Home Assistant Add-on: Autossh (Cloud/VPN alternative)

Hey Community!

I want to share a solution to get your Home Assistant system hooked up to a public domain (or public IP). This solution works without port forwarding or a public IP for your home. You need a publicly available server though, e.g. for website hosting or your own mail server.
I decided to use an SSH tunnel instead of a VPN or one of the supported cloud services. The solution has a tiny footprint and has been rock solid so far.

Simple sense check: If you had little contact with “SSH servers” so far, this add-on is probably not for you :smiley:

The addon can be found in my repository at:

GitHub - ThomDietrich/home-assistant-addons: AutoSSH Home Assistant Addon - alternative to cloud or VPN: Permanent port forwarding

Development Status

The add-on has been running smoothly for almost two years.

At the time of this writing, no bug is known to me.

Audience

To be clear: This add-on is useful for you if you own a public server with an SSH service. This is also great in combination with a domain name, as you can then reach your home automation UI via e.g. https://ha.mydomain.com.

Counterpart Security

On the public server you link your setup to, an SSH server needs to be accessible and credentials must be provided to your Home Assistant instance. As this is a significant security risk by itself, I suggest a Docker-based solution to containerize the SSH-to-public-IP task. A docker-compose.yaml is provided with the repository.


I hope you enjoy the add-on and please do not hesitate to drop me a ticket or a PR.
Happy Automating!

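As an added example (not code from the add-on repository), here is a small POSIX shell helper that builds the least-privilege authorized_keys entry the "Counterpart Security" section calls for on the public server: the tunnel user gets no shell, no pty and no agent or X11 forwarding, and may only ask sshd to listen on one loopback port for the reverse forward. The sample public key is constructed, port 8123 is assumed to be the Home Assistant port being forwarded, and permitlisten needs OpenSSH 7.8 or newer.

```shell
#!/bin/sh
# Added example, not part of the add-on: restrict the tunnel user's key on
# the public counterpart server so a leaked key only yields a reverse forward.

# Constructed sample public key (not a real key from any add-on log).
SAMPLE_PUBKEY='ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIExampleExampleExampleExampleExampleExampl autossh@homeassistant'

# restricted_key_line PUBKEY LISTEN_PORT
# Prints one authorized_keys line. "restrict" switches off everything
# (shell/pty via no-pty, agent/X11 forwarding, forwarding in general);
# "port-forwarding" re-enables forwarding and "permitlisten" limits the
# remote (-R) forward to a single loopback socket on the server.
restricted_key_line() {
  pubkey=$1
  port=$2
  case $port in
    ''|*[!0-9]*) echo "invalid port: $port" >&2; return 1 ;;
  esac
  printf 'restrict,port-forwarding,permitlisten="127.0.0.1:%s" %s\n' "$port" "$pubkey"
}

# key_is_authorized KEYFILE PUBKEY
# Checks whether the key material (type + base64, ignoring the comment and
# any options prefix) is already present in KEYFILE. 0 if found, 1 if not.
key_is_authorized() {
  keyfile=$1
  keymat=$(printf '%s\n' "$2" | awk '{print $1" "$2}')
  grep -qF -- "$keymat" "$keyfile"
}

# Typical use on the server (assumed paths):
#   restricted_key_line "$SAMPLE_PUBKEY" 8123 >> /home/tunnel/.ssh/authorized_keys
```

The add-on side still connects with ssh -N -R 127.0.0.1:8123:... so that nginx on the server can proxy to localhost:8123; any other forward request from that key is refused by sshd.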

Just fyi,
I just set up a new Home Assistant instance and this addon is still doing what it’s supposed to. Reliable on three instances for up to a year. Cheers

You made my day @ThomDietrich. This works perfectly and is very easy to set up. I use Home Assistant in my motorhome with mobile WiFi and tried to get this working by setting up a VPN tunnel between my home router and the motorhome router. This works, but all traffic uses this link, which slows down my MS Teams meetings (I sometimes work from my motorhome :wink: ).
Splitting proved to be difficult, and this setup worked in 15 minutes.

A tip for anyone who uses a Linux server managed by Webmin: you can create an additional user with no login rights and paste the public key directly into the SSH Public key box.


Hi @ThomDietrich ,

thanks for the great work!

Sorry for the noob question. Can I use your add-on in the other direction? I mean, I’m not interested in being able to access my HA. I intend to establish an SSH tunnel between HA and a cloud server in order to allow secure MySQL communication. Is it possible with your addon?

Thanks,

Luis

Hey, I am not sure, it really depends on a few technical limitations I would need to look at first. Generally you are able to define any of the ssh tunnels through the configuration of the addon. What I am not sure about is whether the forwarded mysql port would then be accessible to your purpose, despite the docker environment. You need to play around with that.

Thanks @ThomDietrich ,

I will try (meanwhile I adopted another tunnel solution)

@ThomDietrich I am trying to use a pem private key downloaded from AWS. Can I replace the content of the private key used by the addon?

Hey,
this function is not provided through the container. You should be able to write to the mounted storage volume but I can’t tell you where that is located. You might need to explore a bit.

Or hack yourself a version of the addon that accepts a key as config input. I would accept a PR

I tried forking and adding a string input for the pem private key, but somehow when bash reads the config value into a variable and echoes the output > to the keyfile, the newline chars are not output correctly. After meddling for a few hours, I gave up. Just use the pubkey generated by the addon.

Thank you for creating this addon.

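The lost newlines described in the post above are what happens when the variable holding the key is expanded unquoted: the shell word-splits it and every line break turns into a space. As an added example (not the add-on's code), the broken write is shown beside a correct one; the key body is a constructed placeholder, not a real key.

```shell
#!/bin/sh
# Added example, not part of the add-on: write a multi-line private key that
# arrives as a single config string into a key file without mangling it.

# Constructed placeholder key body (not a real key).
SAMPLE_KEY='-----BEGIN OPENSSH PRIVATE KEY-----
bm90IGEgcmVhbCBrZXksIGp1c3QgYSBwbGFjZWhvbGRlcg==
-----END OPENSSH PRIVATE KEY-----'

# write_key_broken VALUE FILE: the pattern that loses newlines. Unquoted $1 is
# word-split on IFS (space, tab, newline), so the three lines are joined with
# spaces and ssh later refuses the one-line file as an invalid key.
write_key_broken() {
  echo $1 > "$2"
}

# write_key VALUE FILE: quoted printf keeps the value byte-for-byte (and, unlike
# echo, does not interpret flags or escapes), the file is created with a
# restrictive umask so the secret is never world-readable even briefly, and a
# trailing newline is guaranteed because OpenSSH expects one.
write_key() {
  ( umask 077; printf '%s\n' "$1" > "$2" )
  chmod 600 "$2"
}

# key_line_count FILE: cheap sanity check to run after writing; a PEM/OpenSSH
# key must have at least the BEGIN, body and END lines.
key_line_count() {
  wc -l < "$1" | tr -d ' '
}
```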

Hey all,
I’ve updated the README in the repository with a Docker-based counterpart SSH server to fully encapsulate and decouple the solution. I believe this might be useful to many.

Three years and another update. Just a quick reminder that this Addon is still doing great work.
A couple of improvements were recently added by contributors and I have just released a new update.

Version 1.3

  • You can now replace the obsolete remote forwarding setting by dedicated remote socket settings
  • Added a more streamlined and intuitive way to define the forwarding local/remote sockets: #16
  • Check the connectivity of the local socket, thanks to @hnykda
  • Wrapped the main command in an infinite loop to survive temporary connection issues (#17): Rjevski#1

Learn more: home-assistant-addons/autossh/DOCS.md at e89afe406fd4746b023ed93a3daaeff345914794 · ThomDietrich/home-assistant-addons · GitHub

Hi - short review … First I made my remotes manually; for 3 years I have used your add-on on several systems. Great and easy.
Yesterday I updated 2 systems from 1.2.1 to 1.3.3 … 1.3.4.
After the update I got a 502 Bad Gateway on both HA systems …
The nginx server I was coming from told me in the log:

“GET /config/dashboard HTTP/2.0” 502 157 “https://hassio.xyzmydomain.com/sw-modern.js” "Mozilla/5.0 (Mac …
Here in the log I can see the 502 Bad Gateway …

Short solution for me: backup install of Version 1.2.1.

Now the nginx log shows it is working:
“GET /api/hassio/addons/5da1ffb2_autossh/icon HTTP/2.0” 200 3619 “https://hassio.xyzmydomain.com/config/dashboard” "Mozilla/5.

So downgrading fixed my 502 Bad Gateway problem immediately …

Can you imagine what happens when doing the update to 1.3.3 or 1.3.4 - where is the change that causes the 502 Bad Gateway …

So that’s my thing with the 1.3.3 and 1.3.4 versions - not working - still on 1.2.1 at the moment.
I hope this log helps with fixing the issue - or is it only me having this?
Thanks and Regards
Frank

Sorry for the noise - I was able to fix it. It was a configuration fault with multiple servers on one machine. Everything is working now.
So the updates 1.3.3 and 1.3.4 are ok.


Thank you for this extension. I am having some trouble with keys. On the initial run I force key generation and get the notification:

Generating public/private ed25519 key pair.
Your identification has been saved in /data/ssh_keys/autossh_rsa_key
Your public key has been saved in /data/ssh_keys/autossh_rsa_key.pub

But I can not find these files and in future runs I get the message:

debug1: load_hostkeys: fopen /root/.ssh/known_hosts2: No such file or directory
debug1: load_hostkeys: fopen /etc/ssh/ssh_known_hosts: No such file or directory
debug1: load_hostkeys: fopen /etc/ssh/ssh_known_hosts2: No such file or directory

I am running Home Assistant OS on a Raspberry Pi and have a Debian server with a fixed IP and URL through an NGINX reverse proxy to a Docker instance on the other end, where I have placed the public key from the log in the authorized_keys file. Can you help?

Hey Wilfred,
you don’t have to find the keys. They are hidden behind the scenes on purpose. You also do not have to force a key generation. That happens on the initial run automatically.
All you need to do is run the app once and find the public key which is presented in the logs. The relevant line is:

[12:25:08] INFO: The public key used by this add-on is: ssh-rsa ...

> I am running Home Assistant OS … Can you help?

That sounds exactly as intended. Help me understand what you need help with please.
Regarding this message:

known_hosts2: No such file or directory

That is a normal warning, however I have taken note of it in Remove debug warnings about non-existing ssh known_hosts files · Issue #30 · ThomDietrich/home-assistant-addons · GitHub
This is not related to your issue and you can ignore it.

Thank you. The problem is that something is stopping the app from connecting with the server. Here is a longer piece of the log:

debug1: load_hostkeys: fopen /root/.ssh/known_hosts2: No such file or directory
debug1: load_hostkeys: fopen /etc/ssh/ssh_known_hosts: No such file or directory
debug1: load_hostkeys: fopen /etc/ssh/ssh_known_hosts2: No such file or directory
debug1: Host '[alhambra.opencommons.org]:2222' is known and matches the ED25519 host key.
debug1: Found key in /root/.ssh/known_hosts:1
debug1: rekey out after 134217728 blocks
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: rekey in after 134217728 blocks
debug1: SSH2_MSG_EXT_INFO received
debug1: kex_ext_info_client_parse: server-sig-algs=<rsa-sha2-256,rsa-sha2-512>
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey,keyboard-interactive
debug1: Next authentication method: publickey
debug1: Will attempt key: /data/ssh_keys/autossh_rsa_key ED25519 SHA256:<I removed this so as not to expose keys> explicit
debug1: Offering public key: /data/ssh_keys/autossh_rsa_key ED25519 SHA256:<I removed this so as not to expose keys> explicit
debug1: Authentications that can continue: publickey,keyboard-interactive
debug1: Next authentication method: keyboard-interactive
debug1: Authentications that can continue: publickey,keyboard-interactive
debug1: No more authentication methods to try.
[email protected]: Permission denied (publickey,keyboard-interactive).
s6-rc: info: service legacy-services: stopping
s6-rc: info: service legacy-services successfully stopped
s6-rc: info: service legacy-cont-init: stopping
s6-rc: info: service legacy-cont-init successfully stopped
s6-rc: info: service fix-attrs: stopping
s6-rc: info: service fix-attrs successfully stopped
s6-rc: info: service s6rc-oneshot-runner: stopping
s6-rc: info: service s6rc-oneshot-runner successfully stopped

Can you point me at what I am doing wrong?

I see. Well it looks like your server does not accept the login attempt. Could you check the SSH server log? From the addon log alone it’s difficult to understand the reason.

What surprises me is the fact that the preparation steps are supposed to catch issues like that beforehand. In the log, some lines above, you would have seen lines like these:

[10:56:26] INFO: If not done so already, please add the key to '~/.ssh/authorized_keys' on your remote server
[10:56:26] INFO: Testing Home Assistant socket '172.30.32.1:8123' on the local system... Web frontend reachable over HTTP
[10:56:27] INFO: Testing SSH service on 'alhambra.opencommons.org:2222'... SSH service reachable on remote server

If you are not able to solve this looking at the logs, could you please open a ticket over on Github, including a full (redacted) config yaml export and full (redacted) log? Thanks!