Is anyone using the iOS app with OpenVPN into your home network?

I have ZERO desire to open a port on my router for the web GUI to be exposed to the whole world.

However, I already have OpenVPN set up and regularly VPN into my home network. So I created a user and set up the OpenVPN app, and I can connect and all that from the iPhone.

So my concern is that the iOS app will only be able to connect to my HA when the VPN on my iPhone is enabled. Will this affect my location tracking?

I suppose I could leave my VPN connected all the time, but that seems like it would kill my data usage when not on Wi-Fi.

If you do not expose HA to the internet and can only access via VPN, then it will affect your ability to use the app as designed. The app must be able to “phone home” with the location data and if VPN connection is required to do so, it must be enabled when the app tries to make the request.

I don’t see how simply having the VPN enabled at all times would increase your data usage, but I’ve never used VPN on my phone.

I have everything behind my VPN but am running into issues because iOS shuts off the VPN to save battery or whatever. I have recently set up my own Certificate Authority[0] (so I can sign my own SSL certs and load my public root CA key into my boxes so those certs can be trusted) and went through the process of configuring nginx to only respond with my app if the client submits a key that has been signed by my CA [1]. The result is nginx responding with hass only if the client supplies the correct certificate[2].

I have been very happy with this setup so far.

[0] https://jamielinux.com/docs/openssl-certificate-authority/
[1] http://blog.nategood.com/client-side-certificate-authentication-in-ngi
[2] https://home.xekm.com PLEASE READ THE UPDATE BELOW


Maybe this https://github.com/simonguest/simonguest.com/blob/master/contents/articles/on-demand-vpn-using-openvpn-for-ios/index.md helps you. Unfortunately, the author Simon Guest closed his original homepage and this is all I found. It is the original article.

I was able to implement the OpenVPN server part and the profile on my iOS devices. Every time I open the Home Assistant app on my iOS device and my iOS device is not in the home network, it connects via OpenVPN to my home network.


What are the pros/cons of this approach vs using nginx or traefik with certbot/letsencrypt?
If using a letsencrypt certificate can you still use the client side cert checks?

What are the pros/cons of this approach vs using nginx or traefik with certbot/letsencrypt?

This is only the server-side cert generation, and none for the client; the security depends on having the root certificate so that each client cert can be checked against the root cert.

If using a letsencrypt certificate can you still use the client side cert checks?

Yes, but that is just for the server-side checks. You will still need to become your own CA and issue client certs signed by that.

Doesn’t your CA need to be internet accessible?

I’m not really sure I understand your question

You are creating a new cert authority. Doesn’t the client box (outside your network) need to be able to validate certs against your new CA?

I am using VPN all the time to access home assistant. I just configured my VPN connection to be used on demand whenever iOS tries to connect to my HASS instance in my local network. I need to do some testing tomorrow with the app but for the web frontend it works just fine.


I don’t see any option for on-demand in the OpenVPN app or in the iPhone settings. Lame.

I used this guide (it’s in German and written with an AVM FRITZ!Box in mind) to do it. It was pretty straightforward. Basically you have to build a profile for the VPN and add some code to provide that on-demand feature, along with rules for when to use the VPN connection. In my case it is everything ending with .fritz.box or .local. So whenever I navigate to hass.local or use the new iOS app, my iPhone initiates the VPN connection and everything works as expected.
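The profile described in the post above is an Apple configuration profile whose VPN payload carries OnDemandRules. As an added example (not from the post or from the linked guide), the following Python builds such a profile with the standard-library `plistlib` and simulates how iOS picks the first matching rule. The SSID `HomeWiFi`, the server name `vpn.example.com`, the payload identifiers and the OpenVPN Connect `VPNSubType` string are placeholders; the rule key names follow Apple's Configuration Profile Reference, but the `decide()` evaluator is a deliberately simplified model for illustration, not Apple's logic.

```python
"""Build an iOS VPN On Demand profile and simulate its rule matching.

Added example for the thread, not code from the original post.
OnDemandRules key names follow Apple's Configuration Profile Reference;
SSID, domains, server address and identifiers are placeholders.
"""
import plistlib
import uuid

HOME_SSID = "HomeWiFi"                 # assumption: your home network SSID
HOME_DOMAINS = ["fritz.box", "local"]  # from the post: *.fritz.box and *.local
VPN_SERVER = "vpn.example.com"         # placeholder public VPN endpoint


def on_demand_rules():
    """Rules iOS evaluates top to bottom; the first matching rule wins."""
    return [
        # At home on the house Wi-Fi: never bring the tunnel up.
        {"Action": "Disconnect",
         "InterfaceTypeMatch": "WiFi",
         "SSIDMatch": [HOME_SSID]},
        # Anywhere else: connect only when a home domain is resolved, so
        # generic browsing (google.com etc.) stays off the tunnel.
        {"Action": "EvaluateConnection",
         "ActionParameters": [
             {"Domains": HOME_DOMAINS, "DomainAction": "ConnectIfNeeded"},
         ]},
    ]


def build_profile():
    """Return the profile as a dict ready for plistlib."""
    vpn_payload = {
        "PayloadType": "com.apple.vpn.managed",
        "PayloadVersion": 1,
        "PayloadIdentifier": "com.example.vpn.hass",
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": "Home VPN (on demand)",
        "UserDefinedName": "Home VPN",
        "VPNType": "VPN",
        # assumption: plugin id used by the OpenVPN Connect app
        "VPNSubType": "net.openvpn.OpenVPN-Connect.vpnplugin",
        "VPN": {
            "RemoteAddress": VPN_SERVER,
            "AuthenticationMethod": "Certificate",
            "OnDemandEnabled": 1,
            "OnDemandRules": on_demand_rules(),
        },
    }
    return {
        "PayloadType": "Configuration",
        "PayloadVersion": 1,
        "PayloadIdentifier": "com.example.profile.homevpn",
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": "Home Assistant VPN on demand",
        "PayloadContent": [vpn_payload],
    }


def to_mobileconfig(profile):
    """Serialize to the XML plist bytes you would save as *.mobileconfig."""
    return plistlib.dumps(profile)


def roundtrip(profile):
    """Serialize and parse back, proving the structure survives as a plist."""
    return plistlib.loads(to_mobileconfig(profile))


def _domain_matches(host, domains):
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in domains)


def decide(rules, ssid=None, interface="WiFi", host=None):
    """Simplified first-match evaluation: 'connect' or 'no_vpn'."""
    for rule in rules:
        if "InterfaceTypeMatch" in rule and rule["InterfaceTypeMatch"] != interface:
            continue
        if "SSIDMatch" in rule and ssid not in rule["SSIDMatch"]:
            continue
        action = rule["Action"]
        if action == "Connect":
            return "connect"
        if action in ("Disconnect", "Ignore"):
            return "no_vpn"
        if action == "EvaluateConnection":
            for params in rule["ActionParameters"]:
                if (host and params["DomainAction"] == "ConnectIfNeeded"
                        and _domain_matches(host, params["Domains"])):
                    return "connect"
            return "no_vpn"
    return "no_vpn"


if __name__ == "__main__":
    rules = roundtrip(build_profile())["PayloadContent"][0]["VPN"]["OnDemandRules"]
    print(decide(rules, ssid="CafeWiFi", host="hass.local"))   # connect
    print(decide(rules, ssid="HomeWiFi", host="hass.local"))   # no_vpn
```

Install the generated file via Apple Configurator or by opening it on the device; the rule order matters, which is why the home-SSID Disconnect rule sits first and the domain rule is a catch-all after it.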

Ah gotcha - yeah, if they don’t have my root CA then they will see the site as insecure. But the sites I plan on exposing (hass for instance) are too personal for me to trust the common root CA, so I rolled my own (with the added benefit of client-auth!). Even if someone finds my site and accepts the security warning, they won’t have the keys needed to auth against nginx.


Do you use OpenVPN for this? I’m using OpenVPN and I need to manually switch it on/off. Will be looking into your link.

No. I’m using the VPN my FRITZ!Box is providing. But I assume this is achievable with OpenVPN as well.

I thought about implementing just the same, but as I’m not an expert in certificate matters I went with the VPN solution. I’d love to hear more on that client-authentication solution.

I wanted to briefly update this and say that due to (what I believe to be) a bug in iOS/macOS, Safari does not send the certificate along for WebSocket connections. Both Safari on macOS and iOS fail trying to initiate a wss:// connection to hass. Up until Sunday, all my testing was in Chrome on macOS, which worked.

I have submitted this issue to Apple (and they have since reached out to me for more info) so I hope they will fix this (though I am not sure they will)

I’ve used Apple Configurator and this guide to autoconnect my VPN. So when I open up the iOS HA app, the VPN automatically connects. Pretty nice.


Great. It makes me feel safer using it rather than exposing HA to the evil internet. :wink:

Yep, I don’t like to open any ports. What I can’t find out is how to have several VPNs on demand. As of now, this needs to be chosen in the VPN list to be activated.

Next step is to have multiple VPNs on demand, with automatic changes.

Edit: Doesn’t seem to be possible, so here’s what I did. I have two servers with two different public IPs. Both have an OpenVPN server. One server has HA and the other has Plex etc.
I connected the HA server through VPN to the Plex server. In the settings for both, I’m only routing the local IPs for both systems through the VPN.

The VPN is on all the time on my phone, and since the servers are now connected, the following happens:

  • Generic internet browsing, e.g. google.com -> no route through VPN
  • checking HA -> route through VPN
  • checking Plex -> route through VPN
  • ssh to HA config.yaml -> route through VPN

This is handled by the settings automatically.
