This is a different take on exposing HA to the internet: rather than having a reverse proxy in your LAN and punching holes in your router to let Internet traffic into your house, we’ll have the reverse proxy running in the cloud on a fly.io instance, which will communicate with your HA instance via a Tailscale VPN.
Disclaimer: At time of writing, both fly.io and tailscale are startups looking at getting traction, so they offer generous free-tier plans. As with all startups, they’ll likely need to cash in at some point and reduce what they offer for free, or just disappear altogether.
Principle
- Fly.io will run a docker container that contains a plain nginx reverse proxy doing one thing: forwarding requests to your HA instance
- Tailscale is the VPN backbone: the container and your HA container will use it for communication. Due to its way of working, no LAN configuration is required.
- Your external devices will connect securely to the container via a *.fly.dev hostname, which is provided by Fly and TLS-secured by them.
Note: The docker image used is not specific to fly. It listens for anything on HTTP port 8080 and forwards it to the Tailscale IP given in its parameters. So it can (normally) be reused on any cloud machine, provided DNS and certificate termination are done upfront.
Pros / Cons
Pros:
- No fiddling with your local network configuration: tailscale is a P2P VPN based upon wireguard
- Works with CGNAT
- fly.io handles both SSL/TLS (via letsencrypt) and DNS for you, automatically, so you instantly have a https://my_ha.fly.dev endpoint
- More secure: Nobody knows your actual public IP and nobody can get beyond your HA unless you want them to (or you blunder the tailscale configuration).
- Relatively simple to implement through this guide
Cons:
- See above: You might have to pay for this to work in the future
- Although fly.io offers a generous free plan, you still have to register a credit card with them at signup time.
- If someone gets access to the inside of your reverse proxy container, they get access to your whole VPN.
Putting it together
All needed files are available on github: https://github.com/koying/ha-fly-tailscale-base
fly.io
- Create a fly.io account. Warning: A credit card is needed for sign-up
- Install the fly.io client, “flyctl”
  - Get the flyctl util (linux):
    curl -L https://fly.io/install.sh | sh
  - Get the flyctl util (windows):
    iwr https://fly.io/install.ps1 -useb | iex
- Login:
  flyctl auth login
Tailscale
- Create a Tailscale account if you don’t have one already
- Install the Tailscale client on your HA instance. If you are using a supervised HA install or HassIO, just install the Tailscale addon
- Create a one-off key
Adjust fly.toml
fly.toml is the configuration file that describes the service that will run on fly.io. Grab it from the repo above.
Adjust app = to a host name of your choice. It will be the hostname you’ll use to access HA from the internet, e.g. https://<my_app_id>.fly.dev
It must be unique across all of fly.io, so be creative!
Then fill in the remaining settings:
TAILSCALE_HOSTNAME = "fly-tailscale-nginx" # This will be the host name registered in Tailscale
TAILSCALE_HA_SCHEME = "http" # The HA scheme, http or https
TAILSCALE_HA_HOST = "<ha_tailscale_ip>" # The Tailscale address of your HA instance
TAILSCALE_HA_PORT = "8123" # The HA port
TAILSCALE_AUTHKEY = "<the_tailscale_one-off_key>" # The Tailscale one-off key you created earlier
Create a Fly application with the util
- Run
  flyctl apps create foobar-homeassistant
  (“foobar-homeassistant” will be the name of your application in fly, i.e. the app = value from fly.toml)
Deploying the application
You have docker installed
Easy peasy. Just do
flyctl -a foobar-homeassistant deploy
to deploy the application on Fly.
After a little while, the application will just be there, ready for usage
You don’t have docker installed
A bit trickier, here. Obviously, you could install it, but it might be involved, especially on Windows.
The alternative route is to let GitHub do the job.
- Fork this repository: ha-fly-tailscale-base
- Get a Fly API token:
  flyctl auth token
- Insert this token under the name FLY_API_TOKEN in GitHub, in Settings - Secrets - New repository secret
- Enable Workflows on your fork: Actions - “I understand my workflows, go ahead and enable them”
- Edit the fly.toml file, possibly in GitHub itself, as described above.
- Commit your changes.
- Voilà! GitHub should handle the deployment of your Fly app via Actions.
SECURITY NOTE: Unfortunately, it’s not possible to make a fork of a public repository private in GitHub, so you are now leaking private information (the Tailscale one-off key in fly.toml) in a public repository. Delete the repository from GitHub as soon as the deployment is successful!
An alternative, more secure but more involved, way of working is to duplicate the repo and create a private copy instead. See, e.g., GitHub: How to make a fork of public repository private?
Adjust configuration.yaml in HA to accept the remote proxy you just created
- In the Tailscale dashboard, note the IP address that was assigned to your Fly application
- In the “3-dots” menu, select “Disable key expiry”.
- Add the IP to your HA “trusted_proxies”:
http:
  use_x_forwarded_for: true
  trusted_proxies:
    - "<tailscale_foobar-homeassistant_ip>"
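Added here as an example (not part of the original guide or the linked repo): a POSIX sh check that the http: block you pasted has use_x_forwarded_for enabled and trusts only a single Tailscale host address (one inside 100.64.0.0/10), so that a slip such as 0.0.0.0/0 or a LAN range does not let any client choose its own source IP via X-Forwarded-For. The sample block and the 100.101.102.103 address are constructed placeholders.

```shell
# Constructed sample of the http: block this guide adds to configuration.yaml.
# The address is a made-up Tailscale-style IP, not the author's.
SAMPLE_HTTP_BLOCK='http:
  use_x_forwarded_for: true
  trusted_proxies:
    - "100.101.102.103"'

# Return 0 only if $1 is a single host address inside Tailscale's CGNAT range
# 100.64.0.0/10 (first octet 100, second octet 64..127). A /32 suffix is
# accepted; any wider prefix (e.g. /10, or 0.0.0.0/0) is rejected so that a
# single trusted_proxies entry cannot trust more than the proxy itself.
is_tailscale_ip() {
  ip=${1%%/*}
  prefix=${1#"$ip"}
  prefix=${prefix#/}
  if [ -n "$prefix" ] && [ "$prefix" != "32" ]; then
    return 1
  fi
  oldifs=$IFS; IFS=.; set -- $ip; IFS=$oldifs
  [ $# -eq 4 ] || return 1
  for octet in "$@"; do
    case "$octet" in ''|*[!0-9]*) return 1 ;; esac
    [ "$octet" -le 255 ] || return 1
  done
  [ "$1" -eq 100 ] && [ "$2" -ge 64 ] && [ "$2" -le 127 ]
}

# Check one http: block: X-Forwarded-For handling must be on (otherwise HA sees
# every visitor as the proxy) and every trusted proxy must be a Tailscale host.
# Prints the first problem found and returns 1.
check_http_block() {
  block=$1
  printf '%s\n' "$block" | grep -Eq '^[[:space:]]*use_x_forwarded_for:[[:space:]]*true[[:space:]]*$' \
    || { echo "use_x_forwarded_for is not true"; return 1; }
  # Pull the "- value" list items, with or without quotes
  entries=$(printf '%s\n' "$block" \
    | sed -n 's/^[[:space:]]*-[[:space:]]*"\{0,1\}\([^"[:space:]]*\)"\{0,1\}[[:space:]]*$/\1/p')
  [ -n "$entries" ] || { echo "trusted_proxies is empty"; return 1; }
  for entry in $entries; do
    is_tailscale_ip "$entry" || { echo "not a single Tailscale address: $entry"; return 1; }
  done
  return 0
}

check_http_block "$SAMPLE_HTTP_BLOCK" && echo "http block looks sane"
```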
All done! Just go to https://<my_app_id>.fly.dev to access your HA instance from anywhere!