Tip: A Way to Use the Keyboard Maestro Web Server Remotely

This is pretty darn geeky but I figure there are a some people here that might find the idea interesting. Until recently I've never really used the Keyboard Maestro Web Server because I didn't want to punch a hole in my firewall just for it, and the primary use i would have is when I'm remote from the house. Recently I decided to setup a mesh VPN for all my devices and realized it's perfect to enable me to use the KM Web Server from anywhere. Mesh VPNs are very different from regular VPNs. One of the systems available, Tailscale, has an excellent overview of the difference:

I actually went with a different solution than Tailscale, details below.

I've got a number of computers and mobile devices, plus a virtual server on the internet. I wanted to be able to run services like Keyboard Maestro (and ssh, VNC, plex, syncthing, etc...) without punching holes in my firewall for each service, a couple of typical solutions people use are:

  1. Just open your firewall for ssh, then do port forwarding over ssh for everything else.
    • If you've ever tried to do this for 4 or 5 services it gets pretty confusing pretty quickly. I've used this for 1 or 2 web services and it's pretty painful. And requires a hole in your firewall even for just ssh.
  2. Just run Screens on your mac, remote the mac and then do whatever you need.
    • Pros: probably the easiest solution
    • Cons: I just traded in my desktop Mac for a MacBook Pro so remote controlling it doesn't always provide the access I want.
  3. enable a VPN server on your router and connect to it from your remote device to access your network.
    • Cons:
      • home IP addresses may change
      • router documentation usually questionable
      • router security updates may not be frequent
      • many devices on your network (i.e. IoT devices) may have access to the VPN too.

Instead I went to a newer method called a mesh VPN (or overlay network). This allows me to configure each client i want to have access, define specific firewall rules for each device, rules not based just on the IP address of the device but the roles i've defined for that device (for example, i allow my Mac to ssh my internet server, but my internet server can't ssh to my Mac.) No matter what actual network each device is on, all devices on the mesh appear to be on the same local LAN network. This allows things like the Keyboard Maestro Web Server to work, no matter where I or my MacBook is located. I've used it from coffee shop Wi-Fi and over cellular connections (T-Mobile's network in my case).

I'm not going to provide a whole tutorial, but just some sofware you can look at if you want to go down this rabbit hole. The 2 mesh VPN solutions I'm aware of are Tailscale and Nebula. From the 10,000 ft view distance the primary difference is: Tailscale provides the central coordination, Nebula you have to provide your own. Note that for both solutions the central coordination does not participate in the network itself, and traffic does not route via the central server. So Tailscale's server can never see any of your network traffic or connect to your devices, it just provides information to clients on how to connect. Once they have that info the connections are computer-to-computer direct connections.

Other differences: Tailscale leverages the Wireguard VPN to create it's point-to-point connections. Nebula uses the Noise Protocol Framework.

I happen to have a small ($10/month) virtual server on the internet so I went with Nebula and use my own central server. Nebula was orginally designed by (and is still used by) Slack. They spun off defined.net to maintain and continue development of nebula. Nebula has a lot of clients, including iOS, available (I installed the mac client via homebrew). I've not yet setup a raspberry pi on my nebula network, but they have a client for it and I'm planning on setting it up on one of my pi's.

Nebula & Tailscale have a trick that allows them to make connections even through NAT (or double or more NAT) networks (I've tested going through a double NAT wifi network I have) without needing any special setup on the router. Because of this I've removed the old port forwardings i did have on my home router and even shut off plug-and-play so that if something wants to try open it's own hole in my firewall it can't. On my internet server I've shutoff ssh from listening to the whole internet and now it only allows connections from the VPN.

On nebula you create a client certificate for each device you want to join the network. This certificate defines the IP address it'll (and it'll always be the same IP address) and the roles that device has (my roles are pretty simple, i have client, server, mobile plus a few specialized ones.) The firewall built-in to the client allows rules based on those roles. For example, i allow clients to connect to ssh. That means my iOS devices can ssh both my internet server and my mac, but the internet server (that only has the role server) can't connect to the mac.

Nebula was pretty easy for me to get up and going. Even with copius reviewing of the documentation to make sure I was proceeding correctly it only took me a few hours to really get going with it.