Can you replicate NabuCasa? How does it send/receive data?

Of course. I was referring to the typical devices found at homes, which often combine capabilities.

A VPN extends a private network, which is not what NC does. It’s a connection over a secure layer, sure, but your private network is still its own network. Sure, that network is exposed via a port and said connection (and hence the whole drama with the recent security exploit), but I don’t see how that can be called a VPN by its formal definition. Routing between different networks or subnets isn’t the same as a VPN.

No, that is not the definition.
A VPN is a connection between 2 parts over insecure networks that tunnels packets by encapsulating them.
The 2 parts can be in a site-to-site configuration, a host-to-site configuration or even a host-to-host configuration.

Are we still trying to answer the question??

Yeah, sorry.
It got a bit off track.

But the fact is, if you want to run a NabuCasa-style service, then you need to open ports where that service is running, and it is not just that simple to set up, because there is no simple click, install and run solution for it.
The best solution is to accept that a VPN service on the remote installation and an open port for the VPN is the easiest way to set this up.

I believe the details are important for someone to decide whether they want to attempt something like the OP asked.

I definitely don’t dispute that. I was just stating what had to be done (typically).

I agree with this 100%.

Just to throw one more item out there. While I do my site-to-site using my Asus routers, which have OpenVPN built in, if I was going to do it again I’d use two Netgate appliances instead since they provide better granularity of control and are less opaque. While I have the Netgate appliances, I haven’t changed the site-to-site because the Asus have been 100% rock solid for 2+ years.

I have had a Cisco ASA5506 running for a bit and it was really good, but it is a beast for a home network with just occasional reconfigurations, so I have switched to a Ubiquiti EdgeRouter 4, and that is easier to handle and has also been rock solid.
It comes with a license for a StrongSwan VPN service where the clients have app control, so I can have my HA Companion App use the VPN and not the other apps.

To be fair, it’s good reading all the methods available.

However, I’m not wanting to use VPN.
I suppose without a lot of development, it’s a big ask to connect to HA remotely via the Android App with no 3rd party integrations.

I am curious how some above are using cloud services to relay the info.

To throw a random thought out, could anything be done with Webhooks or would that require open ports too?

You will always need open ports in the places where there are incoming connections.
This might help you.


Thanks.
I thought it would require the ports opening.

You can liken Nabu Casa’s remote access features to Google Remote Desktop App, or “Go to My PC”. The port through your firewall is opened by an “inside man”, e.g. Home Assistant itself, by making an outbound connection to Nabu Casa. As mentioned before, this is allowed by firewalls by default. Once this port is open, Nabu Casa can perform actions in either direction. This is an extremely common circumstance for convenience’s sake.

Not mentioned yet: Tailscale?

Some of you guys might also be interested in this:

This ready-to-use HA add-on of mine connects to an external SSH server and opens a connection to your local HA instance this way. You need an SSH server you control for this.

It’s working pretty much flawlessly for me and a good number of users.


Thanks, I’ll take a look into this.
Can you use the HA App with this?

Could you share any more info on this?

Absolutely. The solution simply forwards your HA web frontend to be accessible via an external IP or associated domain name. I access my Home Assistant instance through something like https://home.mydomain.de in the HA app.


This is my configuration for accessing HA from home.mydomain.com.

I created a free Google Cloud instance.

In my DNS setup for mydomain.com I have an “A” entry for home.mydomain.com pointing at the cloud instance IP.

On my Google Cloud instance I have set up a user ha_tunnel and created an SSH key for them. I have also installed the Caddy server. In the Caddyfile I have this configuration:

home.mydomain.com {
  proxy / localhost:24769 {
    websocket
  }
}

This Caddy configuration will take any incoming traffic for home.mydomain.com and forward it to port 24769. Caddy automatically configures HTTPS for the URL you are listening on.

Then on my HA server at home I have this in my docker-compose file:

  autossh-gcloud-tunnel:
    image: jnovack/autossh
    container_name: autossh-gcloud-tunnel
    environment:
      - SSH_REMOTE_USER=ha_tunnel
      - SSH_REMOTE_HOST=home.mydomain.com
      - SSH_TUNNEL_PORT=24769
      - SSH_TARGET_HOST=<homeassistant hostname or IP> # The host you would use to connect locally
      - SSH_TARGET_PORT=8123
      - SSH_KEY_FILE=/id_rsa/autossh_id_rsa # This is the ssh key I created for ha_tunnel
    restart: always
    volumes:
      - ./autossh/id_rsa:/id_rsa
    dns:
      - 192.168.1.1 # my LAN router/gateway
      - 1.1.1.1 # Cloudflare DNS server as backup, probably pointless

When the autossh container is run, it will create the tunnel.
autossh supports a bunch of options for connection resilience, but with the defaults I have never seen any downtime, running for years.

A Google Cloud instance is plenty. I logged into the admin console for the first time in about 3 years to copy my config and it was suggesting I shut it down because it is underutilized lol.

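As an added example that is not the poster's configuration (nor code from the autossh image or the SSH add-on mentioned earlier in the thread), here is the plain `ssh -R` command that the autossh container above effectively runs, the `authorized_keys` restrictions the ha_tunnel user on the cloud VM should carry so that the key can do nothing except open that one reverse forward, and a check, run over constructed `ss -ltn` output, that the tunnel port on the VM is bound to loopback only so that it is reachable through Caddy's HTTPS listener and not directly over plain HTTP. The same "inside host dials out, the relay forwards back in" pattern is what the earlier Nabu Casa and SSH add-on posts describe. The user, host and ports are the post's own; `homeassistant.lan`, the key path and the `/bin/false` forced command are assumptions.

```shell
#!/bin/sh
# Added example, not the poster's configuration: plain-ssh equivalent of the
# autossh container, authorized_keys restrictions for ha_tunnel on the cloud
# VM, and a loopback-bind check. Values marked "assumed" are not from the post.
set -eu

REMOTE_USER=ha_tunnel
REMOTE_HOST=home.mydomain.com
TUNNEL_PORT=24769                         # port Caddy proxies to on the VM
TARGET_HOST=homeassistant.lan             # assumed LAN name of the HA box
TARGET_PORT=8123
KEY_FILE=./autossh/id_rsa/autossh_id_rsa  # key path taken from the compose volume

# What the container effectively runs. -N opens no shell on the VM, the -R bind
# address 127.0.0.1 keeps the listener off the VM's public interface even if
# sshd's GatewayPorts is later changed, and ExitOnForwardFailure makes ssh exit
# (so the container restarts) if the port is taken instead of silently running
# without a tunnel. ServerAlive* detects a dead tunnel instead of hanging.
tunnel_command() {
  printf 'ssh -N -o ExitOnForwardFailure=yes -o ServerAliveInterval=30 -o ServerAliveCountMax=3 -i %s -R 127.0.0.1:%s:%s:%s %s@%s\n' \
    "$KEY_FILE" "$TUNNEL_PORT" "$TARGET_HOST" "$TARGET_PORT" "$REMOTE_USER" "$REMOTE_HOST"
}

# authorized_keys line for ha_tunnel on the VM: "restrict" disables pty, agent,
# X11 and port forwarding, "port-forwarding" re-enables forwarding only,
# "permitlisten" limits -R to this single loopback port, and the forced command
# (assumed /bin/false) means the key cannot run anything even without -N.
authorized_keys_entry() {  # $1 = public key, i.e. the contents of autossh_id_rsa.pub
  printf 'restrict,port-forwarding,permitlisten="127.0.0.1:%s",command="/bin/false" %s\n' \
    "$TUNNEL_PORT" "$1"
}

# Constructed sample of `ss -ltn` output on the VM: Caddy public on 443, the
# tunnel correctly on loopback, and a second forward wrongly bound to 0.0.0.0.
SAMPLE_SS='State  Recv-Q Send-Q Local Address:Port  Peer Address:Port
LISTEN 0      4096   0.0.0.0:443         0.0.0.0:*
LISTEN 0      128    127.0.0.1:24769     0.0.0.0:*
LISTEN 0      128    0.0.0.0:24770       0.0.0.0:*'

# Reads ss -ltn output on stdin. Prints "ok" when the port listens only on
# loopback, "exposed" when any listener for it is on a non-loopback address
# (reachable without going through Caddy/TLS), "absent" when the tunnel is down.
tunnel_bind_status() {  # $1 = listen port
  awk -v port="$1" '
    BEGIN { loop = 0; pub = 0 }
    $1 == "LISTEN" {
      n = split($4, a, ":")
      p = a[n]
      host = substr($4, 1, length($4) - length(p) - 1)
      if (p == port) {
        if (host == "127.0.0.1" || host == "[::1]") loop++; else pub++
      }
    }
    END {
      if (pub > 0) print "exposed"; else if (loop > 0) print "ok"; else print "absent"
    }'
}

# Stand-alone run (sh thisfile.sh demo): show the command and key line, then
# check the constructed sample. The key below is a placeholder, not a real key.
if [ "${1:-}" = "demo" ]; then
  tunnel_command
  authorized_keys_entry "ssh-ed25519 AAAA-PLACEHOLDER-KEY ha_tunnel"
  printf '%s\n' "$SAMPLE_SS" | tunnel_bind_status "$TUNNEL_PORT"
fi
```

On the VM, run the bind check against live output with `ss -ltn | tunnel_bind_status 24769`; "exposed" means port 24769 answers on the public address and the HA frontend is reachable over plain HTTP without Caddy's TLS, which a host firewall rule or the loopback bind above should prevent. The `authorized_keys` options are standard OpenSSH ones (`permitlisten` needs OpenSSH 7.8 or newer); note that what is exposed at home.mydomain.com is still the HA login page itself, which is what the "any authentication on that setup?" question below is about.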

Do you have any authentication on that setup?

To me it just looks like a VPN connection to the Google server and then an insecure port forward.
This is of course a good solution for those who have CGNAT on their internet connection, because they cannot just do a port forward, but for people who can, this just seems like an unnecessarily complicated setup.

Personally I am using OAuth, but since it was disallowed in webview some years ago it has added a layer of inconvenience to using the app. I have not included my auth config partially because I was just intending to show an alternate method for access without the need for VPN or port forwarding, and partially because I expect there is a better method for achieving this.

Edit: After a quick google it doesn’t seem like there has been any progress on the security of HA and has been ruled out by the primary devs :frowning: