Confusion: Why do I need both a VPN (WireGuard) AND the NGINX SSL proxy?

I was using Home Assistant successfully with DuckDNS and 8123 port forwarding.

After reading more, I found out this technique is easy but not secure (I guess it's easy for someone to enter your network through open ports?).

So, I decided to go for the much better VPN with WireGuard. I disabled the 8123 port forwarding, opened the WireGuard port (51820) and set up my devices (tablets, phones etc.) with the WireGuard app.
It worked successfully except that the Android/iOS app couldn't connect (more here). The reason was: I didn't have any https address to connect to the GUI. Instead I was using the 192.168.1.X in browsers, even remotely (after enabling the VPN), without the app.

After it was suggested, I installed the NGINX SSL proxy add-on, port forwarded 443 in the router, and now I'm using myNiceUrl.duckdns.org and can connect remotely to HA even without the VPN. The VPN is nice for other reasons (when I am on a public WiFi, I use my own VPN to be secure), but considering HA there is no use…

To finish: is the NGINX SSL proxy a secure way to go?
Why use a VPN then?
Can I uninstall the NGINX SSL proxy, but have https with the VPN?

This is long, but I found all these very common issues without finding any clear explanation…

Is a proxy secure? Well, proxy servers aren’t really about security. It’s more a question as to whether your configuration (proxy + HA) is secure.

Can you have HTTPS with a VPN? No, but you don’t need HTTPS. The official app doesn’t require it at all.

You don’t need a VPN and SSL. You may want both so that you can have the app report back when you’re not VPN connected, but you don’t need both if you don’t want that.

I see… even an SSL proxy doesn't guarantee SSL security?

Can you have HTTPS with a VPN? No, but you don’t need HTTPS. The official app doesn’t require it at all.

That's the problem, I don't have HTTPS with the VPN. I guess this doesn't matter, as I am "in my home" with the VPN so I already have security.
The problem is I don't have an https:// link so the HA app cannot work. (I've posted here more on this.)

Well, it gives you SSL. SSL isn’t about security though. It protects (when done right) your data from other people. That’s it.

Well, no, the VPN is just a tunnel - a way of connecting to something.

I’m sorry, but that’s wrong. The HA app works just fine without HTTPS. Whatever is going on with that thread, it’s not about the official app requiring SSL.

I know this, because I use it without SSL…

Your early problems there were likely because you had SSL in HA, for use with your domain. At that point you also had to use https:// with the LAN IP (which would then fail because the certificate is for another identity).

Indeed, that’s exactly what the final error is about.


As already mentioned in the other thread, you are absolutely right.
The problem is I had an SSL certificate, but I was trying to connect with my local IP.
I just had to deactivate my SSL (comment out ssl_certificate and ssl_key in configuration.yaml) and everything works fine.

By the way, now that I use only the VPN and local IP, why is this considered safer than exposing my HA to the public? In both cases I have to port forward, so my ports are "accessible".
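
The two HA `http:` setups this thread contrasts, written out as an added illustration (not from any poster or from the Home Assistant docs): HA terminating TLS itself, which is what made the LAN IP fail, versus HA on plain HTTP with TLS terminated by the NGINX SSL proxy add-on. Certificate paths and the proxy subnet are placeholders/assumptions.

```yaml
# Variant A (the original setup): configuration.yaml where HA terminates TLS.
# Every client, on the LAN or through the WireGuard tunnel, must then use
# https://<name on the certificate>. https://192.168.1.X fails validation
# because the certificate was issued for myNiceUrl.duckdns.org, and plain
# http://192.168.1.X:8123 is refused because the listener is TLS-only.
http:
  ssl_certificate: /ssl/fullchain.pem   # placeholder path
  ssl_key: /ssl/privkey.pem             # placeholder path

# Variant B (the fix): HA speaks plain HTTP; TLS lives in the NGINX SSL proxy.
# http://192.168.1.X:8123 works locally and over the VPN, and
# https://myNiceUrl.duckdns.org works through the proxy on 443.
# Only 443 (proxy) and 51820/udp (WireGuard) are forwarded; 8123 stays closed.
http:
  # ssl_certificate / ssl_key intentionally absent: no TLS in HA itself
  use_x_forwarded_for: true       # so HA logs the real client IP, not the proxy's
  trusted_proxies:
    - 172.30.33.0/24              # assumed add-on network; use the proxy's actual address
```

HA only honours X-Forwarded-For from addresses listed in trusted_proxies, so keep that list limited to the host or subnet the proxy actually runs on.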

Generally speaking a VPN is considered more secure because you’re exposing a single hardened service, rather than services that may not be so hardened.

It's a lot less likely that your VPN will have a remotely exploitable vulnerability in it than there will be one in the many Python packages HA uses, or in any of the integrations, custom components, etc. that you're using.

All this of course assumes you’re setting a sensible password, or using key based authentication for the VPN. If you’re using admin and password then all bets are off.


I use the VPN configs that WireGuard provides which, as I've seen, contain a private key. So I believe this is a tough thing to crack.

I guess you don't mean the HA username/password that I use to enter the HA GUI, since in order to get there you have to enter the VPN first.