Basically I want to keep my HA server locally accessible, but have some basic access remotely. Like to tell my lights to turn on if I am out of town without having to open up the entire server to the internet.
My fallback is to port forward MQTT or use an ESP8266 with a basic form page that is accessible outside of my LAN and can interface directly with my local MQTT service.
Ideas?
Have you tried the telegram component? You can send messages forwards and backwards between your phone and your HA instance.
I don’t know whether it works without port forwarding, but I would guess that it does.
Thanks for the recommendation, unfortunately to use the Web-hooks part of Telegram, you do need a publicly accessible URL.
I have never tried, but you can use TOR
@gpbenton Wow that sounds like a way better way to go than using Lets-encrypt and Duck DNS for remote access to your HA UI. I will have to check that one out in more detail later.
Still just looking of something like a simple tunnel to a local MQTT topic like “home/status”
I don’t use webhooks, just the polling mode, and it still has two way comms.
I have open ports for other things, I don’t think it will be required for telegram in polling mode.
In fact, it does say that you don’t need to have HA open to the Internet for polling mode in the docs, so should suit you…
You can set up a bridge to a cloud based MQTT broker and send messages via that. But I’m not sure that is really more secure than opening up your own port. Its a matter of which poison you want to take.
Will this work with HASSIO? If so, where did they put mosquitto/conf.d/?
This looks like it could work well for me once I can get it connected.
Thanks 
Yes it works perfectly fine with HASSIO. I just configured it yesterday. The documentation is a bit hard to find. Am thinking of summarizing all the things for HASSIO that i learned here in this forum.
Anyway:
In the mosquitto plugin you add a folder name (as you wish) and then create this folder in the available share/ folder. I just did that via the samba plugin.
There you can put the conf file. The bridge works really nice In case you want to debug, the sent/received MQTT messages you can enable the debug logger just for the MQTT module in your conf file.
I’ve set myself up with an OpenVPN Server on an old Pi2.
Works fine and gives me access to other functionality as well, like looking at my security cameras or my NAS, without having to forward any other ports than the one for the OpenVPN Server.