It seems every VPN Client app requires a lock screen on the phone.
For now, I’ve set up port forwarding and I’m using TP-Link’s dynamic DNS which is built into my router. That works fine and I don’t need Duck DNS. I’d like to add SSL but that doesn’t seem dead simple. I’ve cancelled Nabu Casa for now - maybe I’ll try it again someday.
I understand at least some of the risk of port forwarding - what can I can do to reduce it?
SSL is securing some part of your communication, especially the login parts.
Without SSL it can be easily read, if the network is open for this.
Typical WIFI networks would be open to this sort of sniffing, so avoid public WIFI networks in cafees, airports and the likes , until you have SSL set up.
If you have portforwarded port 8123, then you are already using a non-custom port.
It does not give much security, but some of the scanner scripts might miss that port, since the only check typical http ports, like 80, 1080 and 8080.
If you can then you might be able to limit the access a bit by using some of the restrictions in the router, like only allow access to the portforwarded port from certain IP-addresses, like the range for you mobile service provider, or MAC-addresses, like the MAC-address on your phone, but this depends on the network setup, since NAT can prevent this, especially Carrier Grade NAT at your ISP.
You also need to make sure that you have a tight control of all usernames and passwords for HA and have configured your own credentials for all addons and integrations where possible.
A reverse proxy with page control might be a good way to limit access to integrations and addons, but can be a bit tricky to set up too.
And of course have long and “gibberish” passwords, so dictonary attacks is prevented.
Atleast , even thou you click “keep me logged in”, then make sure you have a “very” strong password ( Long with kapital, lower, number, and “special characters” if supported, as the “port forwarding” goes direct to your HA-Device, use that Device only for HA, and other simple tasks, have another device(laptop) for “household” tasks, like mail/bank etc ( also with strong password 
, and if windows 6Pin code login
PS: if you are curious you could set up a “sniffer” on your HA-devices IP number, thou most “unvanted” incoming Traffic would be from “harmless” crawlers like i.e. google, and you’ll notice traffic from china, chech-rep(most likely spoofed russian) … “curious” crawlers, who “initially” don’t know your login ( Name / Password ) , and they don’t even try to look for other open ports etc. i.e It’s search-engines, thou China tend to use whatever info they “initially” discover to “block” the domain-name/ip for China citizens , im sure RU increased this “behavior” lately 
Yeah it would be interesting to see all that port scanning activity directed at my forwarded part (and yes I chose an odd port number and a strong password. I’ll get around to adding SSL at some point.
My HA is on an RPi which isn’t doing anything else. I have the perhaps-naïve belief that “Home Assistant OS” is at least something of a sandbox, hard to get out of.
Obviously a VPN would have been better, and I’m really annoyed that all the Android clients did a corporate suck-up by demanding the users have lock screens. That’s none of their business. Ironic that a system calling itself “Open” VPN won’t allow users to make their own decision on how to manage their phones.
I think it depends of which “Integrations/Add-Ons” you have, and as any “webserver/app” they have to pass through “web-root first” , so your HA-Login/username is essential here ( don’t use “jimh12345” ), it’s too “exposed” in Google already 
Most likely a good “recommendation” and a “cover for their own Brand” to minimize the risk of being sued, due to people claiming it’s not secured, which it per definition is NOT, if anyone can use your passwordfree phone
Seems like the thing to do would be to restrict access to the forwarded port via an IP whitelist. I’m surprised my router doesn’t seem to have any such capability. It has ACLs for devices on the LAN
In general, how does one restrict outside accesses at router level, by IP?
Had a look at DD-Wrt or OpenWRT?
It will open a whole new dimension to your router (if your router is supported) 
Alternative router firmware - wow, who knew? I’d have to really summon up some ambition to go there…
I prefer OpenWRT (i find it a bit more user friendly), but have an old linksys running dd-wrt, both became a lot more reliable with it.
Installing is not that difficult, it is like upgrading the firmware, but the router chipset needs to support it. 
Personally I would even buy another router, if my current router wouldn’t support it 
ps: OpenVpn is also supported
as i have a fairly new Asus RT-AX68U , i have Asuswrt-Merlin, also a nice UI
If I ever find a VPN client that doesn’t require me to use a lock screen on my phone, my problem will be solved.
Try Iphone…it doesn’t require it
Am curious - what kind of lock screen we are talking about? System lock screen? Or some lock screen from the VPN client? Or, are VPN clients enforcing system lock screen? What’s on the lock screen exactly?
And when the lock screen would popup? Is it something that would pop up in your face like every one hour?
Trying to understand why those lock screens are such a big problem, and what they are about.
I mean, I use VPN that is built-in as part of the Android OS, but can’t say I recall there is any lock screen step required. Is something else going on?
Programs can require a certain level of security on a device and a VPN client would typically do that as default, but I wonder if it can not be configured to accept another security level.
The lock screen that’s displayed every time you pull out the phone and wake it up.
Hmmm… I certainly don’t have that when I VPN back home to my VPN server, and I have got multiple phones over the years. Maybe I’m not setting up mine correctly? Maybe it’s a setting somewhere on my phone or in the app?
Also, couldn’t you connect to VPN and just leave it on, so that the lock screen only pops when you setup things up for the first time?
Now, I understand what you mean with VPN.
I have a built-in VPN in my FRITZ!Box (Is the company avm with its routers called FRITZ!Box in not german-speaking regions popular? In Germany, many people use FRITZ!Box) and it uses IPsec. I use it for 4 days now and didn‘t have any problems, it‘s also allowed in my school network that has a very strict internet access.
Thank you for the ideas, at the moment it works very well!
Yes folks, TailScale works like a charm! Go to the Tailscale site and make your account first! Activate it and then start installing in on HA. I assume you have the client installed on your device yet.
TailScale makes a connection with your instance, you need to approve the connection between HA and TailScale first. After this you also have to add your device(s) that you want to use remote to be allowed and you have to install the client also on these devices. And approve it of course within the website from TailScale. After this you copy the made IP address from HA at your desired location into your HA-client (or app) and connect. Might take 1-4 seconds but works like you are not remote. I have used this long time, but now have some issues with a new provider (StarLink) that needs fixing, but most connections work like a charm! Worth trying for me, you always can de-install if you are disappointed.
Thank you, that‘s even better and especially faster than my VPN solution before! But I think that the integration description on the Home Assistant website has some mistakes.
There is written that Tailscale doesn‘t make home assistant to be controled over the internet.
Yes, and I suspect where it comes from. As I learner I went through many documents and youtubes to learn what HA was and could do, perfect for me. But the mistakes came when the versions update and functionality changes. That made me reinstall many times to avoid there errors.
I just moved over to StarLink (from Elon Musk) to have fast en reliable internet, and found out that this VPN is not working. With the team from TailScale working on to get it going.
P.s. TailScale has another benefit: you can change DNS settings in TailScale, so suddenly you are in other countries. Now I can listen to Hawaiian music what I could not do before…!