Hi everyone,
my first post on here, so please correct me if necessary.
I am trying to set up a Home Assistant green in my dorm room, but stumbled into issues with the provided network. After speaking with the Nabu Casa Support and the people managing the network, it seems like the only way of getting the green to work is via a cloud/vpn?
I have loads of questions:
The Home Assistant Cloud and Tailscale seem to be the best options?
Is this possible and practical?
How to set up with no option to reach the green via the network?
What other limitations are there, that I am not yet aware of? (planning to use a ZBT-2 and Thread)
It was suggested to set up my own network, but I am not allowed to do so.
I am hoping to set up a way to reach the green.
As suspected, due to the client isolation every device can see itself and the internet. Running fully local isn't an option.
But if both can see the Internet, there could be a "place" (thought of the Nabu Casa Cloud) where they communicate, allowing me to reach the green.
In my understanding, the same principle as a Remote Access, but in this case, it would be the standard, even when home.
The network requires all devices to be registered via the MAC-address. I did so (found it by hooking the green up to a display, using the command line), but couldn't reach the green via App or http://homeassistant.local:8123. This seems to be due to the client isolation, the devices don't see each other.
If you're using a Green, there is ET wiring involved (?) The "old school" remedy is to get your own router… a router that lets you manually override its MAC address. Configure the router with the MAC address that campus IT is currently allowing for you into the router. Plug in the green and/or wifi connect other "things" to that.
I used to manage IT for call centers and this was discovered… a lot. And sometimes removed when discovered for plugging the router LAN/WAN cables in backwards…
Correct. You would have to set up your own network behind your own router then connect THAT to the port and internet…
Something like tailscale works technically but then EVERYTHING you connected (like all of it) would need to support its own independent tailscale client as well as handle firewall traversal (get through your university outbound and then connect to your… (I hope you see how that's not happening…))
Something like Tailscale would work for the green? How would the setup be? Would home assistant cloud work too? Are there other options?
I plan on using the ZBT-2, so the "things" would work without wifi. This will limit to Zigbee/thread devices, but that's better than no home assistant.
Sorry, wrong… The HA box supports something like tailscale (read: there's plenty of options for allowing it on a vpn)
This is friendly advice… I understand the ask, and the HA box isn't your issue. It's EVERYTHING else. Don't go down that path. It leads to lots of pain. As a former network engineer, a campus IT engineer, a vendor who supports campus OIT, and speaks TCP - you don't want to do this, lest you become your campus IT's enemy #1. OK, #3 behind the dude who is running the pirate radio he thinks nobody knows about and the dude spewing viruses off his laptop like a plague site.
Put all your stuff behind your own NAT router then connect THAT to campus outbound and do whatever you want behind your router. (Yes, I just read the no router - which that's a problem, also you MAC spoof and encrypt the tunnel, they can't tell, but I digress. No, I will not tell you how.) Start banging the hell out of campus networks for OT devices, you WILL get a visit. (45 individual ot tunnels v 1 tunnel that barely speaks outbound except for bursty am traffic…) If they don't just shut your port off first. (My network rules would have, then asked questions later)
Would a Z-Wave based approach work in this environment? Build out your own Z-Wave network that doesn't touch/depend on the campus one. Plus it would be (relatively) portable when moving to the next dorm room or apartment…
You can pick something completely local and Internet free like zwave or insteon. Nothing, including HA, will get updates; that would have to be done manually somehow
Or, add a router that can let your current MAC address be used, or firewalla, pfsense etc
Perhaps try a cloudflare tunnel? A Cloudflare Tunnel works by having your Home Assistant server initiate an outbound connection to Cloudflare's servers. Since the server is talking to the internet, not another local device, client isolation might not stop the tunnel from forming.
You're actually in a pretty dang "client isolation dorm network" situation - and you've already done the right thing by checking with both Nabu Casa support and the network admins.
Given that they've essentially confirmed no local LAN access is possible, your assumption is correct: you need either cloud relay or a VPN-style overlay network.
Best practical solution: Tailscale
In your case, I would strongly recommend focusing on Tailscale rather than cloud access.
Why:
Works even in heavily restricted dorm networks
No need for router changes or admin rights
Bypasses client isolation completely
Feels like local access once connected
Free for personal use
Home Assistant Green only needs outbound internet - Tailscale builds the secure tunnel over it.
How it works in your setup
Once installed:
Home Assistant connects outward to Tailscale
Your phone/laptop joins the same Tailscale network
We already discussed why this is not the answer above - They are NOT trying to get remote access to the HA box they wanted a network to connect iot devices to. Campus networks are isolated on purpose so the default lan is nogo. NORMAL solution is - install nat router gateway.
Op wanted to give access to IOT devices - for this (TailScale or ANY VPN solution) to work they would ALL need to be TS clients and tunnel individually WHICH would get the port shutdown post haste. Without a router the op is limited to pretty much non wifi standards - meaning Zigbee, Matter, Zwave.
Because Dorm - 2.4G space will be crowded. Zwave is therefore the best bet if at all. Cloudflare tunnel Tailscale - it don't matter whose tunnel - you can't punch that many tunnels out and back in the campus net. Not happening.
I think we're actually talking about two different network models.
You're right that campus networks are isolated and that you generally need a NAT/router layer to build your own subnet for IoT devices; I'm not disputing that. A small travel router / NAT gateway is usually the clean solution for creating that isolated IoT LAN.
Where I disagree is the assumption that Tailscale (or similar VPNs) would require every IoT device to be a client and individually tunnel out. That's not how it has to be used.
You can run Tailscale (or any VPN) on a single gateway device acting as a subnet router, and then expose a whole local IoT network behind it. The IoT devices themselves don't need any VPN client at all. They just sit behind NAT on that local segment.
That said, I do agree with your core point: in a dorm/campus environment, relying on per-device VPN tunneling or anything that looks like multiple outbound tunnels is likely to get flagged or blocked quickly. So in practice, a proper NAT router/gateway creating a local IoT subnet is the correct base design.
And I also agree that for constrained RF environments (crowded 2.4GHz), Zigbee or Z-Wave is often the more reliable direction than Wi-Fi IoT.
So basically NAT gateway is required either way; VPN is optional and only useful if you want remote access to that isolated subnet, not as the primary networking solution for each device.
Yeah, fair. If the idea is to use Tailscale (or any VPN) as the actual network substrate for all IoT traffic, then I agree with you, that's not realistic on a campus network and would definitely get flagged.
My point was more that it can still be useful on top of a proper setup (like a NAT router) for management/access, not as a replacement for the local network itself.
So we're basically aligned:
NAT/router = required for IoT network in a dorm
VPN/Tailscale = optional, only for access/management
Not viable as the primary transport layer for all devices