Connecting to HASS using ssh and no hole thru your firewall

Hello, I just want to share what I did to connect to HASS with ssh, without ssl/tls and certificates, and no firewall port forwarding mumbo jumbo… :slight_smile:
My internal network is protected by a “leaf firewall” ( http://leaf.sourceforge.net/bering-uclibc/ ) which runs SSHD that allows you to create encrypted tunnels to your private net machines.
Otherwise, most popular routers' firmware can be upgraded to run SSHD (DD-WRT, Tomato, Asus Merlin…), and it is a good idea to have some form of port knocking to hide port 22.

1- With PuTTY or the command line, set up an ssh connection to your firewall/router with a tunnel to your HASS server on port 22 ( ssh -L10022:hass.server.ip:22 [email protected] )

2- Set another ssh connection to localhost:10022 with a tunnel to hass.server.ip:8123
( ssh -L8123:hass.server.ip:8123 pi@localhost:10022 )

In your browser's URL bar just type http://localhost:8123 and you should have the HASS web page displayed… enjoy!

I just picked port 10022 randomly, use what you like.
I thought one tunnel would be enough but this does not work, try it, two are needed.
My firewall runs a script every day that e-mails me my external IP address if it changes; I came up with that when DYNDNS became commercial… :slight_smile: !
jrb.

3 Likes

:laughing: that’s exactly what you are doing!

3 Likes

Semantically one could say so but this is encrypted software port forwarding, much more secure than punching holes in the firewall…

You do have a port opened and forwarded. If you are doing this, I would use a different port than 22 just for the extra obscurity it provides. You might also think about ssh keys to enhance security.

Yes, for simplicity my example only shows that I use port 22 on the firewall, but this port is normally closed, and will open for a short time with a proper "port knocking" sequence. Once logged in, port 22 closes and no more connections can go through. With this, you can indeed use any port you want, including the notorious port 22. SSH keys are also the best. My goal was to show it is possible to connect to HASS from the web without TLS/SSL, router port forwarding and a dynamic DNS provider.

1 Like

Sorry the last ssh command should be:

ssh -L8123:hass.server.ip:8123 pi@localhost -p 10022

Wow your promise of eliminating mumbo jumbo didn’t last long! :rofl:
You're offering to replace a fairly simple, widely documented procedure with a very exotic setup that is somewhat more secure but eventually still leaves something to be desired…

I’ll stay on Team Simplicity.

Also I feel that the use of « punching holes in the firewall » is needlessly fear-inducing.

Arnaud, try it, you will see it is simpler… :roll_eyes:

First I want to thank @arnaudm for his somewhat pedantic comment, which I was first tempted to ignore, as it deserves, but which made me realize my explanations were not clear enough. So let me re-explain, for the interested layman, what one can do with standard, simple, secure, and widely documented SSH … which might seem exotic if not understood :-).

For simplicity I assume there is a firewall protecting your internal network, and it runs SSHD. Normally you should try to have no outside ports opened on your firewall; "port knocking" might help you do that. If not, you should tell SSHD to listen on another port and use encryption keys. For my example let's assume the firewall has external IP 73.84.202.130 and SSHD listens on port 50022, with user "root" … and the internal net computer that runs Home Assistant is at 192.168.1.50, with user "pi" (it's an RPi).

First tunnel: ssh -p 50022 -L10022:192.168.1.50:22 root@73.84.202.130

This would normally allow you to open a simple ssh session from your local computer to the internal RPI computer, if you were to use a terminal session like: ssh -p 10022 pi@localhost .

But nothing prevents you from using instead a more complex terminal session like: ssh -p 10022 -L8123:192.168.1.50:8123 pi@localhost, which will create another tunnel inside the previous one, but this one will forward your local computer's port 8123 to HASS on the RPi's port 8123 … and from a web browser you can get the HASS web page with the URL http://localhost:8123 .

info here: ( https://bering-uclibc.zetam.org/wiki/Bering-uClibc_7.x_-User_Guide-Advanced_Topics-_Setting_Up_SSH_password-less_login_and_Port_Knocking)

Let me know if this is less obscure,
bye, jrb.

2 Likes
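The same two-hop path as the last post, written up as an added example that is not from this thread or from Home Assistant: OpenSSH since 7.3 can do the "tunnel inside a tunnel" in one command with ProxyJump (-J), which avoids the second manual ssh step and the intermediate port 10022. The script uses the firewall IP, port 50022, user "root", and the RPi at 192.168.1.50 with user "pi" exactly as given in the thread; the option choices (key-only auth, strict host-key checking, loopback-only bind) are this example's own hardening, not something the posts prescribe.

```shell
#!/bin/sh
# Added example: nested SSH tunnel to Home Assistant via the firewall, using
# ProxyJump (OpenSSH >= 7.3). Values default to the ones used in the thread.
FW_HOST="${FW_HOST:-73.84.202.130}"      # firewall's external IP
FW_PORT="${FW_PORT:-50022}"              # sshd port on the firewall (not 22)
FW_USER="${FW_USER:-root}"
HASS_HOST="${HASS_HOST:-192.168.1.50}"   # RPi running Home Assistant
HASS_USER="${HASS_USER:-pi}"
LOCAL_PORT="${LOCAL_PORT:-8123}"         # port on your own machine
REMOTE_PORT="${REMOTE_PORT:-8123}"       # HASS port on the RPi

# Only accept an unprivileged local port: no "sudo ssh" just to bind low ports.
valid_port() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -ge 1024 ] && [ "$1" -le 65535 ]
}

# Print the ssh command line (one string) instead of running it, so it can be
# inspected and tested. Choices from a defender's point of view:
#   -J   hop through the firewall; replaces the first "-L10022:...:22" tunnel
#   -N   no remote shell, only the port forward
#   -o PasswordAuthentication=no  keys only, never type a password across hops
#   -o StrictHostKeyChecking=yes  refuse unknown or changed host keys
#   -L 127.0.0.1:...              bind the forward to loopback, not 0.0.0.0
# The session terminates on the RPi, so the forward target is its localhost.
hass_tunnel_cmd() {
    printf 'ssh -N -o PasswordAuthentication=no -o StrictHostKeyChecking=yes -J %s@%s:%s -L 127.0.0.1:%s:localhost:%s %s@%s' \
        "$FW_USER" "$FW_HOST" "$FW_PORT" \
        "$LOCAL_PORT" "$REMOTE_PORT" \
        "$HASS_USER" "$HASS_HOST"
}

# DRY_RUN=1 (the default) only prints the command; DRY_RUN=0 opens the tunnel
# and blocks until Ctrl-C. Then browse to http://127.0.0.1:8123 .
run_tunnel() {
    if ! valid_port "$LOCAL_PORT"; then
        echo "LOCAL_PORT must be an unprivileged port (1024-65535), got '$LOCAL_PORT'" >&2
        return 1
    fi
    if [ "${DRY_RUN:-1}" = "1" ]; then
        hass_tunnel_cmd
        echo
        return 0
    fi
    eval "$(hass_tunnel_cmd)"
}

# Run as a script: TUNNEL_MAIN=1 DRY_RUN=0 sh tunnel.sh
if [ "${TUNNEL_MAIN:-0}" = "1" ]; then
    run_tunnel
fi
```

Two things to know before using it: both hops need TCP forwarding allowed in their sshd_config (AllowTcpForwarding), which the original two-command method needs as well; and with StrictHostKeyChecking=yes the first run fails until the host keys of the firewall and of the RPi are in your known_hosts, which is the point, since it is the one check that catches a swapped or spoofed endpoint on the public hop.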