Is external access necessary?

Hi all, I’m JECaine. I’m brand new to HA. I have an HA VM running on Proxmox and so far it’s internal only. Sorry if this question has been asked a million other times, but I’m wondering if I need to have my HA server exposed to the public Internet in order to run certain automations.

I want to create a few location based automations but even though I have associated my family’s phones with their user profiles, and verified the location services, sensors etc are on, my location based automations are not working. So I’m wondering if HA needs external access in order to stay connected to my devices while off the network.

I checked the history logs of my services and it’s seeing significant location changes, and I can look at GPS info for my wife’s iPhone, but for my Pixel, it’s seeing me leave the house but says my location hasn’t changed. I’ve also checked the conditions of my automations where at least 1 person needs to be home when we’re both home and it says the conditions haven’t been met. So I’m wondering what I am doing wrong.

Any advice would be appreciated.
Thanks
JECaine.

Is it necessary to expose your installation? No. Is it necessary to read external data? If the service requires it.

If you can get the location data internally and have HA read that, you haven’t exposed the HA service to the outside world, but you have exposed some service.

Also, if you’re trying to do 1 person or the other being at home, use a group. If 1 person is home the group is home. It’s much easier than trying to logic it all out through boolean conditions and if statements.

HTH

Thank you. I’m unsure what exactly I have exposed to outside since I’m getting conflicting information.

Also where do I create groups? I’m assuming you’re referring to groups similar to ADDS security groups, but where do I find that?

So far I have only looked on the companion app.

Thanks

There are ways to do location based automations without exposing your instance to the internet, but you’ll have a [kind of] difficult road to do it. There are device trackers that you can use that leverage your router and things like that along with 3rd party services like Google maps and such.

The much easier way is to use a nabu casa subscription (which also helps fund development of HA). Then you just use the companion app and it will track your device(s) as long as they have an internet connection. Nabu casa is also very secure.

You can create groups in Settings > Devices and Services > Helpers. However, a person group still needs to be defined in YAML in your configuration.yaml file.

Groups are internally set https://www.home-assistant.io/integrations/group/.

I still have the old groups because, well, I’ve been running HA for so long now and it just works.

I don’t use/understand companion apps or the different setups because I’ve always run bare metal until a few weeks ago and I moved to docker. So I may not be the best to answer all your questions.

Don’t know what you’re running, but look into OwnTracks. It’s an app that reports back to something HA can read. I use MQTT just because. This reads defined locations and runs automations based on those. When people return home automations fire as well.

1 Like
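As an added example (not from any poster in this thread), here is what the "use a group" advice above looks like in configuration.yaml, together with an automation that uses the group's state as the "at least 1 person home" condition the original question describes. The person entity ids are assumed placeholders.

```yaml
# Added example, not from the thread. A group of person entities reports
# "home" as soon as any member is home and "not_home" only when all are away,
# so one state check replaces a chain of per-person OR conditions.
# person.jecaine and person.spouse are assumed placeholder entity ids.
group:
  family:
    name: Family
    entities:
      - person.jecaine
      - person.spouse

automation:
  # Fires once, when the group flips from nobody home to somebody home,
  # not once per person who arrives.
  - alias: "Someone arrived home"
    trigger:
      - platform: state
        entity_id: group.family
        from: "not_home"
        to: "home"
    action:
      - service: notify.notify
        data:
          message: "At least one family member is home"

  # Uses the group as a condition: runs at sunset only if someone is home.
  - alias: "Sunset lights only when occupied"
    trigger:
      - platform: sun
        event: sunset
    condition:
      - condition: state
        entity_id: group.family
        state: "home"
    action:
      - service: light.turn_on
        target:
          entity_id: light.living_room   # assumed placeholder
```

The group only reflects what the person entities already report, so if a phone's location never updates (as with the Pixel in the original question) the group will not help; check the person entity's state and the device tracker feeding it first.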

Somehow, some way, if you are trying to interface with things not on your own internal network you will need to give your HA instance access to the outside world through your router’s firewall.

There are more or less secure and more or less easy ways of doing it.

The easiest way is to use Nabu Casa as suggested above. You don’t need to open router ports since HA will establish and maintain the encrypted connection to NC for you. But it’s not fully secure since NC opens ports on their end. There was a big security announcement about it a few months back.

The most secure is something like a VPN that requires a client certificate to gain access to the VPN. But you need to manually open ports on your router for it to talk. Not a big deal typically since even if the port is open without the client certificate the VPN should block access.

I think… I’m not a security expert.

1 Like

I’ve seen people go the VPN route and while it is more secure, it also requires running the VPN connection for the entire time you are away from your home network (if you want regularly updated GPS pings at least). This can lead to weird configs like split tunnels and other oddities that are a pain to deal with.

Lately I have been steering people away from pure VPN connections and pushing them towards zero-trust/zero-config networking (Tailscale, etc). Not just for HA but for secure access to their home network in general. Personally, I use Teleport through my UDM-Pro. Literally 1 click of a button and all my mobile traffic routes through my home network for as long as I want it to (which is pretty much anytime I am mobile).

1 Like

I’ve never heard of Teleport.

I run a Unifi USG. Do you know if that supports Teleport or not? Do you have a link that explains it.

I don’t know if I would use it for HA but I would use it for other uses if it’s more secure than my VPN.

I don’t think it’ll work with USG.

It’s not “more secure” per se. Just MUCH easier to set up and maintain. It uses WireGuard under the covers, but it’s built on zero-trust networking.

1 Like