How to set up Tailscale Funnel to securely access Home Assistant from anywhere for free

Below are the instructions for setting up Tailscale Funnel with Home Assistant.

This guide is specifically about Tailscale Funnel, a free service that lets family, visitors and everybody else securely access your Home Assistant instance without installing an app or connecting to a VPN on their devices. If you are willing to connect your devices to the Tailscale VPN, you don’t need this guide; instead, please see the Tailscale add-on docs.

There’s also Home Assistant Cloud, which not only lets you access your home from anywhere with zero manual setup, but also lets you easily connect to voice assistants, get peace of mind with seamless backup and restore, and support the development of Home Assistant, all while not depending on any third parties like Tailscale, Cloudflare or Google.

Steps

  1. Sign up for Tailscale.
  2. In Home Assistant, install the Tailscale Addon from the add-on store.
  3. In the add-on configuration, under Share Home Assistant with Serve or Funnel, select the funnel option. Don’t start the add-on yet.
  4. Add this to your Home Assistant configuration.yaml for it to accept the traffic from the Tailscale proxy:
http:
  use_x_forwarded_for: true
  trusted_proxies:
    - 127.0.0.1
  5. Log in to your Tailscale admin panel. In the DNS section, choose a randomly-generated domain name.
  6. Scrolling down the same page, enable HTTPS certificates.
  7. In the Access controls page, add the following to your ACL config file, after other rules. It should still be inside the top-level brackets (i.e. it should be surrounded by one level of brackets).
	"nodeAttrs": [
		{
			"target": ["autogroup:member"],
			"attr":   ["funnel"],
		},
	],
  8. Start the Tailscale add-on now. Go to the logs page.
  9. In the logs, you’ll find a login link to log the device in to your tailnet. Open it and follow the instructions.
  10. Go to your Tailscale admin console. Click on the three-dot menu of the newly connected homeassistant device. Choose Disable key expiry.
  11. You can also rename your device from this menu. You’ll access it at <device_name>.<your-tailnet-name>.ts.net.

That’s it. Don’t forget that anybody will be able to access your Home Assistant instance from your tailscale domain link, so always use strong auto-generated passwords securely stored in your password manager for your Home Assistant user logins.

There’s indeed much room for improvement in the setup process of the Tailscale add-on.

FAQ

I’m an average Joe and not a network engineer, what’s the risk here?

With the setup described here, there are no real risks for you to worry about. There are exactly three potential risks:

  1. Your phone connects to Funnel servers using TLS encryption. The world runs on TLS. If TLS was compromised, the entire world would go up in flames, so you don’t have to worry about it.
  2. Funnel servers connect to your Home Assistant instance using Wireguard. The world also runs on Wireguard (to a lesser degree), so same as above, you don’t have to worry about it.
  3. The security of the Home Assistant login page and API. This is the only realistic source of risk here. Even then, as a HA user, there is no reason to be concerned about it.

Home Assistant is the 2nd most active open source project in the world, and many people heavily depend on it in their everyday lives. At the time of writing, Home Assistant has over 500.000 confirmed active installations. The analytics are opt-in, the estimated real count is ~2.2 million.

Github Security Labs and others audit and/or discover vulnerabilities in HA which then responsibly get fixed.

There is not a single reason you shouldn’t trust Home Assistant developers, users and the broader community to keep the HA login page and API secure.

Why not just open a firewall port on my home router?

If you are behind CGNAT, which many people are, even if you open a port on your router it won’t work. You’ll need a proxying/tunneling solution.

Setting that aside, if you open a firewall port on your router, any device that is on your home network becomes accessible from the internet. And most devices on your network (Wi-Fi connected appliances, sensors, cameras, robot vacuums) are insecure and vulnerable to attacks, even if your HA device might not be. This is just the unfortunate reality today.

With Tailscale funnel however, it’s only the Home Assistant UI that is exposed to internet:

  1. Tailscale funnel accepts encrypted HTTPS traffic from the internet at your Tailscale domain, and decrypts it.
  2. It forwards the traffic to the Tailscale addon in Home Assistant through the VPN. You don’t need to open any ports on your firewall, nor any devices on your home network are exposed, because the traffic remains inside the VPN.
  3. The addon forwards the traffic only to port 8123 on HA, which is the port the HA UI and API is served from.

With this setup, the only thing exposed to the internet is the Home Assistant login page and the API.

You will not have a device on your local network that’s always accessible via port 8123[1]. Automated port scanning software won’t be able to detect that you are running Home Assistant based on the port number, and the IP address of your home network will remain totally private.

Why not directly use the Tailscale VPN?

When you use a VPN like Tailscale to access your Home Assistant instance, only the devices in your Tailscale network (a.k.a tailnet) can connect to Home Assistant. While this is indeed more secure than exposing your HA instance to the public internet, it has some potential drawbacks:

  • You need to ensure family members’ devices are reliably connected to the VPN for them to be able to access Home Assistant.
  • Always-on VPNs constantly consume a small amount of power in the background which can lead to slightly faster battery degradation in smartphones.
  • You can’t use two VPN solutions at the same time on most devices, e.g. if you’re already using a VPN for another purpose.

The “official” way to remotely access HA, the Home Assistant Cloud, doesn’t require you to use a VPN. Furthermore, it has the same architecture as Tailscale Funnel[2].

If you are the single user of HA, and don’t mind the potential slight battery drain from a VPN, you can simply use the Tailscale add-on without Funnel to connect to your HA instance through the Tailscale VPN. If not, you might find it harder in practice. Ultimately the decision is yours.

How to set up multiple subdomains with this?

Warning: There’s no guide for setting up multiple subdomains yet. Below is only a user report.

The Tailscale add-on is a container with the tailscale client running in it. This add-on has a reverse proxy which forwards requests sent to your tailscale domain (aka tailnet name) to local port 8123, which is the port Home Assistant UI is served from.
The end result is: https://home-assistant.my-tailnet.ts.net → localhost port 8123.

With this knowledge, we can simply duplicate the Tailscale add-on, give it any name (e.g. my-app) in Tailscale admin console and modify it to forward requests to whatever local port we want (e.g 8080).
The end result would be: https://<my-app>.my-tailnet.ts.net → localhost port 8080

I did this to host the Immich add-on on its separate immich.my-tailnet.ts.net subdomain, and so far it works. There were a few modifications I had to do to the add-on (message me if interested).

It’s not exactly a great idea to run another tailscale client for every app you want to host, a better setup would be integrating a proxy tool like Nginx with the add-on to create subdomains. Let me know if you do this!

Here is an example untested nginx config from ChatGPT for multiple subdomains:

# Untested, I have no idea whether this would work at all!
#
# Caveat on this snippet: it routes by URL path prefix (/ha/, /immich/), not by
# subdomain as the paragraph above describes, and Home Assistant does not
# support being served under a path prefix, so its frontend will not load via
# /ha/. Routing by server_name (one server block per subdomain) avoids that.
# The X-Forwarded-* headers below are what Home Assistant's trusted_proxies /
# use_x_forwarded_for settings rely on to see the real client address.

server {
    listen 80;
    server_name your.funnel.domain;

    location /ha/ {
        rewrite ^/ha(/.*)$ $1 break;
        proxy_pass http://127.0.0.1:8123/;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }

    location /immich/ {
        rewrite ^/immich(/.*)$ $1 break;
        proxy_pass http://127.0.0.1:8181/;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}

Feel free to publish any parts of this guide in the official addon docs, suggest improvements or fixes, and comment whether this worked for you or not. I’ll try to update this post as feedback comes.


  1. Funnel will only expose the standard HTTPS port 443. This port will be exposed not on your local network but on their Funnel relay servers, which will then be forwarded to your HA port 8123 through the VPN. ↩︎

  2. (technical) The one difference is Funnel servers communicate with HA through a VPN instead of HTTPS. ↩︎

4 Likes
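Because the Funnel setup above leaves the Home Assistant login page reachable by anyone, the one thing worth watching is failed logins, and the `trusted_proxies` / `use_x_forwarded_for` step is what makes those log entries carry the real client address instead of the add-on proxy's 127.0.0.1. The following added example (not from the original post or from Home Assistant) triages the "invalid authentication" warnings from `home-assistant.log`; the exact message wording and the sample lines are constructed assumptions, so adjust `LOG_RE` if your version logs differently.

```python
"""Triage failed-login warnings from a Home Assistant log exposed via Funnel."""
import ipaddress
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines (not real traffic), modelled on the warning written by
# homeassistant.components.http.ban: three failures from one address within a
# minute, one stray failure from another, one attributed to 127.0.0.1 (what you
# see when the forwarded client address is NOT applied), and an unrelated line.
SAMPLE_LOG = """\
2024-05-01 20:14:02.113 WARNING (MainThread) [homeassistant.components.http.ban] Login attempt or request with invalid authentication from 203.0.113.7 (203.0.113.7). Requested URL: '/auth/login_flow/a1'. (Mozilla/5.0)
2024-05-01 20:14:09.502 WARNING (MainThread) [homeassistant.components.http.ban] Login attempt or request with invalid authentication from 203.0.113.7 (203.0.113.7). Requested URL: '/auth/login_flow/a1'. (Mozilla/5.0)
2024-05-01 20:14:31.008 WARNING (MainThread) [homeassistant.components.http.ban] Login attempt or request with invalid authentication from 203.0.113.7 (203.0.113.7). Requested URL: '/auth/login_flow/a1'. (Mozilla/5.0)
2024-05-01 20:20:45.777 WARNING (MainThread) [homeassistant.components.http.ban] Login attempt or request with invalid authentication from 198.51.100.23 (198.51.100.23). Requested URL: '/api/states'. (curl/8.4.0)
2024-05-01 21:02:10.001 WARNING (MainThread) [homeassistant.components.http.ban] Login attempt or request with invalid authentication from 127.0.0.1 (127.0.0.1). Requested URL: '/auth/login_flow/b2'. (Mozilla/5.0)
2024-05-01 21:02:11.400 INFO (MainThread) [homeassistant.components.http] unrelated line
"""

# Assumed message format; the parenthesised address is the one HA resolved for
# the client after applying X-Forwarded-For from a trusted proxy.
LOG_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\.\d+ WARNING .*"
    r"invalid authentication from \S+ \((?P<ip>[^)]+)\)\. Requested URL: '(?P<url>[^']*)'"
)


def parse_failures(log_text):
    """Return (timestamp, ip, url) for every failed-auth warning in the log."""
    failures = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m:
            ts = datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S")
            failures.append((ts, m.group("ip"), m.group("url")))
    return failures


def flag_sources(failures, threshold=3, window=timedelta(minutes=5)):
    """Addresses with at least `threshold` failures inside one sliding window."""
    by_ip = defaultdict(list)
    for ts, ip, _ in failures:
        by_ip[ip].append(ts)
    flagged = {}
    for ip, times in by_ip.items():
        times.sort()
        for i in range(len(times)):
            j = i
            while j < len(times) and times[j] - times[i] <= window:
                j += 1
            if j - i >= threshold:
                flagged[ip] = j - i  # count in the first window that tripped
                break
    return flagged


def unattributed_failures(failures):
    """Failures logged against loopback: the client IP was not recovered from
    X-Forwarded-For, so any per-IP ban would hit the proxy, i.e. every visitor."""
    return [f for f in failures if ipaddress.ip_address(f[1]).is_loopback]


def triage(log_text):
    """Summary a defender can act on: volume, burst sources, proxy misattribution."""
    failures = parse_failures(log_text)
    return {
        "failures": len(failures),
        "flagged": flag_sources(failures),
        "unattributed": len(unattributed_failures(failures)),
    }


if __name__ == "__main__":
    print(triage(SAMPLE_LOG))
```

Home Assistant can enforce the same idea itself with the `ip_ban_enabled` and `login_attempts_threshold` options of its `http:` configuration; this script is for reviewing a log after the fact.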

I don’t use Tailscale Funnel, but I do use Tailscale to access my HA from my phone from anywhere. I installed Tailscale on my RPi/HA and on my phone. I have forgotten the details but it was simple to establish the connection from my phone to HA. The instructions seemed idiot proof (I succeeded!). If you simply open a port on your home router some hacker will discover it with a port scan and have access into your network. That isn’t a good idea. Tailscale is secure and reliable. The only problem that I have with it is that it often loses the connection and spends 1-2 minutes re-connecting. Other than that it is great.

I can access Home Assistant via Tailscale without enabling Funnel and Proxy (for the past 2 years). My phone is a trusted member of my tailnet. In other words, secure remote-access is possible without having to create an external facing URL that leads to port 8123 of the Home Assistant server (which is what Funnel does).

It’s my understanding that you need Funnel only if you want to expose your Home Assistant instance to an external client or service that is not a member of your tailnet.

Thanks for the feedback! I clarified the point that this guide is specifically about Tailscale funnel.

Indeed you can access HA by connecting your device to the Tailscale VPN (aka tailnet), however that can possibly get very cumbersome very quickly when you have to manage all your family’s devices. Not to mention, Android can be flaky with VPNs because of aggressive power saving measures and while iOS doesn’t have this problem, check out how much battery the Tailscale app uses in the background in the settings. It depends, but that several percent can add up to slightly faster battery degradation.

I haven’t encountered any cumbersome management issues in the past two years of operation for my family’s devices.

I have an Android phone and haven’t experienced stability issues, or excessive battery drain, with the Tailscale app.


I appreciate the fact your guide is explicitly for using Funnel. I believe potential users of this approach should understand that the sole advantage is a free, internet-facing URL; it exposes one’s Home Assistant instance directly to the internet (and provides no other security beyond Home Assistant’s user login; it’s like redirecting port 8123 on one’s router).

Thank you so much, @parhelion! I haven’t been able to get this working before your guide. The ACL config file was the missing piece. Not very easy to find this documented, at least I haven’t seen it anywhere else.

Thanks to @parhelion 's guide, I have the funnel running. Now my family/friends can access HA remotely without requiring the Tailscale app. This for me is a big win.

You claimed the following:

it exposes one’s Home Assistant instance directly to the internet (and provides no other security beyond Home Assistant’s user login; it’s like redirecting port 8123 on one’s router).

For an average Joe who’s not a network engineer (aka me), what’s the risk here exactly? Are you saying it’s not 100% safe to open the url and login to HA when connected to some random airport/restaurant/public WiFi? Let’s say for eg. I’m in a restaurant - I’m connected to this free, open WiFi network called “Restaurant WiFi Free”. I login to HA using the tailscale remote funnel to control my appliances. Now what? How can another person on this same network know what my HA url, username and password are - what’s the worst that can happen when a. I login to HA as admin or b. my girlfriend logs into HA using a non-admin id when we’re at the restaurant? I ofc. will have non-admin HA accounts for friends/family and when operating my admin account I for sure will avoid shady wifi networks. I’m just trying to understand the risk here.

Thanks

It’s good you’re inquiring because the technique described in this topic, although easy, is not without risk.

Exposing any device to the internet is a calculated risk. The connection is as secure as its weakest link.

The risk is what I explained in my previous post. You now have a device on your local network that is always accessible to the internet via port 8123.

The only thing that prevents unauthorized access is Home Assistant’s authentication system and the strength of your chosen password … and the assumption that there are no existing security vulnerabilities (like the one discovered in 2023).

If you have other questions like how can your IP address be easily discovered then you should familiarize yourself with automated port scanning and how it is commonly used to discover potentially vulnerable assets.


FWIW, I use Tailscale to access my Home Assistant server but via its VPN and not its Funnel feature; the server is not continuously exposed to the internet via port 8123. That’s my “comfort level”, especially after CVE-2023-27482.


EDIT

I’ll go out on a limb and say that this technique is probably no less secure than what you get with a Nabu Casa subscription.

1 Like

Nabu Casa dialogue with HA is all encrypted but with the tailscale funnel it’s not, I assume. What I’m thinking this means is, if some random hacker on the same network somehow looked into your HA’s traffic, they would know what password/ username you typed if you used ts funnel vs seeing encrypted random text for credentials over Nabu Casa comm. (at least that’s how chatgpt explains it)

Good thing HA has MFA though - totally forgot about that. Hoping they come up with a feature soon that lets us delete refresh tokens through developer actions. Then I’d totally auto delete tokens every couple hrs

I suggest you review Tailscale’s Funnel documentation.

The irony is that a username and password wasn’t even needed to exploit the aforementioned vulnerability. Everyone had assumed their internet-facing server was protected by Home Assistant’s authentication system.

For an average Joe who’s not a network engineer (aka me), what’s the risk here exactly?

With the Tailscale Funnel setup described in the post, there are no real risks to be concerned about. There are exactly three potential risks:

  1. Your phone connects to Funnel servers using TLS encryption. The world runs on TLS. If TLS was compromised, the entire world would go up in flames, so you don’t have to worry about it.
  2. Funnel servers connect to your Home Assistant instance using Wireguard. The world also runs on Wireguard (to a lesser degree), so same as above, you don’t have to worry about it.
  3. The security of the Home Assistant login page and Supervisor. This is the only realistic source of risk here. Even then, as a HA user, there is no reason to be concerned about it.

Home Assistant is the biggest open source project in the world (by contributor count) and many people’s lives heavily depend on it. The vulnerability @123 mentioned was immediately fixed after it was discovered in March 2023.

It was a professional cybersecurity researcher who found the vulnerability. It appears he wasn’t even paid to audit HA. He likely found it because presumably he was a user of HA and decided to take a look.

Since then, Home Assistant has grown more than 2.5 times to over 500.000 confirmed installations. The analytics are opt-in, the estimated real count is ~2.2 million. Github Security Labs and others, some of them unpaid volunteers, have audited and/or discovered vulnerabilities in HA which were all then promptly fixed.

There is not a single reason you shouldn’t trust Home Assistant developers, users and the broader community to keep HA secure.

The “official” way to access HA remotely, Home Assistant Cloud, doesn’t require you to use a VPN. Furthermore, it has the same architecture as Tailscale Funnel[1]. With both solutions, everybody who knows the remote access link will be able to access your HA instance.

Despite what @123 claims, you will not have a device on your local network that’s always accessible via port 8123[2]. Automated port scanning software won’t be able to detect that you are running Home Assistant based on the port number, and the IP address of your home network will remain totally private.

Yes, using a VPN would be even more secure, preventing anybody not connected to the VPN from ever seeing the login page of HA. Including yourself and your wife. Is that worth it? Are you using HA to automate the doors of your nation’s secret military bases? Otherwise, I highly doubt it.


  1. The one difference is tunnel servers communicate with HA through a VPN instead of HTTPS ↩︎

  2. Funnel will only expose the standard HTTPS port 443. This port will be exposed not on your local network but on their Funnel relay servers, which will then be forwarded to your HA port 8123 through the VPN. ↩︎

2 Likes

If you’re saying it’s not accessible then it contradicts what you wrote here:

A remote browser connecting to https://home-assistant.my-tailnet.ts.net is automatically redirected to the local network’s Home Assistant server via port 8123.

True but moot; most ISPs assign dynamic IP addresses to residential users.

Tailscale Funnel, like Nabu Casa, provides a fully qualified domain name (FQDN). Once you have the FQDN, knowing its IP address is moot.

Tailscale will provide something like https://mychosenstring.my-tailnet.ts.net whereas Nabu Casa provides https://randomalphanumericstring.ui.nabu.casa. In either case, there are tools for listing sub-domains so it’s not difficult to list everything attached to nabu.casa or ts.net.

Like I said previously, this is no less secure than Nabu Casa’s remote-access service; it shares the same strengths and weaknesses.

In my case, it is worth it.

I prefer to open a remote connection to my HA server only when I need access to it. Leaving it open all the time, even when I am not using it, only serves as a candidate for penetration testing. I prefer to mitigate that risk and Tailscale allows for it with ease and transparency (without its Funnel service).

If you read the footnote (click the three dots), you can see that I wrote:


I agree, that’s also what I said.


That’s quite an intense level of security you got there. It seems many (most?) people don’t share the same preferences.

Exactly. All traffic is directed to 8123. The URL (and port 8123) is accessible to anyone at all times; the Home Assistant server is fully internet-facing.

The irony is that this level of exposure to the internet is unnecessary to provide remote-access. Tailscale already provides secure remote-access for all members of one’s Tailnet.

Seems like you may be one of the few who have the opposite idea.

Tailscale provides one with a private Tailnet where its members get secure access to the Tailnet’s services. Virtually every feature in Tailscale is designed to provide/manage services for a Tailnet’s members.

Tailscale’s Funnel feature was introduced later and is meant to expose a Tailnet’s resource to non-members of one’s Tailnet (i.e. directly to anyone on the internet). It’s inherently less secure because non-members, quite obviously, are not authenticated by one’s Tailnet.


The irony here is you have provided instructions for people to create a Tailnet and then have them not use its full potential.

  • Robust user-authentication
  • Extensive user-access control
  • Connect to Home Assistant remotely without exposing it directly to the internet

Instead, they are instructed to use Tailscale to get remote-access to their Home Assistant server by exposing it directly to the internet (even though Tailscale already provides a secure way to get remote-access to Home Assistant without direct internet exposure).

To put it another way, once you have created a Tailscale account and installed the Tailscale Add-on, no further steps are needed (like enabling the Funnel feature to expose Home Assistant directly to the internet) to get remote-access to Home Assistant.

1 Like

Dude, I don’t have any idea what you’re trying to say here.

Yes, the post is about Tailscale Funnel. I struggled to set up Tailscale Funnel, the docs were scattered between 3 places, so when I succeeded I put them in here properly so that other people can set it up too. Yes, this isn’t about setting up Tailscale VPN, because the official addon docs are completely sufficient and clear for that.

You say:

I explicitly say in the very third sentence of the post:

What? I’m not forcing anybody.

Your instructions for remote-access needlessly expose Home Assistant directly to the internet. Needlessly, because Tailscale is able to provide remote-access without direct exposure. Enabling Funnel is an additional step that loses some of Tailscale’s beneficial security features.

I am mentioning it here to inform users of what they’re losing when choosing to use Funnel to access Home Assistant instead of via their Tailnet (the same Tailnet they must create in order to enable the Funnel service).

  1. Your phone connects to Funnel servers using TLS encryption. The world runs on TLS. If TLS was compromised, the entire world would go up in flames, so you don’t have to worry about it.
  2. Funnel servers connect to your Home Assistant instance using Wireguard. The world also runs on Wireguard (to a lesser degree), so same as above, you don’t have to worry about it.

Thanks @parhelion for this info. and also @123 for your insights.

Just so you know @123, the original thread has 8 likes and this one 4 and growing, so there def. exists an audience for the funnel - probably because this doesn’t require you to install the Tailscale app on every device you want to remote access HA from. I’d say it’s personal preference at the end of the day, whether someone wants to use the funnel or not - this thread is merely a guide for those who do. Prior to this post, there was 0 documentation on the HA+funnel setup. OP doesn’t seem to be insinuating in any way that this is better than the conventional tailnet setup or is more secure.

I am much less comfortable with direct public exposure of my Home Assistant Authentication system than with that system only exposed within a VPN.

While I too put a massive amount of trust in the open source development of Home Assistant (volunteers and staff), it seems the priority is not security and access control. (this is not suggesting it’s insecure!). e.g. if Home Assistant natively supported OIDC etc for authentication I could deploy a authentication service that was purpose built and vetted for public exposure.

Without that, I’d personally recommend keeping access from within the Tailnet only, without Tailscale Funnel.

All that said, it looks like a good guide, and for those who have evaluated the risks and determined their risk tolerance supports this approach, I’m sure it’s appreciated, so thank you for the contribution.

Which is fine and even better if the audience is made aware of what using Funnel does not provide.

As for measuring interest by metrics of likes, posts, views, etc, then there are large audiences for other methods such as DuckDNS/reverse-proxy, Cloudflare tunnel, etc.

I agree; preferably an informed decision based on all available facts.

True but a novice might be led to believe this is the most secure way of doing it in Tailscale but it’s not. It’s as secure as DuckDNS/reverse-proxy or Nabu Casa’s remote-access service (both expose Home Assistant directly to the internet).

It’s less secure than some other methods (Cloudflare/Tailscale/Zerotier) because they provide an additional layer of authentication and don’t expose Home Assistant directly to the internet.

FWIW, the only reason I would use Funnel on my Tailnet is to expose Home Assistant to an Internet-based resource that cannot become a native member of my Tailnet. For example, if you wanted to connect Home Assistant to Amazon’s Alexa service (via the Amazon Alexa integration). It requires direct access to one’s Home Assistant server and the long-standing way of doing it is with DuckDNS/reverse-proxy.

Having said that, I have used Matter Hub to “Alexa-enable” my devices which is simpler than using Funnel and the Amazon Alexa integration (and more local).

1 Like

In the addon configuration, enable both Tailscale Funnel and Tailscale Proxy options. Don’t start the add-on yet.

I don’t see any Proxy configuration option in the addons settings, but it works.

Unfortunately it is pretty unstable and always logging me out from HA after a few minutes.