Mobile APP + access remotely + VPN?

Hello,

my goal is to:

  • not use HA Cloud
  • secure the communication, maybe installing VPN on HA Green (maybe Tailscale?)

But what is important for me is to receive notification if something happens. For example if there is a water leak, etc.

I understand that if I use VPN, each time I want to use the app, I need my phone to be connected to the VPN… and that’s probably not the way to go. It won’t be forever connected to the VPN.

How can I receive notification if something happens at home whilst being “secure” in the internet? What kind of configuration (free of charge) do you suggest?

If you go the VPN route, a dedicated IP simplifies things for your phone connection.

Use SSL secured access to your HA instance. This will work with the native app and you can have notifications on the app as well. Traefik could be a good candidate to handle this, for example: home-assistant-addons/traefik/DOCS.md at 39a0e4d189e7fe1fc6396df50125c6a56bcdbc41 · alex3305/home-assistant-addons · GitHub
This requires port forwarding for port 443 on your modem/router to the device running Traefik. You can configure a (D)DNS to point to your modem. Some modems support DDNS services themselves. It is recommended to configure a firewall (UFW) to start with that blocks all incoming traffic to your Traefik device except 443.

Don’t you want to avoid port forwarding at all costs?

IMO Tailscale or Cloudflare with a zero trust tunnel is a better option.

@koying may offer some solid advice.


GitHub - hassio-addons/addon-nginx-proxy-manager: Nginx Proxy Manager - Home Assistant Community Add-ons is also a good alternative.

VPN… I doubt I want it. From my knowledge a VPN is something I have to configure on all my devices and each time I want to use the app or browser I need to connect to the VPN.

I want some solution that will allow my phones’ native HA apps to connect and receive notifications normally, without the need to connect to VPN.

Port forwarding is not a problem for me; I can configure it. Of course I would prefer to change the port numbers. To hide 443 externally and have for example 666 => 443.

I personally have a dedicated VPN that I use at times, but that is not my 1st preference.

My system is set up with its own domain through Cloudflare and a zero trust tunnel with WAF rules. Tailscale would be my suggestion for what you want, but it’s your choice.

Why port forward if you don’t have to?


HA offers 500 remote notifications per day for free. (Local notifications are unlimited and are also tied to you specifying the Wi-Fi name that HA passes to the OS, which then manages when you should have the local push service running, so won’t really work through VPN.)

I use Tailscale for remote access and also have a HomePod mini that could be a backup in case of a Tailscale outage or something.


So if I use Tailscale should I change/add some VPN settings on my mobile devices in order for the app to work?

Or is it enough to configure the network settings in http://homeassistant.local:8123/config/network ?

I use Tailscale as a pure host-to-host VPN, not a typical “everything goes through it” VPN.
That means that only the traffic I expressly want to go through the VPN does so, e.g. the HA traffic. All the rest follows the normal route. Indeed, the VPN is open at all times, but it doesn’t seem to drain the battery of my phone.

To do so, in the companion app, just put http://<tailscale address of HA>:8123. No DuckDNS/Let’s Encrypt certificate/port forwarding or whatever.