
Can't Access Private Websites on WiFi?

The Model S does not route internet traffic via the Tesla VPN. The web browser won't connect to IPs in any of the private IP ranges specified in RFC1918. I'd assume because some of these IPs are in use on their VPN and they don't want people poking around.
 
Maybe people need to be reminded what a private IP is....

A ten-dot or 10.x.x.x

These are "not routed on the Internet" by definition (of the RFC rules).
Well, those plus 192.168.x.x and 172.16.x.x through 172.31.x.x. The relevant RFC is https://tools.ietf.org/html/rfc1918. There's no standards-related reason 1NJ85D shouldn't be able to reach these since after all, 1NJ85D's browser isn't trying to "route anything on the Internet" in this case, it's within the private address scope (the local network). But wk057's guess that Tesla is using RFC 1918 space for their own nefarious purposes seems very likely. It's messy of them to stomp on the entire RFC 1918 space when they're surely only using a small portion of it, but then again everything about RFC 1918 is a kludge.
 
Not really, that's a pretty standard security policy.
Depends on what you think is being secured from whom. If you consider the browser to be inside Tesla's security perimeter and they're letting you out to the Internet as a special case, then I guess you could call this "standard security policy". OTOH if you consider the browser to belong to you, and Tesla is allowing certain traffic into their perimeter via the VPN, then good practice would be for them to VPN the minimum set of what they need and leave the rest of it alone. I suppose maybe they grab all the 1918 stuff and VPN it because it lets them change their internal addressing scheme without having to push new configs out to the fleet, but really? They need to reserve *all* of 10/8, 172.16/12 *and* 192.168/16 just in case they need a few million extra addresses in the future? It seems sloppy. They could've taken (say) net ten for themselves and left the rest alone. Oh well, whatever.

I wonder if it allows connections to RFC 6598 space.
Good question, someone could try. Not me, I don't even have my car yet much less the stomach for tinkering with my home infrastructure.
 
I just figured out that this was the problem I was having. I have a registered domain name pointing at my home, but on my home WiFi, the local name server provides the internal 192.168.x.x address for that domain name. The Tesla is clearly using the DHCP-provided name server, as it's routing my domain to the internal address and then blocking it. If I manually put in the external IP address for my home server, then it works just fine.

I've created a nice web page at home with big graphics and text for all my favorite web sites. It's much easier to use than the favorites menu the browser provides. I think in my case I can do one of two things: remove my home from the local DNS, or provide a different DNS server for the Tesla. I'll have to look at the configuration of my router to see if I can send different DHCP results for a specific MAC address.
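Added example (not from any poster in this thread): a small checker for the situation described in the two posts above. It classifies an address against the RFC 1918 blocks the first post says the car refuses, separately flags RFC 6598 shared space (whose treatment the thread leaves unknown), and then decides what to type into the car's browser for a split-horizon name: the name itself if the DHCP-supplied resolver's answer is allowed, otherwise the external address literal, as the poster worked out by hand. The zone contents, the name `home.example.net`, and the 203.0.113.7 "public" address are constructed sample data.

```python
from __future__ import annotations
import ipaddress

# Space the first post says the car's browser refuses (RFC 1918), plus the
# shared address space asked about later (RFC 6598); only RFC 1918 is assumed
# blocked here, RFC 6598 is just reported so someone can test it.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
RFC6598 = ipaddress.ip_network("100.64.0.0/10")


def classify(addr: str) -> str:
    """Which reserved block, if any, an address literal falls in."""
    ip = ipaddress.ip_address(addr)
    if any(ip in net for net in RFC1918):   # v4/v6 mismatch simply tests False
        return "rfc1918"
    if ip in RFC6598:
        return "rfc6598"
    if ip.is_loopback:
        return "loopback"
    if ip.is_link_local:
        return "link-local"
    # Everything else is treated as routable. 203.0.113.0/24 (documentation
    # space) stands in for a real public address in the sample data below.
    return "public"


def car_can_reach(addr: str) -> bool:
    # Assumption from the thread: exactly the RFC 1918 blocks are filtered.
    return classify(addr) != "rfc1918"


# Constructed sample: split-horizon answers. The LAN resolver handed out by
# DHCP returns inside addresses; the public resolver returns the outside one.
LAN_DNS = {
    "home.example.net": "192.168.1.20",
    "nas.example.net": "192.168.1.30",
    "blog.example.net": "203.0.113.7",
}
PUBLIC_DNS = {
    "home.example.net": "203.0.113.7",
    "blog.example.net": "203.0.113.7",
}


def url_for_car(name: str, lan_dns: dict, public_dns: dict,
                port: int = 80, scheme: str = "http") -> tuple[str | None, str]:
    """Return (url, why). Use the hostname when the answer the car will get is
    allowed; otherwise fall back to the public answer as an address literal."""
    lan = lan_dns.get(name)
    if lan is None:
        return None, "no LAN answer"
    if car_can_reach(lan):
        return f"{scheme}://{name}:{port}/", f"LAN answer {lan} is {classify(lan)}"
    wan = public_dns.get(name)
    if wan is None or not car_can_reach(wan):
        return None, f"LAN answer {lan} is rfc1918 and no usable public answer"
    lit = f"[{wan}]" if ":" in wan else wan        # bracket IPv6 literals in URLs
    return f"{scheme}://{lit}:{port}/", f"LAN answer {lan} is rfc1918"


def names_to_fix(lan_dns: dict) -> list[str]:
    """Names the local zone answers with RFC 1918 space: the entries to drop or
    to serve differently if the car is to use the name instead of a literal."""
    return sorted(n for n, a in lan_dns.items() if not car_can_reach(a))


if __name__ == "__main__":
    for name in sorted(LAN_DNS):
        print(name, url_for_car(name, LAN_DNS, PUBLIC_DNS))
    print("local entries the car will refuse:", names_to_fix(LAN_DNS))
```

`names_to_fix` is the list you would remove from the local zone (the first of the two options the poster mentions); the second option, handing the car a different DNS server via DHCP, leaves the zone alone and is a router setting, not something this script can decide.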
 
I do understand that they don't want people using the browser to connect to ports on the network within the car. I'm sure some of the various components use http, so you could probably get some interesting stuff that they would want to keep private. It's also possible that they have a VPN into Tesla for downloading logs and such, and they don't want any risk of the browser accessing internal Tesla servers.

I still don't like the restriction.
 
Obviously it is accessing the local DNS server, which the WiFi handed out as a 192.168.x.x address, so some access is not filtered. I would guess that TCP packets are blocked, but UDP packets aren't, and from a web browser, you can only control TCP packets. Though now I'm thinking I should create a web page with tons of IMG links targeting specific ports to see if any get through (watching with a packet sniffer on the other end). I could do the same to check the full range of local IP addresses to see if they left anything open.
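Added example (not the poster's code): a generator for the probe page just described, plus the bookkeeping for the other end. Each one-pixel `<img>` points at one host:port in the range under test and carries a tag naming that target in the query string, so hits can be attributed from a web-server log as well as from a packet sniffer; `summarize` then splits the target list into the ones that arrived and the ones that never did. The path `/probe.gif`, the `t=` query key, and the sample log lines are all constructed for this example, and the browser-side timeout behaviour of the car is not assumed: only what reaches the far side counts.

```python
from __future__ import annotations
import html
import ipaddress
import re
from typing import Iterable

# Hypothetical path and query key; the server on the far side only has to log the request.
PROBE_PATH = "/probe.gif"


def targets(network: str, ports: Iterable[int]) -> list[tuple[str, int]]:
    """Every host in `network` crossed with every port: what the page will poke."""
    net = ipaddress.ip_network(network, strict=False)
    return [(str(h), p) for h in net.hosts() for p in ports]


def probe_url(host: str, port: int) -> str:
    """URL for one target; the tag names the target so a log line can be attributed."""
    lit = f"[{host}]" if ":" in host else host       # bracket IPv6 literals
    return f"http://{lit}:{port}{PROBE_PATH}?t={host}_{port}"


def probe_page(network: str, ports: Iterable[int]) -> str:
    """The HTML to host on the far side and open in the car's browser."""
    ports = list(ports)
    imgs = "\n".join(
        f'<img src="{html.escape(probe_url(h, p))}" width="1" height="1" alt="">'
        for h, p in targets(network, ports)
    )
    return (
        "<!doctype html>\n<title>port probe</title>\n"
        f"<p>Probing {html.escape(network)} ports {', '.join(map(str, ports))}</p>\n"
        f"{imgs}\n"
    )


# Constructed sample of what the far-side web server logged (common log format).
SAMPLE_LOG = [
    '192.168.1.77 - - [12/Jan/2015:20:01:02 -0800] "GET /probe.gif?t=192.168.1.1_80 HTTP/1.1" 404 0',
    '192.168.1.77 - - [12/Jan/2015:20:01:02 -0800] "GET /probe.gif?t=192.168.1.2_8080 HTTP/1.1" 404 0',
    '192.168.1.77 - - [12/Jan/2015:20:01:03 -0800] "GET /favicon.ico HTTP/1.1" 404 0',
]

_TAG = re.compile(r"\?t=([0-9A-Fa-f.:]+)_(\d+)\b")


def reached(log_lines: Iterable[str]) -> set[tuple[str, int]]:
    """Targets whose request showed up on the far side (any line carrying the tag)."""
    hits: set[tuple[str, int]] = set()
    for line in log_lines:
        m = _TAG.search(line)
        if m:
            hits.add((m.group(1), int(m.group(2))))
    return hits


def summarize(network: str, ports: Iterable[int],
              log_lines: Iterable[str]) -> tuple[list[tuple[str, int]], list[tuple[str, int]]]:
    """(got_through, never_arrived) for the probe set, ignoring unrelated log lines."""
    want = set(targets(network, ports))
    got = reached(log_lines) & want
    return sorted(got), sorted(want - got)


if __name__ == "__main__":
    print(probe_page("192.168.1.0/30", [80, 8080]))
    print(summarize("192.168.1.0/30", [80, 8080], SAMPLE_LOG))
```

A target that never arrives could be filtered by the car, refused by the browser for that port, or simply not listening; only a sniffer on the far side, as the poster suggests, distinguishes "never sent" from "sent and rejected".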