Hi, I want to secure my network and am thus running everything behind a VPN. So great: nothing can access my network unless I have my VPN running. But then, I wanted to integrate Google Assistant (without Nabu Casa). And it needs access to my Home Assistant. So I temporarily fixed this by forwarding my Home Assistant port through my VPN, but this, of course, creates a security hole. How can I best fix this security hole? Also, any other good ways to help further secure the network?
To put this simply, if you want Google Assistant to access (and you DON’T want to use Nabu Casa) you need a port open to your Home Assistant. That’s just the nature of how the internet works.
@flamingm0e but can’t I, say, set up IPSec between my home and GCP site, so that no ports even need to be externally exposed? Or at least expose one secure UDP port for something like WireGuard or OpenVPN instead of exposing the Home Assistant port to the world? I guess that was the main point of the OP… Please let me know if I got it wrong…
I bought a wildcard certificate for my domain, and the open port in my router points at an Apache reverse proxy. Only a specific (very cryptic) hostname forwards the request to Home Assistant. All other hostnames just end up at a dummy site.
Even though that’s more like security by obscurity, I haven’t seen a single request from unknown sources that ended up in the access log for the HA host in the past years I’ve been doing it like that.
I believe the wildcard certificate is quite important though, as otherwise the valid hostname(s) would be part of the certificate, and thus available to the attacker. Also it would show up on crt.sh.
I do a similar thing here, but using nginx and generating a separate Let’s Encrypt certificate for each ‘obscured’ subdomain.
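The hostname-based proxy setup described in the two previous replies (a wildcard certificate, one cryptic hostname forwarded to Home Assistant, everything else handled elsewhere), written out as an added nginx example. This is not either poster's own configuration. It assumes Home Assistant listens on 127.0.0.1:8123, that the wildcard certificate for `*.example.com` is stored under `/etc/ssl/example.com/`, and that `x7q3v9k2.example.com` stands in for the cryptic hostname. Instead of a dummy site, the catch-all block simply closes the connection, which keeps the log noise on the HA vhost to genuine hits.

```nginx
# Added example, not from the thread. Placeholders: x7q3v9k2.example.com
# (the obscure hostname), /etc/ssl/example.com/ (wildcard cert location),
# 127.0.0.1:8123 (Home Assistant backend).

# Catch-all for every hostname that was not deliberately published,
# including requests that hit the bare IP or the wildcard itself.
# 444 is nginx-specific: close the connection without sending a response.
server {
    listen 443 ssl default_server;
    listen [::]:443 ssl default_server;
    server_name _;

    # The wildcard cert is presented here too, so the TLS handshake
    # completes without telling the client which names are "real".
    ssl_certificate     /etc/ssl/example.com/fullchain.pem;
    ssl_certificate_key /etc/ssl/example.com/privkey.pem;

    return 444;
}

# Plain HTTP is never forwarded to Home Assistant; drop it outright.
server {
    listen 80 default_server;
    listen [::]:80 default_server;
    server_name _;
    return 444;
}

# Only the one cryptic hostname reaches Home Assistant.
server {
    listen 443 ssl;
    listen [::]:443 ssl;
    server_name x7q3v9k2.example.com;

    ssl_certificate     /etc/ssl/example.com/fullchain.pem;
    ssl_certificate_key /etc/ssl/example.com/privkey.pem;
    ssl_protocols TLSv1.2 TLSv1.3;

    # Separate log so any unexpected visitor on the HA vhost stands out,
    # which is the check the reply above describes doing by hand.
    access_log /var/log/nginx/ha-access.log;

    location / {
        proxy_pass http://127.0.0.1:8123;
        proxy_http_version 1.1;

        # Home Assistant's frontend uses websockets; without the Upgrade
        # and Connection headers the UI loads but never updates.
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
    }
}
```

Two things to check after dropping this in: Home Assistant refuses proxied requests unless its `http:` section in `configuration.yaml` has `use_x_forwarded_for: true` and lists the proxy in `trusted_proxies` (here `127.0.0.1`), and only the `server_name` block gets the separate access log, so a `tail` on `ha-access.log` is the quick way to confirm that nothing but your own traffic and Google's webhook ever reaches the HA vhost.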