HA Security. Consensus?

Indeed, DNS is a convenience element helping you (and others) find and connect to your IP, offering very little in the way of security.

Encryption prevents the sniffing packets and passwords getting picked up while traveling from your remote device to your server.

That does nothing to protect your server when accessed directly by someone else. You need a decent password and IPban as a minimum to prevent a simple brute force attack.

but that does nothing to stop people using any backdoor or exploit (known or not).

Simple.

Dont expose your home network to the outside world.

Poll the data you need to your systems from the outside.

Sure it is safer to just don’t expose anything to the outside, maybe I misunderstand your idea, but how do you poll anything from the outside if there is no way to do so?

You can use a number of systems to grab the data from an outside server. You do this every time you open a browser or have HA get the weather.

A better question would be to ask why do you need to open up HA to the outside? What is it you are wanting to do?

Use the Tor service on HA. There is also an Hasio addon. No ports to open and with the stealth mode your HA is invisible.

A far better solution would be a VPN. Client to server, end to end fully encrypted and encapsulated on all ports and services, not just HTTP.

That way ( unless it’s your vpn software ) even if there are exploits in the service you run it doesn’t matter because your only exposing a VPN service to the outside world - which needs a certificate not just a password.

I’m sorry, but I still can’t make sense of your answer. What has using a web browser to browse the internet to do with exposing a local port on your LAN to the WAN? To grab data from the so called cloud, aka. web servers you don’t need to expose anything to the WAN. Outbound traffic is no problem. It is the inbound traffic that has to be secured properly.

There are plenty of reasons to be using HA from outside your LAN. Being able to control certain devices, check web cams, reading values. So, the question is not why to use it, but rather, how to make is “bullet proof”. And there are plenty of options that have already mentioned in this thread.

I’m trying to work out if you’re being deliberately facetious or not with this

People want to control their HA install when they aren’t at home. You seem to know of a way of doing this by a polling method. If you do, please explain it to the group.

Correct. By using VPN, TOR (I think) or an SSH tunnel you don’t have to expose HA’s port to the outside which makes it a lot more secure. You just have to make sure that your authentication mechanisms are set up correctly to ensure nobody but you (and whoever you consider) can access your local network.

I’m not sure how Tor works. SSH you would need the port open for this and would need to have user and password, unless you setup key exchange between the client and the device, making it password less. Only setback on that is an ssh tunnel needs to have one per port/ service.

I want to access lots of my home services, HA, open energy monitor, grafana, phpmyadmin, my nas, my router etc. VPN gives me all of the connections I need in one connection open on my router. Plus I can browse the internet via my home lan without the local network knowing what I’m doing.

Haven’t tried tor but to be honest it would take something pretty amazing to top vpn, for me.

You can use an SSH tunnel as a proxy, that way you’d be browsing pretty much like when you’re at home. Pre-shared keys are a must in my opinion. But I use it only if I can’t use VPN which I prefer as well. I have yet to find a reason to expose the HA port to the outside world.

Agreed. Have a president to only expose services which are designed with security as their primary objective.

Now there’s an idea. Have an intermediary service which can be polled from HA.

I think HA cloud works like that - the dev team have some big plans for it. I’m very much looking forward to Alexa shopping list integration.

Facetious??.. Just trying to understand what is trying to be achieved by presenting HA to the world? Since there will be better options.

Unless you know and understand what your doing, know how to test. Do not present anything from your internal network to the world. If your on a forum asking how to do this - the answer is simple - Don’t

cgtobi3h
You can use an SSH tunnel as a proxy, that way you’d be browsing pretty much like when you’re at home. Pre-shared keys are a must in my opinion. But I use it only if I can’t use VPN which I prefer as well. I have yet to find a reason to expose the HA port to the outside world.

I agree with this…

However, people must understand what it is they are doing before putting there entire network at risk…even with implementing VPN or SSH

Yeah, facetious, because you act like you have no idea why people want external access to their system when it is patently obvious, and claim to have a way to access homeassistant via a polling method, but clearly you do not otherwise you would have told us what it was.

yawn

???

I was asking what the OP was specifically after from his HA in the outside world? Then it would have been easier to give an answer. I think you miss-understood or miss-read my responses.

I have not claimed anything - please slow down, calm down and re-read.

@anon59013933

OP here.
I want to be able to (amongst other things) control my garden irrigation when I’m on holiday and see where people are on the map. Yes, the location bit can be achieved without HA.

At the moment I accept that I can’t. I am just trying to clarify in my mind whether I should expect to be able to. Most here seem to think I shouldn’t because I am (still) a long way from understanding network security to the level that I am told I need to.

Evening klogg,

There are a few ways to do what you want of the top of my head and I am sure many, many others off the top of others…

I quite like using Apple Home app to use services outside my home. But this will depend on if you have an iPhone and a old iPad (iOS 10.x) or Apple TV (one below 4k) / Apple TV 4k (You will need an iPad/Apple TV to use the Home App outside your home)

I use a raspberry pi to run “Homebridge” and there are some nice simple guides to setting it up… Link

This will also give you feed back to what is turned on / off / state etc depending on if you have exposed it to home bridge… the advantage of this is it’s behind Apple authenticated through your secure iCloud and quite a nice app to use.

As also mentioned above. VPN could also be a good option for you… This will give you your HA as it exists now…
However only enable it when you need to (your away) - your router will most likely have an option for this… please understand the risks behind doing this and the protocols being used, its very easy to fall into a trap of false security because your using VPN - If you go don this route… think about DNS. There are several free options but you dont want to go away and find your IP changes - but you can always get HA to ping you your new IP…

Using an MQTT broker (i.e. CloudMQTT) your HA can then pull your message and act (i.e. turn on / off run automation) - I do this a lot but use Node Red to do the automation routine…You can then get a MQTT message back to say x, y has been run / stopped / state or a notification. There are several MQTT publishing apps you could use from your phone… Its a very fast, lightweight way of reliably getting info back and forth… since I know zero about irrigation… you could send message for the status of your irrigation… then get a notification back to your phone “Needs water” and send a message to water - sorry thats the extent of my knowledge on irrigation.

Using calendar services is a way to automate a schedule but there are several others. One advantage of a calendar is that you use your phone to set the event to start and stop with a moments notice depending how you setup HA/NodeRed etc… However it has the downsides with schedules.

You don’t say how you get the data position of mapping people… iCloud, Owntracks etc?

I mostly use NodeRed to run most things and use HA and a source for devices. Do you use any other services or just HA?

Why is it not a automated function though? Needs water -> water -> enough water -> stop water -> send notification “Watered whatever - used 3.4 litters of water - time started 2:30pm time stopped 3:30pm”

One more thing… what happens if there is a power cut? do all your services power on correctly? will you know? using something to monitor your systems (raspberry pi’s are good for this) and restart services etc - UPS / NUT … Super important if you use Docker especially on some NAS systems.

Dont want to see you go on holiday to find all your systems are down 2 days later

Evening
Wow… there’s a lot there. Thank you.

Immediate thoughts are that I don’t have anything Apple!

I use MQTT - Mosquitto on hassio - to control most of the things I have automated (especially Sonoffs) and it works well. I use OwnTracks for location which also seems to work well for me but since closing the router port I am trying to Bridge Cloudmqtt but I can’t get Mosquitto to read my conf file (a separate post exists for this so please if anyone knows how to make this work, tell me!! Did I say please?)

Specifically, the irrigation is weather dependant so unattended fixed watering durations don’t really work and despite many hours of research there is no reliable way to get rainfall info into HA (trust me on this, I know it sounds unlikely but I am not alone in having tried!). My own rain sensor would do it of course but currently I don’t have one.

Finally for now, much if what you suggest I do I am already doing using Telegram and I do plan to implement much more. It just seems a shame to have to effectively write a whole front end to HA when it already has a perfectly good one.

Oh yes, finally, finally, I have indeed set up a VPN server on a Pi (thanks to help from @Robbrad) but I got cold feet about implementing it for the very reasons you give. I would be putting blind faith in it as I do not (yet) fully understand what I have created!

EDIT: yes power cuts… thankfully very rare here.
And I forgot to mention that I’d love to use some calendar integration but I use MS Outlook and that doesn’t seem to be an option with HA and no, I don’t really want to run a parallel Google calendar.