How to access HAOS instance through VPN (OpenVPN client inside HAOS)?

Third party integrations
,
1

Hi everyone,

I’ve recently had to migrate from Home Assistant Supervised to Home Assistant OS (HAOS) because of the deprecation (sic!) and support limitations of the Supervised installation method.

In my previous setup (running on Debian), I had OpenVPN installed directly on the host system.
This setup allowed my Home Assistant instance to automatically connect to my private VPN network after boot, and I could securely access the HA web interface from within the VPN at:

http://10.8.1.100:8123

After moving to HAOS, I realized that I no longer have SSH or OS-level access, so I can’t install or run the openvpn service directly on the host like before.

I noticed that there’s an OpenVPN Client add-on available in the add-on store, but as far as I can tell it only tunnels traffic from within the add-on container itself, not from the entire HAOS host or the Home Assistant web interface.
So it doesn’t seem to provide a way for the whole system to appear as a VPN client with its own internal VPN IP (like 10.8.1.100 in my old setup).

I’d like to ask:

  1. Is there any way to install or run an OpenVPN (or WireGuard) client directly on HAOS so the entire system appears inside my VPN network?
  2. If not, what’s the recommended approach to achieve the same result — for example, making the HAOS instance reachable inside my private VPN, ideally with a fixed internal VPN IP?

Any advice, best practices, or examples from people who’ve solved a similar issue would be really appreciated.

Thanks in advance!

2

Does your router offer any VPN capability?

Mine has OpenVPN built into it so I set that up and can now use the HA app as if at home.

3

I use the Wireguard Add-On.
It provides access to my Home Assistant setup through my local IP, just as if I were at home, as well as the rest of my network.

I also use an app called WG Tunnel on my Android phone; it pretty reliably sets up the Wireguard connection when I leave my Home WiFi, no matter if I’m connected through the mobile network or another WiFi. It even allows me to use a ‘split tunnel’ setup so that some apps, that have cause issues in the past, are not routed through the tunnel.

4

@Orange-GT3 I have a more complex setup — we can assume it’s cloud-hosted, so it needs to connect to a VPN where it can discover some local devices.

@chairstacker I’ll try using the WireGuard Add-on, but it’s not exactly what I was planning to do. The WireGuard add-on works as a VPN server, so I’d still need to set up a tunnel somewhere between the WireGuard HA VPN and my intranet VPN network.

Another possible solution would be tunneling all HAOS traffic through another machine configured as an OpenVPN client, but that would also introduce additional tunneling and make management more complicated.