Hello!
My HA instance is accessible from outside its local network only via VPN. I have no specific port forwarding on my router.
Does it matter in this case if I disable the Android companion app setting for a user to only allow local access? Its meaning is not entirely clear to me, hence the question.
Thanks for your help! 
i thought the local access setting forces the companion apps to be on the same subnet as homeassistant. vpn’s often connect into your home network but on a different subnet. at least mine does. does yours? so have do not have “local access only” turned on for my users. but if you have local access only enabled and connect through vpn still works, then go for it…
When I’m away, my mobile (with HA companion app) indeed is connected to my home network via VPN. Whereas this leads to 2 different subnets when using WireGuard, it remains one single subnet when using IKEv2/IPSec PSK.
I only now realise that I cannot open the GUI with my companion app when not directely connected to my home WiFi. Either way, via IPSec or WireGuard, with “Local access only” enabled or disabled, the connection to my HA instance cannot be established.
But that seems to be another problem.
I wish that the “Local access only” setting for HA users and its meaning was documented somewhere. Maybe I searched in the wrong places?
EDIT:
My bad - I should have checked this out:
Define if they should have Local access only.
- If this is enabled, they won’t have access to Home Assistant when they are outside your network, for example from their phone.
Now I have to find out what’s wrong with the connection despite VPN. I shall open a separate topic for this, though, or see if this question was already asked/answered.
I hope that nobody minds that I mark my own post (this one) as the “solution”. 