My Home Assistant is reachable from the internet over HTTPS, but I have devices that should never be available over the internet for security reasons (e.g. a hacked Home Assistant). Thus I'm wondering if it's possible to restrict some devices so that they are available only when the user is connected to the LAN, and to ignore instructions coming over the internet. One such device is my garage door.
I'm tinkering with the idea of setting up 2 instances (public and private) of Home Assistant. The first would be accessible over the internet and the second one only over the LAN.
All the devices would be connected to the MQTT broker of the local Home Assistant. In order to make several devices available through the public Home Assistant instance, I would bridge the 2 MQTT brokers.
This setup is complex, so I'm wondering if an easier way exists to restrict a device's availability to users connected to the LAN?
Thanks in advance,
Rather than 2 HA instances, just sort out VLANs with proper firewall rules.
I'm not sure that solves the OP's concern.
They want one instance of HA to be outward facing to the internet and one to have no internet accessibility at all.
To the OP, I did exactly what you suggested for a while, having two instances of HA bridged by MQTT internally.
I'm not sure it was as secure as I would have wanted, though, so I eventually settled on using a VPN with encrypted keys to access HA via my local LAN, or by using Nabu Casa.
So you had this setup of bridged MQTT brokers, but you had doubts about the security of this kind of configuration? Did you have any issues?
I imagined this kind of configuration would be hacker-proof because it's your local MQTT broker that connects over SSL to the public MQTT broker.
This way it would be nearly impossible for a hacker to reach your local instance of Home Assistant even if he manages to get access to the public instance.
The VPN setup would be a good alternative too, but the setup is not that easy (certificate installation on each user device), and finally, if the user leaves their device unattended, this would give access to the internal Home Assistant instance, which would be too risky.
I didn't use a public broker. I used two internal brokers, but it's still the same effectively. You still need to open your HA to the internet. Then in your case it goes back out to the internet to forward the messages; in my case it stayed local.
The VPN certs aren't that hard to set up. All you do is copy one .ovpn file that contains the key to the device you want to use. That makes it so the only thing you have to expose to the internet is the port for your VPN, which is totally encrypted internally. So it's inherently safer than an unencrypted port to HA exposed to the internet, no matter what you use in between. The unprotected port is still exposed.
So if someone leaves their device unattended and unlocked, then there are plenty more things to worry about at that point besides the person who takes the phone trying to figure out where you live so they can open your garage door. How many apps do you have that contain other personal/financial info?
I didn't understand why you say I would still need to open my HA to the internet, and then I realised I forgot to specify that the public HA would not be hosted on my home network; I would rent a VPS with a fixed IP address (you can rent one starting from 5 €/month). This way my home network would never need to be opened to the internet; the only external connection would be the local MQTT broker connected over a secured connection to the public broker.
For the VPN solution, I agree that the risk of an unattended client device being used by an unauthorised person is small, but if it happened, the potential damage would not be acceptable.
This kind of intrusion could even remain unnoticed forever, with a backdoor leading inside your local network.
I think I will try to set up this VPS solution.