<?sphp $this->text('pagetitle') ?>
 
Home of the Squeezebox™ & Transporter® network music players.

Connecting remotely

From SqueezeboxWiki

Revision as of 09:11, 19 October 2017 by Mavit (Talk | contribs)
(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)
Jump to: navigation, search

NOTE: exposing your Logitech Music Server to the internet is a bad idea. This page is left here for reference. But we strongly suggest you don't do this. Use a VPN if you want to access your music from the outside.

If you have SlimServer running on a computer at your home, but wish to connect to it over the internet, you can do this by adding some port forwarding options on your router.

  • First, configure your router to forward two ports to the server's IP address: 3483 and 9000
  • Find out what the outside IP address of your router is. The quick way to do this is to go to http://www.whatismyip.com/ from a web browser inside your router
  • You can also connect a Squeezebox remotely to the router's outside IP address, or install and run SoftSqueeze from the web interface, remotely.
  • If your outside IP address is subject to random change by your ISP, and you don't want to have to keep working out what it is today, you can get yourself a free network name which is mapped onto your IP address (automatically updated, if you get it set up correctly). Start here: http://www.dyndns.com/
  • Please note that there are security issues inherent in opening up your system to outside access and you should take steps to secure access. This can be done by restricting access to the relevant ports either in your router firewall settings or by whitelisting your LAN, players and remote computer IP using Server Settings/Security and blocking all other incoming connections. However, the best way to secure the connection is by using a SSH tunnel or VPN connection as described below.

Contents

HTTPS/SSL Tunnelling

This is a more advanced solution, and not one for the beginner. It can only be attempted in situations where you have good control of your home network and your Internet connection. This approach has security risks associated with it, which you should understand fully before attempting to use it. That said, it's probably a better solution than opening up port 9000 on your server (as described above).

  • First, setup an Apache (or possibly IIS) web server on a machine on your home network. Ideally, this will be the same machine as Squeezecenter, although does not have to be.
  • Configure SSL for your web server so that https://yourserver/ responds correctly. You will need to generate an SSL certificate for this to work. In most cases this can be a self-signed certificate, or otherwise buy one from a certificate provider.
  • Configure a proxy to run on your web server. This must proxy all requests to "/" on your server to http://yourserver:9000/.
  • Optionally (but most recommended) protect your site with Basic HTTP Authentication. This will cause your browser to prompt for a username and password in order to access the SSL proxy service. Basic Authentication does not have any protection for brute force password guessing, so ensure the username and password you use is different from any other on your system.

Note: Users of the old Slimserver software may be expecting that they can tunnel /slimserver/ or /squeezecenter/, and so would not have to run an entire virtual host for Squeezecenter. At time of writing, versions 7.3.2 and earlier did not support this feature.

An example Apache configuration for this might be:

<VirtualHost *:443>
 ServerName yourserver.com
 ServerAdmin you@your.address
 
 # Turn on SSL
 SSLEngine on
 SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
 SSLCertificateFile /etc/httpd/conf/ssl.crt/server.crt
 SSLCertificateKeyFile /etc/httpd/conf/ssl.crt/server.key
 
 # Configure the proxy
 ProxyRequests off
 RequestHeader edit Host (:\d+)?$ :443
 ProxyPreserveHost On
 ProxyPass / http://127.0.0.1:9000/ nocanon
 ProxyPassReverse / http://127.0.0.1:9000/
 AllowEncodedSlashes NoDecode
 
 # Turn on Basic Authentication
 <Location />
  AuthType Basic
  AuthName "Squeezecenter"
  AuthUserFile /etc/httpd/conf/passwd
  Require valid-user
 </Location>
</VirtualHost>

Within your home network

If you have SlimServer running on a computer at your home and you wish to connect to it using a different PC on your home network. Point your browser to the following

Your slim server PC IP address + add port 9000. It would look like this 192.1.4.100:9000.

Restrictive Internet Service Provider

If your ISP disallows offering services to the world, which applies to pretty much any provider in Germany, for example, you can still connect to your local SlimServer provided the ISP accepts that you run an ssh server for remote administration.

  • Configure your router to forward the SSH port (22) to your server's IP address.
  • Configure your slimserver to accept connections from the server IP address in the local net. Let's assume your slimserver has the IP 192.168.0.1
  • Register with http://dyndns.org/ (see above).
  • Do a port-forward using ssh. Let's assume you have the host name example-name.dyndns.org and your user name on the slimserver is 'slimuser'.
    • If your client is Linux, you already have ssh. This should work (You will be asked for slimuser's password):
      ssh -L9000:192.168.0.1:9000 -C slimuser@example-name.dyndns.org
    • If your client is Windows, you can get the PuTTY client for free at http://www.chiark.greenend.org.uk/%7Esgtatham/putty/download.html.
      • Fire up your putty.exe,
      • enter the dyndns address (example-name.dyndns.org) as the host name,
      • go to the port forwarding options in the menu on the left,
      • add a local forwarded port from port 9000 to port 9000 on 192.168.0.1.
      • Go back to the basic setup page and save the configuration so you do not need to redo this next time.
      • Connect, enter your user name and password.
  • SSH Tunneling: On Debian-based (and perhaps other Linux ssh installations), you must edit the sshd conf to "enable tunnelled clear text passwords"
# Change to yes to enable tunnelled clear text passwords
PasswordAuthentication yes

See also