HOWTO: Allow v8 Client Remote Control
Posted: Thu Feb 02, 2023 1:06 am
Summary
This tells how to configure a client to allow remote control direct connections.
This is not needed for remote control of FAH v8.3+, which has a login option for secure remote access via Web Control.
This allows you to add its host to the peers list of a local client (FAH v8.1).
The computer that will access remotes does not need its own local client.

WARNING
This has security implications.
The client will have a wide open port.
Anyone on the local network will be able to tamper with your client.
If vulnerabilities are found in fah-client, your computer could be compromised.
Only do this on completely trusted networks.
You should not do this on a laptop or any computer that might join a public network such as a coffee shop wifi.
A secure way to control remotes is with an ssh tunnel.
If you are proficient with tunnels, you should consider using them instead.

Prerequisites
- Administrator account so you can use sudo
- Comfortable using the command line in Terminal

Create/Edit config.xml on a remote client computer
macOS
```
sudo nano "/Library/Application Support/FAHClient/config.xml"
```
Linux
Note: for v8.1, the path was /etc/fahclient/config.xml
```
sudo mkdir -p /etc/fah-client
sudo nano /etc/fah-client/config.xml
```
If the file is empty, first add
```
<config>
</config>
```

Allow access on all network interfaces, for all local network addresses
Copy-paste these lines after <config>
```
<http-addresses v='0.0.0.0:7396'/>
<allow v='127.0.0.1 10.0.0.0/8 192.168.0.0/16 172.16.0.0/12 169.254.0.0/16'/>
<deny v='0/0'/>
```
Note: You should always include 127.0.0.1 in your allow list.

For improved security, use a more restrictive allow list
Remove networks that don't apply to you.
For example, most home networks use the 192.168 network, so you might use
```
<allow v='127.0.0.1 192.168.0.0/16'/>
```
Most home networks further only vary the last number.
If your assigned addresses were all, for example, 192.168.22.*, you could use
```
<allow v='127.0.0.1 192.168.22.0/24'/>
```
On your (macOS) control/monitor computer, see System Settings/Preferences > Sharing and Network for hostname and address. Use the specific hostname or address of the computer that will control remotes.
On Linux, use the `hostname` command, and add suffix ".local". If you are using virtual machines, the numeric address of the control computer may be different on the remote host.
On the remote, get the numeric address using something like `ping -c 1 my-control-computer.local`.
Note that numeric addresses can change.
```
<allow v='127.0.0.1 192.168.77.222'/>
```
WARNING: The client will fail to launch if named hosts in the allow list cannot be resolved.
Example:
```
<allow v='127.0.0.1 no-such-host.local'/>
```

Save your config.xml
In nano, use Write Out, <enter>, Exit.

Restart client
macOS
```
sudo /bin/launchctl stop org.foldingathome.fahclient
sudo /bin/launchctl start org.foldingathome.fahclient
```
Linux
```
sudo /usr/bin/systemctl restart fah-client
```

Configure your browser
On your control computer, in a browser other than Safari or Firefox, go to Web Control
https://beta.foldingathome.org
Change site settings to allow insecure content.
E.g., in Chrome
- click lock next to url
- click Site settings
- scroll down to Insecure content
- select Allow

Add Peers
- Click Settings for local client
- Add remote client hosts as Peers
- Save

Optional direct Web Control v8.1 to remote
Once a client allows remote control, you also have the option to point Web Control directly at that client.
When https://app.foldingathome.org is open, press control-shift-L and enter the remote host name.
This is stored in the browser. To reset, press control-shift-L, delete the host and save. It will revert to 127.0.0.1:7396.
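
An added example, not part of the original post or of the FAH project's code: a small Python check for a config.xml like the ones in this HOWTO. It reports a bind on all interfaces, a missing 127.0.0.1, allow entries wider than a /24 or outside local ranges, and host names that do not resolve. The name `audit_config`, the /24 threshold and the sample text are assumptions made for illustration.

```python
import ipaddress
import socket
import xml.etree.ElementTree as ET

# Constructed sample: the widest configuration shown in the HOWTO.
SAMPLE = """<config>
  <http-addresses v='0.0.0.0:7396'/>
  <allow v='127.0.0.1 10.0.0.0/8 192.168.0.0/16 172.16.0.0/12 169.254.0.0/16'/>
  <deny v='0/0'/>
</config>"""


def audit_config(xml_text, resolve=socket.gethostbyname):
    """Return a list of findings for the http-addresses and allow entries."""
    root = ET.fromstring(xml_text)
    findings = []
    bind = root.find("http-addresses")
    if bind is not None and bind.get("v", "").startswith("0.0.0.0:"):
        findings.append("port is open on all interfaces: " + bind.get("v"))
    allow = root.find("allow")
    entries = allow.get("v", "").split() if allow is not None else []
    if "127.0.0.1" not in entries:
        findings.append("allow list is missing 127.0.0.1")
    for entry in entries:
        try:
            net = ipaddress.ip_network(entry, strict=False)
        except ValueError:
            # Not an address or CIDR block, so treat it as a host name.
            try:
                resolve(entry)
            except OSError:
                findings.append(f"{entry}: does not resolve; client will fail to launch")
            continue
        if not (net.is_private or net.is_loopback or net.is_link_local):
            findings.append(f"{entry}: not a local network range")
        elif net.num_addresses > 256:  # assumed threshold: wider than a /24
            findings.append(f"{entry}: admits {net.num_addresses} addresses")
    return findings


if __name__ == "__main__":
    for line in audit_config(SAMPLE):
        print(line)
```

Run it against a copy of the real file before restarting the client; the `resolve` parameter lets the host name lookup be replaced when checking a file away from the remote's network.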