I’m running my own HA locally, in my house, but I would like to be able to access it also when I’m not home. So I’ve put it on my Zerotier One VPN, which works fine. Except for two things:
- HA no longer knows when I’m home - it thinks I’m always home;
- Other people in my household would also like to have remote access, but it’s unrealistic to have them install and use the VPN.
So - can I just open it up, and rely on long, complex passwords? Or is that a complete no-go?
I use Nginx Proxy Manager and then Cloudflare to protect my actual IP.
I’ve got it accessible from the internet through a reverse proxy… My default HTTPS host drops all connections, so you need to access the right subdomain, which is not advertised in DNS or certificates (I use a wildcard). Probably not perfect, though, but it helps a bit. I also have geo-blocking enabled on my pfSense router, so basically everything outside my country gets blocked by the firewall anyway.
It will always be a risk vs benefit consideration.
The wildcard certificates make a huge difference. I had my services all on servicename.mydomain.com, each with an individual certificate, and those certificate-registration scrapers make them public, so they got hit a lot (but blocked by CrowdSec). Since moving all my services to servicename.app.mydomain.com with a wildcard DNS record and cert for *.app.mydomain.com, they’re completely non-public and my CrowdSec logs have gone silent.
Would running everything through my Tailscale be better? Yup, but there are a lot of situations where I want to access home and can’t use a VPN, where I can’t install my own software.
Why not a presence sensor of any kind? Check your router’s WiFi client list for your phone’s MAC or something.
I’m using cloudflared to give it a bit more protection than a plain reverse proxy.
My HA instance is publicly accessible (with 2FA) through Nabu Casa’s cloud service. Happily paying the subscription price of a whole $7/mo for that feature and to support them.
I can quickly switch it to my own reverse proxy if necessary.
I’ve got mine accessible with an SSL proxy. I would say make sure you use an alternative port to help reduce exposure during scans.
Layers
HA has its own built-in IP ban function with the HTTP(S) integration, but that might only see NAT’d addresses (i.e. the entire internet has the same address as far as HA is concerned), and is really only intended for protection from someone already on your network.
You should also have some other form of external-facing brute-force protection with HAProxy, nginx, fail2ban, etc.
You should have a firewall somewhere, maybe a function on your router, maybe a separate box. If possible also use geographical IP ranges to only allow your region(s).
All of that can either be at home, or on a VPS if you wanted to bounce all your traffic via a fixed location, perhaps with an outbound VPN from your home to the VPS.
Also use other network presence detection (i.e. ICMP ping, GPS, etc.) to determine if you’re at home.
Or… as others mention… support the devs with their solution.
I’ll add Pangolin to the list of things to think about trying. It was relatively easy to set up and it can run locally or on a VPS. If it’s on a VPS you don’t need a constant IP or DDNS, because your home server will connect to Pangolin on the VPS and the VPS will serve the apps. You’ll point the DNS records to your VPS.
It’s what I use for my extended family to reach my Immich instance. No complaints yet whatsoever. It’s Traefik + CrowdSec + WireGuard under the hood, but all abstracted into a maintained, easy-to-use GUI. You’ll have granular control over which users can use which services/subdomains, and geoblocking etc. is effortless.
I put a centralised authentication layer (Pocket ID) on top of it for easier enrollment across the various apps I’m running, but for Home Assistant only the built-in 2FA should be enough.
It’s generally fine to open it up, if you somewhat know what you’re doing. I wouldn’t do it without some protection measures like fail2ban and making sure HA is always up to date.
Nabu Casa, the manufacturer of HA, has a paid option where they take care of publicly accessing your local HA instance. I think that’s a good solution as well. It includes backups on their servers.
Nabu Casa is the way. Built by Home Assistant for Home Assistant, and utterly seamless and reliable (in my experience).
Most importantly it supports the developers who have created this amazing piece of software! Do it! 👍🏼🙏🏼
Absolutely, cost-wise it is almost the same as any other alternative, plus you support the devs. No-brainer choice. I’m 100% in.
Not cheaper than free; Tailscale is free.
@ropatrick
Plus offsite encrypted backup included.
I don’t really see why you shouldn’t… I have mine behind a reverse proxy, which puts SSL on the public endpoint. The biggest “issue” today is the ISP rotating my IPv4 address too often.
Can you not buy a static IP address from them? It’s inexpensive.
My ISP only has static IPv4 available for businesses. The price increase is quite a lot. I have been experimenting with IPv6, though I will lose connection when I am on someone else’s WiFi with no IPv6… It’s there as a fallback for now.
That kind of blows. I’m blessed with an ISP who doesn’t discriminate against power users, and I get it for relatively cheap (~$15 per month).
DDNS might help you with that
Yeah, I just made a quick script that queries my public IP every 5 minutes, then changes the A records via the registrar’s API if it detects a change.
@dislabled
Nowadays there are lots of people without a routable IPv4 address. As providers don’t have enough address space for all their customers, they use NAT.
Yeah, I know, I have turned down 2 potential ISPs already, because they use CGNAT. Too bad, because they are cheaper. Just wish IPv6 would really catch on soon.
Tailscale is possibly a solution for you.
Mine is open to the internet, via an nginx reverse proxy. I made it ban people who try to brute-force my password. It’s been fine like that for years now:
http:
  trusted_proxies:
    - w.x.y.z
  use_x_forwarded_for: true
  ip_ban_enabled: true
  login_attempts_threshold: 10
Thanks, TIL about the built-in IP ban.
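What the ip_ban setting above actually does behind a reverse proxy, and why the trusted_proxies / use_x_forwarded_for lines matter (as the earlier "Layers" reply points out, without them HA sees one address for the whole internet). This is an added example, not code from the thread or from Home Assistant itself: a constructed Python model of the ban logic, with hypothetical addresses taken from RFC 5737 documentation ranges. It shows the misconfigured case (banning the brute-forcer bans the proxy, locking everyone out), the correct case, and that a forged X-Forwarded-For from an untrusted peer is not honoured.

```python
"""Model of Home Assistant's ip_ban behind a reverse proxy (added example).

This is NOT Home Assistant's own code: it is a small simulation of the logic
described in the thread (ip_ban_enabled / login_attempts_threshold together
with trusted_proxies / use_x_forwarded_for) so the failure mode is visible.
All addresses are constructed from RFC 5737 documentation ranges.
"""
import ipaddress
from collections import defaultdict

PROXY_IP = "192.0.2.10"       # hypothetical reverse proxy in front of HA
ATTACKER_IP = "203.0.113.5"   # hypothetical brute-forcer behind the proxy
LEGIT_IP = "198.51.100.7"     # hypothetical household member behind the proxy


class BanTracker:
    """Counts failed logins per attributed client address and bans at the threshold."""

    def __init__(self, trusted_proxies, use_x_forwarded_for, login_attempts_threshold):
        self.trusted = [ipaddress.ip_network(p) for p in trusted_proxies]
        self.use_xff = use_x_forwarded_for
        self.threshold = login_attempts_threshold
        self.failures = defaultdict(int)
        self.banned = set()

    def client_ip(self, peer_ip, x_forwarded_for=None):
        """Return the address a request is attributed to.

        X-Forwarded-For is honoured only when the TCP peer is a trusted proxy;
        from anyone else the header is attacker-controlled and is ignored
        (simplified: the real middleware is stricter about unexpected headers).
        """
        peer = ipaddress.ip_address(peer_ip)
        if self.use_xff and x_forwarded_for and any(peer in net for net in self.trusted):
            # Leftmost entry is the original client; the proxy appended the rest.
            return x_forwarded_for.split(",")[0].strip()
        return peer_ip

    def request(self, peer_ip, password_ok, x_forwarded_for=None):
        """Process one login attempt; returns "banned", "ok" or "denied"."""
        ip = self.client_ip(peer_ip, x_forwarded_for)
        if ip in self.banned:
            return "banned"
        if password_ok:
            return "ok"
        self.failures[ip] += 1
        if self.failures[ip] >= self.threshold:
            self.banned.add(ip)
        return "denied"


def run_scenario(trusted_proxies, use_x_forwarded_for, threshold=10):
    """Attacker behind the proxy fails `threshold` times, then a legitimate user
    behind the same proxy logs in correctly. Returns (attacker_last, legit, banned)."""
    tracker = BanTracker(trusted_proxies, use_x_forwarded_for, threshold)
    attacker_last = None
    for _ in range(threshold):
        attacker_last = tracker.request(PROXY_IP, False, x_forwarded_for=ATTACKER_IP)
    legit = tracker.request(PROXY_IP, True, x_forwarded_for=LEGIT_IP)
    return attacker_last, legit, frozenset(tracker.banned)


def spoofed_header_is_ignored():
    """A direct (non-proxy) peer that forges X-Forwarded-For must be attributed
    to its own address, so it cannot shift its failures onto someone else."""
    tracker = BanTracker([PROXY_IP], True, 10)
    direct_peer = "203.0.113.99"  # hypothetical host talking to HA directly
    return tracker.client_ip(direct_peer, x_forwarded_for=LEGIT_IP) == direct_peer


if __name__ == "__main__":
    # Misconfigured: no trusted proxy, so every request looks like it comes from
    # the proxy. Banning the "attacker" bans the proxy, i.e. the whole internet.
    print("no trusted_proxies:", run_scenario([], False))
    # Correct: the proxy is trusted and forwards the real client, so only the
    # attacker's address is banned and the household member still gets in.
    print("trusted proxy + XFF:", run_scenario([PROXY_IP], True))
    print("forged XFF ignored:", spoofed_header_is_ignored())
```

The practical check: after enabling ip_ban_enabled behind a proxy, look at the ip_bans.yaml HA writes when a ban fires; if the banned address is your proxy's, trusted_proxies is missing or wrong and the next ban will lock out every remote user, yourself included.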
I have mine available as a tor hidden service.
What I personally do is have it accessible over WireGuard. Open TCP ports to the Internet are a bad idea. This does mean you have to launch WireGuard every time, but it’s way more secure.
If I understood correctly, you may find https://wgtunnel.com/ useful. No need to launch wireguard manually anymore.
Wish they had it for iOS
Seconded, works great!
Same, I use wgtunnel with autostart when I’m not on my home WiFi. The only time I have to think about it is when I’m trying to see devices on others’ networks (e.g. Chromecast/Apple TV/etc.), but that’s much less common than just always wanting access to my home services.
WireGuard runs in a different subnet at home, so the ping sensor for my phone fails on the regular WLAN address, and thus my HA always knows when I’m home and when I’m not.
@Archer indeed. A small effort for a good result
Mine is on the internet. The real risk is a zero-day auth bypass; password cracking won’t really work when the HA interface sends notifications on authentication failures.