Guide : OpenVPN Access to Home Assistant

Thanks @Robbrad! I had set up Google Assistant before this was made available, so it might be time to switch over. I see it’s free to use for now. I’d been avoiding any subscriptions like the plague, but one that supports this great platform and community might be worth breaking the rule! :slight_smile: And I suppose you can’t put a price on security!

1 Like

I had seen this and I was a little bummed it cost money - but HA has given me so much value it’s worth the money if it supports that - it also works very well, e.g. it’s FAST.

1 Like

Couldn’t agree more!

I was really hoping not to have to ask anything else, but I have hit a small problem. Perhaps you can help, perhaps it’s a Pi thing?

When trying to build the certificate authority (Step 4) and after the source vars command I get:

No /home/pi/OpenVPN-ca/openssl.cnf file could be found
Further invocations will fail

The next line of output is the expected:

NOTE: If you run ./clean-all, I will be doing a rm -rf on /home/sammy/openvpn-ca/keys

but

./build-ca

fails with the same file could not be found error.

I know you are not here to support the Digital Ocean docs but just in case it is something simple or obvious…
For the record, I have been through the process twice, both times with a fresh install of Raspbian.

Wonder if someone can weigh in and give their opinion on using the OpenVPN option on the router itself? Seems like I can set it up on my brand of router. Is it just as secure, or not as effective? Seems like it would be an easy choice and not have to spin off another box to host OpenVPN. Anybody using their router feature?

I think it could be good for simplicity - but I’m not sure how many updates you would get compared to running on a Linux distro - though running on a router would be better for your carbon footprint :slight_smile:

I have an ASUS router that has OpenVPN built into the router itself. Any downsides to doing it this way for the VPN piece?

https://www.asus.com/support/FAQ/1008713/

It looks nice and simple - though bear in mind you might lose a little bit of control over encryption standards and some firewall rules you might want. It’s worth trying it out and seeing if it works for you; if you want more, then go with your own install. Also see my last reply to berniebl - your router version of OpenVPN might be out of date - you should check the version.

Ha, totally missed what was basically the same question right above mine. :slight_smile:
Thanks, I’ll check my version. Good info.

1 Like

I saw the question already posted above, but this solution would really remove the need for DuckDNS and SSL, wouldn’t it?

Only reason for DuckDNS is to point to your home which is no longer necessary, and the SSL is to encrypt the traffic to your system, which is now not necessary since you’re on the VPN.

Pros - Less Configuration with Home Assistant, better security, nothing exposed to the internet
Cons - Have to use OpenVPN to get to your setup if you’re away from home.

Question about things like iOS notifications? HASS will still be able to send notifications out, but you’d not be able to have actionable notifications unless OpenVPN was running, is that right? What about alerts? I’d assume the same for actionable alerts? What about GPS, reporting zones?

1 Like

I have my OpenVPN running on my pfSense box. We’ve had the VPN here at home for years specifically because there are services here at home that we don’t want to expose to the public. Mainly the ipCams. In fact, a couple of years ago I actually sliced my network up into multiple VLANs because I didn’t want my cams on the same segment as everything else. I also don’t trust my cams because I don’t know why they’re phoning home. So by isolating them to their own VLAN I shut down external access for them completely. Reason 2 was because they’re outside my house: if someone were to compromise one of my cams, they have a network cable right there that they could use to plug into my network. But with the cams now isolated on their own VLAN it would take a lot more leg work for them to get past the firewall.
So I also have VPNs that I pay for, like AirVPN, so not only are we secured when we’re remote, we’re also secured while here at home. We never appear to be coming from our IP; we always show up somewhere else :slight_smile:

Lastly, I have a couple of these http://a.co/2gnlM19. I use one in my truck for connecting multiple things, and then we take one with us when we travel. We connect that little guy to the hotel Wi-Fi and, since that little guy will also act as a VPN client, it connects back to my house; now everything in our hotel room can connect to our travel router and it takes care of the rest. I also set up the SSID on the travel router to be the same as the house, so there is no special setup for us.

3 Likes

Wow, amazing - a VLAN for non-trusted devices is genius.

Especially when you know they are calling home. Did you Wireshark them and see?

The out-of-house hacking is a big deal; the one I’d be bothered about is powerline adapters and outdoor sockets: without some pairing, someone plugging in another adapter outside and they are on your LAN.

1 Like

For the calling home I just watched firewall traffic.

Yeah, I don’t buy any Wi-Fi-enabled smart devices for a few reasons.

  1. Power draw: Wi-Fi devices require a little more energy than a Z-Wave device does.
  2. Why would I want to put a Wi-Fi device like that on my network? Goes back to the device calling home and the fact that most IoT devices aren’t updated on a regular basis. I know Z-Wave isn’t the most secure thing in the world, but it gets the job done.

I actually have my HASSIO on my VLAN for media devices. For a while it was being routed through London, which was awesome because our TTS had a British accent. Then there was something that I enabled on the HASSIO that required me to sadly send HASSIO out over my regular WAN link, and no more VPN for it for now. I’ll need to send it back out the VPN here again in the future (in fact, right now I’m setting up a VPN server on my dedicated server from Kimsufi). A lot of services will block known VPN providers (bastards), i.e. Amazon/Netflix etc. So time to set up another VPN connection for pfSense to send traffic over :slight_smile:

1 Like

So I’m almost there, but still stuck.

BUT: then I’m not able to get any response on anything, local or remote. Can anyone help out getting over this final obstacle?

Do you really not get any response from “anything” or is it just not able to connect to your HA?

Can you go to other websites? Can you connect to other local IP addresses on your local network?

First point of call would be can the Pixel ping the VPN server?

Could be a UFW issue or an iptables issue - forwarding packets.

No, nothing.

I don’t follow. Isn’t the fact that my OpenVPN client on my Pixel connects proof that I can reach the VPN server?

Here’s the screenshot.

Sorry - to explain. You connect to the VPN and can obviously connect to the public IP.

But then you will get a private IP from the VPN server - the server will also have a private IP which you should be able to contact over the VPN. E.g. when I connect, mine is 10.8.0.1.

Think of the VPN tunnel like a cable that you are connecting to a switch. You get an IP and a gateway. Make sense?

Yes, and I’m able to ping 10.8.0.1, which is also my VPN IP. Thanks for helping. I’m a major nerd, a computer engineer, and as such utterly annoyed when I don’t get something working… :slight_smile:
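The "UFW or iptables forwarding" hint above is where this symptom (tunnel up, 10.8.0.1 answers, nothing past it) usually ends up. As an added example that is not from anyone in the thread, here is a small POSIX shell diagnostic for the three server-side settings involved, run against constructed sample output; the 10.8.0.0/24 VPN subnet and the eth0 interface are assumptions (OpenVPN's defaults), not values from the thread.

```shell
#!/bin/sh
# Added diagnostic (not from the thread): three server-side settings that commonly
# leave an OpenVPN client able to ping the server's tunnel IP but nothing beyond it.
# Each check takes its input as text so it can also be run against saved output.

# 1. Kernel forwarding between tun0 and the LAN.  $1 = contents of /proc/sys/net/ipv4/ip_forward
check_ip_forward() {
  [ "$1" = "1" ]
}

# 2. UFW's policy for routed traffic. The default is DROP, which silently discards
#    everything the tunnel tries to pass on to the LAN.  $1 = contents of /etc/default/ufw
check_ufw_forward_policy() {
  printf '%s\n' "$1" | grep -q '^DEFAULT_FORWARD_POLICY="ACCEPT"'
}

# 3. NAT for the VPN subnet so LAN hosts reply to the server instead of to an
#    unknown 10.8.0.x address.  $1 = output of iptables-save, $2 = VPN subnet
check_masquerade() {
  printf '%s\n' "$1" | grep -q "^-A POSTROUTING -s $2 .*-j MASQUERADE"
}

# Prints one line per failing check and returns the number of failures (0 = all good).
# $1 = ip_forward value, $2 = /etc/default/ufw text, $3 = iptables-save text, $4 = VPN subnet
diagnose() {
  fails=0
  check_ip_forward "$1"           || { echo "ip_forward is off (sysctl net.ipv4.ip_forward=1)"; fails=$((fails+1)); }
  check_ufw_forward_policy "$2"   || { echo "UFW DEFAULT_FORWARD_POLICY is not ACCEPT"; fails=$((fails+1)); }
  check_masquerade "$3" "$4"      || { echo "no MASQUERADE rule for $4 in the nat POSTROUTING chain"; fails=$((fails+1)); }
  return "$fails"
}

# Constructed sample output from a server with the typical misconfiguration:
# NAT is in place, but forwarding is off and UFW still drops routed traffic.
SAMPLE_IP_FORWARD="0"
SAMPLE_UFW_DEFAULTS='IPV6=yes
DEFAULT_INPUT_POLICY="DROP"
DEFAULT_FORWARD_POLICY="DROP"'
SAMPLE_IPTABLES='*nat
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
COMMIT'

# On a live server pass "$(cat /proc/sys/net/ipv4/ip_forward)" "$(cat /etc/default/ufw)"
# "$(sudo iptables-save)" 10.8.0.0/24 instead of the samples.
diagnose "$SAMPLE_IP_FORWARD" "$SAMPLE_UFW_DEFAULTS" "$SAMPLE_IPTABLES" 10.8.0.0/24 && rc=0 || rc=$?
echo "problems found: $rc"   # prints 2 for the sample input
```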