How safe it is to expose HA on internet

Hi There

I have android system installed in my car, and want to track it using Traccar or some other app.
Problem is connecting to HA at home on internet. I have set up VPN but I have to manually connect to VPN from car which is not optimal solution. Has anyone done “connect to VPN when car start”.

If I expose my HA to internet byy opening port how risky it will be?

Thanks

There’s always some risk.

Having said that the last known exploit was patched very quickly by home assistant. So the risk is pretty small if you keep Home Assistant up to date and keep up to date with Home Assistant news.

There are bad actors still attempting to use known (but patched) exploits any you may occasionally see a warning in your log that Home Assistant has blocked an attempt.

I had no issue for years when using DuckDNS (before switching to Nabu Casa). Just the occasional logged warning of a blocked attempt.

I will back up what @tom_l says here with one caveat - do it the right way.
Either deploy behind your own proxy with SSL using DuckDNS or something similar OR use Nabu Casa.

Absolutely NEVER EVER EVER expose a bare unsecured SSL HAport:8123 to the open internet without security or you’ll be owned faster you can unplug the cat 5 cable.

4 Likes

@NathanCu Would you mind explaining what you mean by “bare unsecured SSL”? Wouldn’t having SSL mean that it was secure?

My setup is as follows:

internet
   |
   router with port 443 open
        |  
        nginx with SSL cert from Lets Encrypt with DuckDNS domain
            |
            HASS running in Docker

From a conceptual standpoint, would that qualify as secured for HASS?

Sorry. Bare connection… SSL is ‘secure’ but don’t mistake what is secure about SSL. The authentication and the traffic inside your conversation is encrypted and secure. It’s better than no SSL. But it doesn’t inherently protect you from a determined bad actor beyond making the stuff in the conversation impossible to see.

Better than that, is some kind of reverse proxy that terminates SSL and evaluates the calls coming in and dumps any invalid traffic before it makes it to your install. But that means the reverse proxy understands what its looking at.

Using an nginx reverse proxy with SSL termination which simply hands requests to the internal instance does not give you any considerable security advantages in comparison to exposing a HA installation using SSL. Depending on your risk tolerance, both kinda dangerous.

Until today, my HA setup was like this

  • HA Core running in RPi 4 (second authentication method is required to access it)
  • Nginx as reverse proxy
  • Router with port 443 open
  • Domain proxied through Cloudflare
  • Internet access through Cloudflare Access (with only specific email addresses being allowed)

Unfortunately, to allow the integration with Google Assistant, today, I had to disable the Cloudflare Access option.

Hopefully I won’t regret this action…

Did you end up regretting it?

1 Like

Bumperboy, did something ever happen, or is the system safe in it self?

So far, I can’t say that I had issues after removing the Cloudflare Access part.

Probably my setup is not as secure as it should be but it works well.

I was considering opening my HA to the internet for ease of use for my family (VPN isn’t super trainable for my wife).
I’d run my subdomain via cloudflare proxy to my open port 443 on my firewall. I have a traefik container port forwarded to 443 on my firewall. Traefik passes all requests for non-dockerized servers to nginx proxy manager that ultimately sends traffic to the correct server. Also using strong passwords and MFA. Does this seem like a secure option?

I’m using Tailscale for accesing it outside of my network. It is a VPN, but I was able to train my wife to use it :slight_smile: