Remote access - best method?

I want to connect the mobile app to my Home Assistant. What’s the best method?
I tried the DuckDNS and Let’s Encrypt method, but that is not an option because it has proven to be HIGHLY unreliable. The only way I can control my Home Assistant from my phone is when it is connected to my Wi-Fi. But when I’m out and about, I CAN NOT connect, which makes the whole thing rather pointless. So what method would you recommend?
BTW, compatibility with Google Home, Alexa or Siri is NOT required.

I’d recommend a Cloudflare account with a ZeroTrust tunnel connected via Cloudflared. I set up my own domain via Cloudflare and it’s only 10 dollars a year.

Others may have a different opinion, but after trying Nabu and Duck I landed with this method.

2 Likes

Why not consider subscribing to Nabu Casa for secure remote access? Not only do you solve the problem but you also support the development of Home Assistant.

5 Likes

I second Wheeler’s suggestion. However, what are you looking for by “the best”? Reliability, ease of setup, security?

DuckDNS + Let’s Encrypt is rock solid. There must be some configuration problem with your setup.

Another alternative is a VPN tunnel through Cloudflare or Nabu. The only downside is that they will be decrypting your traffic, if you care about that. There’s also Tailscale VPN.

1 Like

Another vote here for Cloudflare tunnel. Free, rock solid and relatively simple to run.

It also solves problems like your ISP having CGNAT where you wouldn’t normally be able to accept incoming connections.

1 Like

If Nabu Casa is not an option for whatever reason, I vote for Tailscale.

Basically zero setup:

  • Register account for free
  • Install addon
  • Install VPN app on phone
  • Done

Most importantly, you and only you (or the ones you select) can access your HA instance from internet.

Cloudflare is only enforcing security between them and your instance, it doesn’t prevent:

  • Anyone in the world who knows the URL from reaching your HA instance and
  • Abusing any known or unknown vulnerability of your HA instance

So it just provides a sensation of additional security :wink:

2 Likes

DuckDNS has had some issues with being blocked.
It is really not DuckDNS’s fault, but the malware filters at some ISPs have detected suspect traffic from that domain and then block the entire domain.
There have been a few threads about it on this forum with some mobile ISPs.

1 Like

You don’t need to use DuckDNS, you can use any of the supported DNS servers. And then if your provider is not on the list, you can use it, but you need to resolve the authentication challenge somehow.

Not sure if you use HTTPS (or need it), if not you could just use your IP address :thinking:, then you don’t need anything except opening a port on your router :wink:

And by the way, a strong advantage of using a VPN tunnel (like Tailscale) is that you don’t have to open (forward) ports on your router.

My router has built-in VPN functionality… so another option :+1:t4:

Unfortunately, port forwarding bypasses VPN security in a lot of instances and UPnP poses even more security risks.

There are ways to set up a VPN and secure port forwarding, but I think we are also discussing the ease of the setup as well as security.

The number of blocked bot hits I get from Russia, Ukraine, China and Singapore is significant and is why I promoted the Cloudflare method.

1 Like

Point is that you don’t need port forwarding at all with a VPN.

I don’t disagree, I was just making a point. I’ve seen folks set up router-based VPNs and enable port forwarding as well. VPNs are only as good as the settings that are enabled.

I think we both agree enabling port forwarding is not a good suggested option for this topic.

1 Like

YMMV but for me, security (and reliability!) is way more important than ease of setup.

Just to be clear.
A Cloudflare tunnel is just port forwarding too.
It is just a moved point of intersection, so it is not at the router, but at the Cloudflare server.

VPN connections can also be made with the point of intersection on the router, by running the service locally, or the point of intersection can be moved to the Tailscale server on the internet.

Cloudflare does not, AFAIK, provide any extra authentication security layers, it is just a tunnel.
VPNs provide an extra authentication layer that is important to get defense in depth.

It should be! Network security is probably the most misunderstood aspect of HA. With an open forum, I was suggesting that other folks who read this should understand that point.

What’s the most secure setup with a difficulty rating for the setup?

Agreed, but we could argue these points all day. Cloudflare has WAF, bot management, etc.

@koying’s suggestion of Tailscale is a great option as well.

Heck, you can set a WAF rule that only allows your IP addresses to have access. With a dedicated IP VPN I wouldn’t see an issue.

1 Like

In the professional world, definitely, but in this case, you don’t have a clue what the IP address of the 4G/5G phone connection is / will be…

Agreed, if you’re not using a dedicated VPN on your phone as well.

I never actually had a need for it, but Tailscale actually implements ACLs that allow you to tell which machine has access to what, very much like a firewall.
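
The Tailscale ACLs mentioned in the last post, as an added example that is not part of the original thread: a tailnet policy file that lets one group of users reach only the Home Assistant web port. The group name, e-mail address and tag are hypothetical, and port 8123 (Home Assistant's default web port) is an assumption about the install.

```json
{
  // Hypothetical group: the people allowed to reach Home Assistant.
  "groups": {
    "group:household": ["alice@example.com"]
  },

  // Hypothetical tag applied to the machine running the Tailscale add-on.
  "tagOwners": {
    "tag:homeassistant": ["autogroup:admin"]
  },

  // Access is deny-by-default: only what is listed here is allowed.
  "acls": [
    {
      "action": "accept",
      "src": ["group:household"],
      "dst": ["tag:homeassistant:8123"]
    }
  ],

  // Policy tests run when the policy is saved; a failing test rejects the change.
  "tests": [
    {
      "src": "alice@example.com",
      "accept": ["tag:homeassistant:8123"],
      "deny": ["tag:homeassistant:22"]
    }
  ]
}
```

The policy file format accepts comments. With this rule in place, other devices and other ports on the Home Assistant machine stay unreachable over the tailnet unless another rule allows them.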