
Exactly, I have tons of IoT devices. I put them on a separate subnet that does not have a gateway to the internet, then I VPN into that network to access them. Perhaps a product that makes that a simple process will solve the problem?


We partly do that at Wormhole. I say partly because you still have to be able to access one of our addresses. Port of last resort is 443/TCP, so it works on lots of tricky networks out there.

The idea is that all your IoT stuff establishes a connection to this server, creating an encrypted network between them. You then add your control servers to that network and job done. Your devices don't need any inbound access to talk to each other. All the connections are outbound, so no ports to open on your firewall and no risk.

You could do this by yourself, but we take that hassle out of your hands. Happy to help with custom deployments too outside our main service; it's a great way of learning our customers' needs.

It's hard, though, to have your exact setup as a service; it implies incoming VPN connections to the site where you deploy your IoT and a VPN server of sorts.

Our main focus was remote teams and devs having to use remote servers; however, IoT might be a killer use here.

https://wormhole.network
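To make the two setups discussed above concrete (the isolated IoT subnet with VPN-only access from the first comment, and the outbound-only connection to a relay from this one), here is an added example that is not code from the thread or from Wormhole. It evaluates constructed flow-log lines against that policy: the IoT LAN, the VPN client range, and the relay endpoint (203.0.113.10, TCP/443) are all placeholder values chosen for the example.

```python
import ipaddress
import re
from dataclasses import dataclass

# Constructed address plan for this example (not from the thread):
IOT_NET = ipaddress.ip_network("10.20.0.0/24")     # IoT LAN, no default gateway
VPN_NET = ipaddress.ip_network("10.99.0.0/24")     # addresses handed to VPN clients
RELAY_HOST = ipaddress.ip_address("203.0.113.10")  # placeholder relay endpoint
RELAY_PORT = 443                                   # "port of last resort": 443/TCP


@dataclass(frozen=True)
class Flow:
    src: ipaddress.IPv4Address
    dst: ipaddress.IPv4Address
    dport: int
    proto: str


FLOW_RE = re.compile(r"src=(\S+) dst=(\S+) proto=(\w+) dport=(\d+)")


def parse_flow(line: str) -> Flow:
    """Parse one constructed flow-log line of the form
    'src=A dst=B proto=P dport=N'. Raises ValueError on malformed input."""
    m = FLOW_RE.search(line)
    if not m:
        raise ValueError(f"unrecognised flow line: {line!r}")
    return Flow(ipaddress.ip_address(m[1]), ipaddress.ip_address(m[2]),
                int(m[4]), m[3].lower())


def decide(flow: Flow) -> str:
    """Return 'allow' or 'deny' for a flow under the isolated-subnet policy."""
    if flow.src in VPN_NET and flow.dst in IOT_NET:
        return "allow"          # the operator reaches devices only via the VPN
    if flow.src in IOT_NET and flow.dst in IOT_NET:
        return "allow"          # devices may talk among themselves on the segment
    if (flow.src in IOT_NET and flow.proto == "tcp"
            and flow.dst == RELAY_HOST and flow.dport == RELAY_PORT):
        return "allow"          # the single outbound path: TCP/443 to the relay
    return "deny"               # everything else: no WAN egress, no inbound


def audit(lines):
    """Evaluate each flow line; return a list of (line, decision) pairs."""
    return [(line, decide(parse_flow(line))) for line in lines]


def denied(lines):
    """Only the flows the policy blocks; these are what you would alert on."""
    return [line for line, verdict in audit(lines) if verdict == "deny"]


SAMPLE_FLOWS = [  # constructed flow records
    "src=10.99.0.7 dst=10.20.0.15 proto=tcp dport=22",      # VPN user -> device
    "src=10.20.0.15 dst=203.0.113.10 proto=tcp dport=443",  # device -> relay
    "src=10.20.0.15 dst=8.8.8.8 proto=udp dport=53",        # device -> internet
    "src=198.51.100.4 dst=10.20.0.15 proto=tcp dport=80",   # internet -> device
    "src=10.20.0.15 dst=10.20.0.16 proto=udp dport=5353",   # device -> device
]

if __name__ == "__main__":
    for line, verdict in audit(SAMPLE_FLOWS):
        print(f"{verdict:5} {line}")
```

The third and fourth sample flows are the ones a subnet without a gateway never carries; if they ever show up in real flow logs, something on the segment has found another route and is worth a look.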


Interesting, I have a few thoughts. Perhaps you could sell a preconfigured pfSense box (or make a Raspberry Pi image to start with) that, when plugged into the customer's router, creates a reverse tunnel via your service as well as a WiFi hotspot. Then offer the user a very simple firewall control panel and they can choose what devices to allow to the open internet and what to keep private and accessible via some sort of authenticated channel. Thus devices that contain sensitive data or require enhanced security (cameras, private network attached storage devices, home automation) and devices that require internet access (Amazon Echo) can both be served by the service.

Very nice service by the way. I have used ngrok in the past and found it invaluable for a few odd applications. I'll give it a try in future.


Hi!

Thank you for the feedback and the suggestion. It is a good idea, actually. I'm considering new features in the roadmap, because at the moment I don't even offer Internet access through my system; it's just a private LAN (I'm not competing with the myriad of privacy-minded browsing VPNs out there). Adding a manageable Internet Gateway could be a nice option.

Developing and deploying a software+hardware piece would be very interesting too, so there's no need to deploy agents on the remote servers or IoT devices (on most of them you probably can't) and I take the hassle out of my customers' hands to set up e.g. a Linux gateway to route traffic through the tunnel.


A flexible gateway would be a great add-on; I also like a private DNS server while developing. If you offered a Postfix forwarder and static, clean IP addresses, you could attract home users who wish to host their own email but are behind dynamic residential connections (like me; I use a DigitalOcean droplet currently for that purpose).


Thank you again, your feedback is great!


FWIW, I would definitely be interested in paying for a service like this. I'm technical enough to care about this, but not technical enough to solve it myself. Similar to where I was before Dropbox.


My comment here might be relevant to your interests: https://news.ycombinator.com/item?id=12765051

It could suit your needs or we can help with custom deployments. In any case I'd like to learn more about your needs and your expectations. Can I drop you an email?


Totally, it's in my profile.


I've been thinking about how you'd design a UI for that that was easy to use. Maybe a separate WiFi network that IoT devices go onto, and then a web app that knows devices with XYZ MAC are LIFX bulbs and shouldn't be able to talk to the smart TV, but that phones on the network should be able to jump the subnet and talk to the bulbs.


You can make it semi-automated in a way. I believe the first 6 characters of the MAC address are the vendor ID; I'd get the DHCP server to assign different vendors into different isolated VLANs, but with short leases at first, and then allow you to merge them, assign permissions and move them around. Call it "learning mode". It won't be perfect, but you can also augment it with human-created presets.
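The "learning mode" sketched above, together with the per-device internet allow/deny panel suggested earlier in the thread, as an added example (not code from the thread): it keys the initial VLAN on the first three octets of the MAC (the 24-bit OUI, i.e. the first six hex characters), hands unknown devices a quarantine VLAN with a short lease, and lets operator overrides reclassify a device or grant it egress. The OUI table, VLAN numbers, lease lengths and the dhcpd-style log lines are all constructed for this example; the prefixes are not real vendor assignments.

```python
import re
from dataclasses import dataclass

# Constructed OUI table and VLAN plan (illustrative; not real vendor prefixes)
OUI_CLASS = {
    "00:11:22": "bulb",
    "aa:bb:cc": "camera",
    "de:ad:be": "phone",
    "ca:fe:00": "assistant",
}
CLASS_VLAN = {"bulb": 20, "camera": 30, "assistant": 40, "phone": 10}
QUARANTINE_VLAN = 99                                 # unknown vendors land here
CLASS_INTERNET = {"assistant": True, "phone": True}  # everything else: no egress
LONG_LEASE = 86400                                   # seconds, once classified
SHORT_LEASE = 300                                    # seconds, while still learning


def normalize_mac(mac: str) -> str:
    """Accept 'aa:bb:cc:dd:ee:ff', 'AA-BB-CC-DD-EE-FF' or 'aabb.ccdd.eeff'
    and return the lower-case colon form; reject anything else."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def oui(mac: str) -> str:
    """First three octets of the MAC: the vendor prefix (OUI)."""
    return normalize_mac(mac)[:8]


@dataclass
class Assignment:
    mac: str
    device_class: str
    vlan: int
    internet: bool
    lease_seconds: int


def assign(mac: str, overrides=None) -> Assignment:
    """Classify a device by OUI, then apply operator overrides (the "control
    panel"): overrides maps a MAC to any of {'class', 'vlan', 'internet'}."""
    mac = normalize_mac(mac)
    ov = (overrides or {}).get(mac, {})
    cls = ov.get("class", OUI_CLASS.get(oui(mac), "unknown"))
    vlan = ov.get("vlan", CLASS_VLAN.get(cls, QUARANTINE_VLAN))
    internet = ov.get("internet", CLASS_INTERNET.get(cls, False))
    # A device the operator has touched, or whose vendor we know, gets a
    # normal lease; anything still unclassified stays on a short lease.
    lease = LONG_LEASE if (cls in CLASS_VLAN or ov) else SHORT_LEASE
    return Assignment(mac, cls, vlan, internet, lease)


DHCP_RE = re.compile(r"DHCPDISCOVER from ([0-9a-fA-F:-]{17})")


def learn_from_dhcp(lines, overrides=None):
    """Learning step: run over DHCP discover lines (constructed here, in the
    style of a dhcpd syslog) and return one Assignment per distinct MAC."""
    seen = {}
    for line in lines:
        m = DHCP_RE.search(line)
        if m:
            a = assign(m[1], overrides)
            seen[a.mac] = a
    return seen


SAMPLE_DHCP = [  # constructed log lines
    "Oct  1 12:00:01 gw dhcpd: DHCPDISCOVER from 00:11:22:33:44:55 via eth1",
    "Oct  1 12:00:02 gw dhcpd: DHCPDISCOVER from aa:bb:cc:01:02:03 via eth1",
    "Oct  1 12:00:03 gw dhcpd: DHCPDISCOVER from 12:34:56:78:9a:bc via eth1",
    "Oct  1 12:00:04 gw dhcpd: DHCPREQUEST for 10.20.0.15 from 00:11:22:33:44:55 via eth1",
]

if __name__ == "__main__":
    # Operator later decides the unknown device is a camera (constructed override)
    panel = {"12:34:56:78:9a:bc": {"class": "camera"}}
    for a in learn_from_dhcp(SAMPLE_DHCP, panel).values():
        print(a)
```

The OUI only says who made the interface, not what the device is, which is why the short lease and the override path matter: the first guess is cheap to correct, and a device that keeps showing up as "unknown" is the one to look at.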


The problem with any solution is getting it used widely enough to make a difference. We seem to have an unlimited predilection for making the same mistakes repeatedly, even though we could avoid them.

