I want to share a solution to get your Home Assistant system hooked up to a public domain (or public IP). This solution works without port forwarding or a public IP for your home. You need a publicly available server though, e.g. for website hosting or your own mail server.
I decided to use an SSH tunnel instead of a VPN or one of the supported cloud services. The solution has a tiny footprint and has been rock solid so far.
Simple sense check: if you have had little contact with “SSH servers” so far, this add-on is probably not for you.
The add-on has been running smoothly for almost two years.
At the time of this writing, no bug is known to me.
Audience
To be clear: This add-on is useful for you if you own a public server with an SSH service. This is also great in combination with a domain name, as you can then reach your home automation UI via e.g. https://ha.mydomain.com.
Counterpart Security
On the public server you link your setup to, an SSH server needs to be accessible and credentials must be provided to your Home Assistant instance. As this is a significant security risk by itself, I suggest a Docker-based solution to containerize the SSH-to-publicly-available-IP task. A docker-compose.yaml is provided with the repository.
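As an added illustration of the “counterpart security” point (example code, not part of the add-on or its repository): whatever the SSH endpoint is, the account the add-on logs into should be allowed to do nothing except hold the reverse (remote-forwarding) tunnel open. The helper below writes an authorized_keys line with OpenSSH key restrictions and an sshd_config Match block for a dedicated tunnel user. The user name hatunnel, the port 8123 and the key string are constructed placeholders; the real public key is the one the add-on prints in its log.

```shell
#!/bin/sh
# Added example (not the add-on's code): lock down the server-side account used
# for the reverse tunnel. Assumes OpenSSH 7.8 or newer (for permitlisten).

# Build an authorized_keys line for the tunnel key.
#   $1 = public key as printed by the add-on, $2 = port the client may listen on.
# "restrict" switches off pty, agent/X11 forwarding and port forwarding;
# "port-forwarding" re-enables forwarding and "permitlisten" limits the -R
# listener to that single port on the server's loopback interface.
tunnel_authorized_keys_line() {
  printf 'restrict,port-forwarding,permitlisten="%s" %s\n' "$2" "$1"
}

# Append an sshd_config Match block for the dedicated tunnel user.
#   $1 = user name, $2 = file to append to (normally /etc/ssh/sshd_config.d/tunnel.conf)
# AllowTcpForwarding remote: only -R tunnels, no -L/-D pivoting through the box.
# GatewayPorts no: the forwarded port binds to 127.0.0.1, so only the local
# reverse proxy (e.g. nginx) can reach Home Assistant through it.
tunnel_sshd_match_block() {
  cat >>"$2" <<EOF
Match User $1
    AllowTcpForwarding remote
    GatewayPorts no
    PermitTTY no
    X11Forwarding no
    AllowAgentForwarding no
    PasswordAuthentication no
EOF
}

# Stand-alone demo with a constructed key, written to a temporary file.
if [ "${1:-}" = "demo" ]; then
  demo_key="ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICONSTRUCTEDKEYNOTREAL ha-addon"
  tunnel_authorized_keys_line "$demo_key" 8123
  tmp=$(mktemp)
  tunnel_sshd_match_block hatunnel "$tmp"
  cat "$tmp"
  rm -f "$tmp"
fi
```

Run it with `sh tunnel_hardening.sh demo` to see both fragments; in production, append the Match block to sshd_config, create the hatunnel user with no shell (e.g. `/usr/sbin/nologin`), and put the generated line into `/home/hatunnel/.ssh/authorized_keys`. Because the user has no TTY and no local forwarding, a leaked add-on key only lets an attacker expose a listener on the server's loopback on the one permitted port.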
I hope you enjoy the add-on and please do not hesitate to drop me a ticket or a PR.
Happy Automating!
Just fyi,
I just set up a new Home Assistant instance and this add-on is still doing what it’s supposed to. Reliable on three instances for up to a year. Cheers
You made my day @ThomDietrich. This works perfectly and is very easy to set up. I use Home Assistant in my motorhome with mobile WiFi and tried to get this working by setting up a VPN tunnel between my home router and the motorhome router. This works, but all traffic uses this link, which slows down my MS Teams meetings (sometimes I work from my motorhome).
Splitting proved to be difficult and this setup worked in 15 minutes.
A tip for those who use a Linux server managed by Webmin: you can create an additional user with no login rights and paste the public key directly into the SSH Public key box.
Sorry for the noob question. Can I use your add-on in the other direction? I mean, I’m not interested in being able to access my HA. I intend to establish an SSH tunnel between HA and a cloud server in order to allow secure MySQL communication. Is it possible with your add-on?
Hey, I am not sure, it really depends on a few technical limitations I would need to look at first. Generally you are able to define any SSH tunnel through the configuration of the add-on. What I am not sure about is whether the forwarded MySQL port would then be accessible for your purpose, despite the Docker environment. You need to play around with that.
Hey,
this function is not provided through the container. You should be able to write to the mounted storage volume, but I can’t tell you where that is located. You might need to explore a bit.
Or hack yourself a version of the add-on that accepts a key as config input. I would accept a PR.
I tried forking and adding a string input for the PEM private key, but somehow when bash reads the config value into a variable and echoes the output > to the key file, the newline characters are not output correctly. After meddling for a few hours, I gave up. Just use the pubkey generated by the add-on.
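The newline problem described above is a shell quoting issue, and it is worth showing because a private key written with its line structure destroyed is silently unusable. The block below is an added example, not code from the add-on or from the poster's fork: the key material is a constructed stand-in (not a real key), and the three writer functions show the lossy `echo $var` pattern beside two correct variants, one for values that still contain real newlines and one for values that arrived with literal `\n` escape sequences (as a single-line string pasted into a config field would).

```shell
#!/bin/sh
# Added example (not the add-on's code): preserving newlines when writing a
# multi-line secret from a shell variable to a key file.

# Constructed stand-in for a PEM block; this is NOT a real private key.
SAMPLE_KEY='-----BEGIN OPENSSH PRIVATE KEY-----
bm90IGEgcmVhbCBrZXk=
-----END OPENSSH PRIVATE KEY-----'

# Lossy: the unquoted expansion is split on whitespace (including newlines)
# into separate words, and echo joins them back with single spaces, so the
# file ends up as one long line that ssh will reject.
#   $1 = output file, $2 = key text
write_key_lossy() {
  echo $2 > "$1"
}

# Correct when the variable holds real newlines: quote the expansion and let
# printf emit it verbatim, then restrict the file mode as ssh requires.
write_key_intact() {
  printf '%s\n' "$2" > "$1"
  chmod 600 "$1"
}

# Correct when the value carries literal backslash-n sequences (two characters)
# instead of newlines: %b interprets those escapes while writing.
write_key_unescape() {
  printf '%b\n' "$2" > "$1"
  chmod 600 "$1"
}

# Number of lines in a file, as a bare integer.
count_lines() {
  wc -l < "$1" | tr -d ' '
}

# Stand-alone demo: show the line counts each writer produces.
if [ "${1:-}" = "demo" ]; then
  f=$(mktemp)
  write_key_lossy "$f" "$SAMPLE_KEY";   echo "lossy:    $(count_lines "$f") line(s)"
  write_key_intact "$f" "$SAMPLE_KEY";  echo "intact:   $(count_lines "$f") line(s)"
  write_key_unescape "$f" 'line1\nline2\nline3'; echo "unescape: $(count_lines "$f") line(s)"
  rm -f "$f"
fi
```

Whichever way the add-on hands the value to the script, the rule is the same: always expand the variable inside double quotes, prefer `printf` over `echo` (whose escape handling differs between shells), and create the file with mode 600 before anything else can read it.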
Hey all,
I’ve updated the README in the repository with a Docker-based counterpart SSH server to fully encapsulate and decouple the solution. I believe this might be useful to many.
Three years and another update. Just a quick reminder that this Addon is still doing great work.
A couple of improvements were recently added by contributors and I have just released a new update.
Version 1.3
You can now replace the obsolete remote forwarding setting with dedicated remote socket settings.
Added a more streamlined and intuitive way to define the forwarding local/remote sockets: #16
Check the connectivity of the local socket, thanks to @hnykda
Wrapped the main command in an infinite loop to survive temporary connection issues (#17): Rjevski#1
Hi - short review … First I made my remotes manually - for 3 years I have used your add-on on several systems. Great and easy.
Yesterday I updated 2 systems from 1.2.1 to 1.3.3 … 1.3.4
After the update I got 502 Bad Gateway on both HA systems …
The nginx server I was coming from told me in the log:
So downgrading fixed my 502-gateway problem immediately …
Can you imagine what happens when doing the update to 1.3.3 or 1.3.4 - where is the change, getting 502 Bad Gateway …
So that’s my thing with the 1.3.3 and 1.3.4 versions - not working - still on 1.2.1 at the moment.
I hope this log helps fix the issue - or is it only me having this?
Thanks and Regards
Frank
Sorry for the noise - I was able to fix it. It was a configuration fault with multiple servers on one machine. Everything is working now.
So the updates 1.3.3 and 1.3.4 are OK.
Thank you for this extension. I am having some trouble with keys. On the initial run I forced key generation and got the notification:
Generating public/private ed25519 key pair.
Your identification has been saved in /data/ssh_keys/autossh_rsa_key
Your public key has been saved in /data/ssh_keys/autossh_rsa_key.pub
But I cannot find these files, and in future runs I get the message:
debug1: load_hostkeys: fopen /root/.ssh/known_hosts2: No such file or directory
debug1: load_hostkeys: fopen /etc/ssh/ssh_known_hosts: No such file or directory
debug1: load_hostkeys: fopen /etc/ssh/ssh_known_hosts2: No such file or directory
I am running Home Assistant OS on a Raspberry Pi and have a Debian server with a fixed IP and URL, reached through an NGINX reverse proxy to a Docker instance on the other end, where I have placed the public key from the log in the authorized_keys file. Can you help?
Hey Wilfred,
you don’t have to find the keys. They are hidden behind the scenes on purpose. You also do not have to force a key generation. That happens on the initial run automatically.
All you need to do is run the app once and find the public key which is presented in the logs. The relevant line is:
[12:25:08] INFO: The public key used by this add-on is: ssh-rsa ...
I am running home assistant OS … Can you help?
That sounds exactly as intended. Help me understand what you need help with please.
Thank you. The problem is that something is stopping the app from connecting with the server. Here is a longer piece of the log:
debug1: load_hostkeys: fopen /root/.ssh/known_hosts2: No such file or directory
debug1: load_hostkeys: fopen /etc/ssh/ssh_known_hosts: No such file or directory
debug1: load_hostkeys: fopen /etc/ssh/ssh_known_hosts2: No such file or directory
debug1: Host '[alhambra.opencommons.org]:2222' is known and matches the ED25519 host key.
debug1: Found key in /root/.ssh/known_hosts:1
debug1: rekey out after 134217728 blocks
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: rekey in after 134217728 blocks
debug1: SSH2_MSG_EXT_INFO received
debug1: kex_ext_info_client_parse: server-sig-algs=<rsa-sha2-256,rsa-sha2-512>
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey,keyboard-interactive
debug1: Next authentication method: publickey
debug1: Will attempt key: /data/ssh_keys/autossh_rsa_key ED25519 SHA256:<I removed this so as not to expose keys> explicit
debug1: Offering public key: /data/ssh_keys/autossh_rsa_key ED25519 SHA256:<I removed this so as not to expose keys> explicit
debug1: Authentications that can continue: publickey,keyboard-interactive
debug1: Next authentication method: keyboard-interactive
debug1: Authentications that can continue: publickey,keyboard-interactive
debug1: No more authentication methods to try.
[email protected]: Permission denied (publickey,keyboard-interactive).
s6-rc: info: service legacy-services: stopping
s6-rc: info: service legacy-services successfully stopped
s6-rc: info: service legacy-cont-init: stopping
s6-rc: info: service legacy-cont-init successfully stopped
s6-rc: info: service fix-attrs: stopping
s6-rc: info: service fix-attrs successfully stopped
s6-rc: info: service s6rc-oneshot-runner: stopping
s6-rc: info: service s6rc-oneshot-runner successfully stopped
I see. Well, it looks like your server does not accept the login attempt. Could you check the SSH server log? From the add-on log alone it’s difficult to understand the reason.
What surprises me is the fact that the preparation steps are supposed to catch issues like that beforehand. In the log, some lines above, you would have seen lines like these:
[10:56:26] INFO: If not done so already, please add the key to '~/.ssh/authorized_keys' on your remote server
[10:56:26] INFO: Testing Home Assistant socket '172.30.32.1:8123' on the local system... Web frontend reachable over HTTP
[10:56:27] INFO: Testing SSH service on 'alhambra.opencommons.org:2222'... SSH service reachable on remote server
If you are not able to solve this by looking at the logs, could you please open a ticket over on GitHub, including a full (redacted) config yaml export and full (redacted) log? Thanks!
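The log above shows the add-on offering its key and the server answering “Permission denied (publickey,keyboard-interactive)”, which means the key was presented but sshd did not accept it. Besides the server log the author asks for, two server-side conditions account for most such failures: the key from the add-on log is not actually in the account's authorized_keys, or sshd's default StrictModes refuses the file because the home directory, ~/.ssh or authorized_keys is group/world-writable. The checks below are an added example (not part of the add-on); they assume a Linux server with GNU stat, and the home path and key string are supplied by whoever runs them.

```shell
#!/bin/sh
# Added example (not the add-on's code): server-side checks for the usual causes
# of "Permission denied (publickey)" after the key was supposedly installed.
# Assumes GNU stat; run on the public server as root or as the tunnel user.

# Symbolic mode of a path, e.g. drwx------ (char 6 = group write, char 9 = other write).
mode_of() {
  stat -c '%A' "$1"
}

# sshd with StrictModes (the default) ignores authorized_keys when the home
# directory, ~/.ssh or the file itself is writable by group or others.
#   $1 = home directory of the account the add-on logs into
# Returns 0 when everything looks acceptable, 1 otherwise (with a reason).
check_ssh_perms() {
  home="$1"
  [ -d "$home/.ssh" ] || { echo "missing $home/.ssh"; return 1; }
  [ -f "$home/.ssh/authorized_keys" ] || { echo "missing $home/.ssh/authorized_keys"; return 1; }
  for p in "$home" "$home/.ssh" "$home/.ssh/authorized_keys"; do
    case "$(mode_of "$p")" in
      ?????w*|????????w*)
        echo "$p is group- or world-writable; sshd StrictModes will reject the key"
        return 1
        ;;
    esac
  done
  return 0
}

# Is the public key shown in the add-on log present in authorized_keys?
#   $1 = authorized_keys file, $2 = key as printed by the add-on ("ssh-rsa AAAA...")
# A fixed-string match tolerates option prefixes such as "restrict,port-forwarding".
key_authorized() {
  grep -qF "$2" "$1"
}

# Stand-alone usage: sh check_publickey.sh /home/hatunnel "ssh-ed25519 AAAA... ha-addon"
if [ "$#" -eq 2 ]; then
  check_ssh_perms "$1" && echo "permissions OK"
  if key_authorized "$1/.ssh/authorized_keys" "$2"; then
    echo "key is present in authorized_keys"
  else
    echo "key NOT found in $1/.ssh/authorized_keys; paste the line from the add-on log"
  fi
fi
```

If both checks pass and the login is still refused, the remaining explanations live in sshd's own configuration (for example the user not being in an AllowUsers list, or PubkeyAuthentication disabled) and will show up in the server's auth log, which is exactly what the author suggests reading next.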