The 2FA etc is only when accessing remotely via open vpn. Locally it just works like your on the LAN
How much stuff do you do remotely? Or off-site
The 2FA etc is only when accessing remotely via open vpn. Locally it just works like your on the LAN
How much stuff do you do remotely? Or off-site
It was an add-on in hassio when I tried it last year.
Ah, ok.
But I just looked and I can’t see it on the official list of add-ons of the community add-ons.
It must have been pulled. Which is a shame.
Thanks anyway.
I’m pretty sure you can add repos
Yes, but how would you find out which one to add??
I love that you use 2fa and VPN, I personally use them together too but not to access HA. It seems like the ”hassle” kills the user experience.
This is what I’ve settled for:
This provides for me, a level where I can use my services comfortably but securly. A couple of users have contacted me regarding setting up 2FA, you’re more than welcome to set up a guide that I can point at.
I personally use them together too but not to access HA. It seems like the ”hassle” kills the user experience.
How do you access HA remotely then?
When I access HA on LAN I have no auth, just need to be on my trusted device Wi-Fi, when I’m out and about and I want to get into HA I VPN in.
I find my remote activity on HA doesn’t have to be so seamless as local activity, so I can sacrifice a bit of usability from a connection stand point, also once connected I’m connected, no need to re auth, unless my phone screen locks.
Cloudflare + nginx reverse proxy w. Letsencrypt + 2FA + fail2ban on top of hass usual password is what I rely on for hass. This way the 2FA is stored in a cookie, I use the bitly oauth_proxy and you don’t have to enter the 2FA every time you enter hass (from a known device) due to the cookie.
I use the iOS app, and some type of notifications require external access otherwise I’d need vpn on all the time (which kills the battery on my phone).
That sounds cool, how many ports are open in your router to achieve that setup?
So 4, but I may reduce it to 3. Since all ports needs 2FA and additional security, I’m comfortable with having 3. I used to run VPN for everything and only had 1 before.
That’s where I get hung up, appreciate the 2FA and f2b etc is all running, but I don’t want too expose to many services to the World, and the fact I must have a certificate to get in is a big plus for me, but then that’s what works for me. I think it’s a shame notifications rely on being ‘local’ to the server. Be nice if this was an external push service. (Key secured )
I don’t have f2b running on my vpn - nice suggestion
Maybe we should collate all these options in a single guide, I could do the open vpn one to death, but apart from in work I haven’t setup a reverse proxy at home.
Everybody should only use as much security as they are comfortable with. I may be using your setup too in the future.
50/50 The current setup passes the WAF, adding more complexity doesn’t help
Some nice security ideas here but let’s not lose sight of the fact that there is a component in hassio which out of the box is insecure and the fix is insanely easy - turn off guest access
There has been an update almost a day ago: https://github.com/home-assistant/hassio-addons/commit/072498cd84f7b576269f2c4399b92f796b7135aa
By default access is now only allowed from RFC 1918 networks. That way enabled guest access isn’t such a big problem anymore.
Guest should default to false once the pull request below is merged…
Actual issue is UPNP that opened the port.
Guest:true is secondary after that.
Or was their someone with this issue that did not have UPNP enabled?
I say this only because if UPNP still enabled this will likely cause user further issues. Also likely that not upgrade router firmware since many router have update that turn UPNP off I thought?
Allow hosts was in my config, it’s there by default it still didn’t stop this guy getting in.
Yes UPnP opened the port but that would not have been a problem if guest wasn’t enabled. This is the out of the box config:
{
“workgroup”: “WORKGROUP”,
“name”: “hassio”,
“guest”: true,
“map”: {
“config”: true,
“addons”: true,
“ssl”: false,
“share”: true,
“backup”: true
},
“username”: “”,
“password”: “”,
“interface”: “”,
“allow_hosts”: [
“10.0.0.0/8”,
“172.16.0.0/12”,
“192.168.0.0/16”
]
}
Hassio is bound to be installed in a lot of home environments and a lot of home environments have UPnP enabled routers. If too many installs get hacked because of this flaw, HA will get a reputation as an insecure system.
FYI
Hi @cogneato,
It seems you haven’t yet signed a CLA. Please do so here.
Once you do that we will be able to review and accept this pull request.
Thanks!