Home Assistant is open source home automation that puts local control and privacy first.
Powered by a worldwide community of tinkerers and DIY enthusiasts.
Home Assistant can be self-installed on ProxMox, Raspberry Pi, or even purchased pre-installed: Home Assistant: Installation
Discussion of Home-Assistant adjacent topics is absolutely fine, within reason.
If you're not sure, DM @GreatAlbatross@feddit.uk
It's generally fine to open it up, if your somewhat know what you're doing. I wouldn't do it without some protection measures like fail2ban and making sure HA is always up to date.
Nabu Casa, the manufacturer of HA, has a paid option where they take care of publicly accessing your local HA instance. I think that's a good solution as well. It includes backups on their servers.
Nabu Casa is the way. Built by Home Assistant for Home Assistant, and utterly seamless and reliable (in my experience).
Most importantly it supports the developers who have created this amazing piece if software! Do it! ππΌππΌ
Absolutely, cost-wise is almost the same as any other alternative, plus you support the devs. No brainier choice. I'm 100% in.
not cheaper than free, tailscale is free
I've got it accessible from the internet through a reverse proxy.. My default https drops all connections, so you need to access the right subdomain, which are not advertised on dns or certificates (I use a wildcard). Probably not perfect though but it helps a bit. I also have geo-blocking enabled on my pfSense router, so basically everything outside my country gets blocked by the firewall anyway.
It will always be a risk vs benefit consideration.
the wildcard certificates make a huge difference. I had my services all on servicename.mydomain.com each with an individual certificate, and those certificate registration scrapers make them public and they got hit a lot (but blocked by crowdsec). since moving all my services to servicename.app.mydomain.com with a wildcard dns record and cert for *.app.mydomain.com, they're completely not-public and my crowdsec logs have gone silent.
would running everything thru my tailscale be better? yup, but there's a lot of situations that I want to access home that I can't use with a vpn, where I can't install my own software.
Why not a presence sensor of and kind? Check your router's WiFi client list for your phone MAC or something
Tailscale is possibly a solution for you.
Mine is open to the internet, via a nginx reverse proxy. I made it ban people who try to brute-force my password. It's been fine like that for years now:
http:
trusted_proxies:
- w.x.y.z
use_x_forwarded_for: true
ip_ban_enabled: true
login_attempts_threshold: 10
Thanks, TIL about the built in ip ban
I have mine available as a tor hidden service.
My HA instance is publicly accessible (with 2FA) through Nabu Casa's cloud service. Happily paying the subscription price of a whole $7/mo for that feature and to support them.
I can quickly switch it to my own reverse proxy if necessary.
Mine is on the internet. The real risk is a zero day auth bypass, password cracking won't really work when the HA interface sends notifications on authentication failures.
Iβm using cloudflared to give it a bit more protection over a plain reverse proxy
What I personally do is have it accessible over WireGuard. Open TCP ports to the Internet is a bad idea. This does mean you have to launch WireGuard every time, but itβs way more secure
If I understood correctly, you may find https://wgtunnel.com/ useful. No need to launch wireguard manually anymore.
Wish they had it for iOS
Same, I use wgtunnel with autostart when I'm not on my home wifi. The only time I have to think about it is when I'm trying to see devices on others' networks (ex. Chromecast/apple tv/etc), but that's much less common than just always wanting access to my home services.
Seconded, works great!
Wireguard runs in a different subnet at home, so the ping sensor for my phone fails on the regular WLAN address and this my ha always knows when home and when not.
So - can I just open it up, and rely on long, complex passeords? Or is that a complete no-go?
Install Fail2Ban on a free cloud VM and watch it for a couple of days. Seeing the never-ending intrusion attempts from around the world was a real eye-opener. There is no way I'd expose HA (or anything else except Wireguard) to the Internet. (Open WG ports appear closed unless they receive the correct key.)
In your situation I'd just pay for Home Assistant Cloud. It's not expensive and will do exactly what you want to do.
For a zero cost solution I use Tasker to automatically enable a Wireguard tunnel whenever we're not on home wifi. It allows direct access to everything on our local lan, and as a bonus prevents our wireless carrier from monitoring our Internet activities. A combination of the OpenWRT Ubus integration and a BLE integration (using inexpensive Shelly switch modules) detect when we're home with 100% accuracy.
I just use a Cloudflare tunnel using the Cloudflared plugin and a custom domain name. So no need to open ports. I use long passwords for the users. Not sure how unsafe it is but in HA you get a notification when a failed login happened.
That + mtls certs from cloudflare. Anyone/thing that doesn't have the cert gets blocked.
Iβm doing that + 2FA
Mine is on the internet behind nginx. I block connections not originating in countries that are reasonable for my family. I donβt like geoip blocking but it straight up eliminated almost all the IDS alerts. I needed to migrate to DNS based validation for certbot.
If I or my family leave the geo region, Iβm βawayβ anyways until I return to the area and my device gets a new IP. Or I can allow the country temporarily.
With the price of oil and therefore plane tickets what it is, I wonβt be leaving my geo region.
If you are hosting other things with it, then a reverse proxy like Caddy or Traefik + crowdsec is pretty much as good as you are going to get and you can add region blocking on your router (if that feature is available) or if you use cloudflare as a proxy.
If you want to go really crazy, you can put authelia/Authentik in front of it, depending on what else you host.
I've got mine accessible with SSL proxy. I would say make sure you use an alternative port to help reduce exposure during scans.
If you don't want to use a VPN like Tailscale (or ZeroTier) then this is exactly what the Home Assistant Cloud is for. And it even has an 1-month trial.
I solved Problem 1 by adding ICMP to HA. It's constantly checking if my phone is present on the WiFi*.
I'm using Tailscale instead of ZeroTier, but that should not matter.
*I could also use my routers integrstion, but this logic worked with my shitty old router that had no integration
I work in IT at a major university, and watch the logs. My Home Assistant instance is open to the Internet behind an nginx reverse proxy with SSL. (The official add-on makes it easy.) Brute-forcing passwords on HTTPS is not really a thing anymore. I get a connection attempt or two per month at home. At work, they go for known vulnerabilities in web apps; WordPress, mostly.
Brute-forcing passwords on HTTPS is not really a thing anymore.
Why is that?
I would expect that the cost-benefit calculation doesn't work out. If you have a password hash in local memory, then the computer can try each possibility in nanoseconds, and it can still take several minutes to crack trivial passwords.
To brute-force a password over HTTPS, each attempt is on the order of microseconds, about 1/1000th the speed, or slower. Plus, all the overhead of SSL, which imposes a compute burden on the attacking machine.
And that's just trivial passwords, plus assuming that the target host doesn't have connection rate-limiting, or even a sysadmin who'd notice the logs getting flooded with bad requests continuously for a couple of days.
I have it available via a reverse proxy with vouch proxy enabled for 2FA.
Layers
HA has it's own built in IP ban function with the HTTP(S) Integration, but that might only see NAT'd addresses (ie the entire internet has the same address as far as HA is concerned), and is really only intended for protection from someone already on your network.
You should also have some other form of external facing brute-force protection with HAproxy, nginx, fail2ban, etc.
You should have a firewall somewhere, maybe a function on your router, maybe a separate box. If possible also use geographical IP ranges to only allow your region(s).
All of that can either be at home, or on a VPS if you wanted to bounce all your traffic via a fixed location, perhaps with an outbound VPN from your home to the VPS.
Also use other network presence detection (ie ICMP ping, GPS, etc) to determine if you're at home.
Or... as others mention... support the devs with their solution.
Iβll add pangolin to the list of things to think about trying. It was relatively easy to set up and it can run locally or on a vps. If itβs on a vps you dont need a constant IP or ddns because your hone server will connect to pangolin on the vps and the vps will serve the apps. youll point the dns records to your vps.
Itβs what i use for my extended family to reach my immich instance. No complaints yet whatsoever. Itβs traefik+crowdsec+wireguard under the hood but all abstracted into a maintained, easy to use GUI. Youll have granular control over which users can use which services/subdomains and geoblocking etc is effortless.
I put a centralised authentication layer (pocket id) on top of it for easier enrollment across various apps im running but for homeassistant only the built in 2FA should be enough.
If you have to open it up, then you can at least allow-list IP addresses through your firewall so itβs not everyone who gets full access.
How's that supposed to work if the other people want to access it "from the Internet", most likely meaning their mobile phones when not at home? Find out all IP subnets for the carrier?
I have done something similar on mine but reversed. Instead of a whitelist I put together a rule to geo block all countries except the one I am in at the firewall. Before doing this I absolutely saw unknown traffic hit me constantly. With this in place it has been quiet ever since. You could probably narrow it down some more if you really feel like it's necessary. I know this is also hardee for some people to do since before I had this firewall I did not have an easy option to just block traffic like this.
I do this as well, but another approach I was thinking about implementing (i havent tried it yet) was to also block all IP addresses not belonging to mobile networks or residential ISPs in my country.
That way, in theory, only a mobile network IP or somone on residential wifi would pass through my firewall to Home Assisstant, and this would filter out IPs belonging to datacentres which may be hosting hostile VPS's, Tor exit nodes, proxies, VPN exit points, etc, etc.
Yeah that's a solid approach if you and your housemates are the only users.