How safe it is to expose HA on internet

Hi There

I have android system installed in my car, and want to track it using Traccar or some other app.
Problem is connecting to HA at home on internet. I have set up VPN but I have to manually connect to VPN from car which is not optimal solution. Has anyone done “connect to VPN when car start”.

If I expose my HA to internet byy opening port how risky it will be?


There’s always some risk.

Having said that the last known exploit was patched very quickly by home assistant. So the risk is pretty small if you keep Home Assistant up to date and keep up to date with Home Assistant news.

There are bad actors still attempting to use known (but patched) exploits any you may occasionally see a warning in your log that Home Assistant has blocked an attempt.

I had no issue for years when using DuckDNS (before switching to Nabu Casa). Just the occasional logged warning of a blocked attempt.

I will back up what @tom_l says here with one caveat - do it the right way.
Either deploy behind your own proxy with SSL using DuckDNS or something similar OR use Nabu Casa.

Absolutely NEVER EVER EVER expose a bare unsecured SSL HAport:8123 to the open internet without security or you’ll be owned faster you can unplug the cat 5 cable.

1 Like

@NathanCu Would you mind explaining what you mean by “bare unsecured SSL”? Wouldn’t having SSL mean that it was secure?

My setup is as follows:

   router with port 443 open
        nginx with SSL cert from Lets Encrypt with DuckDNS domain
            HASS running in Docker

From a conceptual standpoint, would that qualify as secured for HASS?

Sorry. Bare connection… SSL is ‘secure’ but don’t mistake what is secure about SSL. The authentication and the traffic inside your conversation is encrypted and secure. It’s better than no SSL. But it doesn’t inherently protect you from a determined bad actor beyond making the stuff in the conversation impossible to see.

Better than that, is some kind of reverse proxy that terminates SSL and evaluates the calls coming in and dumps any invalid traffic before it makes it to your install. But that means the reverse proxy understands what its looking at.