Security Considerations for External Access
Our cloud logging dashboard connects to home automation controllers that expose a plain TCP socket.
In many setups, the controller is made reachable from the internet via TCP port forwarding on the router.
While this approach is simple, it introduces important security risks that you should carefully evaluate and mitigate.
Risks of Direct TCP Port Forwarding
When you expose your controller to the internet using plain TCP port forwarding:
- The controller’s TCP port becomes publicly reachable from anywhere on the internet.
- Attackers can scan your public IP and probe the open port.
- If the controller uses no encryption and weak or no authentication, traffic may be:
  - Intercepted (sniffed)
  - Manipulated (tampered with)
  - Used to trigger unauthorized commands on the controller
For this reason, we strongly recommend restricting access and, where possible, avoiding direct exposure of your controller to the public internet.
Recommendation 1 – Restrict Access with Firewall Rules
If you must use port forwarding, always restrict who can reach the forwarded port.
Configure a firewall rule on the network where the controller resides so that the mapped port is accessible only from a specific allowlist of external IP addresses.
At minimum, allow only our cloud logging backend:
85.215.237.42
This ensures that:
- The forwarded port is not open to the entire internet.
- Only our logging service can reach the controller’s TCP socket.
- Port scans and random attacks from unknown hosts are significantly reduced.
After configuring the firewall rule, test connectivity from our service and verify that the port is not reachable from arbitrary external hosts (for example, by attempting a connection from another public network).
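One way to confirm that the allowlist is actually enforced is to audit the router's forwarded-port log. The following is an added example, not part of this page or our service; it assumes the router forwards a constructed public port 3001 and logs forwarded packets in the iptables LOG format with the assumed prefixes FWD-ACCEPT and FWD-DROP.

```python
import re
from ipaddress import ip_address, ip_network

# Assumptions for this example: the router forwards public TCP port 3001 (a
# constructed value) to the controller and logs forwarded packets in the
# iptables LOG format with the prefixes FWD-ACCEPT / FWD-DROP (also assumed).
FORWARDED_PORT = 3001
ALLOWLIST = [ip_network("85.215.237.42/32")]  # the cloud logging backend

# Constructed log excerpt; the 198.51.100.7 line is what an unenforced
# allowlist looks like, the 203.0.113.9 line is what a correct one looks like.
SAMPLE_LOG = """\
Jan 12 10:01:03 router kernel: FWD-ACCEPT IN=eth0 OUT=br0 SRC=85.215.237.42 DST=192.168.1.100 PROTO=TCP SPT=51234 DPT=3001
Jan 12 10:02:17 router kernel: FWD-ACCEPT IN=eth0 OUT=br0 SRC=198.51.100.7 DST=192.168.1.100 PROTO=TCP SPT=40022 DPT=3001
Jan 12 10:02:18 router kernel: FWD-DROP IN=eth0 OUT=br0 SRC=203.0.113.9 DST=192.168.1.100 PROTO=TCP SPT=44444 DPT=3001
Jan 12 10:03:00 router kernel: FWD-ACCEPT IN=eth0 OUT=br0 SRC=203.0.113.10 DST=192.168.1.100 PROTO=TCP SPT=40001 DPT=22
"""

LINE_RE = re.compile(
    r"kernel: (?P<verdict>FWD-\w+) .*?SRC=(?P<src>[\d.]+) .*?PROTO=(?P<proto>\w+) .*?DPT=(?P<dpt>\d+)")

def parse_line(line):
    """Return (verdict, source IP, protocol, destination port), or None for non-matching lines."""
    m = LINE_RE.search(line)
    if not m:
        return None
    return m["verdict"], ip_address(m["src"]), m["proto"], int(m["dpt"])

def is_allowlisted(src, allowlist=ALLOWLIST):
    return any(src in net for net in allowlist)

def audit(log_text, port=FORWARDED_PORT, allowlist=ALLOWLIST):
    """Audit traffic to the forwarded port: return (accepted sources outside the
    allowlist, number of dropped attempts). The list must be empty if the
    firewall rule from Recommendation 1 is doing its job."""
    violations, dropped = [], 0
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec[2] != "TCP" or rec[3] != port:
            continue  # other ports or unparseable lines are out of scope
        verdict, src = rec[0], rec[1]
        if verdict == "FWD-ACCEPT" and not is_allowlisted(src, allowlist):
            violations.append(str(src))
        elif verdict == "FWD-DROP":
            dropped += 1
    return violations, dropped
```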
Recommendation 2 – Use the VPN Tunnel
Instead of exposing a plain TCP socket on the internet via port forwarding, you can substantially reduce these risks by using our VPN Tunnel solution.
The VPN Tunnel is based on WireGuard and creates a secure, encrypted channel between:
- LOGether Cloud
- the LOGether VPN network
- a local VPN client running in the same LAN as your Vantage controller
In this model, the controller is no longer directly reachable from the public internet. Only the VPN endpoint is exposed, and all traffic between LOGether Cloud and your controller travels inside an encrypted, authenticated tunnel.
Benefits of the VPN Tunnel
Using the WireGuard-based VPN Tunnel offers several advantages over plain TCP port forwarding:
- No direct exposure of the controller
  - The controller is not directly reachable from the internet; only the VPN endpoint is.
- Encrypted communication
  - All traffic between LOGether Cloud and your network is encrypted using modern cryptography.
- Strong authentication
  - Only devices with valid WireGuard keys can join the VPN and reach the controller.
- Reduced attack surface
  - Port scans and random attacks on the controller’s TCP port are effectively eliminated.
- Stable addressing
  - The controller can be reached through a stable VPN IP, even if your public IP changes (depending on your network setup).
Our Service: WireGuard Configuration on Request
We offer the possibility to generate and provide a WireGuard configuration file for your local VPN client.
This is an on-demand service.
You can request this service through our pricing page:
Request VPN Tunnel configuration
Important: Our service is limited to generating and delivering the WireGuard configuration file.
We do not perform any installation, deployment, or validation on your local systems.
Recommended Deployment: Local Linux VPN Client
We recommend running the VPN client on a Linux machine located in the same local network as the Vantage controller, for example:
- A small Linux PC or mini-PC
- A single-board computer such as a Raspberry Pi
This device will:
- Act as the WireGuard VPN client for the LOGether VPN network.
- Route traffic from LOGether Cloud through the VPN to the local Vantage controller.
- Apply the required firewall and NAT rules on your local network.
You are fully responsible for:
- Installing and maintaining the Linux system
- Installing WireGuard and required dependencies
- Applying firewall/NAT rules
- Ensuring that routing works as expected in your environment
Scope of Our Responsibility
To avoid misunderstandings, please note the limitations of our responsibility:
- We only provide:
  - A WireGuard configuration file with predefined VPN parameters (IP addressing, DNS, peer settings, etc.).
- We do not:
  - Access your systems or network
  - Install, configure, or update WireGuard on your devices
  - Apply or test firewall, iptables, or routing rules on the local peer
  - Guarantee that your local network configuration is correct or secure
All activities required to apply the configuration on the local peer (Linux system, router, firewall, etc.) are the sole responsibility of the user or their network administrator.
Example WireGuard Configuration File
Below is an example of the WireGuard configuration file we may provide.
For security reasons, keys are redacted in this example.
You will be responsible for setting the values of the following placeholders:
- <WIREGUARD_INTERFACE_NAME> – the name of your WireGuard interface (e.g. wg0)
- <VANTAGE_CONTROLLER_IP> – the LAN IP address of your Vantage controller (e.g. 192.168.1.100)
- <LAN_INTERFACE_NAME> – the name of the LAN network interface on the VPN client (e.g. eth0)
[Interface]
Address = 10.123.123.254/32
PrivateKey = <REDACTED_PRIVATE_KEY>
MTU = 1420
DNS = 10.123.123.1
PostUp = iptables -t nat -A PREROUTING -i <WIREGUARD_INTERFACE_NAME> -j DNAT --to-destination <VANTAGE_CONTROLLER_IP>
PostUp = iptables -A FORWARD -i <WIREGUARD_INTERFACE_NAME> -d <VANTAGE_CONTROLLER_IP> -j ACCEPT
PostUp = iptables -A FORWARD -s <VANTAGE_CONTROLLER_IP> -o <WIREGUARD_INTERFACE_NAME> -j ACCEPT
PostUp = iptables -t nat -A POSTROUTING -o <LAN_INTERFACE_NAME> -j MASQUERADE
PostDown = iptables -t nat -D PREROUTING -i <WIREGUARD_INTERFACE_NAME> -j DNAT --to-destination <VANTAGE_CONTROLLER_IP>
PostDown = iptables -D FORWARD -i <WIREGUARD_INTERFACE_NAME> -d <VANTAGE_CONTROLLER_IP> -j ACCEPT
PostDown = iptables -D FORWARD -s <VANTAGE_CONTROLLER_IP> -o <WIREGUARD_INTERFACE_NAME> -j ACCEPT
PostDown = iptables -t nat -D POSTROUTING -o <LAN_INTERFACE_NAME> -j MASQUERADE
[Peer]
PublicKey = <REDACTED_PUBLIC_KEY>
AllowedIPs = 10.123.123.0/24
Endpoint = 82.165.165.137:12345
PersistentKeepalive = 20
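Before running the file with wg-quick, it is worth checking it for the mistakes that most often go wrong with this layout: placeholders left unfilled, a PostUp rule without its PostDown counterpart (which leaves DNAT and FORWARD rules behind after the tunnel goes down), and a peer Endpoint that falls inside AllowedIPs. The checker below is an added example, not part of our service or the configuration we deliver; its sample file is a constructed copy of the configuration above with the placeholders filled using made-up values (wg0, 192.168.1.100, eth0) and the keys still redacted.

```python
import re
from ipaddress import ip_address, ip_network

# Constructed copy of the example file above (placeholders filled with the
# made-up values wg0, 192.168.1.100 and eth0; keys stay redacted).
SAMPLE_CONF = """[Interface]
Address = 10.123.123.254/32
PrivateKey = <REDACTED_PRIVATE_KEY>
PostUp = iptables -t nat -A PREROUTING -i wg0 -j DNAT --to-destination 192.168.1.100
PostUp = iptables -A FORWARD -i wg0 -d 192.168.1.100 -j ACCEPT
PostUp = iptables -A FORWARD -s 192.168.1.100 -o wg0 -j ACCEPT
PostUp = iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
PostDown = iptables -t nat -D PREROUTING -i wg0 -j DNAT --to-destination 192.168.1.100
PostDown = iptables -D FORWARD -i wg0 -d 192.168.1.100 -j ACCEPT
PostDown = iptables -D FORWARD -s 192.168.1.100 -o wg0 -j ACCEPT
PostDown = iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE
[Peer]
PublicKey = <REDACTED_PUBLIC_KEY>
AllowedIPs = 10.123.123.0/24
Endpoint = 82.165.165.137:12345
"""

def parse_wg(text):
    """Parse a WireGuard .conf into {section: [(key, value), ...]}; lists keep repeated PostUp/PostDown."""
    sections, current = {}, None
    for line in (l.split("#", 1)[0].strip() for l in text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            current = sections.setdefault(line[1:-1], [])
        elif "=" in line and current is not None:
            key, value = (s.strip() for s in line.split("=", 1))
            current.append((key, value))
    return sections

def lint_wg(text):
    """Return a list of findings to fix before `wg-quick up` is attempted."""
    cfg = parse_wg(text)
    iface, peer = cfg.get("Interface", []), cfg.get("Peer", [])
    findings = [f"unfilled placeholder {m}" for m in re.findall(r"<[A-Z_]+>", text)]
    # Each PostUp append (-A) needs the matching PostDown delete (-D); otherwise
    # bringing the tunnel down leaves the DNAT/FORWARD rules active on the host.
    ups = {v.replace(" -A ", " -D ", 1) for k, v in iface if k == "PostUp"}
    downs = {v for k, v in iface if k == "PostDown"}
    findings += [f"no PostDown for: {u}" for u in sorted(ups - downs)]
    # The peer's public Endpoint must not lie inside AllowedIPs, or the handshake
    # packets themselves would be routed into the tunnel they are meant to set up.
    allowed = [ip_network(n.strip()) for k, v in peer if k == "AllowedIPs" for n in v.split(",")]
    for k, v in peer:
        if k == "Endpoint" and any(ip_address(v.rsplit(":", 1)[0].strip("[]")) in n for n in allowed):
            findings.append(f"Endpoint {v} lies inside AllowedIPs")
    return findings
```

The PostUp rules only forward packets if IP forwarding is enabled on the client (net.ipv4.ip_forward=1), which this checker does not verify.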