This topic has been around many times, but none of the ones I have seen have provided help yet.
Here is the situation bullet form:
Hardware: Normal x86 server with Proxmox virtualization.
Home Assistant appliance, whole image (OS, Supervisor, Core) has been installed.
There are two network interfaces defined to Home Assistant: First one is the internal home network used to access the UI (192.168.50.x), make definitions etc, the second network is a dedicated IoT network (192.168.0.x) where the bulk of the actual sensors/actuators etc. reside. These two networks are not connected in any way with each other. Only Proxmox can see them and only HA VM has them both defined.
The home network is connected to the internet via an Asus router which has VPN enabled. I have actually tested three different router-supported VPN servers: OpenVPN, IPSec VPN and Asus's own Instant Guard.
OpenVPN works but Asus somehow cannot handle the push client function even though all the options should be OK, and my mobile phone is left outside the LAN even though the VPN connection is fine.
IPSec VPN and Instant Guard work nicely. I can access all my LAN services with my mobile phone BUT NOT Home Assistant. And with this I mean everything else, even my other dockerized services, works fine via these VPNs.
I have the following in my configuration.yml:
homeassistant:
My VPN IP is 10.10.10.1 when I connect by mobile. Have crosschecked it multiple times. Also the configuration.yml is active as I was nicely blocked out from HA UI when I first defined only 10.10.10.0/24… Luckily I was able to access the configuration.yml via Proxmox console and add the 192.168.50.0/24 which let me access the UI normally again inside the LAN.
I have shell access to HA server via Proxmox and also inside the HA container via the Terminal addon. I have tried to find out how the HA virtual server handles the network between the LAN and internal HA container but so far no luck.
Questions:
To my understanding the HA virtual server under Proxmox is just a small stub which mainly runs the Home Assistant core container. Is this correct?
If the above is correct, there is some kind of extra network layer between the VM and the HA container. At least the IP address seen via the Terminal addon shows something like 172… which means that there is some address translation going on internally. Somehow I assume that this layer now blocks the access when trying via VPN. Also it seems to do the work very efficiently as I can't even ping the HA address with my mobile VPN even though I can ping nearly everything else in the LAN.
Could it have something to do with the two network interfaces I have defined to HA? In web UI under System → Network → Network Adapter they are both selected, but the IoT one 192.168.0… has “Default” star on it. Note that the 192.168.50… network is the one which should be used here. The 192.168.0… network is only for connecting the IoT devices, not for user access.
I think your "Default" star is the problem, since it probably indicates the default gateway.
Unless you have been very creative with manually setting up routes, the default gateway will be used for all network traffic that is destined to other networks than the local ones, which means whatever network your phone will be on when you are not connected to your own WiFi.
I haven’t been super creative with the routes because this has been working fine in LAN so far. I have just enabled the two network interfaces from Proxmox for HA VM and HA seems to work fine with them. From where can I change which one HA uses as a default gateway?
There are no additional networks defined for this virtual server. Still it seems strange that you can see the default network interface in the HA Web UI but there seems to be no way to change it. Should be an easy one to implement as HASS runs on Linux.
They both didn't have a default gateway defined in Proxmox. Now I added 192.168.50.1 but it makes no difference. When I remove the whole IoT interface (192.168.0.x) from the HomeAssistant VM the VPN connection works fine; I can access the HomeAssistant Web GUI like other home services via the VPN connection. However, it always defaults to the IoT network when I enable it from Proxmox.
In "normal" Linux one could check and change the default interfaces with "ip route" commands, but the HA OS doesn't seem to have even this binary properly installed. The "ip addr" command works but all the other parameters seem not to work, e.g. in this case the very important command "ip route list" gives just nothing as a result. Even the basic ping has some wrapper built on it and it just shows an alive or not alive message after a short while, why? The whole HA OS is IMO a little bit too crippled as there are lots of common packages missing (shouldn't take too much space either) which would be crucial when doing this kind of problem solving.
I mean this shouldn't be so hard. Separating the usually low-security IoT network from the main home network is a common-sense security implementation. Why can one not change the default interface in the Web GUI where it is shown? Shouldn't be too hard as in Linux it is basically two route commands. Is this really a showstopper for using the whole HA VM and does it force people to move to the HA container installation?
Additional information:
In Proxmox host:
default via 192.168.50.1 dev vmbr0 onlink
192.168.0.0/24 dev vmbr1 proto kernel scope link src 192.168.0.10
192.168.50.0/24 dev vmbr0 proto kernel scope link src 192.168.50.10
Edit: Managed to get it working by defining static IP addresses for both of the interfaces in the Web UI, then putting DHCP back again, and now it somehow swapped the main one (192.168.50.x) to default and everything works as it should. Still this is not a solution but more like good luck. Not sure what happens after rebooting the server, hence not doing it now.
Bit late to replying to this thread, but I thought I’d leave a fix here for anyone else looking in the future.
I have a similar setup, the VPN server is running on a different machine than Home Assistant (in our case, it's the router). Using WireGuard or whatever the VPN is, add your VPN IP range to the client's list of acceptable IP addresses. On your mobile phone you probably have a split tunnel set up, and have specified an acceptable IP range, i.e. that traffic going to 192.168.50.x/24 should go through the VPN. Add 10.10.10.x/32 or 10.10.10.1 or whatever your VPN IP range is as well and you should be all set.
For my case, on my phone in the WireGuard app I have in the acceptable IP range:
192.168.50.x/24, 10.6.0.1/32
No changes required to HA at all, it's all done on your client device after turning on the VPN server in your Asus router.
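As an added illustration of the two mechanisms discussed in this thread (not code from any poster or from Home Assistant): a longest-prefix route lookup in Python that shows which interface the HA VM's reply to the VPN client 10.10.10.1 leaves through depending on where the default route sits, and a check of whether a destination falls inside a WireGuard-style split-tunnel AllowedIPs list. The HA-side routing tables, interface names (eth0/eth1) and addresses 192.168.50.20/192.168.0.20 are constructed assumptions mirroring the setup described above; only the Proxmox host table quoted earlier is from the thread.

```python
import ipaddress
import re
from typing import List, NamedTuple, Optional, Tuple

class Route(NamedTuple):
    prefix: ipaddress.IPv4Network
    dev: str
    via: Optional[str]  # None for directly connected (on-link) routes

# Matches `ip route` lines such as "default via 192.168.50.1 dev vmbr0 onlink"
# or "192.168.0.0/24 dev vmbr1 proto kernel scope link src 192.168.0.10".
_ROUTE_RE = re.compile(r"^(\S+)(?:\s+via\s+(\S+))?\s+dev\s+(\S+)")

def parse_routes(text: str) -> List[Route]:
    routes = []
    for line in text.strip().splitlines():
        m = _ROUTE_RE.match(line.strip())
        if m:
            dst, via, dev = m.groups()
            net = ipaddress.ip_network("0.0.0.0/0" if dst == "default" else dst, strict=False)
            routes.append(Route(net, dev, via))
    return routes

def reply_route(table: str, client_ip: str) -> Optional[Tuple[str, Optional[str]]]:
    """Longest-prefix match: which (dev, gateway) carries a reply to client_ip."""
    addr = ipaddress.ip_address(client_ip)
    best = max((r for r in parse_routes(table) if addr in r.prefix),
               key=lambda r: r.prefix.prefixlen, default=None)
    return None if best is None else (best.dev, best.via)

def in_tunnel(allowed_ips: str, dst: str) -> bool:
    """Split-tunnel check: does dst fall inside the peer's comma-separated AllowedIPs?"""
    addr = ipaddress.ip_address(dst)
    return any(addr in ipaddress.ip_network(n.strip(), strict=False)
               for n in allowed_ips.split(",") if n.strip())

# Constructed HA-side tables (interface names and addresses are assumptions).
# The first has the default route on the isolated IoT interface, as in the
# thread; the second puts it on the home LAN where the VPN router lives.
HA_DEFAULT_ON_IOT = """
default via 192.168.0.1 dev eth1
192.168.0.0/24 dev eth1 proto kernel scope link src 192.168.0.20
192.168.50.0/24 dev eth0 proto kernel scope link src 192.168.50.20
"""
HA_DEFAULT_ON_LAN = HA_DEFAULT_ON_IOT.replace("default via 192.168.0.1 dev eth1",
                                              "default via 192.168.50.1 dev eth0")

if __name__ == "__main__":
    for name, table in (("default on IoT", HA_DEFAULT_ON_IOT), ("default on LAN", HA_DEFAULT_ON_LAN)):
        print(name, "-> reply to 10.10.10.1 leaves via", reply_route(table, "10.10.10.1"))
    print("phone tunnels 192.168.50.20:", in_tunnel("192.168.50.0/24, 10.10.10.1/32", "192.168.50.20"))
```

With the default route on the IoT interface the reply to 10.10.10.1 is sent towards 192.168.0.1, a network the VPN router never sees, which is why the VPN client cannot even ping HA; moving the default route to 192.168.50.1 sends it back through the router that terminates the VPN.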