Hi there. I wanted to seek advice on remote access. I know there are many posts, and I have read them all. However, for all the options there seems to be a plethora of discord including dire security warnings. Most solutions or addons are constrained to some abstract or constrained to HA specific walled garden type implementation.
I basically have one use case currently. I want my mobile device (companion app) to report location for geofencing automation (namely arming my Bosch Alarm - I have the HA Integration installed and working).
Other companion app features are a nice-to-have. Currently when I leave my house I lose connection and the geofence is not properly triggered. I am aware of the below options…
Casa/Remote paid - Overkill for me, and I’d rather build something myself.
Direct port forward - Rather not expose my WAN IP.
Coming in through Cloudflared tunnel - This is the most viable since I already have one set up.
Addons like NGINX, DuckDNS, Letsencrypt - These seem specific to HA and I don’t really need the features these provide as I have it covered elsewhere on my network. I must say doco for these hasn’t been great. Just some basic yaml config with no real explanation how they dovetail into a remote setup. I don’t think I need yet another NGINX proxy. Let’s Encrypt add-on seems broken. Cloudflare API doesn’t validate and there’s no HTTP pathway to my HAOS for HTTP validation - at least not permanently.
SD Networking like ZeroTier as a VPN, or a VPN like WireGuard - This would be good but the client apps don’t turn on automatically very well when you’re away from home or you have to set up a VPN server, plus they use phone battery and are not easy to transparently set up on other family members’ phones.
Connecting directly to the Bosch Cloud API
My real main question here is… How do I best/safely get the companion app working remotely on my existing home web-server setup (see background below)? I can figure out the Cloudflared/firewall/HTTPS side I just need to know where to configure HAOS.
Do I just point at the HAOS IP port 8123? Setting up SSL with a custom IP has been challenging for me in HA as everything is abstracted away. Seems silly having another local NGINX proxy - is it not safe to use the existing HAOS webserver and force TLS? How do you do that?
Background
I host a couple of other websites through a Cloudflare tunnel and dedicated Proxmox Container running a dedicated reverse NGINX proxy on the same CT, and the websites are on separate virtual machines/containers… much like my HAOS.
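On the HAOS side of the setup asked about above, the setting that matters when an existing reverse proxy forwards to port 8123 is Home Assistant's `http:` block in `configuration.yaml`. The fragment below is an added example, not part of the thread; `10.0.0.5` is a placeholder for the NGINX container's LAN address and the login threshold is an assumed value.

```yaml
# configuration.yaml (Home Assistant): added example, not from the thread.
# Assumption: TLS is terminated at Cloudflare / the existing NGINX proxy,
# and that proxy forwards plain HTTP to HAOS over the LAN.
http:
  server_port: 8123             # default port; the proxy's upstream points here
  use_x_forwarded_for: true     # read the real client address from X-Forwarded-For
  trusted_proxies:
    - 10.0.0.5                  # placeholder: the NGINX container only
    # Weak alternative to avoid: listing a whole subnet (or 0.0.0.0/0) lets any
    # host in that range set X-Forwarded-For and pose as an arbitrary client.
  ip_ban_enabled: true          # ban addresses after repeated failed logins
  login_attempts_threshold: 5   # assumed value; bans apply to the forwarded client IP
```

Home Assistant rejects requests carrying `X-Forwarded-For` from a host that is not listed in `trusted_proxies`, and the proxy must pass WebSocket upgrade headers for the frontend and companion app to work.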
I have a few HAOS sites and none of them are exposed to the internet.
I have the edge router or firewall provide WireGuard or OpenVPN VPN. I have HA companion app on my laptop and my mobile phones. I just pick which site to connect to, then fire up the app like I was on site.
This works for me as some of the sites are only up temporarily, have intermittent internet connection, or the internet connection has to be set up manually.
Setup works occasionally, however, I am finding HA a bit unreliable deciding when I’m “Away”. I drove away and nothing happened for 10 minutes. Then I unlocked my phone and opened the HA Companion app and it said I was home. After interacting with it quite a bit it finally changed to Away. It had been over 15 minutes.
I have the companion app with full battery, do not optimise, GPS high accuracy, background data.
Can the companion app expose what SSID I’m connected to? I feel like whether I’m on home wifi or not for some threshold would be a better indicator of whether I’m home or away.
Another option you didn’t list for remote access is Tailscale. IMO for something like this where you don’t need/want to tunnel all the traffic over the VPN it’s a really good solution.
Cloudflare tunnels are (IMO) a great option if you’re already using it. My own setup includes CF tunnels, which like yours connect to a reverse proxy (Traefik) that then handles the connections.
Sure, but some blueprints and integrations expect a device_tracker, rather than a simple sensor. For instance you can link a person only to device_trackers.
I link my person to that “fake” device tracker to determine home/away, then I can use the state of zone.home to see how many people are home.
As far as I know, this very much depends on how you set up your user account. Go to Settings --> People --> [select the user using the phone] in question.
On the bottom you will see “Select the devices that belong to this person”. This is where “Away” comes from. Using those things is how HA figures out if you are Home or Away. I use multiple items, e.g., the cell phone, BT watch, wifi connection on the network by the cell phone (device tracker). It works well enough for my needs, about 60 to 180 seconds.
Hi,
After a 2-year period using DDNS and nginx, I switched to the Tor addon.
It’s amazingly easy to set up, very reliable (never had a disconnection on the Tor network, while on DDNS I did more than sometimes, probably also because of the not-so-easy setup procedures) and it’s absolutely private. If you want you can also install SSL certificates on your Orbot VPN (the app you have to install on your Android phone to be able to connect to the Tor network) and prevent anyone from even seeing your instance on the network.
As I mentioned, I use Android, I don’t know about the iOS alternative or if there’s one, however I’m very happy with that. The only con I can think of is that using Orbot VPN with a constant connection drains some battery. In my case I don’t use a persistent connection, so not a problem for me, but it could be an issue in many cases.
Interesting! Is there any tutorial for setting up Tor and remote access?
I have been using HA for quite some time, and didn’t know that it is possible to use this method to access HA from the outside without redirecting ports, apart from HA Cloud.
I forgot to mention that another pro of this addon is that you don’t need a NAT loopback capable router, which is required for DDNS and nginx to work, which IMO is the reason why so many people, including me until Tor, are still experiencing connection issues as of today.
For home and away automations I placed a smart switch inside the house near the entrance door and made its state ON trigger a “Home” automation and its state off trigger an “Away” one. When I enter or leave, I just push the button. That’s the most safe, easy and reliable way I found.