Hey all!
I’m fairly new to Home Assistant and have just created a few dashboards to be able to view my router statistics and be able to restart them via REST if need be. Love being able to do this seamlessly from one place.
It got me thinking however, that I can only really access the dashboard when I’m on my internal network. I know that there is a paid Home Assistant cloud that would enable me to view my dashboards and such publicly and securely, but I was wondering if this community has set it up themselves for free and securely.
Would anyone be able to guide me in the right direction?
Surprised no one mentioned the native option of paying for the native Nabu Casa tunnel, you also get some other benefits. It is by far the easiest option but not free. It does however support Home Assistant development.
Personally I just expose my instance behind Opnsense with an SSL cert, and some web application firewall rules using nginx but that is a more technical configuration.
I like Nabu Casa because it’s easy, it works, and it supports the HA devs.
Only one response in here for using Nginx, and there should be more. The Nginx SSL proxy works with the DuckDNS add-on to manage your IP address and and keep your LetsEncrypt certificates up to date.
If you own a domain and want to do that, you can use the Nginx Proxy Manager, which can also manage LetsEncrypt certs. It’s a bit more complex to set up.
Combined with the OTP authentication built-into Home Assistant, it’s a pretty good option. The risk is that Home Assistant itself is your edge, and it’s always possible there’s something to exploit on the front-end.
I’m not a fan of VPNs for cases like this, but that is a personal preference. I’m using a TLS client certificate with my nginx as load balancer which works very well for me. I have installed that certificate on every PC and my Android device. Let’s Encrypt also works, but for every self hosted service a client certificate is required
deleted by creator
Tailscale is an easy and secure way of getting access to your local network.
Running cloudflare zt tunnel, just need to set the containers IP as static and allow it as a trusted proxy. No issues here
My favorite method is buying a cheap $1/year domain, and connect using cloudflared. There are tons of guides for this on YouTube, everything smart home link here!
You can use Tailscale and Zerotier to access your local HomeAssistant from any devices connected with your Tailscale/Zerotier account.
But if you want to expose your HomeAssistant to public using a custom domain name, one way to do that is by using Cloudflare Tunnel: https://www.makeuseof.com/use-cloudflare-tunnel-expose-local-servers-internet/
I’m thinking to expose HA via a cloudflare tunnel; but I’m concerned as to what security implications this may have. I’m not sure what, if any, security issues the HA login page may have. I can easily put everything through a reverse proxy, which I already have set up for other reasons. I may migrate all my externally exposed webpages via cloudflare.
Have any lemmings used cloudflare for this? what is your experience with it?
Currently using CloudFlare for two different homes. One is on cloudflared add-on, with Nginx Proxy Manager as the reverse proxy.
The other, CloudFlare tunnel hosted on a docker container in the same network, with Nginx Proxy Manager as well to unify ports for some services.
Both setups been working well so far, ignoring the concerns that the HA frontend may have potential security issues.
Security is a rabbit hole and you can go very deep depending on your risk model (an ordinary middle class people has different cybersecurity risk than, say, a CEO of a major bank). Let’s say you are an ordinary lemming that don’t have to be worry about being specifically targeted by a hacker group or a nation state, you just don’t want some botnets get into your network and take over your IoT stuff, I think the following is reasonable enough:
- by deploying your HA instance using docker or VM, if it somehow got compromized by an automated botnets / malware, the infection will be contained and you can easily wipe it off and start again. Real hackers might be able to escape the sandbox but run of the mills botnets that always scan the internet for exploits usually don’t.
- setup OTP: https://www.home-assistant.io/docs/authentication/multi-factor-auth/
- you can max out security level of HA login page (or the entire HA) using cloudflare’s firewall rule: https://developers.cloudflare.com/firewall/cf-dashboard/create-edit-delete-rules/ . This should stop most bots from trying to bruteforce your login page.
- assuming you’re using cloudflare tunnel, you aren’t actually exposing your entire machine to the internet, but just the homeassistant port. That being said, it’ll be nice if you take some precaution and disable root ssh login and perhaps disallow password login too, just for peace of mind.
My HomeAssistant is on a dedicated system right now, so if it’s lost, I can reinstall without too much trouble. I have it backed up to my google drive, and I’m planning on setting up some local backups… so the config will almost certainly not be lost. I have to make it a bit more robust to make sure we have backups of the zwave controller config and security keys and everything for the S2 devices, and whatnot…
I’m wondering if HA supports login via device certificate, it may be more secure than a password, even with OTP, and after a rough initial setup for the users, it should be seamless for them to use it, regardless of if they’re local or remote. I also want to get it set up to integrate with Google’s assistant, mainly for nest home mini’s we have placed around the house. I’m not a fan of paying for that privilege, so I’m still examining my options.
Any input you may have on this from a security standpoint would be appreciated. For context, I’m an IT admin by day (system and network mainly), I have some experience with security, but when it comes to pretty much anything that requires metasploit or anything more complicated, I’m generally out of my league. Working with systems, firewalls, tunnels, forwarding, ports, protocols, etc. that’s all my jam. I’m good with doing what’s needed. I have a homelab and a farm of virtual machines to do my bidding day-to-day. So I’m not stranger to complexity; as long as it’s logical to add complexity to the system, then I won’t shy away from whatever needs to be done to accomplish the task.
If you want some peace of mind, there is nothing wrong to keep your home assistant instance locked up behind your lan. You can still access it externally using a VPN, or zerotier/tailscale. If you need notification support, just configure sms or email notification so HomeAssistant can still send you alert via SMS or email.
If you’re ok with not being able to use HomeAssistant mobile app, then you can add some extra security by putting your home assistant instance behind an authenticating proxy. This means your home assistant will be protected by two login pages when you attempt to access it from outside your network.
Some authenticating proxy options are Cloudflare Access or OAuth2 Proxy.
If you’re already using Cloudflare, then using Cloudflare Access might be no brainer. If you’re already have experience with setting up your own OIDC providers using keycloak, auth0, okta, or Google oauth2 provider, then putting your home assistant instance behind OAuth2 Proxy might be a good option. Those auth providers usually have stricter login pages and you usually can add even stricter rules to the login page (e.g. disallow login from certain countries, rate limit, add captcha in addition to 2fa, etc). How strict your extra login security will be is entirely up to you.
For Google assistant integration, you’ll need to enable the API in your GCP account as mentioned in this page. But it does require your home assistant url to be publicly routable from GCP servers so Google assistant can reach it, which means you can’t put your instance behind an authenticating proxy or keep it behind your lan. You might still be able to whitelist certain path from the authenticating proxy (e.g. the
/api/google_assistantendpoint), but I haven’t tried it yet.