I personally use them together too but not to access HA. It seems like the “hassle” kills the user experience.
How do you access HA remotely then?
When I access HA on LAN I have no auth, just need to be on my trusted device Wi-Fi, when I’m out and about and I want to get into HA I VPN in.
I find my remote activity on HA doesn’t have to be as seamless as local activity, so I can sacrifice a bit of usability from a connection standpoint. Also, once connected I’m connected, no need to re-auth, unless my phone screen locks.
Cloudflare + nginx reverse proxy w. Letsencrypt + 2FA + fail2ban on top of hass usual password is what I rely on for hass. This way the 2FA is stored in a cookie, I use the bitly oauth_proxy and you don’t have to enter the 2FA every time you enter hass (from a known device) due to the cookie.
I use the iOS app, and some type of notifications require external access otherwise I’d need vpn on all the time (which kills the battery on my phone).
SSH (But as I said, this is secured according to this post)
So 4, but I may reduce it to 3. Since all ports need 2FA and additional security, I’m comfortable with having 3. I used to run VPN for everything and only had 1 before.
That’s where I get hung up. I appreciate the 2FA and f2b etc. is all running, but I don’t want to expose too many services to the world, and the fact that I must have a certificate to get in is a big plus for me, but then that’s what works for me. I think it’s a shame notifications rely on being ‘local’ to the server. It would be nice if this was an external push service (key secured).
I don’t have f2b running on my vpn - nice suggestion
Maybe we should collate all these options in a single guide, I could do the open vpn one to death, but apart from in work I haven’t setup a reverse proxy at home.
Some nice security ideas here but let’s not lose sight of the fact that there is a component in hassio which out of the box is insecure and the fix is insanely easy - turn off guest access
Actual issue is UPNP that opened the port.
Guest:true is secondary after that.
Or was there someone with this issue that did not have UPnP enabled?
I say this only because if UPnP is still enabled this will likely cause the user further issues. Also it’s likely that they did not upgrade the router firmware, since many routers have updates that turn UPnP off, I thought?
Hassio is bound to be installed in a lot of home environments and a lot of home environments have UPnP enabled routers. If too many installs get hacked because of this flaw, HA will get a reputation as an insecure system.
Personally, WAF and complexity are not an issue when it comes to security. If my wife stopped using something because it was too complex vs our network being secure, then I accept that and I’d need to decide what is an acceptable risk to balance the usability factor accordingly. But I don’t run many external facing services.
If I wanted to run the HASS image, I would be checking which ports/services are listening on that device. I do the same for all devices running on my LAN (how do I know my SKY box isn’t running something?). I run a regular nmap scan of my own network from my HA server to check open ports and devices on my LAN, alerting me to something I don’t recognise being there, or a service that I don’t want.
Commands to do this (the scan writes XML, the second command renders it as HTML):
nmap -oX output.xml -T4 -A 192.168.0.1-254
xsltproc output.xml -o network.html
I would not trust SAMBA/Home Assistant/a third party service to manage how people interact with my network.
I’d trust (a little more) a service which was designed to securely connect to my LAN
OpenVPN or a reverse proxy might be initially complex to set up, but once running they are more secure than port forwarding to a service whose primary focus isn’t network security. Running 2FA is belt and braces, but not a necessity.
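An added example (not from this thread) of turning that regular scan into an alert: it parses the XML that nmap writes with -oX and reports any open port that is not in a hand-kept baseline of what should be listening. The sample XML and the baseline are constructed; in practice you would read output.xml from the scan above.

```python
import xml.etree.ElementTree as ET

# Constructed sample of nmap -oX output (not a real scan): two LAN hosts.
SAMPLE_NMAP_XML = """<nmaprun scanner="nmap">
  <host><status state="up"/>
    <address addr="192.168.0.10" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="22"><state state="open"/><service name="ssh"/></port>
      <port protocol="tcp" portid="8123"><state state="open"/><service name="http"/></port>
    </ports>
  </host>
  <host><status state="up"/>
    <address addr="192.168.0.42" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="445"><state state="open"/><service name="microsoft-ds"/></port>
      <port protocol="tcp" portid="139"><state state="filtered"/><service name="netbios-ssn"/></port>
    </ports>
  </host>
</nmaprun>"""

# Baseline (constructed): host -> set of "proto/port" that is supposed to be open.
EXPECTED = {
    "192.168.0.10": {"tcp/22", "tcp/8123"},  # HA server: ssh + HA web UI
}

def open_ports(xml_text):
    """Return {host: {"tcp/22", ...}} for every port nmap reports as open."""
    found = {}
    for host in ET.fromstring(xml_text).iter("host"):
        addr = host.find("address[@addrtype='ipv4']")
        if addr is None:
            continue
        found[addr.get("addr")] = {
            f"{p.get('protocol')}/{p.get('portid')}"
            for p in host.iter("port")
            if p.find("state").get("state") == "open"  # filtered/closed are ignored
        }
    return found

def unexpected_ports(xml_text, expected=EXPECTED):
    """Open ports missing from the baseline, as sorted (host, proto/port) pairs."""
    findings = []
    for host, ports in open_ports(xml_text).items():
        for port in ports - expected.get(host, set()):
            findings.append((host, port))
    return sorted(findings)

if __name__ == "__main__":
    for host, port in unexpected_ports(SAMPLE_NMAP_XML):
        print(f"ALERT: {host} has unexpected open port {port}")
```

Any host not in the baseline at all is reported in full, so a new device appearing on the LAN shows up the same way as a new service on a known one.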
In places where users can shoot themselves in the foot, make it super clear (the page on port forwarding is really easy to glance over; the dangers are here).
IMHO this should be in docs rather than the forum. Forum posts tend to get swamped by replies, or lost amongst the dross.
Again IMHO you should write it in markdown and put it on github, then perhaps post a link to the howto in the forum and let people ask questions in the forum.
I found myself just copying the Digital Ocean guide (which was the one I followed), then stopping and just linking to it in the end, but to be honest it was more than adequate and well written.
I was wondering if people wanted to have a go at setting it up using those guides and I’d be happy to answer questions / support any issues people might run into as best I can.
Both should be treated as equally bad. It is not good security practice to allow guest access to sensitive information, and your HA configuration files are sensitive information. Even if the passwords are hashed (which they currently are not), access to those should be minimized and definitely not allowed at guest level.