, find the “port forwarding” setup page (this is also called NAT/PAT on some routers, most of the time in the ‘advanced’ settings)
  5. In this screen, add a new port forwarding rule:

     Method            IP (local)                           Port (local)                               Port (public)
     TCP/UDP (both)    Your Raspberry Pi LAN IP (static)    80 (if you have installed haproxy)         YOUR_CHOSEN_PORT
                                                            5000 (if you haven’t installed haproxy)

Explanation: you want to make your Raspberry Pi accessible from ‘outside’ your network (so, over the Internet). That’s why you need to forward the address LAN_IP:80 to the address PUBLIC_IP:YOUR_CHOSEN_PORT (please see diagram 2 at the top of this tutorial).

Important: your Raspberry Pi LAN IP must be a static IP. This is mandatory, because if the local IP of your Raspberry Pi changes, your port forwarding rule will be broken.

Please note that YOUR_CHOSEN_PORT can be any value of your choice. But please respect the following:

  • Don’t forward the port 80 to 80 (yes it is tempting, but really really not a good practice)
  • Don’t forward to an already used port (such as 53, already used for the DNS service)
  • 0, 1, 2, 3… are not correct port values
  • So, please select a value between 1000 and 10 000 (your birth year for example)
  • Sometimes the user port range is indicated in the router interface. For example, the “FREE” network provider only allows ports from 10 000 upwards.

In the diagram 2 at the top of this page, you can see that:

  • The external port value 1990 was chosen (that was my personal choice – you can choose another value)
  • The OctoPrint server is still accessible locally from port 5000 (in addition to port 80 if you have installed haproxy)
  • The MJPEG server (video streaming) is still accessible locally from port 8080 (in addition to port 80 if you have installed haproxy)
  • To summarize, both the OctoPrint and MJPEG servers are accessible locally from port 80 (if you have installed haproxy), but now also externally from port 1990.

Here is an example:

     Method     IP (local)      Port (local)    Port (public)
     TCP/UDP    192.168.1.30    80              1990

Here is another example:

Some routers let you define ranges of ports to forward. Since we only want to forward one public port to one local port, please apply the following:

     Method     IP (local)      Port start (local)    Port end (local)    Port start (public)    Port end (public)
     TCP/UDP    192.168.1.30    80                    80                  1990                   1990
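The constraints listed above for YOUR_CHOSEN_PORT, and the single-port form of the range rule, can be checked before you type anything into the router. The following is an added example (not Printoid code) that encodes those checks as functions; the 1000-10 000 default range is the one suggested above, and the addresses used in the usage lines are constructed.

```python
"""Sanity checks for a port forwarding rule, following the constraints given in
this tutorial: the local side must be a LAN address (RFC 1918), the local port is
80 (haproxy) or 5000 (OctoPrint), the public port must not be 80-to-80, must not
be an already used port such as 53, must not be 0..3, and must sit in the range
the router allows.  Added example; not part of Printoid.  Sample values constructed."""
import ipaddress
from typing import List, Tuple

# Private (LAN) address ranges, RFC 1918.
LAN_RANGES = [ipaddress.ip_network(n)
              for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Public ports that already belong to another service on a home router.
RESERVED_PUBLIC_PORTS = {53: "DNS", 80: "HTTP (the router's own port 80)"}

# Local ports OctoPrint answers on: 80 behind haproxy, 5000 without it.
EXPECTED_LOCAL_PORTS = (80, 5000)


def is_lan_address(ip: str) -> bool:
    """True if ip is a valid IPv4 address inside one of the RFC 1918 ranges."""
    try:
        addr = ipaddress.IPv4Address(ip)
    except ValueError:
        return False
    return any(addr in net for net in LAN_RANGES)


def check_forward_rule(lan_ip: str, lan_port: int, public_port: int,
                       allowed_range: Tuple[int, int] = (1000, 10000)) -> List[str]:
    """Return the problems found with a single-port rule; an empty list means the
    rule respects the tutorial's constraints.  allowed_range defaults to the
    1000-10 000 suggestion; pass the range your provider imposes instead
    (for example (10000, 65535)) when the router restricts user ports."""
    problems = []
    if not is_lan_address(lan_ip):
        problems.append(f"{lan_ip} is not a LAN address; the rule must point at a local device")
    if lan_port not in EXPECTED_LOCAL_PORTS:
        problems.append(f"local port {lan_port} is neither 80 (haproxy) nor 5000 (OctoPrint)")
    if public_port == 80 and lan_port == 80:
        problems.append("forwarding public port 80 to local port 80 is not good practice")
    elif public_port in RESERVED_PUBLIC_PORTS:
        problems.append(f"public port {public_port} is already used ({RESERVED_PUBLIC_PORTS[public_port]})")
    lo, hi = allowed_range
    if not lo <= public_port <= hi:
        problems.append(f"public port {public_port} is outside the allowed range {lo}-{hi}")
    return problems


def check_range_rule(lan_ip: str, lan_start: int, lan_end: int,
                     public_start: int, public_end: int, **kwargs) -> List[str]:
    """Same checks for routers that take port ranges: we forward exactly one
    public port to one local port, so both ranges must collapse to a single port."""
    problems = []
    if lan_start != lan_end:
        problems.append(f"local range {lan_start}-{lan_end} should be a single port")
    if public_start != public_end:
        problems.append(f"public range {public_start}-{public_end} should be a single port")
    return problems + check_forward_rule(lan_ip, lan_start, public_start, **kwargs)


if __name__ == "__main__":
    # Constructed values matching the tables in this tutorial.
    print(check_forward_rule("192.168.1.30", 80, 1990))            # []
    print(check_forward_rule("192.168.1.30", 80, 80))              # the 80-to-80 warning
    print(check_range_rule("192.168.1.30", 80, 80, 1990, 1990))    # []
    print(check_range_rule("192.168.1.30", 80, 90, 1990, 2000))    # two range warnings
```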

MAKE ONLY DISTANT ACCESS PROTECTED BY BASIC AUTH

Please note that this step is:

  • Optional. Do not follow this step if you are not concerned.
  • For the advanced users only.
  • Only for those who have installed plugins that don’t support the basic authentication on the LAN

The main goal of this part is to request the authentication only when OctoPrint is reached over the Internet, and not when reached locally.

I will not copy the whole haproxy.cfg file again, so you only have to apply the changes: the extra use_backend line in the frontend, and the new octoprint_unsecure backend.

frontend public
        bind :::80 v4v6
        use_backend webcam if { path_beg /webcam/ }
        # Line to add: requests whose Host header starts with 192.168 (the LAN address
        # of the Raspberry Pi as typed by the client) go to the backend without authentication.
        use_backend octoprint_unsecure if { hdr_beg(host) -i 192.168 }
        default_backend octoprint

backend octoprint
        reqrep ^([^\ :]*)\ /(.*)     \1\ /\2
        option forwardfor
        server octoprint1 127.0.0.1:5000
        acl AuthOkay http_auth(L1)
        http-request auth realm octoprint if !AuthOkay

backend webcam
        reqrep ^([^\ :]*)\ /webcam/(.*)     \1\ /\2
        server webcam1  127.0.0.1:8080

# Block to add: the same as 'backend octoprint' but without the http-request auth rule,
# so that local clients reach OctoPrint directly.
backend octoprint_unsecure
        reqrep ^([^\ :]*)\ /(.*) \1\ /\2
        option forwardfor
        server octoprint1 127.0.0.1:5000
        # Tell OctoPrint which scheme the client used, unless a proxy in front already did.
        acl needs_scheme req.hdr_cnt(X-Scheme) eq 0
        reqadd X-Scheme:\ https if needs_scheme { ssl_fc }
        reqadd X-Scheme:\ http if needs_scheme !{ ssl_fc }

userlist L1
        group G1
        user USERNAME insecure-password PASSWORD groups G1

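The frontend above decides which backend a request reaches from two things: the request path, and whether the Host header starts with 192.168. Here is that decision written out as a plain function, as an added example (it is not haproxy code and not part of Printoid), with a second mode that decides on the connection's source address instead; the 192.168.0.0/16 LAN range and the client addresses in the usage lines are assumptions.

```python
"""The 'LAN without auth, WAN with auth' routing of the frontend above, reproduced
as a function so the two ways of telling local from remote can be compared.
Added example; not haproxy or Printoid code.  LAN range and sample addresses are
assumptions."""
import ipaddress

# Assumption: the home LAN uses 192.168.x.x, as in the tutorial's examples.
LAN_NET = ipaddress.ip_network("192.168.0.0/16")


def choose_backend(path: str, host_header: str, client_ip: str,
                   by_source: bool = False) -> str:
    """Evaluate the frontend's use_backend rules in order and return the backend name.

    by_source=False reproduces the tutorial's rule, hdr_beg(host) -i 192.168:
        'is local' means the Host header the client sent starts with 192.168.
    by_source=True decides on the TCP source address of the connection instead,
        which is what haproxy's 'src' fetch would test.
    """
    if path.startswith("/webcam/"):
        return "webcam"                     # use_backend webcam if { path_beg /webcam/ }
    if by_source:
        is_local = ipaddress.ip_address(client_ip) in LAN_NET
    else:
        is_local = host_header.lower().startswith("192.168")
    if is_local:
        return "octoprint_unsecure"         # no http-request auth in this backend
    return "octoprint"                      # default_backend: basic auth required


if __name__ == "__main__":
    # Constructed requests: a LAN client and a remote client coming through the
    # forwarded port, each with the Host header it would naturally send.
    print(choose_backend("/api/version", "192.168.1.30", "192.168.1.12"))        # octoprint_unsecure
    print(choose_backend("/api/version", "203.0.113.7:1990", "198.51.100.20"))   # octoprint
    # The same remote connection, if its Host header happened to read 192.168.1.30:
    print(choose_backend("/api/version", "192.168.1.30", "198.51.100.20"))        # octoprint_unsecure
    print(choose_backend("/api/version", "192.168.1.30", "198.51.100.20", by_source=True))  # octoprint
```

The last two lines show the caveat of this step: the Host header is filled in by whoever sends the request, so it only records what address the client typed, not which side of the router the connection came from. The source address is what the router and haproxy actually see, and haproxy can apply the same rule to it (`use_backend octoprint_unsecure if { src 192.168.0.0/16 }`, with your own LAN range). This assumes a plain port-forwarding setup, where the forwarded connection still arrives at the Raspberry Pi with the remote client's real address.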
Read more information on the following link:

PROVIDE THE SETTINGS TO PRINTOID

Printoid is made to be compatible with this kind of configuration.


Enter the WAN IP (from step 1) in “Distant IP or DNS (WAN)”, and the port you have forwarded (from step 3) in “(port)”.

Enable the “basic auth.” toggle button, then enter your USERNAME in “Username” and your PASSWORD in “Password” (from step 2).

You can of course fill in both the LAN and WAN parameters. Printoid will automatically switch between them when needed.

Important: do not put your public port value in the ‘port’ field of the LAN settings.

Important: The basic authentication settings in Printoid correspond to your haproxy configuration. These credentials ARE NOT the credentials used to log in to the OctoPrint web interface.

COMMUNICATION WITH TLS (HTTPS)

When you open a port on your router and activate basic authentication, the best practice is to also enable SSL/TLS (HTTPS), so that your credentials and data are encrypted in transit when you communicate with OctoPrint.

A more secure choice would be client-certificate authentication; this of course requires setting up a PKI to handle the issuance and revocation of certificates.

Here are interesting links that show how to enable and handle TLS and client-certificate authentication with haproxy:

If you enable communication over HTTPS, then don’t forget to enable the corresponding option in your OctoPrint profile in Printoid, in order to force the use of HTTPS instead of HTTP.

TO GO FURTHER: INSTALLATION OF FAIL2BAN

Advanced users can also install Fail2Ban on their Raspberry Pi.

Fail2Ban automatically blacklists IP addresses that try to connect to your server but fail (wrong credentials, no credentials provided, etc.) X times (you define how many chances you want to give a user who is trying to connect to your server).

This can protect your server against brute-force attacks, or simply against untrusted / prohibited users.

Here is a good tutorial to configure Fail2Ban, which can be applied to OctoPrint too.

I advise you to create a “jail” rule for:

  • OctoPrint
  • SSH (if you’ve made SSH reachable over the Internet on your server)
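What the OctoPrint jail does, in practice, is read the haproxy log and count the 401 responses that the basic-auth rule produces per client address within a time window. The following is an added example of that detection logic, written as a standalone Python script rather than Fail2Ban's own filter; the log lines are constructed in haproxy's `option httplog` format (the format the defaults section above enables), and the addresses, timestamps and jail thresholds are assumptions.

```python
"""What a Fail2Ban jail does for the haproxy basic-auth setup in this tutorial:
scan the proxy log, count 401 (authentication failed) responses per client
address inside a time window, and report the addresses that used up their
attempts.  Added example, not Fail2Ban's own filter; the log lines are
constructed in haproxy's 'option httplog' format."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Deque, Dict, Optional, Tuple

# httplog line: "<ip>:<port> [<accept date>] <frontend> <backend>/<server> <timers> <status> ..."
HTTPLOG = re.compile(
    r"haproxy\[\d+\]: (?P<ip>\d{1,3}(?:\.\d{1,3}){3}):\d+ \[(?P<ts>[^\]]+)\] "
    r"\S+ \S+ \S+ (?P<status>\d{3}) "
)
TS_FORMAT = "%d/%b/%Y:%H:%M:%S.%f"

# Constructed log excerpt.  401 lines are answered by haproxy itself (server <NOSRV>,
# termination state PR--); the 200 line went through to OctoPrint.
SAMPLE_LOG = """\
Feb  6 12:00:01 octopi haproxy[612]: 203.0.113.9:51120 [06/Feb/2021:12:00:01.104] public octoprint/<NOSRV> 0/0/-1/-1/0 401 240 - - PR-- 1/1/0/0/0 0/0 "GET /api/version HTTP/1.1"
Feb  6 12:00:40 octopi haproxy[612]: 203.0.113.9:51121 [06/Feb/2021:12:00:40.882] public octoprint/<NOSRV> 0/0/-1/-1/0 401 240 - - PR-- 1/1/0/0/0 0/0 "GET /api/version HTTP/1.1"
Feb  6 12:01:15 octopi haproxy[612]: 198.51.100.4:40022 [06/Feb/2021:12:01:15.310] public octoprint/<NOSRV> 0/0/-1/-1/0 401 240 - - PR-- 1/1/0/0/0 0/0 "GET /api/version HTTP/1.1"
Feb  6 12:02:02 octopi haproxy[612]: 203.0.113.9:51122 [06/Feb/2021:12:02:02.000] public octoprint/<NOSRV> 0/0/-1/-1/0 401 240 - - PR-- 1/1/0/0/0 0/0 "GET /api/version HTTP/1.1"
Feb  6 12:03:00 octopi haproxy[612]: 198.51.100.4:40023 [06/Feb/2021:12:03:00.457] public octoprint/octoprint1 0/0/2/8/10 200 512 - - ---- 1/1/0/0/0 0/0 "GET /api/version HTTP/1.1"
Feb  6 12:05:00 octopi haproxy[612]: 203.0.113.77:6000 [06/Feb/2021:12:05:00.000] public octoprint/<NOSRV> 0/0/-1/-1/0 401 240 - - PR-- 1/1/0/0/0 0/0 "GET /api/job HTTP/1.1"
Feb  6 12:20:00 octopi haproxy[612]: 203.0.113.77:6001 [06/Feb/2021:12:20:00.000] public octoprint/<NOSRV> 0/0/-1/-1/0 401 240 - - PR-- 1/1/0/0/0 0/0 "GET /api/job HTTP/1.1"
Feb  6 12:35:00 octopi haproxy[612]: 203.0.113.77:6002 [06/Feb/2021:12:35:00.000] public octoprint/<NOSRV> 0/0/-1/-1/0 401 240 - - PR-- 1/1/0/0/0 0/0 "GET /api/job HTTP/1.1"
"""


def parse_line(line: str) -> Optional[Tuple[str, datetime, int]]:
    """(client ip, accept time, status code) from one httplog line, or None if
    the line is not a request log line."""
    m = HTTPLOG.search(line)
    if not m:
        return None
    return m["ip"], datetime.strptime(m["ts"], TS_FORMAT), int(m["status"])


def find_offenders(log_text: str, maxretry: int = 3,
                   findtime_seconds: int = 600) -> Dict[str, datetime]:
    """Return {ip: time of the failure that crossed the threshold} for every client
    that produced `maxretry` 401 responses within a sliding window of
    `findtime_seconds` (the rule Fail2Ban applies with its maxretry and findtime
    jail settings).  Lines that do not parse are skipped; successful requests do
    not reset the count."""
    findtime = timedelta(seconds=findtime_seconds)
    recent: Dict[str, Deque[datetime]] = defaultdict(deque)
    banned: Dict[str, datetime] = {}
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        ip, ts, status = parsed
        if status != 401 or ip in banned:
            continue
        window = recent[ip]
        window.append(ts)
        while window and ts - window[0] > findtime:   # forget failures older than findtime
            window.popleft()
        if len(window) >= maxretry:
            banned[ip] = ts
    return banned


if __name__ == "__main__":
    for ip, when in find_offenders(SAMPLE_LOG).items():
        print(f"ban {ip} (third failure within 10 min at {when:%H:%M:%S})")
```

In Fail2Ban terms, `HTTPLOG` plays the role of the jail's `failregex` (with `<HOST>` in place of the `ip` group), and `maxretry` and `findtime` are the jail settings of the same name; `bantime` then decides how long the address stays blocked. Note that 203.0.113.77 is not reported with the default window because its three failures are 15 minutes apart, while a longer `findtime` catches it.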

(Tutorials written with the help of Gina’s GitHub and Gaston’s GitHub)