iOS App and Remote Access

What is everyone using to connect to their HA instance via the iOS app that doesn’t require an open port?

Currently I have port 8123 open on my router which I would like to get rid of.

I run pfSense for my router, and a VPN or reverse proxy should be doable, but I'm not sure how that would work with the iOS app. I would like to make the process automatic/invisible as my wife uses the app.

Any help or guides would be great.

L2TP/IPSEC VPN on my Ubiquiti Unifi USG. Everything works great.

Just leave a port open with nginx in front of HA doing SSL termination. I have a VPN but rarely use it to connect to home.

I use HAproxy for the SSL termination pointing to HA as a backend. Works well - and we use it at work heavily so something I already knew.

NGINX seems way too heavy to use just for SSL termination…

I use nginx for a lot more than just SSL, it does all kinds of routing for other apps on the network. HAProxy is also great though!

Just went ahead and set up VPN On Demand (needed to set up my VPN again anyway since getting a new iPhone X). It’s okay thus far. I configured the rules as follows:

<key>OnDemandRules</key>
<array>
  <dict>
    <key>Action</key>
    <string>Disconnect</string>
    <key>InterfaceTypeMatch</key>
    <string>WiFi</string>
    <key>SSIDMatch</key>
    <array>
      <string>MyWifi</string>
      <string>MyWifi 2.4GHz</string>
    </array>
  </dict>
  <dict>
    <key>Action</key>
    <string>EvaluateConnection</string>
    <key>ActionParameters</key>
    <array>
      <dict>
        <key>DomainAction</key>
        <string>ConnectIfNeeded</string>
        <key>Domains</key>
        <array>
          <string>mydomainname.com</string>
          <string>*.mydomainname.com</string>
        </array>
        <key>RequiredURLStringProbe</key>
        <string>https://vpn.nerd.one/my.ip.address</string>
      </dict>
    </array>
  </dict>
</array>

I figured out how to write the rules from here. I already had the rest of the profile created via Apple Configurator. I have pfSense and use IKEv2/IPSec so I just searched for “pfsense ios ikev2” and found a couple of good guides on how to initially set it up.

This setup will cause my VPN to automatically activate whenever Home Assistant tries to connect. Should work nicely for anyone that can run a VPN on their network.

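
The rules in the post above can be checked offline before the profile goes onto a phone. The following is an added example, not part of the original post: a simplified model of first-match-wins On Demand evaluation, run over the posted rules. The host `ha.mydomainname.com`, the result labels `ConnectVPN`/`NoVPN`, and the single `probe_ok` flag (name resolves and the probe URL returns 200) are assumptions of this sketch.

```python
import plistlib
from fnmatch import fnmatchcase

# The OnDemandRules array from the post, wrapped in <plist> so plistlib can parse it.
RULES_XML = b"""<plist version="1.0"><array>
<dict><key>Action</key><string>Disconnect</string>
  <key>InterfaceTypeMatch</key><string>WiFi</string>
  <key>SSIDMatch</key><array><string>MyWifi</string><string>MyWifi 2.4GHz</string></array></dict>
<dict><key>Action</key><string>EvaluateConnection</string>
  <key>ActionParameters</key><array><dict>
    <key>DomainAction</key><string>ConnectIfNeeded</string>
    <key>Domains</key><array><string>mydomainname.com</string><string>*.mydomainname.com</string></array>
    <key>RequiredURLStringProbe</key><string>https://vpn.nerd.one/my.ip.address</string>
  </dict></array></dict>
</array></plist>"""
RULES = plistlib.loads(RULES_XML, fmt=plistlib.FMT_XML)

def rule_matches(rule, iface, ssid):
    """A rule matches when every match key it carries is satisfied (no keys: always)."""
    if "InterfaceTypeMatch" in rule and rule["InterfaceTypeMatch"] != iface:
        return False
    # SSIDMatch compares the network name only and fails on non-Wi-Fi interfaces.
    if "SSIDMatch" in rule and (iface != "WiFi" or ssid not in rule["SSIDMatch"]):
        return False
    return True

def decide(rules, iface, ssid, host, probe_ok):
    """Outcome of the first matching rule for a connection attempt to `host`."""
    for rule in rules:
        if not rule_matches(rule, iface, ssid):
            continue
        if rule["Action"] != "EvaluateConnection":
            return rule["Action"]
        for params in rule.get("ActionParameters", []):
            domains = [d.lower() for d in params["Domains"]]
            if any(fnmatchcase(host.lower(), d) for d in domains):
                if params["DomainAction"] == "NeverConnect":
                    return "NoVPN"
                # ConnectIfNeeded: the tunnel comes up only when the probe fails.
                return "NoVPN" if probe_ok else "ConnectVPN"
        return "NoVPN"  # host is not in any Domains list
    return "NoVPN"      # no rule matched

if __name__ == "__main__":
    for case in [("WiFi", "MyWifi", True), ("WiFi", "CoffeeShop", False),
                 ("Cellular", None, False), ("Cellular", None, True)]:
        print(case, "->", decide(RULES, case[0], case[1], "ha.mydomainname.com", case[2]))
```

The last case is the one to watch: if the probe URL answers with 200 from outside the tunnel, `ConnectIfNeeded` never brings the VPN up, so the probe should only be reachable through the VPN.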

Cool, but be aware the VPN likes to drink the battery :wink:

Yeah that’s why I set it up as VPN On Demand. I also set the idle timeout to 60 seconds, so hopefully when it does connect it only stays that way for a minute at most.

But what about sending location updates? Does that not need to connect to HA? For the incoming notifications I understand it goes via Apple’s infrastructure.

If everything works nicely then a location update should cause the VPN to activate. I’m seeing similar behavior already when using actionable notifications which also requires a callback request. It takes a few seconds longer than normal so that the VPN can connect first.

Following your post, I decided to give it a try and the potential is there.

I was also wondering if it would be possible to disconnect the VPN connection when not needed anymore, which I suppose was your goal with this idle timeout.

Edit: I found it here (https://github.com/nerd-one/VPN-OnDemand/blob/master/VPN%20OnDemand.mobileconfig), just not sure if it applies also to IPSec, I need to test, as I don’t seem to find it described in configuration (https://developer.apple.com/library/content/featuredarticles/iPhoneConfigurationProfileRef/Introduction/Introduction.html).

Btw, congrats on the great iOS app for Home Assistant.

Thanks in advance.