Why do you need a VPN application for IoT?
In many cases you want secure remote access through a VPN (virtual private network) to embedded devices that sit behind a firewall. The qbee device management solution has a fully integrated VPN. It consists of the agent on the device, the cloud backend and the desktop VPN application, which is called qbee-connect. Remote access can be turned on and off dynamically, if needed or required by a client. You can therefore immediately do a POC at a remote site or debug devices through ssh or a file browser if necessary. Overall, the VPN will very quickly become part of your development workflow. In production it can be turned off. However, if a device has a problem you can turn it on again and inspect that specific device easily through ssh or any other service through the VPN.
What is it?
qbee-connect is a desktop VPN application available for
MacOS. It can be downloaded from within your qbee web portal under "qbee packages". This virtual private network application connects to the qbee.io cloud infrastructure and acts as a secure termination end-point for any port or any service on any of the remote devices in the system. Technically all data is routed through the built-in secure VPN from the remote device to your local desktop.
qbee-connect maps any remote port to a defined port on localhost (127.0.0.1) on the local system. This way users can get access to remote devices regardless of whether this is an ssh shell connection, a web server, VNC or any other application. This works across firewalls, NATs, mobile networks and complex network infrastructures because it uses the secure qbee VPN.
qbee-connect maps remote end-point ports and services to localhost
qbee-connect maps remote ports and services (that do not need to be accessible from the outside) to a specified port on localhost.
This way a user can access the remote device across complex network topologies within his browser on the specified port (e.g.
This works with any application no matter if this is ssh, http, https or any other protocol.
It is possible to maintain many parallel VPN connections at the same time. The new auto-connect function can also connect them automatically (see more below).
Working with remote files and directories
With qbee-connect it is very easy to work with files and directories on remote devices through the VPN application. Please have a look at the following methods and select the one that best fits your workflow. All these methods work for
Installation of the VPN application
Please download the qbee-connect package within the qbee web application. The packages are available under "qbee packages". You will be notified if there is a new version.
Define default ssh user
From version 1.2.0 there is a function to change the default ssh user. Please locate the
qbee-connect.json file in your user directory under
qbee on Windows. If it does not exist, just check and uncheck either "reconnect" or "auto-connect"; the file is then written. In this file you will find the line:
"default_ssh_user": "root",
Just replace "root" with your default user.
qbee-connect desktop VPN application
After installation the user credentials have to be entered into qbee-connect. It then securely connects to qbee.io and shows the same tree structure that is created in qbee.
Not all users have remote access enabled!
Remote access can be granted by any administrator for any user of qbee. This is defined in the user part of settings. If a user has remote access, any remote access attempts will be logged, giving an effective overview of who has been on different devices.
Any device can be selected in the tree on the left. On the right-hand side, different ports can be selected that will be made available locally. In the displayed example this is ssh with port 22 and a custom port on 1880 (this is a Node-RED server running on the local device).
When the connect button is pressed the connection is established.
qbee-connect will map the remote ports to random (available) ports on localhost. The mapped port is remembered, i.e. the next time you connect to the remote port you will obtain the same mapped port. Therefore, you don't have to change your configuration in any external tools using the mapped port (e.g. a VNC client).
For an ssh mapping the complete command can be copied. The ssh username can be specified under "Default user name" and is included in the command. Paste the command into a regular local terminal, and you can use ssh as usual.
Other applications, such as web applications running on an http or https server, can be opened in a browser by entering localhost and the respective port, such as 127.0.0.1:65446. In the example below we are connecting to a remote Node-RED instance on port 57412. This gives us full local Node-RED functionality in our browser through the Linux VPN.
Just copy the assigned port number (see copy button behind respective line) and start a web browser. Then localhost:port_number will give you the remote web server in your local browser with full functionality.
"Connected devices" tab
qbee-connect is capable of handling a large number of concurrent connections at the same time. So it is possible to get information and access to many different web servers on many different devices. The second tab in the qbee-connect tool shows all active connections along with the information of which ports are mapped to which local port. Just connect any end-point you want to access remotely.
[Screenshots: multiple connected devices; port list expanded]
Each device can be separately disconnected and a new device can be included from the first tab.
Behavior after sleep
Since version 1.0.1 qbee-connect has some additional menu items. Current connections can be refreshed and it is also possible to disconnect all connections. As a beta feature we offer the option to connect devices again automatically when coming out of sleep. If you check the box, all connections are re-established when the machine wakes up again. By default all connections are closed after a sleep event.
"Auto connect" feature
qbee-connect has the capability to automatically connect to a set of user-defined ports for multiple devices either by pressing the button or on start-up of the application if the box is checked.
The configuration is done in the web UI under remote console. There is a tab "qbee-connect" with the sub-tabs "Connect to Port" and "Port Settings". Select the devices you want to work with in the left tree and define which remote port you want to map.
Then, on the "Connect to Port" tab you will find an overview of the already added ports. If qbee-connect is connected to the auto connect ports, then you can launch your remote service from within the UI.
In this example we have a Grafana service running on the remote port 3000. When launching from the UI this service opens in a new tab.
As you can see the address corresponds to the mapped port 46563 on
SSH Port forwarding of a remote device port within the same network
In this relay example we show how a web server running on a remote device (see Machine 1 in the diagram below) within the same network as a qbee device can be forwarded to a local machine using ssh.
Since version 1.1.0 qbee-connect is capable of doing this out of the box. To be able to forward port 80 of Machine 1 we need to:
- make sure that this port can be accessed through the local network by your qbee device (potentially adjust the firewall settings on Machine 1)
- distribute our public ssh-key to the qbee device for the ssh user (e.g. pi in case of a Raspberry Pi)
In qbee-connect we connect to our qbee device (which is RPI3 in the image below) on the ssh port (here 22). Expand the "Advanced settings" section and fill in the connection information as seen below:
Now we can connect to the remote webserver via localhost:8080 in our browser.
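The same relay expressed as a plain OpenSSH local forward over the mapped ssh port, as an added example (not qbee's own code and not a description of what qbee-connect runs internally). The mapped port 50022 and Machine 1's address 192.168.1.20 are constructed placeholders; `pi`, `RPI3`, port 80 and port 8080 are taken from the steps above.

```shell
#!/bin/sh
# Added example: plain OpenSSH equivalent of the relay. Constructed placeholders:
# 50022 (local port qbee-connect mapped to the device's ssh port 22) and
# 192.168.1.20 (Machine 1's LAN address).

# is_port N: succeeds only for an integer in 1..65535
is_port() {
    case "$1" in
        ''|*[!0-9]*|??????*) return 1 ;;
    esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# build_relay_cmd MAPPED_SSH_PORT SSH_USER TARGET_HOST TARGET_PORT LOCAL_PORT DEVICE_NAME
# Prints the ssh command; returns 2 on input that should never reach a command line.
build_relay_cmd() {
    mapped=$1; user=$2; target=$3; tport=$4; lport=$5; device=$6
    if ! is_port "$mapped" || ! is_port "$tport" || ! is_port "$lport"; then
        echo "invalid port" >&2; return 2
    fi
    case "$user" in
        ''|-*|*[!A-Za-z0-9._-]*) echo "invalid ssh user" >&2; return 2 ;;
    esac
    case "$target" in
        ''|*[!A-Za-z0-9.-]*) echo "invalid target host" >&2; return 2 ;;
    esac
    case "$device" in
        ''|*[!A-Za-z0-9._-]*) echo "invalid device name" >&2; return 2 ;;
    esac
    # -N                      forward only, no remote shell
    # ExitOnForwardFailure    abort if the local port is already taken
    # HostKeyAlias            store/verify the host key per device, not per "127.0.0.1"
    # -L 127.0.0.1:...        bind the relay to loopback only
    printf 'ssh -N -p %s -o ExitOnForwardFailure=yes -o HostKeyAlias=%s -L 127.0.0.1:%s:%s:%s %s@127.0.0.1\n' \
        "$mapped" "$device" "$lport" "$target" "$tport" "$user"
}

# Port 80 on Machine 1, reached via qbee device RPI3 as user pi, served on localhost:8080
build_relay_cmd 50022 pi 192.168.1.20 80 8080 rpi3
```

Because every device is reached through 127.0.0.1, the per-device `HostKeyAlias` is what keeps host key verification tied to the device rather than to the loopback address.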
Example - VNC through the VPN
Here is another example connecting through RealVNC on port 5900 to get full bidirectional VNC access to a remote device across a firewall with the possibility to control the device with mouse and even upload files. This also works through the qbee-connect Linux VPN application. For more information please visit the VNC use case.