
Can't Access Private Websites on WiFi?

Discussion in 'Model S: User Interface' started by 1NJ85D, Mar 10, 2015.

  1. 1NJ85D

    1NJ85D Member

    Joined:
    Feb 26, 2015
    Messages:
    93
    Location:
    Scotch Plains, NJ
    With my Model S connected to my home WiFi, why is it that I can't access/browse websites / webservers on my home/private network?
     
  2. jgs

    jgs Active Member

    Joined:
    Oct 28, 2014
    Messages:
    1,232
    Location:
    Ann Arbor, Michigan
    Is it possible that all of the car's Internet access is mediated through the VPN connection back to Tesla? You might give http://www.whatismyip.com a try from the car browser and see what you get.
     
  3. 1NJ85D

    1NJ85D Member

    Joined:
    Feb 26, 2015
    Messages:
    93
    Location:
    Scotch Plains, NJ
    Good point! I read somewhere that it uses OpenVPN. That would explain it. Thanks much.
     
  4. scaesare

    scaesare Well-Known Member

    Joined:
    Mar 14, 2013
    Messages:
    6,306
    Location:
    NoVA
    They do tunnel back to the Tesla mothership (the actual DNS name, lol) via VPN. I suspect they use their own DNS servers to try and avoid folks mounting MitM attacks...
     
  5. wk057

    wk057 Senior Tinkerer

    Joined:
    Feb 23, 2014
    Messages:
    5,111
    Location:
    Hickory, NC, USA
    The Model S does not route internet traffic via the Tesla VPN. The web browser won't connect to IPs in any of the private IP ranges specified in RFC1918. I'd assume because some of these IPs are in use on their VPN and they don't want people poking around.
     
  6. jerry33

    jerry33 S85 - VIN:P05130 - 3/2/13

    Joined:
    Mar 8, 2012
    Messages:
    13,557
    Location:
    Texas
    The private IP ranges are non-routable. You'd have to manually route them, probably through NAT, to the car to make it work.
     
  7. scottm

    scottm Active Member

    Joined:
    Jun 13, 2014
    Messages:
    2,369
    Location:
    Canada
    Maybe people need to be reminded what a private IP is....

    A ten-dot or 10.x.x.x

    These are "not routed on the Internet" by definition (of the RFC rules).
     
  8. jgs

    jgs Active Member

    Joined:
    Oct 28, 2014
    Messages:
    1,232
    Location:
    Ann Arbor, Michigan
    Well, those plus 192.168.x.x and 172.16.x.x through 172.31.x.x. The relevant RFC is https://tools.ietf.org/html/rfc1918. There's no standards-related reason 1NJ85D shouldn't be able to reach these since after all, 1NJ85D's browser isn't trying to "route anything on the Internet" in this case, it's within the private address scope (the local network). But wk057's guess that Tesla is using RFC 1918 space for their own nefarious purposes seems very likely. It's messy of them to stomp on the entire RFC 1918 space when they're surely only using a small portion of it, but then again everything about RFC 1918 is a kludge.
     
  9. Eseell

    Eseell Member

    Joined:
    Aug 23, 2014
    Messages:
    51
    Location:
    Phoenix, AZ
    Not really, that's a pretty standard security policy. I wonder if it allows connections to RFC 6598 space.
     
  10. jgs

    jgs Active Member

    Joined:
    Oct 28, 2014
    Messages:
    1,232
    Location:
    Ann Arbor, Michigan
    Depends on what you think is being secured from whom. If you consider the browser to be inside Tesla's security perimeter and they're letting you out to the Internet as a special case, then I guess you could call this "standard security policy". OTOH if you consider the browser to belong to you, and Tesla is allowing certain traffic into their perimeter via the VPN, then good practice would be for them to VPN the minimum set of what they need and leave the rest of it alone. I suppose maybe they grab all the 1918 stuff and VPN it because it lets them change their internal addressing scheme without having to push new configs out to the fleet, but really? They need to reserve *all* of 10/8, 172.16/12 *and* 192.168/16 just in case they need a few million extra addresses in the future? It seems sloppy. They could've taken (say) net ten for themselves and left the rest alone. Oh well, whatever.

    Good question, someone could try. Not me, I don't even have my car yet much less the stomach for tinkering with my home infrastructure.
     
  11. schneiderjohn

    schneiderjohn Member

    Joined:
    Aug 10, 2014
    Messages:
    61
    Location:
    Atlanta, GA
    Out of curiosity, has anyone tried to SSL VPN via the Tesla browser? Mine doesn't come until Monday, so I haven't had an opportunity to try.
     
  12. pcrow

    pcrow Member

    Joined:
    Jul 28, 2015
    Messages:
    52
    Location:
    Ashland, MA
    I just figured out that this was the problem I was having. I have a registered domain name pointing at my home, but on my home WiFi, the local name server provides the internal 192.168.x.x address for that domain name. The Tesla is clearly using the DHCP-provided name server, as it's routing my domain to the internal address and then blocking it. If I manually put in the external IP address for my home server, then it works just fine.

    I've created a nice web page at home with big graphics and text for all my favorite web sites. It's much easier to use than the favorites menu the browser provides. I think in my case I can do one of two things: remove my home from the local DNS, or provide a different DNS server for the Tesla. I'll have to look at the configuration of my router to see if I can send different DHCP results for a specific MAC address.
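
Added example, not part of any post in this thread: a Python model of the behaviour described above, where a client resolves a name with whatever resolver it was given and then refuses destinations in RFC 1918 space. The car's real filter is not known; the block list, the hostname home.example and all addresses are constructed assumptions. It also shows that an RFC 1918-only list does not cover the RFC 6598 range asked about earlier.

```python
import ipaddress

# Address blocks named in the thread.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
RFC6598 = [ipaddress.ip_network("100.64.0.0/10")]  # shared address space (carrier-grade NAT)

# Constructed split-horizon DNS data: same name, different answer per resolver.
# home.example and both addresses are placeholders, not values from the thread.
LOCAL_DNS = {"home.example": "192.168.1.10"}
PUBLIC_DNS = {"home.example": "203.0.113.7"}


def classify(addr):
    """Return the label of the block that contains addr, or 'public'."""
    ip = ipaddress.ip_address(addr)
    if any(ip in net for net in RFC1918):
        return "rfc1918"
    if any(ip in net for net in RFC6598):
        return "rfc6598"
    return "public"


def decide(dest, resolver, blocked=("rfc1918",)):
    """Model a client that resolves dest, then filters on the resolved address.

    dest may be a hostname or an IP literal; resolver is a name -> address dict.
    Returns (verdict, address, label). The default block list is an assumption.
    """
    try:
        addr = str(ipaddress.ip_address(dest))  # IP literal: no lookup needed
    except ValueError:
        addr = resolver.get(dest)
        if addr is None:
            return ("unresolved", None, None)
    label = classify(addr)
    return ("block" if label in blocked else "allow", addr, label)


if __name__ == "__main__":
    cases = [
        ("home.example", LOCAL_DNS),    # DHCP-provided resolver, internal answer
        ("home.example", PUBLIC_DNS),   # public resolver, external answer
        ("203.0.113.7", LOCAL_DNS),     # external IP typed in directly
        ("172.31.255.254", LOCAL_DNS),  # top of 172.16/12
        ("172.32.0.1", LOCAL_DNS),      # just outside 172.16/12
        ("100.64.0.1", LOCAL_DNS),      # RFC 6598, absent from an RFC 1918-only list
    ]
    for dest, resolver in cases:
        print(dest, decide(dest, resolver))
```

The first two cases are the same name with opposite verdicts, which is why pointing the client at a resolver that returns the external address changes the outcome.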
     
  13. pcrow

    pcrow Member

    Joined:
    Jul 28, 2015
    Messages:
    52
    Location:
    Ashland, MA
    I do understand that they don't want people using the browser to connect to ports on the network within the car. I'm sure some of the various components use http, so you could probably get some interesting stuff that they would want to keep private. It's also possible that they have a VPN into Tesla for downloading logs and such, and they don't want any risk of the browser accessing internal Tesla servers.

    I still don't like the restriction.
     
  14. pcrow

    pcrow Member

    Joined:
    Jul 28, 2015
    Messages:
    52
    Location:
    Ashland, MA
    Obviously it is accessing the local DNS server, which the WiFi handed out as a 192.168.x.x address, so some access is not filtered. I would guess that TCP packets are blocked, but UDP packets aren't, and from a web browser, you can only control TCP packets. Though now I'm thinking I should create a web page with tons of IMG links targeting specific ports to see if any get through (watching with a packet sniffer on the other end). I could do the same to check the full range of local IP addresses to see if they left anything open.
     
