Secured remote access to openHAB and Vera

I would like to set up a secured remote access to my openHAB server (and why not my VeraLite) located in my home network.
My Internet router provides a few VPN server options:

  • OpenVPN in routed mode (tun)
  • OpenVPN in bridged mode (tap)
  • PPTP

My logical choice was to set up OpenVPN in bridged mode. Unfortunately, my remote device is an Android phone and tap mode is not provided by OpenVPN clients (because tap is simply not implemented in the API provided by Android!).

Is there a workaround for me with OpenVPN that remains secured?

Is PPTP a real alternative choice in my case?

What solution have you set up for your secured remote access?

What about this other solution? A solution I have not yet tried.

Does HABdroid encrypt the username and password in this case?

Is it less secure than a solution like OpenVPN? If it is, why?

I don’t know if it is really secured but the solution with HTTPS + port forwarding in router is at least working.

Mine is L2TP, but it’s handled at the Router level so I use it for a bunch of stuff. I figured @futzle may chime in, since she’s knowledgeable on setting up various VPN options (IIRC).

I manually launch access into/via my VPN (from phone, laptop, etc). I have the option (with CERTS) to make it automatic but I’ve just never needed to go that route.

I would be hesitant to use app, or app-server, level security for this type of stuff, not unless it’s out of the hands of the folks developing the app (with a lot of security eyeballs on code AND operational processes).

I’ve seen a few “oops” incidents when things weren’t locked down correctly.

::slight_smile: Vera…

I’ll chime in that VPN is always the more secure option. I did opt for using the built-in security mechanisms to ensure SSL Certs are being used, I’ve enabled security with passwords (and ensured they aren’t important passwords - since I haven’t seen a thorough review of code yet) and then set up the port forwarding on the router. I mainly have this because I’m using a Geo app to notify when we are home/away and this needs to be open. I could go the route of setting up the auto-cert-based-vpn but haven’t wanted to trudge through that headache. Perhaps that will be a next step as I get my Synology system further set up (no I’m not using their mysyno system) and want more access to those apps and functions (like all my downloading systems (sab, sickbeard, couch potato, etc)).

It has worked well for me and I still have netmon systems in place to look out for unauthorized access attempts, people banging on the front door, etc. Nothing of note and no security issues so far.