Is anyone using the iOS app with OpenVPN into your home network?

And the most important question is: are you using iPhone? I don’t think self-signed certificates will work there :confused:

I have been using the OpenVPN client on my iPhone (my router supports OpenVPN) and, until the most recent release of the homeassistant iPhone app, it has worked flawlessly. I access my Axis IP cameras too via VPN.

I am off to find out what has changed in the phone app such that it will no longer connect when I am connected using OpenVPN.

VPNs add encryption to all traffic, making all files a tad bit larger (depending on encryption type this can be huge). The problem with using a VPN is that you cannot use the iOS app to do device tracking. (I’m not sure about push notifications, as I have read this is still possible, but seems unlikely to me).
VPNs can theoretically drain your device’s battery pretty fast (depending how it is set up, but if you set it to route all traffic through the VPN server then you can bet on an empty phone very fast). I only use VPN on my phone if I absolutely need to.

@stone if you want device tracking without exposing HA to the internet you could look at owntracks or geofency. They work pretty good. I personally prefer having my lovelace setup available at all times from any device in the world without having to configure VPNs on those devices first. But that is probably just me.

This isn’t quite correct. With an on-demand VPN on iOS, it will connect when something tries to connect to a certain URL. In my case, I have given my HA instance a DNS entry that is internal to my home network so that when the HA app tries to connect to it, the VPN spins up and can send the location update. The VPN then terminates after a timeout period. I’ve been using this type of setup for a few months now. I haven’t noticed any battery drain on my phone.

I’ve documented the on-demand setup I use on my blog. The only real difference from that entry is that I have 1 entry on OnDemandRules and that is:

	<dict>
		<key>Action</key>
		<string>EvaluateConnection</string>
		<key>ActionParameters</key>
		<array>
			<dict>
				<key>DomainAction</key>
				<string>ConnectIfNeeded</string>
				<key>Domains</key>
				<array>
					<string>homeassistant-internal.example.com</string>
				</array>
				<key>RequiredURLStringProbe</key>
				<string>https://pihole-internal.example.com/admin/</string>
			</dict>
		</array>
	</dict>

This entry sees if it can connect to my internal pi-hole instance (any internal URL that will return a 2xx if it can successfully connect; pages that require authentication will fail and my pi-hole instance has no authentication) and if it can’t connect, the VPN is started. I have a 5 minute idle timer so it disconnects when not needed.

As for push notifications, they come from Apple and not from HA directly. They work fine with or without the VPN.

Ah yeah, I thought I had read that somewhere about the notifications. I didn’t know you could do that with VPN (certainly not on iOS). Good to know though. Might try it out one day.

In my case, when I use my OpenVPN setup it will stay connected until I manually disconnect it. And because I use my VPN mainly to circumvent port blocks etc., I route all traffic through the tunnel. Probably not the best way to do it, but hey, it works. It takes a massive hit on my battery, though. My question is, do you really not notice a drain in battery? Because I have used the iCloud component in HA before and I never noticed how much it actually drained my battery until I stopped using it, giving me back over 6 hours of battery life which the iCloud component drained on me every day. As I started using the component the same day I got my phone, I never noticed it until it was gone.

Thanks for the tip though, still want to try this as this sounds like a great solution.

Edit: having read a bit on your blog it says it is useful for known wifi networks. What if I am always using 4G except when I am at home? I hate wifi as it is terrible in 90% of the places.

Battery drain, of course, is going to vary with so many factors. I don’t have a great test to show that battery life is impacted. I charge my phone every day and always when in the car (I use CarPlay all the time and it is wired). I guess you could give it a try and maybe set a low idle disconnect on the VPN to see what happens. I don’t know how often the HA iOS app works, but I’d love to be able to control it such that it only updates the location based on region monitoring.

In my current VPN setup, I use an SSID match for disconnect and the URL test to connect. Here’s the full block. I only use WiFi at home, as well.

	<key>OnDemandRules</key>
	<array>
		<dict>
			<key>Action</key>
			<string>Disconnect</string>
			<key>SSIDMatch</key>
			<array>
				<string>My Home Network</string>
			</array>
		</dict>
		<dict>
			<key>Action</key>
			<string>EvaluateConnection</string>
			<key>ActionParameters</key>
			<array>
				<dict>
					<key>DomainAction</key>
					<string>ConnectIfNeeded</string>
					<key>Domains</key>
					<array>
						<string>homeassistant-internal.example.com</string>
						<string>grafana-internal.example.com</string>
					</array>
					<key>RequiredURLStringProbe</key>
					<string>https://pihole-internal.example.com/admin/</string>
				</dict>
			</array>
		</dict>
		<dict>
			<key>Action</key>
			<string>Ignore</string>
		</dict>
	</array>

Feel free to ask more questions; I’m still experimenting with presence detection so I’ve been actively looking at this. I wouldn’t even think of exposing HA to the world even with DuckDNS/SSL/etc.
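The rule order in the block above, walked through as an added example that is not part of the original post or of any Apple or Home Assistant code: a simplified first-match model of the OnDemandRules array showing when the tunnel is disconnected, started or left alone. The `decide` helper, its result labels and the "Hotel WiFi" SSID are assumptions made for illustration; only `SSIDMatch`, exact domain names and the URL probe are modelled.

```python
import plistlib

# Constructed copy of the OnDemandRules array posted above, wrapped in a plist
# root element so plistlib can parse it stand-alone.
RULES_XML = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><array>
<dict><key>Action</key><string>Disconnect</string>
  <key>SSIDMatch</key><array><string>My Home Network</string></array></dict>
<dict><key>Action</key><string>EvaluateConnection</string>
  <key>ActionParameters</key><array><dict>
    <key>DomainAction</key><string>ConnectIfNeeded</string>
    <key>Domains</key><array>
      <string>homeassistant-internal.example.com</string>
      <string>grafana-internal.example.com</string></array>
    <key>RequiredURLStringProbe</key>
    <string>https://pihole-internal.example.com/admin/</string>
  </dict></array></dict>
<dict><key>Action</key><string>Ignore</string></dict>
</array></plist>"""

def decide(rules, ssid, host, probe_ok):
    """Simplified model (hypothetical helper): the first rule whose SSIDMatch
    criterion is absent or satisfied decides what happens to the tunnel."""
    for rule in rules:
        # SSIDMatch compares the network name only; ssid=None means cellular.
        if "SSIDMatch" in rule and ssid not in rule["SSIDMatch"]:
            continue
        if rule["Action"] != "EvaluateConnection":
            return rule["Action"]
        for params in rule.get("ActionParameters", []):
            # Exact, case-insensitive host match (wildcards are not modelled).
            if host.lower() not in [d.lower() for d in params.get("Domains", [])]:
                continue
            if params.get("DomainAction") != "ConnectIfNeeded":
                return "NeverConnect"
            if "RequiredURLStringProbe" in params:
                # The probe result alone decides whether the tunnel is needed.
                return "NoChange" if probe_ok else "Connect"
            return "ConnectIfDNSFails"  # DNS-based trigger, not modelled here
        return "NoChange"  # host is not one of the listed domains
    return "NoChange"  # no rule matched

RULES = plistlib.loads(RULES_XML)

if __name__ == "__main__":
    ha = "homeassistant-internal.example.com"
    for ssid, ok in [("My Home Network", True), (None, False), ("Hotel WiFi", False)]:
        print(ssid, ok, "->", decide(RULES, ssid, ha, ok))
```

Because the `Disconnect` rule comes first, the probe is never consulted on the home SSID; moving the trailing `Ignore` rule above `EvaluateConnection` would stop the tunnel from ever starting on demand.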

Hi sgruby,

I use VPN on Demand too. Is the presence detection working for you?

That’s a good question. I’ve been playing with presence detection as I want a notification to pop up when I arrive home giving me options. If I drive home and only use the app for presence (with a 50 m radius in my home zone), it works great. If I walk the dog (about a .5 mile loop), I never get notified.

So, I think for the purposes of VPN on demand, yes it is working. For my use case, it isn’t completely working as the app (as indicated in the Event Log) never shows me as exiting and entering my home zone when I walk the dog. I’m experimenting with adding the UniFi presence detection to see if it detects me coming home from a walk. So far, I get alerted that I’m home right after I left (by car) as the app tells HA that I exited the region, but I guess UniFi says I’m still here right after I leave.

Hmm…could be that your “Dog-Walk-Zone” has such a small radius that it’s not recognized as a zone change.
The thing with UniFi/Wifi Presence detection is that the iPhone drops out of WiFi in deep standby.

But at least you got a presence detection. For me it’s not working and I really don’t know why :confused:

The dog walk zone was in the home zone, so I started looking at the UniFi presence detection. I’m also experimenting with Bluetooth LE beacons (I have a few of those floating around). Nothing is quite there, yet, but isn’t all of home automation about experimentation? :grinning:

It absolutely is :smiley: The WAF is sometimes a little bit annoyed but hey…at least she doesn’t have to hit buttons on the wall anymore :slight_smile:

Ha! My wife has lately told me that she likes what I’ve done especially the voice control of lights. I have no intention of asking her to install the app for presence detection as it isn’t a big deal for her.

BTW, I think I may be getting closer with presence detection using Node-RED and checking the timeSinceChangedMs field to basically scrub bad data (from the UniFi scanner). We shall see how it goes.

Quick question: can I use IP addresses for the above instead of actual domain names? For example:

192.168.0.240
and
http://192.168.0.240:8123/

I don’t see why you couldn’t use IP addresses. As long as you have a valid URL, it should be fine.

Trust me if your wife takes her phone with her every time she goes out, she will love it. Maybe not the app itself, but creating automations that automatically turn off all the lights/devices when no one is home and/or automatically turning some back on when one of you arrives home. Trust me she will love it, my wife even asked me to make more stuff and buy more sensors so stuff gets done automatically. (But then again my wife uses the app frequently, as I tried to make it wife friendly).

But really, the automations done by device tracking are probably the best feature of all. We never turn off any light/device when leaving the house as this will all be done automatically. (Granted my wife has her phone on her almost 24/7 and she wouldn’t leave the house without it).

I need to get things working perfectly before I’d even ask her to install the app! So far my presence detection when we come home from walking the dog isn’t quite working, so she’s not impressed. She is impressed with having the lights be on when I drive up, though.

How do you get your connection to terminate when done sending?
I just can’t get it to work, it keeps reconnecting when the screen turns on if the connection has ever been established.

You can change your idle timeout, but that is for no network traffic, not just VPN traffic. I don’t mind the connection staying up as it can’t really hurt (except speed-wise) to run all my traffic through my VPN.

So I can’t really get it to drop the connection as long as something is using the network?

My plan was to only send HA traffic through the VPN to save battery life.

Anyone have a solution to my problem?

Which is, my phone connects on demand to my VPN when a certain domain is being reached. It then drops the connection when the screen has been locked for some amount of time. So far so good. The problem occurs when the phone is woken up again: it then reconnects to the VPN even though the triggering domain is not being reached.

Any way to stop it from reconnecting?