New User Remote Access Security Questions

I recently switched over to HA from Smartthings (so glad I did!) and have everything working extremely well. But I keep wondering if my system is really secure from someone trying to hack into it remotely.

I currently have HassOS 4.15 installed on a Pi 4 and am using the DuckDNS add-on with Let's Encrypt. Port 8123 is forwarded in my router to 8123 internally. I also have 2-factor authentication enabled. Both my internal and external URLs are http, not https (http://xxxxxxxxx.duckdns.org:8123).

My limited understanding is that anyone in the world could point a browser at my network, either by using my ISP’s IP or the DuckDNS IP, along with the 8123 port, and be presented with the HA logon screen. But with the 2-factor authentication they would be unlikely to be able to log in. My understanding of the Let’s Encrypt feature is that it would just encrypt the traffic between my iPhone’s HA app and HA itself, which protects against the unlikely event that anyone tries to sniff the packets to get my password when I’m accessing the system remotely.

So my questions are: Is this secure enough, or is there something else I should be doing? Is there some other way someone could hack the open/forwarded port to gain access? I did try enabling HTTPS, but ran into an issue where I could no longer access the system using the app on iPhone, so I reverted it back to http. My understanding of https is that, just like Let's Encrypt, it's simply encrypting the traffic when I access it remotely, but does nothing to prevent an attack on the port?

Thanks in advance!

If you are not encrypting the tunnel, I would not access anything remotely. I have a VPN on my router, so my phone can connect to my internal network fully encrypted and there are no extra open ports. I would suggest checking out the WireGuard add-on.

No. You need to use https.

If you are using http you don't actually have Let's Encrypt set up correctly, and your password can easily be sniffed.

I use a non-standard port with a reverse proxy (Caddy) and also only an AAAA record for the server, as well as 2FA and https.

What does Let’s Encrypt encrypt? I thought it was supposed to encrypt the traffic, although I don’t see how it can if I’m using http protocol.

I did once enable OpenVPN on my router, so I could try using that. OpenVPN would encrypt from the iPhone to the router, whereas WireGuard would encrypt from the iPhone through the router to the HA web page itself?

Even with no other source of encryption, isn't my 4G data encrypted? I never use public wifi, so it seems to me that any encryption is nice to have, but the chances of someone stealing my credentials are close to zero, and less than that if I use 2-factor authentication.

I'm thinking the open/forwarded port is the greater risk, but I don't know how much of a risk. Aren't you exposing a port with any sort of remote access, including a VPN? Not trying to be argumentative here, just trying to assess the actual risk and how far to go to lessen it.
Thanks.

OK, that's what I thought.

In the DuckDNS add-on configuration, have you set accept terms to true?

Yes, but as tom_l mentioned, without using https: I'm not sure it's doing anything. I can get to my HA instance using the http: DuckDNS URL and don't see any errors in the logs:

    lets_encrypt:
      accept_terms: true
      certfile: fullchain.pem
      keyfile: privkey.pem
    token: axxxxx1-8xfx-4xxx-88xx-axxxx1a8xxxxc
    domains:

Have you added the certificates to the http section of your configuration.yaml file?

I must have missed that part! It says to add an http entry to configuration.yaml. Will that allow a secure connection using a certificate without actually using an https: URL? I'm going to add that now and test it out.
Thanks!

No, nothing will allow a secure connection over http. A secure connection IS https.

But yes, confusingly, it goes under the http: section in your configuration.yaml file.
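For readers following the thread, here is what that http: section looks like once it points at the Let's Encrypt files the DuckDNS add-on writes into /ssl. This is an added example, not the poster's configuration or the Home Assistant documentation's text; the option names (ssl_certificate, ssl_key, ip_ban_enabled, login_attempts_threshold, external_url, internal_url) are the http and homeassistant integration options as I know them, the DuckDNS hostname placeholder is the one from the original post, and the threshold value is my choice.

```yaml
# configuration.yaml (added example, not from the thread)
# Assumes the DuckDNS add-on has already written fullchain.pem and privkey.pem
# into /ssl, as the earlier post states.

# Weak setting: the http integration with no certificate keys. Core listens on
# plain http on 8123, so the forwarded port serves the login page and any
# password or 2FA code in cleartext once the traffic leaves the carrier's gateway.
#
# http:
#   server_port: 8123

# Corrected setting: the same listener, now terminating TLS with the Let's
# Encrypt certificate. Core serves https on 8123; the plain-http URL stops working.
http:
  server_port: 8123
  ssl_certificate: /ssl/fullchain.pem
  ssl_key: /ssl/privkey.pem
  # Rate-limit password guessing on the exposed port: after this many failed
  # logins from one source address, that address is banned (recorded in ip_bans.yaml).
  # The threshold value is an assumption; pick what suits you.
  ip_ban_enabled: true
  login_attempts_threshold: 5

# Tell Core (and the companion app) its own addresses. Both are https now, so the
# app no longer needs a separate plain-http internal URL. The hostname placeholder
# is the one from the original post, not a real domain.
homeassistant:
  external_url: https://xxxxxxxxx.duckdns.org:8123
  internal_url: https://xxxxxxxxx.duckdns.org:8123
```

After a restart, check the configuration by loading the https DuckDNS URL in a browser and confirming the certificate shown is issued for that hostname; the local-IP certificate warning described later in the thread is expected, because the certificate names the DuckDNS domain, not 192.168.0.115.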

Only over the air, and possibly on the backbone to your provider’s gateway to the internet. As soon as it hits that gateway it is unencrypted again, unless you are using https.

I added the certs entry to configuration.yaml and restarted, and now I'm back to where I was when I had tried to enable https before. I can no longer connect using HTTP: locally with Chrome on Windows, and when I use HTTPS I get an error: "Your connection is not private NET::ERR_CERT_COMMON_NAME_INVALID - This server could not prove that it is 192.168.0.115; its security certificate is from xxxxxxx.duckdns.org."

If I proceed I can connect, but the URL bar says the connection is not secure.

On the iPhone HA app I can also connect remotely using the DuckDNS https: URL, but can no longer connect locally using https: - I get an error stating that the cert for this server is invalid - you might be connecting to a server that is pretending to be xxx-xx-xxxx. If I select the option to "use anyway" it shows the same error and fails to connect.

I do have the fullchain.pem and privkey.pem files in the /ssl folder. Am I supposed to install a certificate in my browsers to get this to work?

That is expected. The certificates are for the duckdns domain, not the local IP address. You know this is the correct address. You can trust the local connection exception.

Just use the https DuckDNS address in the app. Your router should recognise this as being internal to the network and redirect you there without going outside your network when you are home.

The alternative to both is to set up a reverse proxy so you can use http locally and https on public networks. I don’t bother.

Maybe, if it allows hairpin NAT; in my case I have to allow it specifically for my domain.

That works! I will use the DuckDNS URL for both the app and locally from now on.

I wasn’t intending this to be a DuckDNS troubleshooting question, but thank you for helping with that.

I think that the security aspects are the hardest for folks like me that don't have a background in it. So now I'll be using https with my HA app on the phone, and I'll be encrypted even if I forget to launch an OpenVPN session first. I suppose it's better to stop any unauthorized requests at the router with OpenVPN rather than at HassOS using WireGuard. If I use the VPN I'll actually be triple-encrypted (https, VPN and 4G encryption)!!! I did a port check on both my HA 8123 port and the port used by OpenVPN, and only the 8123 port showed as open, so the router must be able to not respond on the VPN port unless it's the OpenVPN client making the request.

Encryption, certificates, VPNs, reverse proxies, AAAA records! And I thought I had a learning curve with just HA!

This can also be done with the Nginx reverse proxy add-on if you want everything running on HA :+1:
Then you can access with https outside of the network and with http on the LAN.
But then you might have to add "home wifi" in the app with internal and external URLs.
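To make the reverse-proxy variant concrete, here is the shape of the two configurations involved: the add-on options and the matching http: section in configuration.yaml. This is an added example and not the poster's setup or the add-on's own documentation; the add-on option names are as I recall them from the NGINX Home Assistant SSL proxy add-on and should be checked against its configuration tab, the 172.30.33.0/24 range is my assumption for the Supervisor's internal add-on network, and the hostname and LAN address placeholders are the ones that appear in the thread.

```yaml
# Part 1: options of the NGINX Home Assistant SSL proxy add-on
# (added example; option names from memory, verify in the add-on's configuration tab).
# The proxy terminates TLS on 443 with the DuckDNS add-on's certificate files,
# then forwards plain http to Core on the internal network.
domain: xxxxxxxxx.duckdns.org
certfile: fullchain.pem
keyfile: privkey.pem
# Tells browsers to refuse plain http for this hostname for a year.
hsts: max-age=31536000; includeSubDomains
cloudflare: false
---
# Part 2: configuration.yaml
# Core keeps a plain-http listener, but it must no longer be port-forwarded:
# the router forwards external 443 to the add-on instead, and 8123 stays LAN-only.
http:
  server_port: 8123
  # Trust the proxy's X-Forwarded-For header so ip_ban and the logs see the
  # real client address rather than the proxy's address.
  use_x_forwarded_for: true
  trusted_proxies:
    - 172.30.33.0/24   # assumption: Supervisor add-on network; adjust to yours
  ip_ban_enabled: true
  login_attempts_threshold: 5

# The app is told both addresses, which is the "home wifi" split mentioned above:
# https through the proxy from outside, plain http directly to Core on the LAN.
homeassistant:
  external_url: https://xxxxxxxxx.duckdns.org
  internal_url: http://192.168.0.115:8123
```

The check that matters after switching: a port scan from outside should now show 443 open (the proxy) and 8123 closed, and a request to http://xxxxxxxxx.duckdns.org should either be refused or redirected to https rather than answered with the login page.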