How does remote access work

can someone please point me at some documentation that explain how accessing the gateway web portal work remotely? Basically, I took off my phone from the wifi, and I can still access the sub-domain I created and login as the user I created and control the lights.

is the gateway poling? or listening on some websocket? are my things synced to the cloud?

sorry, if I had missed some documentation and asking this question.

1 Like

To make this happen, we use PageKite on a Mozilla-owned AWS server to securely tunnel traffic, and that server also handles DNS resolution. For an explanation, see here:

Essentially, the gateway initiates a secure tunnel with the AWS server. All * domains resolve to the AWS server’s IP address, but we do some magic to map that domain to the proper PageKite tunnel.


The link seems to be dead.

Find information at

1 Like

I typoed before. The link is updated.

1 Like

HI Mozilla,

I’ve just got a couple of Rapi 3 gateways running directly from the github instructions. I set them up using self certification for SSL.

Any pointers/documents to allow me to setup a Currently the menu system does not allow modification of the domain? :frowning:

Kind regards, Nicholas

Hi Nicholas,

You can’t really use self-signed certificates in conjunction with a subdomain, because the certificates need to be generated by LetsEncrypt on behalf of Mozilla in ordered to be trusted by browsers.

You either need to opt into the subdomain during first time setup and allow LetsEncrypt to automatically generate the certificates for you, or choose your own domain (or local host) and generate your own certificates.

We haven’t created a UI for configuring a custom domain in settings yet (that’s bug so you’d need to do that yourself on the command line.

If you’re running the gateway on a Raspberry Pi you might be better off using the pre-built image (instructions on the blog) which also does other useful things like configure iptables so the gateway process doesn’t have to run as root to run on port 80/443.

If you want to configure a custom domain yourself, you just need to point that domain at your IP address, but if you Raspberry Pi is behind a firewall you’ll need to open up ports on your router and forward them to the Raspberry Pi. This is something else the pre-built image solves automatically, by using a tunnelling service.


1 Like

Thank you Ben for the quick reply.

This bug is marked as a ‘story’ in github. Is this linked to a trello or jira story that is public in some way that I can look at to potentially contribute to?

Kind regards, Nicholas.

The GitHub issue is the user story, our backlog is public on Waffle

Doesn’t have UI mockups yet and the requirements probably need discussing in more detail, but contributions are welcome!

1 Like

How do I trigger the first time setup on a gateway that skipped that process originally?

How do I trigger the first time setup on a gateway that skipped that process originally?

I’m afraid there’s not yet an easy way to do that, though it will eventually be part of the Settings UI. Someone may be able to tell you the exact things you need to delete from the database in order to re-trigger first time setup, but otherwise your best bet is probably to re-flash a fresh image.


I’ve already created a personal registration-server per the registration-server-docker. What steps do I need to point the UI app to that private server now that it is configured to replace the public server?

You’ll essentially need to reconfigure the following settings:

You can do this in your ~/.mozilla-iot/config/local.json file, i.e.

  "ssltunnel": {
    "registration_endpoint": ""
1 Like

Hi Michael, question about PageKite, I have tried using it with my own web service, running on a pi, and it is so slow its totally unusable. I am not hosting the relay, but using the one offered by pagekite. Did you guys do anything special on your host / relay side do speed up the speed?, Your speed is great… thanks ,

Not really. We just host multiple dedicated AWS servers for this (one in North America, one in Europe), that way the hosts don’t get overloaded.

Hi Micheal, I’ve gotten the configurations on the registration-server set up as well as setting up the front-end tunneling params but Im not getting a response back in the browser when making the <IPAddress>/settings/subscribe call. All of the conf files have been configured per your readme. If I make the telnet the server ip address I’m able connect just fine. Container is running and nginx is running. Is there a way to test that the configuration is done correctly? Im using google cloud and it could be firewall related. Im unsure where to go from this point. Your help would be appreciated.

So it turns out the issue is between nginx and docker. The docker port is not opening the port on the VM even though it is listening.

tcp 0 0* LISTEN 5538/nginx: master
tcp6 0 0 :::8443 :::* LISTEN 5538/nginx: master
tcp6 0 0 :::443 :::* LISTEN 7379/docker-proxy

but when I run nmap on the ip I see the following

22/tcp open ssh
80/tcp open http
443/tcp closed https
3389/tcp closed ms-wbt-server

Should’t the docker instance open the port on the VM? When I set the port on Nginx it opens without issue.

Make sure you’re opening the ports properly with your docker run command. You’ll need to add -p args for each port, i.e. -p 81:81.

please check it out for a clear understanding

Hope it helps !

We are experimenting with another way to do secure tunneling for remote access of iot-gw, and here is our approach.

I’m writing a web service running on a pi like you.
could you please help me and guide how did you change your web things properties by your own web service?

I want to use my own gateway instead of mozilla I need to know how to call web things directly, to send them PUT requsets(with no need to have the gateway address for extended web thing url)

with model of address below i can call my thing with Get request and it’s response is true.but for sending PUT request this URL doesn’t work. : this is the ip of my web thing and with Get requset it returns json to me and is ok.I have problem with PUT.