ipWhitelist HowTo

mochman

Since a couple people are having issues with the ipWhitelist (me included), I’m putting this up to help people use the whitelist correctly.

For starters, the easiest way to whitelist your IP is to start up Magic Mirror with the default settings. Try opening it up remotely from the computer you want to grant access to. You’ll probably see an error that says:

“This device is not allowed to access your mirror.
Please check your config.js or config.js.sample to change this.”

Now you need to check your MagicMirror logs.

If you are VPN’d into (or running directly on your pi), take a look at the terminal output.
If you are running MagicMirror using SSH and DISPLAY=:0 nohup npm start & to start your mirror, take a look at your nohup.out file (tail -f ~/MagicMirror/nohup.out) to see the output.
If you are using pm2, run tail -f ~/.pm2/logs/mm-out-0.log

You should see an error in there stating something like

Access denied to IP address: ::ffff:192.168.1.120

Change/Add your ipWhitelist in your config.js.
If you upgraded to MM 2.1.0 you’ll probably need to add the line
ipWhitelist: ["127.0.0.1", "::ffff:127.0.0.1", "::1", "::ffff:192.168.1.120"], to your file, otherwise just add the IP that was denied to the list.

If you want to give all of your network IPs access to your MagicMirror
You’ll have to use IPv6 CIDR.
For example, you have a couple devices with the IPs of 192.168.1.120, 192.168.1.155, 192.168.1.230 and you want to give them all access (along with everything else in the 192.168.1.X range), you should put "::ffff:192.168.1.1/120" in your ipWhitelist.
If you want to allow 192.168.0.0 - 192.168.255.255 access, you should use "::fff:192.168.1.1/112"

Restart MagicMirror to update your changes

The reason why “/24” works
A couple different threads state to add /24 to the end of the IP address. (I’ve put a couple of those up before doing some research too). While this will indeed allow your network devices access to your magic mirror, it will also allow any device with an IPv4 based address access to your mirror (obviously your router would need to be configured to allow this).
This “/24” in IPv6 CIDR allows 20,282,409,603,651,670,423,947,251,286,016 different IP addresses access. (IPv4’s total addresses are 4,294,967,296).

More information
If you’d like to learn more or have different sub-netting needs, I found this page useful.

lolobyte

@mochman

Thank you.

Now i understand this thematic a bit better an can solve my issue.

schlachtkreuzer6

Thanks! but i don´t like this feature in the moment… i`m travelling with my “mirror” (home-work-home-work…) I´m not finishend yet, so its only a raspi with a screen in a small box XD

looolz

Thank you for posting this! However, I still haven’t got it working yet. Access via VNC works fine, but not via a remote web browser.

1: When I ran the command tail -f ~/MagicMirror/nohup.out I got this:

Loading module helpers …
Initializing new module helper …
No helper found for module: helloworld.
All module helpers loaded.
Starting server op port 8080 …
Server started …
Connecting socket for: updatenotification
Sockets connected & modules started …
Fontconfig warning: ignoring UTF-8: not a valid region tag
Launching application.

Nothing more happens. I’ve tried to access the mirror both via Chrome and Safari. Both before and after I run the command. Nothing shows up in the log.

My desktops IP is 10.0.0.95, so I added the ipWhitelist line:

    ipWhitelist: ["127.0.0.1", "::ffff:127.0.0.1", "::1", "::ffff:10.0.0.95"],

Still, I get the same error:

This device is not allowed to access your mirror.
Please check your config.js or config.js.sample to change this.

I experimented with various writings, such as: “::fff:10.0.0.1/120” No dice.

Is there a way to disable the whitelist function completely?

toonazd

@mochman thanks topman been trying to get this back up and running

mochman

@looolz When you run the mirror through VNC. If you leave the terminal open then try to open the mirror on your other computer, do you see the

“This device is not allowed to access your mirror.
Please check your config.js or config.js.sample to change this.”

message? If so, does anything pop up in your terminal?

Another thing to look at, if you run ifconfig and take a look at your wlan0 (assuming you are using wifi to get internet) do you see a “inet6 addr:”? If not, just try adding "10.0.0.95" to the whitelist.

mochman

A way to tell if you need to use "::ffff:192.168.1.120" or just "192.168.1.120"
Run netstat -lnpt, if you see something like:

tcp 0 0 0.0.0.0:8080 0.0.0.0:* LISTEN 1271/electron.js

Then you are using IPv4 and should add "YO.UR.IP.AD" or "YO.UR.IP.AD/24" to the whitelist.

If you see: tcp6 0 0

spoiler


* LISTEN 1170/electron.js

You are using IPv6 address schemas and need to add "::ffff:YO.UR.IP.AD" or "::ffff:YO.UR.IP.AD/120" to the whitelist.

If you have IPv6 and want to turn it off, add ipv6.disable=1 to your /boot/cmdline.txt and restart your pi.

xer0design

Not a fan of this addition; would have rathered it was something you enable rather than disable.

For anyone wondering how to allow all ips, use:

ipWhitelist: ["::fff:0.0.0.0/1", "::fff:128.0.0.0/2", "::fff:192.0.0.0/3", "::fff:224.0.0.0/4", "127.0.0.1", "::ffff:127.0.0.1", "::1"],

looolz

@xer0design

Thanks! That worked for me!

looolz

@mochman

Thanks, I do see a inet6 address with the command ifconfig.

I tried to add 10.0.0.95 to the config with no success

But @xer0design’s tip worked!