Ok, I am going to try and set aside some time to do this, it seems like I have nothing to lose - until I open that port!
So I am reading the guide again and I have a question (and I am only at the pre-requisites!!!) but I think it is a simple one. It points you to a guide for creating the appropriate user (I told you Linux wasn’t my thing!) and setting up the firewall but that guide also talks about adding public key authentication. Is that appropriate in this case?
No problem - depending on where you plan to do this - as long as you're not logging in as root you probably already have a sudo user - and it will be the user you use for your Pi. If not, and it is root (scary), then login as root and do the following:
Use the command: adduser <username>
Follow the wizard, then do: usermod -aG sudo <username>
That's all you need to do - SSH key exchange isn't required at this stage, nor is the firewall stuff.
I would then login as this user and use it for all activity on the Pi from that point - don't do things as root.
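A check to run before you log out of root after the steps above, as an added example (not from this thread): it confirms the new user actually landed in the sudo group, so you do not lock yourself out of admin access. It assumes the Debian/Raspbian layout where usermod -aG sudo adds the name to the "sudo" line of /etc/group; the group file path is a parameter so it can be pointed at a copy.

```shell
#!/bin/sh
# Added example: verify that a user is a member of the sudo group by reading
# the group file directly. Assumes Debian/Raspbian: "usermod -aG sudo NAME"
# appends NAME to the member list of the "sudo" line in /etc/group.
# Note: the new membership only applies to sessions started after the
# usermod, so "id" in the still-open root shell is not a reliable check.

# user_in_group USER GROUP [GROUPFILE]
# Returns 0 if USER is listed as a member of GROUP in GROUPFILE (default /etc/group).
user_in_group() {
    user=$1
    group=$2
    file=${3:-/etc/group}
    # Field 4 of a group line is the comma-separated member list. Split it on
    # commas and match the whole name, so "pi" does not match "pipi".
    grep "^${group}:" "$file" | cut -d: -f4 | tr ',' '\n' | grep -qx "$user"
}

# check_sudo_user USER [GROUPFILE]
# Prints a verdict; returns 0 only when USER is in the sudo group.
check_sudo_user() {
    if user_in_group "$1" sudo "${2:-/etc/group}"; then
        echo "$1 is in the sudo group - safe to stop using root"
        return 0
    fi
    echo "$1 is NOT in the sudo group - as root run: usermod -aG sudo $1" >&2
    return 1
}
```

Run it as check_sudo_user <username> in a fresh shell before closing the root session.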
A fantastic write up - thank you for taking the time to do it! I’m particularly interested in the 2FA aspect of this and look forward to setting that up.
One question from me on the below. I believe this means that you'll still need a port forward straight to HA for some components, correct? Which still leaves us open to someone finding the login page as you described in the OP? In other words, to "lock it down" but still retain remote access, one would need to forgo the use of any services that need to be pointed at Home Assistant directly, i.e. Google Assistant. And I realize that "lock it down" and "retain remote access" inherently contradict each other a bit lol. Apologies if this isn't the right place for the question, the conversation just led me to consider this.
How is the Google Assistant configured? Do you currently forward a port on your router to HA for Google to access your HA server?
UPDATE I just read the component page for Google Assistant - that’s really not the best, shame it works in that way. Let me do some more reading - it might be ok, or maybe there is another way this component can connect
Part of setting up the component involves entering your URL, so it points to my.domain.com which is fed via port forward to HA. In my case I have nginx in the middle of that, but I think the concept is still the same. Any component that requires you to enter your HA URL I am assuming isn’t going to work through a VPN and thus still require an open port straight to HA. Again, don’t mean to derail here, just wanted to make sure it’s clear and I’m not missing anything. I feel like I’ve seen a handful of components that work like this, but Google Assistant is the one that stands out and I’m sure is fairly widely used.
Thanks @Robbrad! I had setup Google Assistant before this was made available, so might be time to switch over. I see it’s free to use for now. I’d been avoiding any subscriptions like the plague, but one that supports this great platform and community might be worth breaking the rule! And I suppose you can’t put a price on security!
I had seen this and I was a little bummed it cost money - but HA has given me so much value it's worth the money if it supports that - it also works very well, e.g. it's FAST.
I was really hoping not to have to ask anything else but I have hit a small problem. Perhaps you can help, perhaps it's a Pi thing?
When trying to build the certificate authority (Step 4) and after the source vars command I get:
No /home/pi/OpenVPN-ca/openssl.cnf file could be found
Further invocations will fail
The next line of output is the expected:
NOTE: If you run ./clean-all, I will be doing a rm -rf on /home/sammy/openvpn-ca/keys
but
./build-ca
fails with the same file could not be found error.
I know you are not here to support the Digital Ocean docs but just in case it is something simple or obvious…
For the record, I have been through the process twice, both times with a fresh install of Raspbian.
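A diagnostic for the error quoted above, as an added example (not from this thread or the guide): easy-rsa 2.x selects openssl-<version>.cnf by matching the installed OpenSSL version string and falls back to a plain openssl.cnf when no template matches, and on a newer OpenSSL that fallback file does not exist, which is exactly the "No .../openssl.cnf file could be found / Further invocations will fail" message. The function below assumes the easy-rsa 2.x directory layout (openssl-0.9.6.cnf, openssl-0.9.8.cnf, openssl-1.0.0.cnf) and creates openssl.cnf from the newest template when it is missing.

```shell
#!/bin/sh
# Added example: repair the easy-rsa 2.x "No <dir>/openssl.cnf file could be
# found" condition. Assumes the easy-rsa 2.x layout, where versioned
# templates openssl-0.9.6.cnf / openssl-0.9.8.cnf / openssl-1.0.0.cnf live
# next to the vars file and "source vars" falls back to openssl.cnf when the
# installed OpenSSL version matches none of them.

# ensure_openssl_cnf DIR
# Creates DIR/openssl.cnf from the newest versioned template if it is
# missing. Returns 0 on success, 1 if no template is available. Afterwards
# "source vars" must be run again in that directory.
ensure_openssl_cnf() {
    dir=$1
    if [ ! -d "$dir" ]; then
        echo "not a directory: $dir" >&2
        return 1
    fi
    if [ -f "$dir/openssl.cnf" ]; then
        echo "openssl.cnf already present in $dir"
        return 0
    fi
    # Prefer the newest template: its defaults are closest to a current OpenSSL.
    for ver in 1.0.0 0.9.8 0.9.6; do
        tmpl="$dir/openssl-$ver.cnf"
        if [ -f "$tmpl" ]; then
            cp "$tmpl" "$dir/openssl.cnf" || return 1
            echo "created $dir/openssl.cnf from openssl-$ver.cnf (re-run: source vars)"
            return 0
        fi
    done
    echo "no openssl-*.cnf template found in $dir - is this the easy-rsa directory?" >&2
    return 1
}
```

For the thread's setup that would be ensure_openssl_cnf /home/pi/OpenVPN-ca followed by source vars and ./clean-all before ./build-ca.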
Wonder if someone can weigh in and give their opinion on using the OpenVPN option on the router itself? Seems like I can set it up on my brand of router. Is it just as secure, or not as effective? Seems like it would be an easy choice and I'd not have to spin off another box to host OpenVPN. Anybody using their router feature?
I think it could be good for simplicity - but I'm not sure how many updates you would get compared to running on a Linux distro - though running on a router would be better for your carbon footprint.
It looks nice and simple - though bear in mind you might lose a little bit of control over encryption standards and some firewall rules you might want. It's worth trying it out and seeing if it works for you; if you want more, then go with your own install. Also see my last reply to berniebl - your router version of OpenVPN might be out of date - you should check the version.
I saw the question already posted above, but this solution would really remove the need for DuckDNS and SSL, wouldn't it?
Only reason for DuckDNS is to point to your home which is no longer necessary, and the SSL is to encrypt the traffic to your system, which is now not necessary since you’re on the VPN.
Pros - Less Configuration with Home Assistant, better security, nothing exposed to the internet
Cons - Have to use OpenVPN to get to your setup if you’re away from home.
Question about things like iOS notifications? HASS will still be able to send notifications out, but you'd not be able to have actionable notifications unless OpenVPN was running, is that right? What about alerts? I'd assume the same for actionable alerts? What about GPS, reporting zones?
I have my OpenVPN running on my pfSense box. We've had the VPN here at home for years specifically because there are services here at home that we don't want to expose to the public. Mainly the IP cams. In fact, a couple of years ago I actually sliced my network up into multiple VLANs because I didn't want my cams on the same segment as everything else. I also don't trust my cams because I don't know why they're phoning home. So by isolating them to their own VLAN I shut down external access for them completely. Reason 2 was that they're outside my house: if someone were to compromise one of my cams they have a network cable right there that they could use to plug into my network. But with the cams now isolated on their own VLAN it would take a lot more leg work for them to get past the firewall.
So I also have VPNs that I pay for, like AirVPN, so not only are we secured when we're remote, we're also secured while here at home. We never appear to be coming from our IP; we always show up somewhere else.
Lastly I have a couple of these http://a.co/2gnlM19 - I use one in my truck for connecting multiple things and then we take one with us when we travel. We connect that little guy to the hotel WiFi and since that little guy will also act as a VPN client, it connects back to my house; now everything in our hotel room can connect to our travel router and it takes care of the rest. I also set up the SSID on the travel router to be the same as the house so there is no special setup for us.
Wow, amazing - a VLAN for non-trusted devices is genius.
Especially when you know they are calling home. Did you wireshark them and see?
The out-of-house hacking is a big deal; the one I'd be bothered about is powerline adapters and outdoor sockets: without some pairing, someone plugging in another adapter outside and they are on your LAN.
For the calling home I just watched firewall traffic.
Yeah, I don't buy any WiFi enabled smart devices for a few reasons.
Power draw: WiFi devices require a little more energy than a Z-Wave device does.
Why would I want to put a WiFi device like that on my network? Goes back to the device calling home and the fact that most IoT devices aren't updated on a regular basis. I know Z-Wave isn't the most secure thing in the world but it gets the job done.
I actually have my HASSIO on my VLAN for media devices. For a while it was being routed through London, which was awesome because our TTS had a British accent. Then there was something that I enabled on the HASSIO that required me to sadly send HASSIO out over my regular WAN link and no more VPN for it for now. I'll need to send it back out the VPN here again in the future (in fact right now I'm setting up a VPN server on my dedicated server from Kimsufi). A lot of services will block known VPN providers (bastards), i.e. Amazon/Netflix etc. So time to set up another VPN connection for pfSense to send traffic over.