I installed Home Assistant (HA) a year ago and I really like the software that has been developed. I have now come to the stage where I want to access HA remotely. I have read the documentation about remote access to a HA server and didn’t find any solution that I feel is secure enough. I am not so keen on opening up a TCP port and exposing HA to the rest of the internet.
If there is another solution I’m not aware of, I would be glad to hear it out.
I have been thinking of creating a solution to create a transport method between HA and an end device, such as a mobile phone or a desktop computer at your workplace: a cloud-based service which will “glue” the two endpoints together and have security in mind. The communication messages will be end-to-end encrypted, which will make the cloud-based service only a communication entity between the two endpoints, and it cannot see any communication between the endpoints.
I just wanted to share my thoughts and I would appreciate some feedback from the community for the next project I will dive into.
Yes, the Google Assistant App you create with the component needs an HTTPS address to connect to internally, so you can’t use a VPN. It does use OAuth to authenticate though, and supports 2FA.
@DavidFW1960: A reverse proxy is good, but then I need to open up a port in my firewall at home, which will be one entry point for an unprivileged user to attack. Also, if your internet service provider is giving you a dynamic IP address, you need to have a DNS client that updates the A record that you are connecting to.
@JuanM: VPN is nice! I have been thinking of that too. The drawback I see is that you need a stateful connection towards your VPN service; it would be nicer if it were a stateless connection instead. I think it could be battery-consuming for a mobile device to have a persistent connection. And what happens if your device is roaming around on different networks, sometimes 3G, 4G, wifi, or no internet connection? I think you need to actively connect to the VPN service again for it to work.
I would rather not set up a VPN or a reverse HTTP proxy and a DNS service that updates the DNS record; instead I want it to be easy to set up and maintain. I’m thinking of developing a component in HA that subscribes to all relevant queues and forwards them to the cloud-based internet service (the message that will be sent is encrypted using asymmetric encryption, so no one can snoop into the message that is being sent; only the receiver can decrypt the message). The message arrives in a message queue and will be picked up the next time the mobile phone is connected to the cloud-based service. The communication will be bi-directional, so the mobile device can also send messages back to HA.
The goal is to have a configuration item in your configuration.yaml that enables the cloud-based service; you need to configure it with some settings and tie it to your account in the cloud. In your HA app on your mobile device, you give the host address of the cloud-based service and some settings to tie the mobile device to your account. Every nth minute your mobile device checks if there are unread messages in the message queue; if so, they pop up on your mobile phone. The look and feel should be that you are constantly connected to your HA, and if something has happened you should get a notice quickly.
The things that need to be implemented are:
HA connector module to the cloud based service.
Cloud based service web GUI (frontend).
Cloud based service backend.
A patch in the HA Android and iOS apps.
That’s something I’m missing out in the HA application, otherwise I think it is a really nice implementation, but remote access would be awesome!
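The relay design described in the post above, sketched as an added example that is not part of the thread and not Home Assistant code. It goes one step beyond encrypting to the receiver's public key: each side derives per-direction keys from both key pairs, so the receiver can also tell that a message came from its paired peer and reject replays by the relay. Assumptions: the Python `cryptography` package, public keys exchanged out of band at pairing, and the hypothetical names `Endpoint`, `outcome` and `demo`; the message is constructed sample data.

```python
from cryptography.exceptions import InvalidTag
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric.x25519 import X25519PrivateKey
from cryptography.hazmat.primitives.ciphers.aead import ChaCha20Poly1305
from cryptography.hazmat.primitives.kdf.hkdf import HKDF

class Endpoint:  # a paired device (HA or phone); hypothetical name
    def __init__(self, name):
        self.name, self._priv = name, X25519PrivateKey.generate()
        self.public = self._priv.public_key()
        self._sent = self._last_seen = 0  # persist _sent: reused counter = reused nonce

    def pair(self, peer_name, peer_public):
        shared = self._priv.exchange(peer_public)  # public keys swapped out of band
        def key(src, dst):  # one key per direction: no reflection, no nonce clash
            info = f"ha-relay-demo {src}->{dst}".encode()
            return HKDF(hashes.SHA256(), 32, None, info).derive(shared)
        self._tx = ChaCha20Poly1305(key(self.name, peer_name))
        self._rx = ChaCha20Poly1305(key(peer_name, self.name))

    def seal(self, plaintext):
        self._sent += 1
        header = self._sent.to_bytes(8, "big")  # counter: nonce suffix, bound as AAD
        return header + self._tx.encrypt(b"\0" * 4 + header, plaintext, header)

    def open(self, blob):
        header, counter = blob[:8], int.from_bytes(blob[:8], "big")
        if counter <= self._last_seen:
            raise ValueError("replayed or stale message")
        plaintext = self._rx.decrypt(b"\0" * 4 + header, blob[8:], header)
        self._last_seen = counter  # advance only after the tag verified
        return plaintext

def outcome(endpoint, blob):
    try:
        return endpoint.open(blob)
    except (InvalidTag, ValueError) as exc:
        return type(exc).__name__

def demo():
    ha, phone = Endpoint("ha"), Endpoint("phone")
    ha.pair("phone", phone.public)
    phone.pair("ha", ha.public)
    blob = ha.seal(b'{"entity": "lock.front_door", "state": "unlocked"}')  # queued at relay
    return {
        "relay_sees_plaintext": b"lock.front_door" in blob,
        "modified_by_relay": outcome(phone, blob[:-1] + bytes([blob[-1] ^ 1])),
        "first_delivery": outcome(phone, blob),
        "replayed_by_relay": outcome(phone, blob),
        "reflected_to_sender": outcome(ha, blob),
    }
```

The relay still learns message sizes, timing and which account is talking, and it can drop or delay messages; end-to-end encryption does not hide or prevent that.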
I’ve been using a VPN (on an old Pi2) for years now - even before I got involved with HA - and it’s the simplest thing to use.
Your router probably has an OVPN server built in that you could set up for this; it probably can handle some DDNS as well.
And the app on my Android mobile and tablet just requires one click (via a shortcut on the home screen), and it stays connected even if I switch between WiFi and mobile connections, and it also re-connects after I’ve had no data connection at all.
Benefits:
I use the VPN also when I’m on an open WiFi connection, at a Starbucks or some place where I’m not sure it’s really a secure connection.
And I can access my security cameras, of course.
Drawback:
I have to manually start it when I need it (one click!) at the moment because I don’t have it running all the time - and therefore I don’t know battery consumption either because I’m only connected for 15min at a time.
I receive notifications via Pushbullet without being connected to the VPN, but I can not set up a service to respond to notifications when I’m out and about - not seen the need for this yet, though.
@chairstacker: My firewall does not have OVPN support, but I can always install it on the Pi. I wanted the connection between the HA server and the HA client (mobile) to be seamless. But I think I will go for the VPN solution.