Netgate Discussion Forum

    help with forwarding for home assistant

Category: Firewalling
    51 Posts 6 Posters 10.0k Views
wgstarks @wgstarks

      @wgstarks said in help with forwarding for home assistant:

      @johnpoz said in help with forwarding for home assistant:

      Why do you think you even need to open the port? There should be zero reason for opening inbound ports to control your home smart things while outside your home.. They phone home (company servers) and you control via that connection.

      I can turn on/off my lights, change the temp on the hvac, etc. without having any ports open.

      My iOS app fails to connect without a connection to my local network.

      Yes

      Box: SG-4200

johnpoz LAYER 8 Global Moderator

Yeah you would want VPN then... If the server doesn't make a connection to outside services, like Alexa, Google, all the other 3rd brand lights and switches, etc., that you can use to control your devices, VPN is the way to do it securely.

        https://www.home-assistant.io/docs/configuration/remote/
        "Just putting a port up is not secure. "

They recommend using SSL - but that still leaves it exposed.. From a security point of view you should set up a VPN on your phone to your pfSense box.. Then you can access your Home Assistant through the VPN.. This does not expose it to the public internet and anyone hitting that port.

        An intelligent man is sometimes forced to be drunk to spend time with his fools
        If you get confused: Listen to the Music Play
        Please don't Chat/PM me for help, unless mod related
        SG-4860 24.11 | Lab VMs 2.8, 24.11

wgstarks @johnpoz

          @johnpoz said in help with forwarding for home assistant:

          Yeah you would want vpn then... If they server doesn't make a connection to outside services, like alexa, google, all the other 3rd brand lights and switches, and etc.. That you can use to control your devices. VPN is the way to do it securely.

They do have a paid service for this but I would rather connect manually (turn the VPN on/off) and save the money if I can't find any way to keep the VPN active.

johnpoz LAYER 8 Global Moderator

Well the VPN could be set to always be active.. But turning it on and off is just a single click.. On your phone.

wgstarks @johnpoz

              @johnpoz said in help with forwarding for home assistant:

              They recommend using ssl - but that still leaves it exposed.. From a security point of view you should setup vpn on your phone to your pfsense box.. Then you can access your remote assistant through the vpn.. This does not expose it to the public internet and anyone hitting that port.

Right now I have SSL (Let's Encrypt). I have OpenVPN installed on my iPhone but it tends to disconnect when changing networks and won't connect at all when I'm connected to my local network. I see that the OpenVPN app now has functionality to try and re-connect but I'm not sure what those continuous re-connection attempts will do to my battery life and network performance.

johnpoz LAYER 8 Global Moderator

You don't need it while you're on your local network... Just turn it on when you're away "and" you want to do something with your Home Assistant. It's a click to turn it on.

                Do what it is you want to do and then disconnect it - click.

I would not suggest you open your Home Assistant to the public net - it is not secure, be it you're using https or not..

                Here is some info about how often this port is scanned..
                https://www.dshield.org/port.html?port=8123
                https://www.speedguide.net/port.php?port=8123

NogBadTheBad

                  Can you do what you want with homebridge?

                  https://homebridge.io/

I can control devices when I'm away from home without any sort of port forwarding. I run it on a Raspberry Pi 3 and it talks to my Apple TV HomeKit hub.

                  Andy

                  1 x Netgate SG-4860 - 3 x Linksys LGS308P - 1 x Aruba InstantOn AP22

johnpoz LAYER 8 Global Moderator

^ exactly.. There really should be no reason to port forward for home automation sort of stuff.. Not sure exactly how OP is set up and what gear..

If you have to open a port to the public internet - it's not secure..

wgstarks @NogBadTheBad

                      @NogBadTheBad said in help with forwarding for home assistant:

                      Can you do what you want with homebridge?

                      https://homebridge.io/

I can control devices when I'm away from home without any sort of port forwarding. I run it on a Raspberry Pi 3 and it talks to my Apple TV HomeKit hub.

                      For some reason HomeKit doesn’t show any of my insteon sensors. Only the switches. Regardless, I really don’t want to go through the headache of re-creating all of my automations again.

wgstarks

The Home Assistant iOS app relies on anytime access to the server on my local network for some of its services. I'm going to try the OpenVPN option and see how well that works.

tman904

                          Let us know how it goes for you.

johnpoz LAYER 8 Global Moderator

So even their website recommends VPN or SSH (poor man's VPN) ;)

                            https://www.home-assistant.io/docs/configuration/securing/
                            "To expose your instance to the internet, use a VPN, or an SSH tunnel."

While sure https is more secure than http.. You're still just exposing the service to the public, which is bad. A VPN or SSH provides for a secure method to auth to even make a connection, before exposing the service interface to anyone.

VPN or even SSH can require very secure auth methods, and then keep all traffic passed between the authed user and the service secure inside an encrypted tunnel.

If my user base was more tech savvy, I would require all my friends and family to use VPN to access my Plex. Sadly that is not possible - so I had to make compromises to a secure setup to allow them to use it in an easy fashion. I tried locking it down to only their known IPs - but this proved to be too difficult for many of them. So the best I could do was lock down the IPs to only the locations they are coming from. Currently the US. Changing the port from the common port. And actively monitoring any access. Any time a new IP accesses my Plex I am notified, and can check with that account - hey, are you traveling, why am I seeing a connection from a different state than you're normally from..

But since something like home control/automation remote access should really only be accessed by you, or maybe a house mate or two.. Locking that down to VPN access is a very viable solution. And simple enough to set up via just an app on any phone, tablet, laptop - remote access devices. Not like you need a TV to access the Home Assistant server.

From a security point of view I can not stress enough the importance of not allowing such access to just any public IP..

With something like Plex, at least the worst thing that could happen is someone deletes all my media. But even if they compromised that system, they would be limited to that service, and not have any access to anything else in my network.

tman904
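The "notify me on any new IP, and only allow my users' country" monitoring johnpoz describes for his Plex setup, as an added example that is not from this thread or from Plex itself: the access-log format and the prefix-to-country table are constructed stand-ins for a real server log and a GeoIP lookup.

```python
# Added example (not from the thread). Alert on first-seen source IPs per
# account and on connections from outside an allowed country.
# Log format and the GeoIP table below are constructed stand-ins.
from collections import defaultdict
import ipaddress

# Constructed stand-in for a GeoIP lookup: prefix -> country code.
GEOIP_STUB = {
    "203.0.113.0/24": "US",
    "198.51.100.0/24": "US",
    "192.0.2.0/24": "DE",
}
ALLOWED_COUNTRIES = {"US"}  # "lock down the IPs to only the locations they come from"

def country_of(ip):
    """Map an IP to a country code via the stub table; '??' if unknown."""
    addr = ipaddress.ip_address(ip)
    for prefix, cc in GEOIP_STUB.items():
        if addr in ipaddress.ip_network(prefix):
            return cc
    return "??"

def parse_line(line):
    """Constructed format: '<timestamp> login account=<name> src=<ip>'."""
    ts, _, rest = line.partition(" login ")
    fields = dict(kv.split("=", 1) for kv in rest.split())
    return ts, fields["account"], fields["src"]

def scan(lines, known):
    """Return (ts, account, ip, reason) alerts. `known` maps account -> set of
    IPs already seen and is updated in place so repeat connections stay quiet."""
    alerts = []
    for line in lines:
        ts, account, ip = parse_line(line)
        cc = country_of(ip)
        if cc not in ALLOWED_COUNTRIES:
            alerts.append((ts, account, ip, f"blocked-country:{cc}"))
        if ip not in known[account]:          # first time this account used this IP
            known[account].add(ip)
            alerts.append((ts, account, ip, "new-ip"))
    return alerts

SAMPLE_LOG = [  # constructed sample lines
    "2024-05-01T10:00:00Z login account=alice src=203.0.113.7",
    "2024-05-01T10:05:00Z login account=alice src=203.0.113.7",
    "2024-05-02T08:15:00Z login account=alice src=198.51.100.9",
    "2024-05-02T09:00:00Z login account=bob src=192.0.2.44",
]

def demo():
    # alice's usual IP is pre-seeded; bob has never connected before.
    known = defaultdict(set, {"alice": {"203.0.113.7"}})
    return scan(SAMPLE_LOG, known)
```

Running `demo()` yields one new-IP alert for alice's second address and two alerts for bob (unknown IP and a country outside the allowlist).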

                              I suppose exposing an encrypted service to the Internet is better than just using a plain HTTP/HTTPS server though. I think the most important factor is if this server will be kept updated/patched and monitored. That all depends on if the vendor ever pushes out any updates though.

                              They always do that right.🤣 lol

tman904 @johnpoz

                                @johnpoz I agree.

johnpoz LAYER 8 Global Moderator

It's not the "encryption" so much as the more secure auth... To auth to the VPN - you would need a cert, issued by you.. Same with SSH - you can require public key auth..

These are almost impossible to "brute force" auth.. And way less likely to have some other form of exploit that could allow some user to gain access or do some other exploit.

If I can access the http/https service - while it might ask for a username and password, those could be "guessed", or possibly some sort of exploit could be used to bypass this auth in the service. This is highly unlikely in something like a VPN or SSH.

wgstarks

I'm testing using OpenVPN. It works fairly well. I've only found one app that fails to connect when the VPN is activated on my phone. Currently I can only connect to the OpenVPN server over WAN, which causes some extra battery drain when I'm connected to my LAN network, but not really enough to be an issue.

tman904

@johnpoz Very good point, encryption just hides information; it doesn't mean that machine is authorized to connect and freely access the server's information just because it's using an encrypted connection.

tman904 @wgstarks

@wgstarks That's great news, glad to hear you got it working.

wgstarks

Is it possible to allow the OpenVPN client on my phone to connect to the OpenVPN server running on my pfSense appliance when connecting from LAN? I don't know enough about this to know if that would even be a good idea.

tman904

                                            Your LAN or some other LAN?

                                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.