Fullscreen HTML5Med Res (??MB)HTML4

Using your Raspberry Pi with a smart-phone as a WiFi-controlled switch Bake your Raspberry Pi with a smartphone and a relay board to open or close your garage door remotely By Greg Swain & Nicholas Vinen Ever driven 1km down the road and wondered if you had closed the garage door? Well, by installing a WiFi camera and an app on your smartphone, you can easily check the door’s status. Add an RPi computer that’s coupled to a garage-door remote and you can also use the phone to open or close the door via a web browser. W E’VE ALL done it – driven off and then couldn’t remember whether or not the garage door had been closed. Fortunately, a mix of technology makes it easy to remedy that situation. The ingredients are simple: take one IP camera to monitor the garage, add a spare garage remote, mix in your smart-phone and bake them all with a $60 Raspberry Pi (RPi) computer and a 3-way relay board. Once it’s all done, you can use the smart-phone (or a PC) to “see” inside your garage and control up to three doors by “pressing” virtual buttons on a web page served up by the RPi When you press a web-page button, the RPi momentarily sends one of its I/O pins high to pulse a relay on. The relay’s NO (normally open) contacts are wired 74  Silicon Chip across one of the remote’s switches. When they close, this simulates a button press and the garage door opens or closes accordingly. If you have more than one door, it’s just a matter of wiring another set of relay contacts acoss the relevant button on the remote. This set-up can not only remotely close a garage door if you’ve accidentally left it open but is also useful if you want to give someone access to the garage when you’re not at home; eg, to have building materials delivered. It also lets you gain access to the garage if you’ve accidentally left your garage remote at work or lost it. In summary then, the RPi has two functions: (1) it serves up the web page with the garage door control buttons; and (2) it briefly pulses the garage-door remote via the relay board. The separate camera app on your phone siliconchip.com.au The web page served up by the RPi has nine control buttons – three to pulse the relays on for 0.5s, three to toggle them on and three to turn them off. simply lets you check the garage door status. As shown in the photos, the web page served up by the RPi has nine control buttons, three for each relay. In each case, the “pulse output x” button pulses the associated relay on for half a second (0.5s), while the “output on x” and “output off x” buttons respectively toggle the relay on and off. So as well as briefly pulsing the relays on, you can also toggle them on or off to switch low-voltage devices. RPi relay board The Waveshare RPi Relay Board used here supports the Raspberry Pi A+, B+, 2B and 3B models. It has three relays and plugs directly into the RPi’s 40-pin I/O header. In operation, the relays are driven via optocouplers, while their contacts are brought out to 3-way screw terminal blocks. Separate on-board status LEDs are used to indicate whether each relay is on or off. By default, the relays are controlled by pins 37, 38 & 40 on the RPi’s I/O header, as selected by three jumpers. These jumpers can be removed so that other I/O pins on the header can be linked across to control the relays if that suits your particular application. Supplied with the relay board are two M2.5 x 16mm metal stand-offs (plus screws & nuts). As shown in the photos, these are used to support one side of the relay board (ie, the side opposite the header) when it is plugged into the RPi. Raspberry Pi set-up Any RPi computer with a 40-pin GPIO header can be used, including the RPi Model B+, RPi 2 Model B and the recently released RPi 3 Model B. If you’re buying a new unit, get the RPi 3 since this comes with onboard WiFi. If you have an earlier model, then you will also siliconchip.com.au need to buy a Wi-Pi WiFi dongle. An 8-32GB microSD card to accommodate the operating system and a suitable power supply are also required. In addition, you’ll also initially need these parts to set the unit up: a USB keyboard and mouse (wireless units can be used), an HDMI cable, a suitable monitor (with HDMI input) and a USB memory card reader. Once you have all the ingredients, install and configure the Raspbian operating system on the microSD card, as detailed in Steps 1-5 on pages 20-22 of the January 2016 issue (ie, in the RPi Temperature Monitor article). Be sure to use a strong password (Step 5), then get the WiFi working as outlined in Steps 6 & 7. Steps 8-10 can be omitted but you should install TightVNC by following the instructions on pages 26 & 27. Once you’ve installed TightVNC (VNC = Virtual Network Computing), you will be able to run your RPi “headless” (ie, without a mouse, keyboard or monitor), with all control now coming via your PC (ie, the RPi’s desktop will appear on your PC’s monitor). Next, you need to install the Apache2 Web Server and the mod_python module on the RPi. Python is a programming language that’s used with Raspbian and the mod_python module embeds the Python interpretor with Apache2 so that the two can work together. First, make sure that your Raspbian OS is completely up to date by running the following commands from a terminal window: sudo apt-get update sudo apt-get upgrade sudo reboot That done, install Apache2 and the Python module by following Steps 1-8 on pages 56 & 57 of the February November 2016  75 the RPi’s Apache2 web server by entering https:// <yourpublicIPaddress> in a web browser on your PC or smartphone. When you do so, the log-in dialog should immediately appear and you should be able to enter your details to access Apache2’s default web page. How do you know what your public IP address is? That’s easy; just go to www.whatismyip.com/ and the address will be displayed. If you don’t know how to assign a fixed IP address to the RPi or how to set up port forwarding, page 59 of the February 2016 issue spells it out in detail. Dynamic DNS (DDNS) The relay board plugs into the RPi’s I/O header. By default, it’s controlled by I/O pins 37, 38 & 40. 2016 issue of SILICON CHIP. And because the RPi’s web server will be accessible via the internet, it’s necessary to set up password access, as follows: sudo apt-get install apache2-utils sudo a2enmod authn_dbm sudo htdbm -c -TSDBM /etc/apache2/dbmpasswd <username> <enter password> sudo chown www-data /etc/apache2/dbmpasswd.pag Once again, be sure to choose a strong password. It should be a mixture of upper case and lower case letters, numbers and alphanumeric symbols. (Note: the above procedure is exactly the same as Step 10 in the February 2016 issue except that the -c and -TSDBM switches in line 3 have been transposed). Next, go to the two Apache2 configuration files (ie, 000-default.conf and default-ssl.conf, in /etc/apache2/ sites-available/) and add the following lines under the lines you added in Steps 2 & 3: AuthType basic AuthName “private area” AuthBasicProvider dbm AuthDBMType SDBM AuthDBMUserFile /etc/apache2/dbmpasswd Require valid-user Then do: sudo service apache2 restart Now, whenever you attempt to browse to the RPi’s web server, you will initially be greeted by a dialog box asking you to enter your user-name and password. Note, however, that you must use SSL (set up as in Step 6 of February 2016) and use https://<yourpublicIPaddress> to access the site when browsing from the internet (see later), otherwise your password could be intercepted. Accessing it via the internet The next step is to configure the RPi so that you can access its web server via the internet. That’s done by: (1) assigning a fixed IP address to the RPi (by default, it has a dynamic IP that’s assigned by the router); and (2) setting up port forwarding on the router so that port 443 (for https) is forwarded to that fixed IP. Once that’s been done, you should be able to access 76  Silicon Chip Having to remember your WAN IP is a hassle. Not only that but it can change if the modem/router is restarted. So if you want to be sure that you always have online access to your RPi’s web server, the answer is to use a DDNS service. DDNS stands for “Dynamic Domain Name Server” and it allows you to connect to your home network by using a hostname and domain name. It still makes the connection via your public IP (WAN) address but it no longer matters if this IP address changes and you don’t have to know (or remember) what the address is. The DDNS service will let you choose a hostname when you sign up. You can then browse to your RPi’s web server by using this hostname and the DDNS domain name. If your router supports your preferred DDNS, then you can use the router itself to update the DDNS with your WAN IP. Note, however, that the popular DynDNS service is no longer free, while No-IP now requires you to confirm your hostname every 30 days unless you sign up for the paid version. Duck DNS is a great free alternative and it only takes a few minutes to sign up. It probably won’t be supported by your router but there’s an easy answer to that problem – use the RPi itself to run a script to periodically update the Duck DNS server with your WAN (public) IP address. It’s all quite easy to do and is set out in detail on page 60 of the February 2016 issue. Having completed the set-up, check that you can browse to your RPi’s default web page using the hostname. For example, if you’re using Duck DNS, enter http://yourhostname.duckdns.org into your browser (replace “yourhostname” with your chosen name). Web page set-up The next step is to get Apache2 working with the Python 3 program that displays our web page with the relay control buttons. The program itself is called index. py and you’ll find it on the SILICON CHIP website zipped up inside RpiWiFiSwitchV1.zip. You have to download this file, unzip it and move it into the RPi’s /var/www/html folder. Begin by browsing to http://www.siliconchip.com.au using the RPi’s web browser. Now click Shop, select Software from the drop-list and left-click the RPiWiFiSwitch.zip file. The file will download into the /pi/Downloads folder after which you navigate to this folder, then right click the zip file to extract index.py. Before moving index.py, it’s a good idea to rename siliconchip.com.au You’ll Need These Parts Core parts The NO relay contacts are wired across the buttons on the garage remote as shown here. Remove the battery before soldering the wires. any existing index.py file in /var/www/html. That’s done by issuing the following commands: cd /var/www/html sudo mv index.py index.py.old The new index.py file can now be moved into /var/ www/html as follows: sudo mv /pi/Downloads/index.py /var/www/html You now need to give Apache2 permission to access the RPI’s GPIO pins, as follows: sudo adduser www-data gpio That’s it! – it should now work. Using a computer on the local network (or the RPi itself), browse to (for example) https://yourhostname.duckdns.org (or use your public IP address). Enter your user-name and password to log-in, then check that the relays on the RPi Relay Board respond when the various control buttons are clicked. If it works, test it out on your smart-phone. Note that you will have to zoom in on the buttons to make sure you touch the correct one. Retaining access to an existing web page What if you want to keep an existing index.py web page? For example, you may have previously set up your RPi’s web server so that you can monitor temperatures (see March 2016 issue) and you may want to maintain access to these measurements. In that case, it’s just a matter of renaming the newly unzipped index.py file for the garage doors before moving it. For example, you could rename the file to garage. py and then move this to /var/www/html. The web page for your temperature measurements can then be access­ ed as normal, while the garage door control buttons are accessed by browsing to https://yourhostname.duckdns. org/garage.py Wiring the remote This job couldn’t be easier; just wire a pair of leads across each button you wish to control and connect them to the NO & COM contacts of the corresponding relay. You will need to remove the remote’s PCB from its case and use a soldering iron with a fine tip to connect the wires. It’s a good idea to remove the battery before soldering, to prevent the remote from being damaged during this process. Once the leads have been attached, cut a couple of siliconchip.com.au 1 Raspberry Pi 3 Model B or Raspberry Pi 2 Model B computer module 1 Wi-Pi WiFi dongle (not necessary if you have a RPi 3 Model B, as these have onboard WiFi) 1 8-32GB microSD card (class 6 or class 10) . . . or purchase a pre-programmed microSD card from element14 or Wiltronics 1 5V power supply with USB to micro-USB cable (note: must be rated at 2.5A for RPi 3 Model B) 1 spare garage remote 1 Waveshare RPi Relay Board (order from AliExpress or Amazon) The parts required during set-up 1 USB keyboard and mouse (wireless units should work, provided they’re paired) 1 monitor with HDMI or DVI input 1 HDMI-HDMI or HDMI-DVI cable to suit monitor 1 microSD card reader Raspberry Pi starter packs Wiltronics has a number of Raspberry Pi starter packs – see www.wiltronics.com.au notches in one end of the case for the leads to exit and refit the PCB. If that’s not practical, install the PCB inside a separate case (perhaps with the RPi itself). If you don’t have a spare remote, you can buy one from a garage door specialist. You can buy these quite cheaply on eBay but if you take that approach, make sure it’s the right type to work with your garage door controller as many remotes look similar but operate differently. Another possibility is to simply connect the relay contacts across the manually-operated door control switch that’s mounted on the garage wall or even directly to the open/close terminals on the back of the motor control unit itself. Take security seriously Security is a serious issue here. You really don’t want someone to hack their way in and open or close your garage doors at will! So how secure is it? The answer is that your garage doors are about as secure as the password you chose for the RPi’s web server. Similarly, your camera (see below) will be about as secure as the strength of its password. Fortunately, there’s a fairly simple way to lock it down even further, to keep the bad guys out of your RPi’s web server. The answer is to install an intrusion software utility called “Fail2Ban”. This utility monitors the number of log-in attempts and if they exceed a preset number (say five), it bans the offending source IP address from making any further attempts for a set period (or even permanently). Fail2Ban is easy to install and configure. The accomNovember 2016  77 This screen grab shows the RPi’s web page as it appears on a PC. If a smartphone is used, the page is automatically zoomed. It’s a good idea to install a panning camera on the back wall of the garage so that you can check that the garage is empty before closing the door. panying panel titled “Keeping The Bad Guys Out” (reproduced from February 2016) has the details. You could also install a separate firewall on the RPi but since it normally sits behind your router’s firewall, this won’t normally be necessary. Once again, the accompanying panel has the details. Setting up an IP camera OK, now that the RPi’s web server and relay board are working correctly, the next step is to set up an IP camera to monitor the garage doors. If you don’t already have a suitable camera, the Jaycar TechView QC3834 and Altronics EasyN S9012 are good candidates. Setting up the camera to connect to your WiFi network is straightforward. It’s usually just a matter Exercise Caution Naturally, you should exercise a great deal of caution if you intend to close a garage door from a remote location. After all, you don’t want to close it on a family member who is out the front working in the garden, or collecting the mail, or who has just come home and is driving into the garage. To avoid problems like this, always check where each family member is before closing the door. It’s also a good idea to restrict usage to one smartphone only, to avoid potential conflicts. Setting up a panning camera so that you can monitor the whole inside garage area is also a good idea (eg, mount the camera high up on the back wall). That way, you can pan to ensure that your neighbour’s dog or a curious cat hasn’t wondered inside while the door was opened. Both the Jaycar TechView QC3834 and Altronics EasyN S9012 IP cameras can be panned and so are well suited to this role. 78  Silicon Chip of first plugging it into your router via a Cat5 cable, figuring out its IP address, then logging into the camera’s web interface (via a browser) and entering your WiFi network’s SSID (ie, the network name) and password. How do you figure out the camera’s IP address in order to access its web interface? Well, assuming your router has DHCP enabled, it will automatically allocate an IP address to the camera when it is plugged in, just as it does for other devices on the network. From there, you can quickly figure out the allocated IP address by trial and error. For example, if the router itself has an IP address of 192.168.0.1, then the camera might be on 192.168.0.2 or 192.168.0.3 (or higher), depending on which addresses have already been allocated to devices such as PCs, smart-phones and smart TVs, etc. To test an IP address, simply enter it along with the camera’s port number into the address bar of your web browser. The default port number (usually 80) will either be on a label on the camera’s body or listed in the supplied instructions. It must be separated from the IP address by a colon. For example, let’s say that the camera’s port number is 80 and you want to test an IP address of 192.168.0.7. It’s just a matter of entering 192.168.0.7:80 into your browser and pressing Enter. If it’s the correct IP, the camera’s web interface will immediately appear and you can log into it using the default user name (usually “admin”) and password (usually “admin” or left blank). Another way of determining the IP address is to log into your router’s web interface and check the DHCP client table or similar. In addition, some cameras such as the TechView QC3834 are supplied with a software utility called “IP Camera Tool”. Installing and running this on your PC will then list the camera’s IP and its port number. Double-clicking this will then bring up its web interface. Before actually entering the WiFi set-up details, be sure to change the camera’s default user name and password. A strong password is an absolute must if you don’t want others spying on you. You can also change the default port number if you wish. Disconnect the LAN cable and restart the camera after entering all the details. You will then be able to access the camera and view the video via the WiFi network. Viewing via the internet In most cases, an IP camera will be supplied with a unique DDNS hostname so that you can view it over the siliconchip.com.au Keeping The Bad Guys Out Opening port 443 on the router (to enable internet access to the web-server) is a potential security problem. That’s why it’s important to choose a strong password for the Apache2 authentication log-in. Fail2Ban Despite this, the web-server’s log-in prompt will soon attract brute force attempts to gain access by people running password dictionaries. There’s an easy way to defeat such attacks, though: limit the number of log-in attempts by using an intrusion detection software utility called “Fail2Ban”. Fail2Ban works by monitoring the logs generated by various services (such as Apache2). If there are too many failed log-in attempts, it then temporarily (or permanently) bans the offending IP from making further attempts. For example, it can be configured to allow three login attempts and if all are unsuccessful, ban the offending IP for 20 minutes, depending on the settings in the configuration file. In practice, Fail2Ban sets up a few simple iptable firewall rules (iptables is the utility used to configure Linux fire- walls). It then automatically alters these rules after the preset number of failed log-in attempts. By default, it monitors SSH (port 22) only but it’s just a matter of altering its configuration file to include other protocols such as HTTP (port 80) and HTTPS (port 443), as used by Apache2. An excellent guide on configuring Fail2Ban can be found at www.digitalocean. com/community/tutorials/how-to-protect-an-apache-server-with-fail2banon-ubuntu-14-04 It’s just a matter of following this to configure Fail2Ban so that, as well as SSH, it also protects the RPi’s Apache2 server (HTTP & HTTPS). Important points Note that you have to copy the default configuration file to “/etc/fail2ban/jail. local ”.You then edit this new file (it overrides the original configuration file) to set the “bantime”, the maximum number of tries (“maxretry”) and the “findtime” (the time period over which the retries are counted). The default bantime is 600 seconds but you can increase this (eg, to 1800 seconds) or enter a negative number to ban the offending IP forever. It’s then important to scroll down to internet. It’s just a matter of setting the camera up for WiFi access as described above, then entering the address shown on a label on the bottom of the camera into your browser, followed by a colon, then the port number. Alternatively, some cameras carry a Q-code on the base label and scanning this using a smartphone (with the necessary app installed) will take you straight to that address (you may have to manually enter the port number if you’ve changed it). If it works, then your router has inbuilt support for automatic port forwarding via UPnP (Universal Plug and Play) and that’s the end of the story. Of course, your IP camera must also support UPnP but just about all do. If it doesn’t work, check that UPnP hasn’t been disabled in the router. That said, not all routers support automatic port forwarding, even if they do have UPnP. In that case, you will have to assign a static IP address to your camera and manually set up the port forwarding in your router. A detailed explanation on how to do this is in “Setting Up An IP Camera For WiFi & Internet Access” in the March 2015 issue of SILICON CHIP. Once its working, install the relevant camera app on your smartphone and enter the connection details. These details include the DDNS hostname, the port number, your user name (ie, for the camera) and the password. You will then be able to fire up the app and view the video inside your garage. siliconchip.com.au the [apache] jail section and change to line enabled = false to enabled = true. Fail2Ban will then cover both http and https. Installing a firewall Unless you’ve opened up myriad ports on your router, a separate firewall on the RPi isn’t really necessary. However, if you’re a “belts’n’braces” type, try Uncomplicated Firewall (UFW) which is an easy-to-use iptables configuration utility. The following website has the basics on UFW’s installation and usage: www. digitalocean.com/community/tutorials/how-to-set-up-a-firewall-with-ufwon-ubuntu-14-04 Of course, all bets are off if you decide to add the RPi to your router’s DMZ (demilitarised zone). Placing it in the DMZ means that it cannot contact other devices on your internal LAN in the event that it’s compromised (it’s added to the DMZ by logging into your router and going to the DMZ set-up page). The downside is that all ports on the router will then be forwarded to the RPi, so it’s wide open. As a result, a firewall is then an absolute must. In practice, you would set up the firewall to initially block all incoming ports. You then create rules to open port 443 (for https) and any other ports required, eg, for SSH (secure shell) long-ins. Controlling Other Devices As well as controlling garage doors, you could also use the RPi to control other devices. For example, it could be used to pulse the remote of a remote-controlled mains power board. However, exercise caution as to the circumstances under which you remotely turn mains-powered devices on in this manner. Turning on an unattended device such as a heater or a lamp could lead to a fire, for example (and in any case, a heater should not be plugged into a power board). Because the relay outputs can be toggled, you can directly switch low-voltage devices (eg, LED lamps) on or off (up to about 24V DC or 15VAC). However, despite the fact that the relays are rated at 250VAC, you should keep mains voltages well away from your RPi set-up. Running mains wiring to the RPi’s relay board would be much too dangerous. If you do wish to switch mains voltages, use the RPi to control the remote of a remote-controlled mains switch or use a commercial WiFi switch, eg, from Bunnings – see https://www.bunnings.com.au/belkin-wemo-switch_ p4420346 In the unlikely event that the camera’s manufacturer doesn’t offer a DDNS service, use Duck DNS as explain­ SC ed earlier. November 2016  79