Duck DNS configuration - I don't get it

And that is no doubt the missing piece of the puzzle. Although in my defense, I would not have expected a “start” button on an “info” page.

I’ll try it tomorrow. Thanks for the help.

Well, it’s there on all the addons.
Also all the start settings, like start on boot, watchdog, auto-update and so on. :slight_smile:

Haven’t done much with add-ons.

I saw the options but missed the ‘start’ which is not even a button, just a link. :frowning:

Well, now you know.

And a link and a button are pretty much the same.
A link is a clickable text that shifts your focus and a button is one that activates an action, like a script behind the page.
The action/script can shift your focus though.

Hi all, I had the same experience a while ago. After a struggle I found out what the problem was (my provider!) and changed to TailScale VPN, which is very easy to use, FREE and can be added in HA as it is ready for you. One click and it runs. But follow the guide first, because you can just make a free account and add your devices.

I have used DuckDNS and was very happy with it. When you have a good password and SSL you should be pretty safe. The last version installs the SSL part for you as soon as you have made a connection from home with your DuckDNS; if all is okay the SSL part will be installed for you. I found out that my provider changed configuration so that Dynamic DNS was not possible any more, so no certificates are generated and put in place. That is it. No workaround possible in my case, so I went to TailScale, which works fine and fast and is easy to set up. You can even tweak the settings in DNS so that it looks like you are in another country, in case you need that as well. Happy with the VPN on HA, a click and it runs, done!

You are mixing up the security types.
SSL only provides confidentiality when the network traffic is en route.
Your security hole is with authentication and all that protects you there is your password and the code of the program (or should I say programS, since there are a lot of them inside HA).
If you ask any of the developers, then none of them will say this is a secure way to connect your HA to the internet, because they cannot control every single code provider for HA and you need just one of them to err and your “strong” password would then be worthless.

HA is about functionality and features. Security is secondary, and for some coders tertiary or lower.
A VPN service is all about security, because that is all there is to it.


Not to mention, as you said above, about opening Port 80/443 … BOOOM, the whole world is at your “front-door” knocking

Well, if it was only your front door, but HA is like an office building.
HA might be the reception just inside the front door, but all the other programmers have their own office in the building and they might unknowingly leave their window open or there may be a defective window hatch.

A VPN service puts a high fence around your building and a security guard at the gate, so you do not have to worry that much about the front door and the windows.


I have myself, and have previously recommended to minor companies, a “Hosted” solution for their “Company-Front” Web-server, cheap and less worries for their own “Internal” Network. Previously, with low speed/bandwidth connections (well, still), one also doesn’t need the whole world constantly “Knocking” on your NIC because you expose (80/443).

I get the security risk and I’ll consider a VPN. But like many people, I burn out on ‘security’ when it wipes out convenience. For example - I can’t change my router password, because then I’d have to change it in 15 wi-fi-connected home automation devices, using 15 different apps.

The emphasis is switching from security to loss mitigation. If some jerk gets into my network, what can he do to me? My important stuff is backed up on an SSD which isn’t plugged in. If I get ransomwared I just wipe the PC and start over.

So, VPN. I’ve actually never used one. Maybe it’s easy to set up. But can I still use the HA mobile app? Will I have to do a logon every time I want to open my garage door?

With VPN you log into your “Local” Network, so the device you use (with your vpn-client/tokens) will become a part of your local network and work as if you were “Home” … and if you actually are home, you just disable or log out from your VPN … and you connect to your wifi, as usual.

But that’s my point. Once this is set up, would I still have to log on/off, enable/disable, or jump through hoops on a regular basis?

I want to just pull out the phone and use the HA app to do something - like open the garage when I pull up. If it can’t be that simple then it’s not for me.

Fiddling with the phone coming up the driveway? You call that simple? … use an automation for that

But yes indeed, I think you should go for what you find simple, though not many “solutions” in HA are integrated/maintained with a “click on a button”

Ransomware is just the end attack.
A HA server is valuable in many ways to hackers. Linux is a native remote managed system and since it’s a HA server, then it is always on, so no annoying shutdowns when the user goes to bed or work.
Linux has a lot of tools to attack the rest of your devices and your HA installation might already come with SSH access, either through Linux or through an addon, and also a samba client to easily extract files.
Once they get to your workstation then the real attack begins.
The first attack is usually to extract info from your system, like sensitive files with passwords, and put a keylogger in, so they can gain extra access.
Your github, email and facebook accounts are really interesting to hackers, because they usually give access to other sites.
Then they can install MITM software for netbanking.
And when they have got what they want, then they encrypt it and demand ransom.

Yeah it’s a bleak landscape. On the other hand, we’re all being driven nuts with logons and passwords. People can’t be nagged or scared into jumping through any more hoops in the name of security. At some point we’re going to lose, unless the platforms finally catch up with the threats.

And, as you don’t like passwords, not on your phone, not on your HA-APP etc. (most likely you then also have very “easy/simple” passwords) … because you want to open your Garage port with a click on a button, in a daily running app, with no password, on a phone with no password … leave a note with your bank account as well, and sleep tight
…oops not to you Wally :wink:

I read the discussion and want to make my Home Assistant instance accessible over the Internet. I do not want to use Home Assistant Cloud / Nabu Casa. How can I get a secure system accessible over the Internet? I didn‘t find a solution yet :wink:

Does it mean I configure TailScale in HA and can access it when I‘m logged in to TailScale VPN on my device that is not in my local network? Tailscale - Home Assistant In the documentation, I read that the integration doesn‘t make it accessible. Thanks!

I got hit by ransomware once - I know the pain.

That was years ago and the ransomware was primitive. Instead of encrypting all my files it just set the ‘hidden’ attribute. Eventually I was able to create a batch file to walk the entire file system and clear that attribute - got everything back.

I don’t have answers for the situation today. I understand the risks. On the other hand, every web site I need to use is now demanding 2-factor and it’s becoming more than just a PITA. Just the other day, I realized it was now actually quicker and easier to pay my bills by mailing in checks than by fighting with the web sites, security codes sent by texts, changing passwords. So that’s what I do now - snail mail.

Florian, Nabu Casa apparently works well for most people. Unfortunately on my system it drops out every now and then for unknown reasons.

I see what you mean about TailScale - looks like another rabbit hole. The documentation says this:

"This integration DOES NOT make your Home Assistant accessible via Tailscale VPN remotely!

If you want to access your Home Assistant instance remotely, you will need to install Tailscale itself on your own. For instructions on how to do this, please consult the Tailscale documentation."

Sadly no. The tailscale integration is for monitoring and controlling a tailscale installation on another device.

You should first look into your router’s abilities.
Many routers have the ability to run a VPN service and that might actually be the best and easiest way.
It can be a bit tricky to set up, but once it is running, then there is not much administrating to do.
