Hey all!

I'm fairly new to Home Assistant and have just created a few dashboards to be able to view my router statistics and be able to restart them via REST if need be. Love being able to do this seamlessly from one place.

It got me thinking however, that I can only really access the dashboard when I'm on my internal network. I know that there is a paid Home Assistant cloud that would enable me to view my dashboards and such publicly and securely, but I was wondering if this community has set it up themselves for free and securely.

Would anyone be able to guide me in the right direction?

[-] AlternateRoute@lemmy.ca 9 points 1 year ago* (last edited 1 year ago)

Surprised no one mentioned the native option of paying for the native Nabu Casa tunnel, you also get some other benefits. It is by far the easiest option but not free. It does however support Home Assistant development.

Personally I just expose my instance behind Opnsense with an SSL cert, and some web application firewall rules using nginx but that is a more technical configuration.

[-] chunkystyles@sopuli.xyz 5 points 1 year ago

I like Nabu Casa because it's easy, it works, and it supports the HA devs.

[-] phrogpilot73@lemmy.world 3 points 1 year ago

Supporting the HA Devs is the only reason I didn't set up a reverse proxy myself.

[-] redcalcium@c.calciumlabs.com 6 points 1 year ago

You can use Tailscale or ZeroTier to access your local Home Assistant from any device connected with your Tailscale/ZeroTier account.

But if you want to expose your Home Assistant to the public using a custom domain name, one way to do that is by using Cloudflare Tunnel: https://www.makeuseof.com/use-cloudflare-tunnel-expose-local-servers-internet/

[-] MystikIncarnate@lemmy.ca 3 points 1 year ago

I'm thinking of exposing HA via a Cloudflare tunnel, but I'm concerned about what security implications this may have. I'm not sure what, if any, security issues the HA login page may have. I can easily put everything through a reverse proxy, which I already have set up for other reasons. I may migrate all my externally exposed webpages to Cloudflare.

Have any lemmings used Cloudflare for this? What is your experience with it?

[-] redcalcium@c.calciumlabs.com 3 points 1 year ago* (last edited 1 year ago)

Security is a rabbit hole and you can go very deep depending on your risk model (an ordinary middle-class person has a different cybersecurity risk than, say, the CEO of a major bank). Let's say you are an ordinary lemming who doesn't have to worry about being specifically targeted by a hacker group or a nation state; you just don't want some botnet to get into your network and take over your IoT stuff. I think the following is reasonable enough:

  • By deploying your HA instance in Docker or a VM, if it somehow gets compromised by an automated botnet or malware, the infection will be contained and you can easily wipe it and start again. Real hackers might be able to escape the sandbox, but run-of-the-mill botnets that constantly scan the internet for exploits usually don't.
  • Set up OTP: https://www.home-assistant.io/docs/authentication/multi-factor-auth/
  • You can max out the security level of the HA login page (or the entire HA) using Cloudflare's firewall rules: https://developers.cloudflare.com/firewall/cf-dashboard/create-edit-delete-rules/ . This should stop most bots from trying to brute-force your login page.
  • Assuming you're using Cloudflare Tunnel, you aren't actually exposing your entire machine to the internet, just the Home Assistant port. That being said, it would be nice to take some precautions and disable root SSH login, and perhaps disallow password login too, just for peace of mind.

[-] sikhness@lemmy.ca 2 points 1 year ago

Would using Tailscale be similar to a VPN where I'd have to establish a VPN connection and have all my traffic directed to Tailscale?

[-] redcalcium@c.calciumlabs.com 2 points 1 year ago

Tailscale is a virtual LAN. When you enable Tailscale, you'll have an additional network interface and IP address on your connected devices. It doesn't actually redirect all your traffic there unless you specifically configure it to do so (if you do, you can designate a device as an "exit node" for your outbound traffic).

[-] sir_pronoun@lemmy.world 3 points 1 year ago

I'm actually not a Home Assistant user, but if I understand the issue correctly, something like that can usually be solved by setting up your own VPN on your modem/router. If you choose the right options and a good password it should even be secure :)

[-] fixmycode@feddit.cl 2 points 1 year ago

The problem with a VPN and HA is that if you want to use your phone as a presence sensor, you need to keep your phone connected to your VPN at all times or the HA app won't be able to update your sensors.

[-] EyesEyesBaby@lemmy.world 3 points 1 year ago

Install the Wireguard (and the DuckDNS) add-on(s). It allows you to reach your HA instance from everywhere as long as it's connected to the internet. Make sure to 'autorun' the add-ons after a system restart.

[-] ptz@dubvee.org 3 points 1 year ago* (last edited 1 year ago)

For years, I used WireGuard as my only way to access it remotely. It worked well but was always annoying toggling on/off, since all my traffic went over WG and some apps (bank, Pokemon Go, Netflix) didn't like that my source IP was a VPS.

I set up Authelia a year or two ago and now have HA exposed behind that with 2FA. I don't know if the HA app will work with that, but I use the PWA and it works great.

Haven't had any intrusions (yet?) and my HA is "always on" so long as my Authelia session is valid. Other apps are also behind Authelia, so signing into one signs me into all.

[-] vividspecter@vlemmy.net 2 points 1 year ago* (last edited 1 year ago)

Worked well but always annoying toggling that on/off since all my traffic went over WG and some apps (bank, Pokemon Go, Netflix) didn’t like that my source IP was a VPS.

For the record, with WireGuard you can configure AllowedIPs on the client such that internet traffic isn't routed through the tunnel. Basically, don't use the wildcard 0.0.0.0/0; instead set the WireGuard network and, if you need to access other devices, the LAN subnet that Home Assistant is on.
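The split-tunnel client configuration vividspecter describes, written out as an added example (not a config posted in the thread). The WireGuard subnet 10.8.0.0/24, the home LAN 192.168.1.0/24, the LAN DNS resolver and the endpoint hostname are constructed values; the keys are placeholders.

```ini
# Added example: wg-quick client profile for reaching Home Assistant over WireGuard.
# Constructed values: tunnel subnet 10.8.0.0/24, home LAN 192.168.1.0/24.
[Interface]
PrivateKey = <client-private-key>
Address = 10.8.0.2/32
# Optional: resolve names through a resolver on the home LAN (e.g. a Pi-hole).
# It is inside AllowedIPs below, so DNS still works in split-tunnel mode.
DNS = 192.168.1.53

[Peer]
PublicKey = <server-public-key>
Endpoint = home.example.net:51820
PersistentKeepalive = 25

# Full tunnel (the behaviour ptz describes): every packet, including banking
# and streaming apps, leaves via the VPS/home address.
# AllowedIPs = 0.0.0.0/0, ::/0

# Split tunnel: only the tunnel subnet and the LAN subnet Home Assistant sits on
# are routed through WireGuard; everything else uses the phone's own connection.
AllowedIPs = 10.8.0.0/24, 192.168.1.0/24
```

With AllowedIPs limited this way the tunnel can stay up permanently, which is what the HA companion app needs for phone-based presence detection, without the source-IP problems the full-tunnel profile caused.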

[-] ptz@dubvee.org 1 points 1 year ago

Yep, and I eventually set up a separate WG profile that had just my LAN route and set the DNS to my PiHole.

The full route was more useful most of the time so I still tended to use that more often. Cell signal at the office was nonexistent toward the middle of the building (where the bathrooms are) and the guest WiFi blocked "time waster" sites like Reddit.

[-] 0x442e472e@feddit.de 2 points 1 year ago

I'm not a fan of VPNs for cases like this, but that is a personal preference. I'm using a TLS client certificate with my nginx as load balancer, which works very well for me. I have installed that certificate on every PC and my Android device. Let's Encrypt also works, but for every self-hosted service a client certificate is required.

[-] nottelling@lemmy.world 1 points 1 year ago

LetsEncrypt supports wildcards.

[-] MummifiedClient5000@feddit.dk 2 points 1 year ago

Tailscale is an easy and secure way of getting access to your local network.

[-] spacemanspiffy@lemmy.world 1 points 1 year ago

I just use OpenVPN to log in to my home network when away. It was really easy to set up on my OpenWRT router.

[-] nottelling@lemmy.world 1 points 1 year ago

Only one response in here for using Nginx, and there should be more. The Nginx SSL proxy works with the DuckDNS add-on to manage your IP address and keep your LetsEncrypt certificates up to date.

If you own a domain and want to do that, you can use the Nginx Proxy Manager, which can also manage LetsEncrypt certs. It's a bit more complex to set up.

Combined with the OTP authentication built into Home Assistant, it's a pretty good option. The risk is that Home Assistant itself is your edge, and it's always possible there's something to exploit on the front-end.

[-] southqaw@lemmy.world 1 points 1 year ago

I use the Home Assistant Cloud Remote Control feature, which gives an external URL essentially. It does run through Home Assistant’s servers for external access, but I don’t really mind. I was using a DIY DuckDNS setup, but decided to start using HA Cloud for the Google Assistant integration. Using Remote Control is really easy, and I don’t have to think about my setup.

[-] 21racecar12@lemmy.world 1 points 1 year ago

Running a Cloudflare ZT tunnel; just need to set the container's IP as static and allow it as a trusted proxy. No issues here.
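What "allow it as a trusted proxy" looks like in Home Assistant's configuration.yaml, as an added example rather than the commenter's own config. The proxy container address 172.30.33.5 is a constructed value; the `http:` options used here are the ones documented by Home Assistant.

```yaml
# Added example: configuration.yaml fragment for Home Assistant behind a
# cloudflared (or nginx) container with a static address. 172.30.33.5 is constructed.
http:
  # Take the client address from X-Forwarded-For, but only when the request
  # arrives from a listed proxy. Without this, every visitor appears to come from
  # the proxy's IP and a single failed login can ban the proxy itself.
  use_x_forwarded_for: true
  trusted_proxies:
    - 172.30.33.5/32
  # Keep this list narrow. Trusting a whole range such as 0.0.0.0/0 lets any client
  # forge X-Forwarded-For and sidestep the per-IP ban below.
  ip_ban_enabled: true
  login_attempts_threshold: 5
```

Pair this with the OTP login mentioned earlier in the thread; the ban list only slows down brute force against the login page, it does not replace a second factor.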

this post was submitted on 04 Jul 2023