Best Way to Protect from Hackers?

The best way? Depends how savvy you are, family approval factor, and how much pain and suffering you are willing to put up with. The internet is a dangerous place for anyone, especially your house and private lives. If you don’t really know what you are doing, a VPN is usually a great first step instead of exposing HASS to the internet.

My current setup consists of, following the flow of a packet from Internet -> Cloudflare -> Firewall -> NGINX -> HASS:

  1. Hosted DNS, TLS/Certificate, and proxied through Cloudflare using Authenticated Origin Pulls. This is all free, and they have excellent documentation and tutorials. Even if you don’t upgrade to Pro (for the WAF) there are great features like DNSSEC and Certificates. Be careful with the caching settings; I have had a few problems with HASS when those settings were enabled. Don’t forget to enable websocket support in the CF console!

  2. pfSense 2.4 running dynamic DNS updates to Cloudflare, Snort pro rules with custom tuned rules for the WAN interface and ‘balanced’ rule set on LAN/IoT. Then add pfBlockerNG with cherry-picked threat feeds from FireHOL. If an IP address ends up sending you a packet of any kind and it is known by these feeds… they generally don’t need to continue and get blocked. Why let an attacker try all your doors and windows when you know they are bad after one knock?

  3. (2a) Take a look for some big names. Talos (Cisco), Bambenek, Binary Defense Systems (BDS) and other well-known threat intelligence feeds are out there for free.

  4. Previously mentioned by others: pfSense as a router on a stick, and Unifi wireless/switch running three networks: LAN, IoT, and Guest. Dump everything in the IoT VLAN and set up very specific firewall rules between your VLANs. Block by default and use the firewall logs to figure out what is the minimum set of ports (if any) you need back into the LAN.

  5. NGINX running locally as a reverse proxy using TLS and a certificate provided by Cloudflare, combined with authN origin pulls from #1. I have been lazy, but want to get around to running mod_security as a module here if you want to BYO-WAF instead of paying Cloudflare. I kinda-sorta compensate with some Snort web app rules, but I should get around to this…

  6. (5a) If you don’t want to go with Cloudflare, you could also set up your own NGINX mutual auth using your own self-signed certificates.

  7. Home Assistant with a good password, and make sure you read the component docs to set up cors_allowed_origins, use_x_forwarded_for (critical for correct proxy functionality), ip_ban_enabled, and login_attempts_threshold.

  8. Make sure you test and run scans on your domain using SSL Labs or HTbridge. Then check your headers using securityheaders.io. Lastly, sign up for a free Shodan account and search your own IP. Shodan should only show ports you expect (like TCP 443 for HTTPS/TLS).

  9. Stay on top of your patching. OS, packages, libraries: patch it all, and constantly.

A full writeup of that would be quite the saga, and there is probably something I missed. However, take a look at either a VPN or Cloudflare first and get started, buy a domain from a reputable reseller like Gandi and not GoDaddy, then configure HASS and NGINX… big win and free TLS/certificates. Second priority would be pfSense, what a wonderful piece of free open source software and packages. Dump your terrible consumer router and never look back. I could see some not bothering with segmented VLANs and wifi… leave this until later, as being exposed to the internet is your primary threat. The terrible Wemo devices I am afraid of, Alexa, and the Nvidia Shield all belong in the dirty IoT VLAN because they are far too chatty for my liking.

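As an added example (not from the post above), here is an NGINX server block that ties items 1, 5/6 and 7 together: Cloudflare Authenticated Origin Pulls enforced as client-certificate verification, websocket upgrade headers for the HASS frontend, and X-Forwarded-For so Home Assistant's ip_ban_enabled sees the real client address. The hostname, certificate paths and the upstream port 8123 are assumptions.

```nginx
# Added example: NGINX reverse proxy in front of Home Assistant.
# Assumed: hass.example.com, certificate paths under /etc/nginx/certs/,
# Home Assistant listening on 127.0.0.1:8123.

# Map the Upgrade header so plain HTTP requests close the connection normally
map $http_upgrade $connection_upgrade {
    default upgrade;
    ''      close;
}

server {
    listen 80;
    server_name hass.example.com;
    return 301 https://$host$request_uri;
}

server {
    listen 443 ssl http2;
    server_name hass.example.com;

    # Origin certificate issued from the Cloudflare dashboard (assumed path)
    ssl_certificate     /etc/nginx/certs/origin.pem;
    ssl_certificate_key /etc/nginx/certs/origin.key;
    ssl_protocols       TLSv1.2 TLSv1.3;

    # Authenticated Origin Pulls: only a client presenting a certificate signed by
    # Cloudflare's origin-pull CA completes the handshake, so requests that bypass
    # Cloudflare and hit the origin IP directly are rejected before any HTTP is read.
    ssl_client_certificate /etc/nginx/certs/cloudflare_origin_pull_ca.pem;
    ssl_verify_client on;

    location / {
        proxy_pass http://127.0.0.1:8123;

        # Websocket support, required by the Home Assistant frontend
        proxy_http_version 1.1;
        proxy_set_header Upgrade    $http_upgrade;
        proxy_set_header Connection $connection_upgrade;

        # Forward the client address. Home Assistant only honours it when
        # use_x_forwarded_for is enabled and the proxies in the chain are listed
        # in trusted_proxies; without that, ip_ban_enabled would ban the proxy's
        # own address after login_attempts_threshold failures.
        proxy_set_header Host              $host;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}
```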