I’m also working on exposing my HA instance to the internet. Following this Securing - Home Assistant (home-assistant.io) page, you could either use TLS (via Let’s Encrypt) or an SSH tunnel. I want to check the differences between both methods. So if I have a misunderstanding please correct me!
Basically, let’s say you simply know your changing public IPv4 address (e.g. via a DDNS service) and this address is myha.somedomain.tld.
1. Let’s encrypt
When setting up a TLS/SSL certificate using the Let’s Encrypt add-on, you need to set up port forwarding in the router, e.g. from public 80 to local 80 and public 443 to local 8123. So if you open https://myha.somedomain.tld you should see your HA instance.
Entry to your HA: Login credentials (username + password)
Weakest point: Your password and brute-force attack
Security improvement: Strong password + 2FA
2. SSH Tunnel
You need to set up port forwarding from e.g. public 22222 to local 22. So first you need to open an SSH tunnel from your remote network (= internet) to myha.somedomain.tld. After establishing this connection you can access your local HA instance, e.g. 192.168.0.5:8123.
Entry to your HA: SSH server
Weakest point: SSH password and brute-force attack
Security improvement: Using a public/private key pair instead of a password
If these descriptions are correct, why should you use TLS instead of an SSH tunnel (presuming port 22 is available on the remote machine)?
This is not correct. With an SSH tunnel (basically a permanent, auto-restarted SSH connection) you connect to the SSH server on the host on port 22 (usually). You can provide options that tunnel remote port traffic through SSH to local ports. So, you would connect to a mapped port on your client, not the (Home Assistant) host.
I’d go for a TLS/SSL connection for the UI, allowing you to log in to the UI easily from any host using https, and a dedicated SSH connection (not a tunnel) for sporadic connections doing administrative tasks not achievable via the UI.
First: Please don’t misunderstand my comments, what I write here is my current knowledge as a newbie. So I appreciate any suggestions or information!
Could you perhaps specify this? I thought the purpose of an SSH tunnel is to access resources (e.g. third-party websites which are blocked by the remote client, or remote “local” network resources such as the HA UI). So it’s a bit like a VPN tunnel.
Especially, I don’t understand your last sentence. Assuming I use this: $ ssh -L 8000:192.168.0.5:8123 user@myha.somedomain.tld
I would connect to myha.somedomain.tld as user user. In the network system I want to access, I want to use port 8000 (through the router, for which I’d need to forward public port 8000 to… local 22?) to access 192.168.0.5 at port 8123, which, to use my example from the OP, is my HA UI. Isn’t this correct?
But what I really appreciate is your suggestion to use a TLS/SSL connection, even if I still wonder why. Assuming my understanding of the tunnel is as written above, a key pair would be much stronger than credentials (+2FA).
That will establish port forwarding from your local machine (where you run the SSH command), port 8000 to IP 192.168.0.5, port 8123 via an ssh connection to myha.somedomain.tld. If IP 192.168.0.5 is the IP of the Home Assistant host, then it will work.
If Home Assistant is running on myha.somedomain.tld itself, then the alternative command would be
Actually, the instructions on the referenced page are somehow … promoting the use of Home Assistant Cloud. Let’s Encrypt will not issue a certificate for an IP, so you need a public resolvable DNS name for your HA host to use it.
If you want to connect to the Home Assistant UI from anywhere, TLS/SSL is the only way to go (ever started an SSH tunnel on your mobile phone?). Strong, auto-generated passwords and a password manager like Bitwarden are always a good choice. 2FA, too.
If you want to connect to the Home Assistant UI and host from a local, secure network and you have the possibility, I’d go for a VPN. Just address the HA host via IP on any port. There might be an appropriate option available on your router. At least I use this with the AVM Fritz!Box (quite popular in Germany).
If you want to connect to the Home Assistant UI and host from a local, secure network and cannot use a VPN, you could use the SSH command above to open a command line on the HA host while at the same time exposing the HA UI on port 8000 on your local machine.
But there I’d need a port forwarding from the router (let’s say 192.168.0.1) to 192.168.0.5 (which is my HA instance and the SSH server). So port 22 on 192.168.0.1 should be forwarded to 192.168.0.5, right?
Your router’s admin interface will allow you to define a port forwarding to an internal host (like external port 22 to 192.168.0.5, port 22). It opens the external port on the (temporary) external IP, given by your internet connectivity provider.
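As an added example (not code from the thread or from Home Assistant), here is the tunnel command from the posts above in a hardened form, plus a small check of the sshd_config on the host that port 22 is forwarded to, since the thread's own "security improvement" (key pair instead of password) only holds if the server actually refuses passwords. The login user "user" and the key file ~/.ssh/ha_tunnel are assumptions; the ports and addresses are the thread's.

```sh
#!/bin/sh
# (1) ha_tunnel_cmd prints the client command discussed in the thread, bound to
#     localhost only and refusing password authentication on the client side.
# (2) audit_sshd_config checks the sshd_config of the host behind the forwarded
#     port for the settings that matter once that port faces the internet.
# Thread values: public 22222 -> 192.168.0.5:22, HA UI 192.168.0.5:8123, local 8000.
# Assumed: login user "user", key file ~/.ssh/ha_tunnel.
ha_tunnel_cmd() {
    printf 'ssh -N -p 22222 -i ~/.ssh/ha_tunnel -o IdentitiesOnly=yes'
    printf ' -o PreferredAuthentications=publickey -o ExitOnForwardFailure=yes'
    printf ' -L 127.0.0.1:8000:192.168.0.5:8123 user@myha.somedomain.tld\n'
}

# Effective value of sshd_config keyword $2 in file $1, or default $3 if absent.
# sshd uses the FIRST occurrence of a keyword, so a "PasswordAuthentication no"
# appended at the end does nothing if an earlier line already set it to yes.
# Assumption: "Keyword value" form only; Match blocks are not evaluated.
sshd_setting() {
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" -v def="$3" '
        tolower($1) == "match"  { exit }
        /^[ \t]*#/ || NF < 2    { next }
        tolower($1) == key      { print tolower($2); found = 1; exit }
        END { if (!found) print tolower(def) }' "$1"
}

# Report weak settings; return 0 when the config is acceptable, 1 otherwise.
audit_sshd_config() {
    rc=0
    if [ "$(sshd_setting "$1" PasswordAuthentication yes)" != "no" ]; then
        echo "WEAK: PasswordAuthentication is not 'no' (password brute force possible)"
        rc=1
    fi
    if [ "$(sshd_setting "$1" PermitRootLogin prohibit-password)" = "yes" ]; then
        echo "WEAK: PermitRootLogin yes (root password login on the forwarded port)"
        rc=1
    fi
    if [ "$(sshd_setting "$1" PubkeyAuthentication yes)" != "yes" ]; then
        echo "WEAK: PubkeyAuthentication disabled, a key pair cannot replace the password"
        rc=1
    fi
    [ "$rc" -eq 0 ] && echo "OK: key-only authentication is enforced"
    return "$rc"
}

# Usage: sh tunnel.sh /etc/ssh/sshd_config  (audit first, then print the command)
if [ -n "${1:-}" ] && ! audit_sshd_config "$1"; then
    echo "fix sshd_config before forwarding port 22"
fi
ha_tunnel_cmd
```

Binding the forward to 127.0.0.1 keeps the HA UI from being reachable by other machines on the client's network through port 8000.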