Can you replicate NabuCasa? How does it send/receive data?

I’ve been using NabuCasa for years for remote access to my Home Assistant.

I’ve also tested other “free” methods with opening ports/DuckDNS etc.

But I’m curious how does Home Assistant & NabuCasa work?
Is it possible for me to create my own cloud network to replicate how NabuCasa works without having to open ports?

I thought it could be possible to set up some sort of API to send/receive the data but yeah it’s a total novice area.

Ideally I’m wanting to install Home Assistant in a couple of family members homes with remote access. But, without having multiple NabuCasa accounts or opening and maintaining the ports/IPs etc.

Any thoughts/suggestions?

When using NabuCasa [NC], it is Home Assistant [HA] that connects to NC, and from there on NC ‘relays’ all traffic between the outside and your HA.
That is also the reason you don’t need to do any port forwarding.

You could do something similar by running something like NC on Azure or Amazon.
But I guess this would be more expensive, as you would be the only one that uses it. :thinking:

And if you’re further interested, you might’ve seen errors or warnings in your logs (after a restart) about a failure to connect to the “snitun server”. This refers to the SNI connection. I suppose tun is for tunnel… You can actually look at the diagrams in the public HA repo (and even the code, which I suppose you can run yourself too).

I was thinking if it would be possible to set up an MS SQL server capturing the logs.

This would be good for reading the data but not updating.

NabuCasa is a VPN service, and yes, you can make your own, but you cannot do it without opening a port.

NabuCasa works by having two ports open.
One for your HA installation and one for your HA companion app.
If you run your own VPN then you would still need a port open for your companion app.

A VPN is considered way more secure than a port forward with a reverse proxy, like NGINX.

This is my current backup if NC ever goes down.
I have a VPN setup, but this basically mimics that I’m at home rather than connecting directly to my HA instance.

But I’m trying to create my own “cloud” service so I can control all current and future devices without having to reconfigure everything all the time.

Yeah that’s why I don’t mind paying for NC.

But just wondering (without going through all the HA/NC code) if I could do something similar.

What do you mimic?
You are not at home, and your GPS, SSID and other trackers should not report you as such.

I use an external MySQL server, no issues there (this I do because I already had it running for other things, so why would I not re-use it?)

This part I do not understand…
Cloud refers to some virtual machines in some data centre somewhere on earth…
So your ‘own’ cloud would refer to your own azure or amazon account, and would not run at home…it would run in the memory of some server somewhere here:

So…. going to set up your own data center?? ambitious!!! :thinking:

And the part about reconfiguring I also don’t get…
I don’t reconfigure all the time, but occasionally I do make some changes, either because I want to do it differently, or just because I have a new ‘toy’.
If I decided to move to NC, I would just enable it without any reconfiguration.

PS, NC doesn’t run nor store anything of your HA, it just relays data…

To keep things simple.
I have a Synology Rack Station which is pretty powerful… this could be “the cloud” :sweat_smile:

How would I have that Synology relay messages between multiple HA instances?

Edit:
The “constantly configure” - if I add a new sensor in HA at my uncle’s house, it would automatically be accessible via a web front end (for example).

I have HASS in two houses. I’ve linked the houses together using VPN, which links both LANs together; this way I can access anything in either house from either house. This is commonly called a site-to-site VPN.

When I need access to HASS when I’m not in either house, I have a separate VPN endpoint that I connect to. This way I can also ssh into servers, access cameras, etc., when needed.

The remote access part without opened ports is not too tricky to replicate; I use a free Google Cloud instance as my relay. On my HA server I have autossh connect to the instance and create a reverse tunnel.
The Nabu Casa subscription I believe also provides integration with Google Assistant/Alexa/etc., which is not straightforward to do yourself.
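A minimal sketch of the relay model the thread describes (the home side dials out, the relay accepts the remote client and shuttles bytes between the two connections), as an added example and not Nabu Casa’s or snitun’s code. It assumes everything runs on loopback in one process, with no TLS, no SNI routing and a single connection at a time; the names start_relay, home_agent and demo are made up for the illustration.

```python
import socket
import threading

def pump(src, dst):
    """Copy bytes one way until EOF, then pass the EOF on to the other side."""
    try:
        while data := src.recv(4096):
            dst.sendall(data)
    except OSError:
        pass
    finally:
        try:
            dst.shutdown(socket.SHUT_WR)
        except OSError:
            pass

def _listen(host):
    sock = socket.socket()
    sock.bind((host, 0))  # port 0: let the OS pick a free port
    sock.listen(1)
    return sock

def start_relay(host="127.0.0.1"):
    """Relay with two listeners: the home side dials OUT to agent_port, remote
    clients connect to public_port. Returns (agent_port, public_port)."""
    agent_l, public_l = _listen(host), _listen(host)

    def serve():
        agent, _ = agent_l.accept()    # outbound connection from home; no inbound port there
        client, _ = public_l.accept()  # remote client hits the relay, never the home IP
        threading.Thread(target=pump, args=(client, agent), daemon=True).start()
        pump(agent, client)

    threading.Thread(target=serve, daemon=True).start()
    return agent_l.getsockname()[1], public_l.getsockname()[1]

def home_agent(relay_host, agent_port, handler):
    """Home side: one outbound connection to the relay, answer whatever arrives on it."""
    with socket.create_connection((relay_host, agent_port)) as s:
        s.sendall(handler(s.recv(4096)))

def demo():
    """Constructed loopback run; returns the bytes the remote client received."""
    agent_port, public_port = start_relay()
    threading.Thread(target=home_agent, daemon=True,
                     args=("127.0.0.1", agent_port, lambda req: b"HA says: " + req)).start()
    with socket.create_connection(("127.0.0.1", public_port)) as c:
        c.sendall(b"hello")
        return b"".join(iter(lambda: c.recv(4096), b""))
```

The home side never listens; the only socket a remote party can reach is on the relay, which is why no router port forward is needed at home.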

Same, but I’m using a $5 DigitalOcean droplet for the OpenVPN hub. Site to site is really powerful, saves me a lot of driving. The benefits are far beyond HA itself… Do it.

I don’t think this is accurate. A VPN typically joins networks to make them act as one. This is not the case with NC.

In TCP, you always have two ports: one for the client and one for the server. It’s part of opening a socket connection between two systems (IPs). If you meant you need to open ports on a firewall, that’s not true (assuming one isn’t blocking silly things like port 80 or 443). Also, routers by default will block incoming connections, but not outgoing (on any port). The whole point of NC is that you don’t need to do anything special.

Not true. Yes, you always need ports when opening connections as mentioned above, but you don’t need to do anything special. That is what SNI does (see my earlier post). It leverages existing mechanisms.

You are talking about a site-to-site VPN.
NabuCasa is a host-to-site VPN.

I meant in the firewall.
And yes NC needs two ports open to make it work.
NC is in fact a double VPN service to be more precise.

If you make the setup at home then you might move the VPN service into your trusted computing base and then one port opening can be avoided, but the right thing would be to place it in a DMZ and open ports to that from the different networks.

And routers do not block. They route.
Firewalls block, and it is correct that firewalls often have a default permit rule for outgoing connections, which is such a bad security practice.

Marcus Ranum says it well here:
https://www.ranum.com/security/computer_security/editorials/dumb/

And it is also something firewall providers agree on.
Quote from the link below: That said, while it is a convenient way to start, it is not the recommended means of long-term operation.
https://docs.netgate.com/pfsense/en/latest/firewall/best-practices.html

SNI??
Server Name Indication?
SNI is just a method to provide the hostname you want to visit in the request packets. That is all it does.

You need to open a port for an incoming connection, because all normal firewalls will at least have a default_deny rule on incoming connections, no matter what!
Then you of course will have to recode the hardcoded NabuCasa URL in your HA Companion Apps and in your HA installations.
Then you need to setup a double VPN service, like NabuCasa and then you can install your SNI tunnel on that.

I think it would be easier to find a good VPN installation (maybe their routers already have one built-in) and then just set that up once.
Besides, having a private NabuCasa also means that you will interrupt all clients’ remote connections on a restart or other issue with the server or network.

Of course. I was referring to the typical devices found at homes, which often combine capabilities.

A VPN extends a private network, which is not what NC does. It’s a connection over a secure layer, sure, but your private network is still its own network. Sure, that network is exposed via a port and said connection (and hence the whole drama with the recent security exploit), but I don’t see how that can be called a VPN by its formal definition. Routing between different networks or subnets isn’t the same as a VPN.

No, that is not the definition.
A VPN is a connection between 2 parts over insecure networks that tunnels packets by encapsulating them.
The 2 parts can be in a site-to-site configuration, a host-to-site configuration or even a host-to-host configuration.

Are we still trying to answer the question??

Yeah, sorry.
It got a bit off track.

But the fact is, if you want to run a NabuCasa style service, then you need to open ports where that service is running, and it is not just like that to set it up, because there is not a simple click, install and run solution for it.
The best solution is to accept that a VPN service on the remote installation and an open port for VPN is the easiest way to set this up.