Supporting on-demand remote access to device web interface

Our devices have a user interface, a display where the user can control the device.
For support purposes the user should be able to temporarily enable remote access to this user interface.

I am inspired by how some of the PC support frameworks works (e.g. fastsupport or teamviever). The user and the supporter just needs to exchange a support key and then a remote session can be established.

I am considering using the balena public url concept to achieve something similar.
Web interface access will probably do the job. I don’t need full remote desktop access.

My thoughts and questions so far:

  1. Is the public URL secure all the way to the device? Can I leave it turned on for all devices 24/7? Can it be turned on/off through the supervisor API?
  2. Since the public URL remains the same, it is not itself useful as a temporary session key. I could make the public URL point to some kind of device login, where the temporary session key would be the credential.
  3. The remote supporter should NOT have access to the balena web interface. I could create a web interface that when a “session key” and “device ID” is entered would forward the supporter to the public url, which would allow access with exactly that session key.
  • Is this a reasonable way to solve this?
  • Have others been doing similar?
  • Have others tried to incorporate any 3rd party support solution on a Balena device like e.g. fastsupport or teamviewer?

Hi @krix. Can you detail a little bit the 3rd item? I want to make sure I understand what you propose there.

The Balena web interface is too detailed and too powerful for a “standard” support session. I don’t want a support engineer to see the whole fleet. The roles concept is not flexible enough for us I think.
With #3 I mean that I could create a proxy for the Balena backend, so the support engineer didn’t have to know anything about the Balena backend and would only worry about one single device.
The proxy would connect to the Balena backend and know about all devices, their IDs and “nick names” and of course their public URL.

Hi @krix , I think what you propose makes sense however its important that whatever you serve on the deviceURL has some kind of authentication, because these urls are public anyone with your device’s UUID can guess the URL and get in. To answer number #1 the device URL uses https our backend where the https is terminated and then it is tunnelled through the balena VPN from our backend to the device, we do have some features in the work to allow SSL termination on the device side, but that is not ready yet.

We have had a few other people (mostly digital signage users) that have set up something similar with VNC so they can see what is being displayed on screen. We have an example of something like that here: