Guide: OpenVPN Access to Home Assistant

Preface:

I remember when I discovered port forwarding for the first time 16 years ago - I was amazed I could open a port on my router and point it to a device on the LAN side of my router. I had many services I was running on my LAN which I wanted to access; I even ran my own web server, opening port 80 for the web server and port 22 so I could SSH in and administer it. I then opened my router's port for web administration. My defining achievement, and ultimately my undoing, was opening my RealVNC (password protected) port on my home PC so I could control my PC from elsewhere!

Then one day, when using my PC at home, my mouse moved on screen without me moving it, then Notepad opened and someone typed "I can see what you see"! Crapping myself, I immediately turned off my PC. After crawling out from under my bed I took a look at my router's log file; sure enough, someone had accessed my VNC service, so I closed all the ports down on my router. It turned out that someone had scanned my public IP for open ports and accessed my VNC service via an exploit that had been exposed on the website Milw0rm. I thought, how could this happen - how could someone find my IP and find open ports? But as my research expanded it was clear how easy it was. Would-be hackers had used NMAP to scan a range of public IP addresses for the default open VNC ports, found mine, used the exploit, and they were in.

This taught me to be careful about what you expose on your public IP - even password protection didn't protect me from holes in the software and services I was running.

How to check your own network security

Be savvy about network security by checking your router's log file, checking which ports you have forwarded, and checking how your router is configured.

  1. SSH to your server and install nmap and xsltproc

  2. Run the following for your LAN address range

    nmap -oX output.xml -T4 -A 192.168.0.1-254
    xsltproc output.xml -o network.html

    network.html is the report you can check for your LAN's devices - just read through it and check for anything you are not happy with

  3. Run Shields Up! to scan your network from the outside: https://www.grc.com/x/ne.dll?bh0bkyd2
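Step 2 ends with "read through it", which gets tedious on a busy LAN. The following is an added example of mine (not part of the original guide, and not nmap's own tooling) that parses the output.xml nmap writes, lists the open ports of every live host and flags ports from a small watchlist so the review starts from the interesting lines. The embedded XML is a constructed sample in the shape of nmap's -oX output, and the watchlist is my own choice: VNC and Home Assistant mirror the services this guide talks about, the rest are common remote-access and file-sharing ports.

```python
"""Summarise an nmap -oX report and flag services worth a second look.

Added example, not part of the original guide or of nmap itself.
Usage: python nmap_review.py output.xml   (no argument = embedded sample)
"""
import xml.etree.ElementTree as ET

# Ports whose exposure is worth questioning on a home LAN (my own list).
WATCHLIST = {
    21: "ftp (clear-text credentials)",
    23: "telnet (clear-text credentials)",
    445: "smb (file sharing)",
    3389: "rdp (remote desktop)",
    5900: "vnc (remote desktop)",
    5901: "vnc (remote desktop)",
    8123: "home assistant (web ui)",
}

# Constructed sample in the shape of nmap's XML output; the hosts and
# services below are made up for this example, not a real scan.
SAMPLE_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -oX output.xml -T4 -A 192.168.0.1-254">
  <host><status state="up"/>
    <address addr="192.168.0.1" addrtype="ipv4"/>
    <hostnames><hostname name="router.lan" type="PTR"/></hostnames>
    <ports>
      <port protocol="tcp" portid="80"><state state="open"/><service name="http"/></port>
      <port protocol="tcp" portid="23"><state state="open"/><service name="telnet"/></port>
    </ports>
  </host>
  <host><status state="up"/>
    <address addr="192.168.0.14" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="22"><state state="open"/><service name="ssh" product="OpenSSH"/></port>
      <port protocol="tcp" portid="8123"><state state="open"/><service name="http"/></port>
      <port protocol="tcp" portid="5900"><state state="filtered"/><service name="vnc"/></port>
    </ports>
  </host>
  <host><status state="down"/>
    <address addr="192.168.0.20" addrtype="ipv4"/>
  </host>
</nmaprun>
"""


def parse_open_ports(xml_text):
    """Return {ip: [(port, proto, service_name), ...]} for hosts that are up.

    Only ports in state "open" are kept; "filtered" and "closed" are
    dropped so the summary reflects what actually answers.
    """
    root = ET.fromstring(xml_text)
    result = {}
    for host in root.findall("host"):
        status = host.find("status")
        if status is None or status.get("state") != "up":
            continue
        addr = host.find("address[@addrtype='ipv4']")
        if addr is None:
            continue
        entries = []
        for port in host.findall("ports/port"):
            state = port.find("state")
            if state is None or state.get("state") != "open":
                continue
            service = port.find("service")
            name = service.get("name", "?") if service is not None else "?"
            entries.append((int(port.get("portid")), port.get("protocol"), name))
        result[addr.get("addr")] = sorted(entries)
    return result


def flag_watchlist(open_ports):
    """Return [(ip, port, reason)] for open ports that are on the watchlist."""
    flagged = []
    for ip, entries in sorted(open_ports.items()):
        for port, _proto, _name in entries:
            if port in WATCHLIST:
                flagged.append((ip, port, WATCHLIST[port]))
    return flagged


def report(xml_text):
    """Print a readable per-host summary; returns the flagged list."""
    open_ports = parse_open_ports(xml_text)
    for ip, entries in sorted(open_ports.items()):
        listing = ", ".join(f"{p}/{proto} {name}" for p, proto, name in entries)
        print(f"{ip}: {listing or 'no open ports'}")
    flagged = flag_watchlist(open_ports)
    for ip, port, reason in flagged:
        print(f"  review {ip}:{port} -> {reason}")
    return flagged


if __name__ == "__main__":
    import sys
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_XML
    report(text)
```

A flag is a prompt to look, not a verdict: port 8123 on the Home Assistant box is expected on the LAN, and the question the guide asks is whether the router also forwards it from the WAN side. Filtered ports (the sample's 5900) are deliberately left out of the listing, since nmap reached no service there.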

Base Knowledge:
Before I get into the technology of how to set up OpenVPN, I'm going to describe a bit of network topology, starting VERY basic - sorry, seasoned techies.

The internet/cloud/web - whatever you want to call it - is just a load of servers or PCs connecting to each other and providing information from one device to another. When your router connects to the internet it gets a public IP address; the other thing it does is hand out (by default) private IP addresses to the local devices on your LAN. Anything on your LAN side can see everything else on it by default, unless the other device has some kind of firewall or blocking mechanism. Hence why you can access something like Home Assistant on your LAN via your laptop.

By default devices on the LAN side can access the internet, but internet devices can't access LAN devices unless you tell your router to allow it via UPnP, a DMZ, port forwarding or a static route. I won't cover disabling UPnP but I highly recommend it (it lets a device on your LAN ask the router to open ports automatically, allowing the outside in to that device!)

The devices on the LAN side can run any number of services and expose them to other devices, LAN side or WAN side (if ports are open on your router), via ports 0 to 65535 (0-1024 are reserved for known services). Some examples include SSH on port 22 (reserved) and Home Assistant's default port 8123 (unreserved).

An example of this (looking at the diagram above): if Home Assistant is running on Server (192.168.0.14), to access Home Assistant you would navigate to http://192.168.0.14:8123 on the LAN side, and if you opened port 8123 on the router to point to the Server you could, from the WAN side, access http://56.34.155.66:8123. When this happens your router knows to forward traffic from the requesting WAN device to the internal server (port forwarding).

Great, but you just exposed Home Assistant to the internet. As amazing as Home Assistant is, its purpose is home automation and control, not military-grade security. I hear you saying "well, I could password protect it, or encrypt the connection" - fair enough, but think about it like this: if a hacker reaches your password-protected Home Assistant, they have already successfully connected to a service on your LAN (even if only to the password page, which makes exploration easier), and encryption only helps prevent tapping of the information between one endpoint and another (there are devices that can sniff encrypted SSL traffic if they are in the right place, e.g. a Blue Coat proxy).

An alternative to port forwarding is SSH tunnelling. This is good because it is encrypted, but you need to have SSH open to the world and running on a server, and you need to tunnel each port you want to connect to.

The recommendation is to run a service which has been designed for managing and allowing connections in a secure manner: a VPN.

What is a VPN
VPN stands for Virtual Private Network. It's a service on your LAN that you connect to from the internet; you get an IP address and, if configured in such a way, the device you connected from thinks it's on your LAN at home, thus allowing you to connect to any local services you are running.

e.g. I use my iPhone to VPN into my home LAN and it's like connecting to my home WiFi - I get all the benefits of being secure on my LAN with the convenience I would get from being on my LAN at home.

The other benefit is you can browse the internet and it's as if the traffic is originating from your home LAN, not from where you are. This is useful if you want to appear as if you are at home, or to encrypt all the traffic you are browsing from the originating network - useful on public WiFi, as who knows which IT admin is logging the traffic from your device in Starbucks; connect to OpenVPN and you just made it a ton harder for that admin to tap that information.

e.g. I have my iPhone on LTE or a public WiFi and search for "show my ip" in Google: it will show my LTE or public WiFi IP, but if I connect to my VPN I will see my home router's external IP.

It encrypts all traffic over the connection using certificates that have been exchanged prior to forming the connection, not at the time of the connection. These certificates are the "keys to the vault" and can even be password protected themselves. If that's not enough, you can create a user on the VPN server which can have 2FA / a key added to the password (like an RSA key) to make the connection more secure still.

How to setup OpenVPN
You're going to need a Linux server. I run mine on Ubuntu 16.04.4 LTS, but you could run it on a spare Raspberry Pi. It's going to take you 1-2 hours to complete this, so buckle up and MAKE SURE YOU READ EVERYTHING IN THE FIRST GUIDE - as tempting as it may be, don't just copy-paste the commands; understand them and ask questions here if you need to.

There are three guides to follow (these are the best guides I have found); each can be done separately.

Follow the guide here

I would advise running OpenVPN on a port other than the default one; this is the port you will need to open on your router to allow VPN connections inbound to your network. Also choose the build-key-pass route for the client.

There are further guides to harden OpenVPN - pick and choose which you wish to do.

Configuring 2FA with OpenVPN

Once complete, go somewhere remote and connect to your new VPN, then open Home Assistant's local IP address or any other service on your LAN. You can also use "show my IP" to check that the public IP of your device changes to your home LAN's IP.

Good Luck!

26 Likes

Great write up and explanation! Thank you! Before diving into the secondary guides, is there any downside to the VPN? Does it affect any components or cause a slow down in connecting to HA? What about if you are already using duckdns and https? Are there any adjustments that need to be made in that respect? Lastly, how resource intensive is OpenVPN? I.e. can I run it on the same Pi as HASS (and pihole, etc) or does it need a standalone machine? Thanks! Sorry for all the questions

1 Like

Not at all, and great questions.

Downsides… hmmm, takes time to set up; connecting to OpenVPN once set up isn't as seamless as going direct to Home Assistant when on your LAN; you need to guard your certificates and config like gold.

You only use it to connect yourself to your LAN when you're remote, not at home.

OpenVPN is only for connecting from outside; it won't affect how Home Assistant connects to components, that still happens on a local level.

It can be slower than Wi-Fi or LAN when connecting to LAN side services but to be honest I haven't noticed.

It uses resources when you're connected; when there are no connections it's just a small service footprint. I can check my server if you like.

Not sure how duckdns and https are affected. What do you use them for?

You could try it on the same device and if unsure just remove or purge it using apt-get. I doubt it would interfere with existing config but always backup, maybe clone your SD card?

Great stuff, @Robbrad!

I've been using OpenVPN for a few years myself, way before I started with HomeAssistant.

I installed it when I first had IP cameras at home and wanted to have secure access without exposing my network. I still use it for this purpose, but also used it to access my Buffalo Linkstation in the past and now my Synology NAS - without having to open any ports or rely on a web service hosted by a company that could be a more 'lucrative' target for hackers than my own setup.

And the latest addition was now HomeAssistant - easypeasy, nothing to add from what I had in place before, it just works. From my PC, my mobile phone and my tablet - especially with something like an OpenVPN Client for Android.

2 Likes

@Robbrad, Thanks for this, very interesting. Naturally it raises a couple of questions…

I have read through the first guide and it is indeed very well written and I kind of followed most of it (certainly enough to know what was going on) but:

  1. It refers specifically to Ubuntu. I use hassio on a Pi and I am pretty old-school (emphasis on the 'old' :slight_smile:) with all my IT experience being IBM, Microsoft and the like. All this Linux, Python etc. is very new to me.
  2. As I was reading the guide, at the back of my mind I was thinking ‘what a lot of steps, any one of which done wrong might compromise what I am trying to achieve. Surely something that can be written down in such concise instructions could be wrapped up in an idiot proof script of some sort?’.

A combination of those two lines of thought got me searching the web. I found lots of tutorials for setting up a VPN server on a Pi, in fact it seems that this is one of those projects that many tout the Pi as being ideal for.

Specifically I found PiVPN (based on OpenVPN) which does seem to wrap almost all of the set up into a script. I also found a few tutorials for setting up PiVPN and as well, it is hosted on GitHub. All of which led me to think it could be a legitimate option.

I am not asking for actual personal advice as I know you can’t give that on a user by user basis but does it seem reasonable to you to go down that route?

1 Like

Old-School is cool in my books :wink:

Firstly fantastic to hear and to be honest this is the objective I set out to do - just get people to dip their toe into this and think about what they wanted / understand how a VPN was a sound choice - yep following the guide will get results but exploration is also recommended.

A couple of extra diagrams to help with the above explanation:

See: https://www.home-network-help.com/virtual-private-network.html - Remote Access VPN

You're correct, there are a lot of steps, but until you forward a port to the VPN server on the router you can't really go wrong. I would say you can just uninstall OpenVPN / purge it, or start over. I'd always recommend, if people are running stable Pi builds, to image their SD card to a hard drive for backup so it can be flashed back at the point of failure; it's the same process as initially flashing the SD card for the Pi but in reverse: SD to img file.

I started writing out all the steps but just found myself pretty much copying Digital Ocean, which I didn't feel was right as this was the guide I followed.

Correct, it's written for Ubuntu, but OpenVPN runs on many systems, so choose the one that's right for you. FYI Raspbian, which runs on a Pi, is based on Debian; Ubuntu is also based on Debian, so the commands should all work.

Pis do make great VPN servers, but be aware that it needs to run some well maintained VPN software with regular updates and fixes. PiVPN looks very good, but I'd really want to do the steps myself so I knew what it was doing; I had a quick look at the scripts it uses and it just automates a lot of the commands.

Overall this is something that takes time to set up but is worth it once done, as you will be able to do so much with it with some security peace of mind (in that only the VPN server is open on your router).

2 Likes

The PiVPN site tells you to install it by downloading a script via curl and directly executing it by piping it into a bash shell.

There is no verification that what you downloaded is actually what you intended, or that it has not been compromised in some way. I would not trust any site that tried to get you to do this, let alone something related to security.

At the very least you should download the code first and inspect it manually to make sure it does something like you expect, and doesn’t download anything else.

1 Like
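A concrete way to act on the advice in the post above, as an added example that is mine and not part of the thread or of PiVPN: save the installer to disk instead of piping it into a shell, compare its SHA-256 with a value you obtained through a separate trusted channel (the example assumes such a published hash exists), and list the lines that fetch or execute further remote content so they can be read by hand before anything runs. The sample script, its hash and the patterns are all constructed inside the block, so it runs offline.

```python
"""Check a downloaded install script before deciding to run it.

Added example, not from the thread and not PiVPN's installer.
Usage: python check_script.py            (runs the embedded demo)
       or call check_script(path, expected_sha256) on a real download.
"""
import hashlib
import os
import re
import tempfile
from pathlib import Path

# Patterns that indicate the script pulls in or executes more code at
# run time. A hit marks a line to read carefully, not an automatic verdict.
PIPE_TO_SHELL = re.compile(r"\|\s*(sudo\s+)?(ba|z|da)?sh\b")
NETWORK_FETCH = re.compile(r"\b(curl|wget|git\s+clone|pip\s+install|apt(-get)?\s+install)\b")
EVAL_LIKE = re.compile(r"\b(eval|source)\b|(^|\s)\.\s")


def sha256_file(path):
    """Hex SHA-256 of a file, read in chunks so large files are fine."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def hash_matches(path, expected_hex):
    """True only if the file's digest equals the expected value."""
    return sha256_file(path) == expected_hex.strip().lower()


def review_lines(script_text):
    """Return [(line_no, why, line)] for lines that deserve a manual look."""
    findings = []
    for number, line in enumerate(script_text.splitlines(), start=1):
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue  # blank lines, comments and the shebang
        if PIPE_TO_SHELL.search(stripped):
            findings.append((number, "pipes remote content into a shell", stripped))
        elif NETWORK_FETCH.search(stripped):
            findings.append((number, "downloads or installs more code", stripped))
        elif EVAL_LIKE.search(stripped):
            findings.append((number, "executes dynamically built code", stripped))
    return findings


def check_script(path, expected_hex):
    """Run both checks on a saved script; returns (hash_ok, findings)."""
    text = Path(path).read_text(errors="replace")
    return hash_matches(path, expected_hex), review_lines(text)


# Constructed sample installer for the demo; it is not PiVPN's script
# and example.invalid is a reserved name that never resolves.
SAMPLE_SCRIPT = """#!/usr/bin/env bash
# example installer
set -e
apt-get install -y openvpn
curl -fsSL https://example.invalid/extra.sh | bash
echo "done"
"""


def demo():
    """Write the sample to a temp file, check a good and a wrong hash, clean up."""
    fd, path = tempfile.mkstemp(suffix=".sh")
    with os.fdopen(fd, "w") as handle:
        handle.write(SAMPLE_SCRIPT)
    try:
        expected = hashlib.sha256(SAMPLE_SCRIPT.encode()).hexdigest()
        hash_ok, findings = check_script(path, expected)
        tampered_ok, _ = check_script(path, "0" * 64)  # wrong hash must fail
    finally:
        os.unlink(path)
    print("hash matches published value:", hash_ok)
    print("hash matches wrong value:", tampered_ok)
    for number, why, line in findings:
        print(f"line {number}: {why}: {line}")
    return hash_ok, tampered_ok, findings


if __name__ == "__main__":
    demo()
```

The hash check only helps when the expected value comes from somewhere other than the page that served the script; a hash published next to the download proves nothing if that page is what was tampered with. The pattern list is deliberately small and will miss obfuscated fetches, which is why the output is a reading list rather than a pass/fail result.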

@Robbrad
Rob, i just want to say thank you for taking the time to put this together and sharing it with the community.
I recently learnt how to set up reverse proxy and configured my set up as such.
However, it seems this is not sufficient and vpn may be the way forward.

1 Like

Can you share how you did it - I'd love to learn that :slight_smile:

Of course Rob, I did a write up.

Awesome - I'll read up and see if I can spot any pros vs cons of each

I echo this.
This community is wonderful, some extremely helpful people, and I wouldn't have my HA system running as well as it is today if it weren't for the help I've had here. But what you have done is avoid speaking down to people who don't have the same skill set as you, something that is sometimes lacking here. Sometimes too many assumptions are made about what the questioner knows about or understands, making the reply appear condescending however helpful their intent.

1 Like

@klogg
Agreed, on my reverse proxy write up I start with a short rant exactly about some individuals' attitude; but anyway, the reality is that most people are genuinely helpful and kind.

1 Like

@Robbrad,

Ok, I am going to try and set aside some time to do this, it seems like I have nothing to lose - until I open that port!

So I am reading the guide again and I have a question (and I am only at the pre-requisites!!!) but I think it is a simple one. It points you to a guide for creating the appropriate user (I told you Linux wasn’t my thing!) and setting up the firewall but that guide also talks about adding public key authentication. Is that appropriate in this case?

Please backup your system before you start - https://lifehacker.com/how-to-clone-your-raspberry-pi-sd-card-for-super-easy-r-1261113524

No problem - depending on where you plan to do this, as long as you're not logging in as root you probably already have a sudo user, and it will be the user you use for your Pi. If not and it is root (scary) then log in as root and do the following.

Use the commands:

    adduser <username>

Follow the wizard, then do

    usermod -aG sudo <username>

That's all you need to do - SSH key exchange isn't required at this stage, nor is the firewall stuff.

I would then log in as this user and use it for all activity on the Pi from that point - don't do things as root.

1 Like

Thanks.
And I’m doing it on separate unused Pi so nothing to back up!

1 Like

A fantastic write up - thank you for taking the time to do it! I’m particularly interested in the 2FA aspect of this and look forward to setting that up.

One question from me on the below. I believe this means that you'll still then need a port forward straight to HA for some components, correct? Which still leaves us open to someone finding the login page as you described in the OP? In other words, to "lock it down" but still retain remote access, one would need to forgo the use of any services that need to be pointed at Home Assistant directly, i.e. Google Assistant. And I realize that "lock it down" and "retain remote access" inherently contradict each other a bit lol. Apologies if this isn't the right place for the question, the conversation just led me to consider this.

No worries man!

How is the Google Assistant configured? Do you currently forward a port on your router to HA for Google to access your HA server?

UPDATE: I just read the component page for Google Assistant - that's really not the best, shame it works in that way. Let me do some more reading - it might be ok, or maybe there is another way this component can connect.

UPDATE2: Check out https://www.home-assistant.io/cloud/google_assistant/ - this uses Home Assistant Cloud, so no need to open ports on your router! Happy days.

I recently set up Alexa and it seems to operate the other way round, so no need for me to open any ports on my router.

1 Like

Part of setting up the component involves entering your URL, so it points to my.domain.com which is fed via port forward to HA. In my case I have nginx in the middle of that, but I think the concept is still the same. Any component that requires you to enter your HA URL I am assuming isn’t going to work through a VPN and thus still require an open port straight to HA. Again, don’t mean to derail here, just wanted to make sure it’s clear and I’m not missing anything. I feel like I’ve seen a handful of components that work like this, but Google Assistant is the one that stands out and I’m sure is fairly widely used.

1 Like

Check my edit out - you can bypass this need if you use HA Cloud

And then follow

This would mean you could ditch the reverse proxy and shut down the port forward for that service.

1 Like