I want to share a solution to get your Home Assistant system hooked up to a public domain (or public IP). This solution works without port forwarding or a public IP for your home. You need a publicly available server though, e.g. one used for website hosting or your own mail server.
I decided to use an SSH tunnel instead of a VPN or one of the supported cloud services. The solution has a tiny footprint and has been rock solid so far.
Simple sense check: If you have had little contact with “SSH servers” so far, this add-on is probably not for you.
The add-on has been running smoothly for almost two years.
At the time of this writing, no bug is known to me.
Audience
To be clear: This add-on is useful for you if you own a public server with an SSH service. This is also great in combination with a domain name, as you can then reach your home automation UI via e.g. https://ha.mydomain.com.
Counterpart Security
On the public server you link your setup to, an SSH server needs to be accessible and credentials must be provided to your Home Assistant instance. As this is a significant security risk by itself, I suggest a Docker-based solution to containerize the SSH-to-publicly-available-IP task. A docker-compose.yaml is provided with the repository.
I hope you enjoy the add-on and please do not hesitate to drop me a ticket or a PR.
Happy Automating!
Just fyi,
I just set up a new Home Assistant instance and this addon is still doing what it’s supposed to. Reliable on three instances for up to a year. Cheers
You make my day @ThomDietrich. This works perfectly and is very easy to set up. I use Home Assistant in my motorhome with mobile WiFi and tried to get this working by setting up a VPN tunnel between my home router and the motorhome router. This works, but all traffic uses this link, which slows down my MS Teams meetings (I sometimes work from my motorhome).
Splitting proved to be difficult and this setup worked in 15 minutes.
A tip for anyone who uses a Linux server managed by Webmin: You can create an additional user with no login rights and paste the public key directly in the SSH Public key box.
Sorry for the noob question. Can I use your add-on in the other direction? I mean, I’m not interested in being able to access my HA. I intend to establish an SSH tunnel between HA and a cloud server in order to allow secure MySQL communication. Is it possible with your addon?
Hey, I am not sure, it really depends on a few technical limitations I would need to look at first. Generally you are able to define any of the SSH tunnels through the configuration of the addon. What I am not sure about is whether the forwarded MySQL port would then be accessible for your purpose, despite the Docker environment. You need to play around with that.
Hey,
this function is not provided through the container. You should be able to write to the mounted storage volume but I can’t tell you where that is located. You might need to explore a bit.
Or hack yourself a version of the addon that accepts a key as config input. I would accept a PR.
I tried forking and adding a string input for the PEM private key, but somehow when bash reads the config value into a variable and echoes the output > to the keyfile, the newline chars are not output correctly. After meddling for a few hours, I gave up. Just use the pubkey generated by the addon.
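The newline problem described in the post above has a small fix, sketched here as an added example that is not code from the add-on or from any poster. It assumes the key reaches the script either with real newlines or with literal `\n` escapes; `write_pem_key` and `SAMPLE_KEY` are hypothetical names and the key body is a constructed placeholder.

```sh
#!/bin/sh
# Added example, not add-on code: write a PEM private key that arrives as a
# config string to a key file without mangling its line breaks.
# Background: an unquoted `echo $key > file` lets the shell word-split the
# value and join it with spaces, and a raw JSON string may carry a literal
# backslash-n instead of a newline. ssh rejects a key file in either state.

# Constructed placeholder, not a real key.
SAMPLE_KEY='-----BEGIN OPENSSH PRIVATE KEY-----\nQ09OU1RSVUNURUQ=\n-----END OPENSSH PRIVATE KEY-----'

# write_pem_key <pem-string> <destination>
# The body runs in a subshell, so its variables and umask do not leak.
write_pem_key() (
    raw=$1
    dest=$2

    # Drop carriage returns, turn literal "\n" into newlines, remove blank lines.
    pem=$(printf '%s\n' "$raw" | tr -d '\r' \
        | awk '{ gsub(/\\n/, "\n"); print }' | sed '/^[[:space:]]*$/d')

    # Refuse anything that is not framed as a PEM private key.
    first=$(printf '%s\n' "$pem" | sed -n '1p')
    last=$(printf '%s\n' "$pem" | sed -n '$p')
    case $first in
        "-----BEGIN "*"PRIVATE KEY-----") ;;
        *) echo "missing PEM BEGIN line" >&2; return 1 ;;
    esac
    case $last in
        "-----END "*"PRIVATE KEY-----") ;;
        *) echo "missing PEM END line" >&2; return 1 ;;
    esac

    # Create the file as owner-only; ssh ignores keys readable by others.
    # The variable is quoted and printf '%s\n' does not interpret its content.
    umask 077
    rm -f -- "$dest"
    printf '%s\n' "$pem" > "$dest"
)

# Demo: write the constructed sample to a temporary file and show it.
demo=$(mktemp) && write_pem_key "$SAMPLE_KEY" "$demo" && cat "$demo"
rm -f -- "$demo"
```

A key stored in the add-on configuration is readable by anything that can read that configuration, which is one reason to prefer the key pair the add-on generates itself.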
Hey all,
I’ve updated the README in the repository with a Docker-based counterpart SSH server to fully encapsulate and decouple the solution. I believe this might be useful to many.
Three years and another update. Just a quick reminder that this Addon is still doing great work.
A couple of improvements were recently added by contributors and I have just released a new update.
Version 1.3
- You can now replace the obsolete remote forwarding setting with dedicated remote socket settings
- Added a more streamlined and intuitive way to define the forwarding local/remote sockets: #16
- Check the connectivity of the local socket, thanks to @hnykda
- Wrapped the main command in an infinite loop to survive temporary connection issues (#17): Rjevski#1
Hi - short review … First I made my remotes manually - for 3 years I have used your add-on on several systems. Great and easy.
Still, yesterday I updated 2 systems from 1.2.1 to 1.3.3 … 1.3.4
After the update I got 502 Bad Gateway on both HA systems …
My nginx - server I was coming from told me in the log:
So downgrading fixed my 502-gateway problem immediately …
Can you imagine what happens when doing the update to 1.3.3 or 1.3.4 - where is the change, getting 502 Bad Gateway …
So that’s my thing with the 1.3.3 and 1.3.4 versions - not working - still on 1.2.1 at the moment.
I hope this log helps fix the issue - or is it only me having this?
Thanks and Regards
Frank
Sorry for the noise - I was able to fix it. It was a configuration fault with multiple servers on one machine. Everything is working now.
So the updates 1.3.3 and 1.3.4 are OK.