ESPHome devices outside the local network

I was curious whether it’s possible to set up ESPHome devices in such a way that they are connected to a completely different network (e.g. an outside network in a different house) but are still able to show up on your local HA?

Basically, I would like to have a couple of devices (sensors + light) in my parents’ house to keep an eye out. E.g. a doorbell notification triggering a light, since one of them has hearing problems.

I was hoping to avoid setting up a whole new home automation system.

Any suggestions would be greatly appreciated.

You would need to set up a site-to-site VPN between your router and your parents’ router if you just want to use the native API.

Or use the MQTT option
and open your MQTT broker to the outside.
You can limit access by their IP so you’re not inviting the whole world in.
There are also public brokers you can bridge to as an option.

That’s exactly what I’m looking for, the MQTT solution could work.

I have some questions:

  1. When you say “open MQTT broker to the world”, do you mean a router “port forwarding” of the Mosquitto broker port in HA?

  2. How can you limit access? I know how to do it in a LAN (by MAC) but not by IP.

  3. Is there a place where they show how to modify the code inside the ESPHome to disable the API and use my name.duckdns.org instead to connect and be discovered?

You can manually add an ESPHome device on the Home Assistant integration page using IP or hostname. Make sure you port forward the other router to your remote ESPHome device.

So far I have tried two methods:

Try to manually add the ESPHome device, connected to the external WiFi, entering the public IP / duckdns.org and forwarding port 6053 in both routers. -- Fail

Change configuration in the ESPHome device

  • removing api:
  • adding MQTT, port 1883, username and password (it works in the local network)
  • connecting in the external network, forwarding port 1883 in both routers. -- Fail

I guess I’m close to it, I just don’t know how to make it work so far

Try an MQTT bridge.

Do you know how to solve this? ESPHome issue with a repeater (NAT)
Thanks

I found a solution: I opened port 1883 of the HA on the router, and with the DNS + 1883 I could establish a connection even outside the network.

Unencrypted communication should be avoided over the internet. Using your solution anyone can listen to the traffic between MQTT client and broker or even modify the payload (MITM attack).

It would be helpful if there was a clear write-up of the solution for such a use case.
I can imagine there are more people who have the problem of having an ESPHome device outside the local network.

Is there a way to encrypt communication between the ESPHome device and HA in this case?

Has anyone tried using Tailscale to bridge networks?

Yes, the API component of ESPHome supports ‘encryption:’ (with ‘key:’), and in fact the ‘password:’ option is deprecated. And of course, you really should not ever use a wide-open unprotected API (with neither ‘encryption:’ nor ‘password:’), although many ESPHome YAML examples show ‘api:’ usage with no protection.

Bottom line: Always use the ‘encryption:’ option in the ‘api:’ section of ESPHome YAML.
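
The ‘encryption:’ setting recommended in the reply above, shown next to the unprotected and deprecated forms it replaces. This is an added example, not configuration posted by anyone in the thread; the secret names `api_password` and `api_encryption_key` and the key placeholder are assumptions.

```yaml
# Added example: ESPHome device YAML fragment (secret names are placeholders).

# Unprotected: the native API accepts any client that can reach its port
# (6053, the port forwarded earlier in this thread).
# api:

# Deprecated, as noted in the reply above.
# api:
#   password: !secret api_password

# Recommended: native API with a pre-shared encryption key.
# The same key is entered in Home Assistant when the device is added.
api:
  encryption:
    key: !secret api_encryption_key

# secrets.yaml, kept out of version control:
#   api_encryption_key: "<BASE64_OF_32_RANDOM_BYTES>"   # placeholder
# One way to generate a value: openssl rand -base64 32
```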

Hello.
Is there any tutorial or documentation on how to set up a safe and stable connection? I’m a beginner in Home Assistant and ESPHome and I’m facing the same challenge of connecting some devices outside my home network to Home Assistant.
I would appreciate any advice or link.
If I understand it right, the best and safest way should be a VPN connection, right?
My DrayTek router at home has a built-in VPN server, but I don’t know how to set up the ESPHome device to connect via VPN.
Greetings, Tobias

Any tutorial on this? I too would like to set up an ESP32 inside a garage within a different WiFi network, so I’ll need to access the ESP32 from the internet.

You can port forward your chip’s 6065 port (I think that’s the API port), then it would work with HA over the internet. I have done this, but it’s obviously not that stable if not on LAN.

EDIT: HA needs to connect to the chip and not the other way around, so HA doesn’t need to be port forwarded for this.