Device tracking without exposing HA to the Internet?

I’m looking for a way to track my Android phone without opening up any ports to the Internet. There are quite a few integrations available (GPSLogger, Zanzito, OwnTracks, etc.), but they all require that the client hits HA or MQTT directly, therefore exposing my install to the Internet, and I’m not really comfortable doing that. I do have a VPN that would work, but I prefer to have PIA running on the phone and obviously can’t have 2 VPNs running at the same time. Is there a solution that I haven’t thought about?

You could use a cloud-based MQTT together with Owntracks. That way, you don’t have to open up anything.

That’s an idea, do you know of any that are relatively secure? Can I connect more than one broker to HA? I use one internally for other things that I wouldn’t want to be dependent on Internet connectivity to work, so I wouldn’t be able to completely shift everything over to a cloud-based MQTT broker.

CloudMQTT?

You can bridge your LOCAL MQTT instance to a cloud instance and sub/pub to the topics you want. I do that with my own ‘public’ MQTT server running on a Digital Ocean Droplet.

Google Maps tracker works pretty well for us.


I had issues with that component when it was released. I need to revisit it though.

Thanks for the ideas, going to try out Google Maps as it has fewer moving parts, and as they already have my location data I won’t have to entrust it to another third party.

You can turn on symmetric encryption in Owntracks

Thanks, I have set up both the Google Maps tracker and OwnTracks (bridged to CloudMQTT with symmetric encryption). In my testing so far it looks like Google Maps is much quicker to update my location when I leave (I had driven 30 minutes away before OwnTracks realised I’d left). I’ll keep them both running for a few days and see how they work out.

Thanks for the help.

Inspired by your question I came up with a solution that should work for exposing your HA to the internet but keep security at a reasonable level:

I initially had my HA running on docker exposed to the internet via a docker install of NGINX that handles setting up the Letsencrypt certs. I also had Mosquitto installed directly on the NUC outside of Docker.

Then I decided it was too much of a risk to have my HA exposed to the ’net with just a password to protect it, so I set up a VPN using PiVPN. BUT… that caused me to not be able to use the components that require access to the API through an open port.

My tentative solution was just installing another bare-bones HA docker container running on a different port than my original HA, which will again be managed by NGINX.

Then I installed eclipse-mosquitto in docker (also on a different port than my original mosquitto) and set up the new MQTT broker in bridge mode to pass all MQTT traffic to my original MQTT broker, which my original HA is connected to. Then I can open the single port for the new MQTT on my router and allow traffic to that one service. :crazy_face:

It sounds kind of complicated but it really wasn’t.

Even if someone does manage to gain access to the exposed API-only HA then they can’t see or control anything else on my other HA. I think…:thinking:

I haven’t really had a need to fully test it yet but I know I can trigger MQTT traffic on the API-only HA and the messages are seen instantly on my protected HA.

If for some reason it doesn’t work I’ll just blow away the un-needed containers and nothing changes.

I think next I’ll try to figure out how I can hide my docker MQTT behind NGINX as well and if that will work to receive traffic to the new broker.
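As an added example (not configuration from any poster in this thread), here is how the bridge described above can be narrowed so that only the OwnTracks topics cross from the exposed broker to the protected one, with the protected broker dialling outward so the exposed host never needs a route into the LAN. The hostname, credentials, client IDs and file paths are placeholders.

```conf
# mosquitto.conf for the PROTECTED (internal) broker -- added example.
# "dmz-mqtt.example.com", the users, passwords and paths are placeholders.
listener 1883
allow_anonymous false
password_file /etc/mosquitto/passwd

# The internal broker initiates the bridge; nothing listens for the DMZ.
connection dmz-bridge
address dmz-mqtt.example.com:8883
remote_username bridge-user
remote_password CHANGE-ME
remote_clientid internal-bridge
cleansession true
start_type automatic

# TLS to the exposed broker, with its certificate verified.
bridge_cafile /etc/ssl/certs/ca-certificates.crt
bridge_insecure false
bridge_protocol_version mqttv311

# Only OwnTracks location topics, and only INBOUND (exposed -> internal).
# Nothing from the internal broker is mirrored out, so a compromised
# exposed broker sees none of the internal topics and can only inject
# messages under owntracks/.
topic owntracks/# in 0

# Weak variant for comparison (do NOT use): a bidirectional wildcard
# bridge turns the exposed broker into a full mirror of the internal one.
# topic # both 0

# ------------------------------------------------------------------
# acl file for the EXPOSED (DMZ) broker, referenced there as
#   acl_file /etc/mosquitto/acl.conf
# The phone may only publish its own location; the bridge user may
# only read the location tree. Neither can touch anything else.
user owntracks-phone
topic write owntracks/phone/#
user bridge-user
topic read owntracks/#
```

After restarting the internal broker, its bridge state is published under `$SYS/broker/connection/internal-bridge/state` (1 = connected), and a `mosquitto_sub -t 'owntracks/#'` on the internal broker should show location messages arriving while a publish to any other topic on the DMZ broker is rejected by the ACL.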

Owntracks has different modes and defaults to significant change. If Google Maps is much quicker, it will more frequently update the position, which you can also do with Owntracks (press the button that looks like a play button).

This is supposed to drain the battery quicker, though, which might thus be true for Google as well.

I think that’s only the case for the iOS app? Although I have changed the locator background displacement and locator background interval settings in the app in the hope it improves its reliability.