help with forwarding for home assistant
-
Can you do what you want with homebridge?
https://homebridge.io/
I can control devices when I’m away from home without any sort of port forwarding, I run it on a Raspberry Pi 3 and it talks to my Apple TV HomeKit hub.
-
^ exactly.. There really should be no reason to port forward for home automation sort of stuff.. Not sure exactly how OP is set up and what gear..
If you have to open a port to public internet - it's not secure..
-
@NogBadTheBad said in help with forwarding for home assistant:
Can you do what you want with homebridge?
https://homebridge.io/
I can control devices when I’m away from home without any sort of port forwarding, I run it on a Raspberry Pi 3 and it talks to my Apple TV HomeKit hub.
For some reason HomeKit doesn’t show any of my Insteon sensors. Only the switches. Regardless, I really don’t want to go through the headache of re-creating all of my automations again.
-
The home assistant iOS app relies on anytime access to the server on my local network for some of its services. I’m going to try the OpenVPN option and see how well that works.
-
Let us know how it goes for you.
-
So even their website recommends vpn or ssh (poor man's vpn) ;)
https://www.home-assistant.io/docs/configuration/securing/
"To expose your instance to the internet, use a VPN, or an SSH tunnel."
While sure https is more secure than http.. You're still just exposing the service to the public which is bad. A vpn or ssh provides for a secure method to auth to even make a connection, before exposing the service interface to anyone.
VPN or even ssh can require very secure auth methods, and then keep all traffic passed between the authed user and the service secure inside an encrypted tunnel.
If my user base was more tech savvy, I would require all my friends and family to use vpn to access my plex. Sadly that is not possible - so had to make compromises to a secure setup to allow them to use in an easy fashion. I tried locking it down to only their known IPs - but this proved to be too difficult for many of them. So best I could do was lock down the ips to only the locations they are coming from. Currently the US. Changing the port from the common port. And actively monitoring any access. Any time a new IP accesses my plex I am notified, and can check with that account - hey are you traveling why am I seeing a connection from a different state than you're normally from..
But since something like home control/automation remote access should really only be accessed by you, or maybe a housemate or two.. Locking that down to vpn access is a very viable solution. And simple enough to set up via just an app on any phone, tablet, laptop - remote access devices. Not like you need a TV to access home assistant server.
From a security point of view I cannot stress enough the importance of not allowing such access to just any public IP..
With something like plex, at least the worst thing that could happen is someone deletes all my media. But even if they compromised that system, they would be limited to that service, and not have any access to anything else in my network.
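The new-address notification described in the post above, sketched as an added example that is not part of the original thread and is not Plex's own logging or alerting. The log line format, the function names and the choice to group addresses by /24 (IPv4) and /56 (IPv6) are assumptions made for illustration.

```python
import ipaddress

# Constructed sample events (timestamp, account, source IP); not real Plex output.
SAMPLE_EVENTS = """\
2024-05-01T18:02:11Z alice 198.51.100.23
2024-05-01T19:40:02Z bob 203.0.113.77
2024-05-02T07:15:45Z alice 198.51.100.91
2024-05-02T21:03:30Z alice 192.0.2.14
2024-05-03T08:00:00Z bob 203.0.113.77
garbage line without fields
2024-05-03T09:12:09Z carol 2001:db8:12:3400::5
2024-05-03T09:30:00Z carol 2001:db8:12:34ff::9
"""

def network_key(ip_text, v4_prefix=24, v6_prefix=56):
    """Collapse an address to its surrounding network (assumed prefix sizes)
    so address churn inside one ISP allocation does not alert every time."""
    ip = ipaddress.ip_address(ip_text)  # raises ValueError if not an IP
    prefix = v4_prefix if ip.version == 4 else v6_prefix
    return ipaddress.ip_network(f"{ip}/{prefix}", strict=False)

def find_new_sources(log_text, known=None):
    """Return (alerts, known). An alert is raised when an account connects
    from a network it has not used before. The first network seen for an
    account is its baseline and does not alert."""
    known = known if known is not None else {}
    alerts = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue  # skip malformed lines rather than crash the monitor
        timestamp, account, ip_text = parts
        try:
            net = network_key(ip_text)
        except ValueError:
            continue  # third field is not an IP address
        seen = known.setdefault(account, set())
        if seen and net not in seen:
            alerts.append((timestamp, account, ip_text))
        seen.add(net)
    return alerts, known

if __name__ == "__main__":
    for ts, account, ip in find_new_sources(SAMPLE_EVENTS)[0]:
        print(f"{ts}: {account} connected from new network ({ip})")
```

Passing the returned `known` mapping back in on the next run keeps the per-account baseline across log batches.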
-
I suppose exposing an encrypted service to the Internet is better than just using a plain HTTP/HTTPS server though. I think the most important factor is if this server will be kept updated/patched and monitored. That all depends on if the vendor ever pushes out any updates though.
They always do that, right? lol
-
@johnpoz I agree.
-
It's not the "encryption" so much as the more secure auth... To auth to vpn - you would need a cert, issued by you.. Same with ssh - you can require public key auth..
These are almost impossible to "brute force" auth.. And way less likely to have some other form of exploit that could allow some user to gain access do some other exploit.
If I can access the http/https service - while it might ask for a username password, those could be "guessed" or possibly some sort of exploit could be used to bypass this auth in the service. This is highly unlikely in something like a vpn or ssh.
-
I’m testing using OpenVPN. It works fairly well. I’ve only found one app that fails to connect when vpn is activated on my phone. Currently I can only connect to the OpenVPN server over WAN which causes some extra battery drain when I’m connected to my LAN network but not really enough to be an issue.
-
@Johnpoz Very good point, encryption just hides information, it doesn't mean that machine is authorized to connect and freely access the server's information just because it's using an encrypted connection.
-
@wgstarks That's great news, glad to hear you got it working.
-
Is it possible to allow the OpenVPN client on my phone to connect to the OpenVPN server running on my pfsense appliance when connecting from LAN? I don’t know enough about this to know if that would even be a good idea.
-
Your LAN or some other LAN?
-
@tman904 said in help with forwarding for home assistant:
Your LAN or some other LAN?
My LAN network.
-
While you can do that - it can be problematic.. Because you're on the same network as what you're trying to access via the vpn, etc. There is little advantage to doing such a thing.. Just click the vpn on when you're remote and you need to do something with your automation system... To be honest - how often would that even be?
-
@wgstarks I would only connect to the VPN when somewhere outside my LAN. Reason being is when you're inside of your LAN you already have access to every route/network. When outside of it the VPN creates a virtual tunnel network that allows your device to route to the networks inside your LAN even though you're not physically there.
-
@johnpoz said in help with forwarding for home assistant:
While you can do that - it can be problematic.. Because you're on the same network as what you're trying to access via the vpn, etc. There is little advantage to doing such a thing.. Just click the vpn on when you're remote and you need to do something with your automation system... To be honest - how often would that even be?
I haven’t been able to get an exact time schedule for this but it’s every few minutes (and push notifications can happen at any time). I just leave the OpenVPN activated. The settings for the OpenVPN client on my iPhone warn that setting the app to continuously attempt to re-connect may cause increased battery drain but honestly it doesn’t seem to be enough to notice.
-
Are you using OpenVPN Connect on iOS by any chance?
-
@JeGr said in help with forwarding for home assistant:
Are you using OpenVPN Connect on iOS by any chance?
Yes