Sometimes you want remote access to Home Assistant. Maybe it’s just so you can have a mobile app update your location, or so you can use some integration that requires it, or you want full access to the user interface.
Whatever the reason, you've got three main choices:
- Use the (paid) Nabu Casa cloud service. This doesn't require any port forwarding, and will work even if your ISP is using CGNAT or allocating out of the private IPv4 space, both of which are normal if you're using mobile internet services.
- Use your own domain with a Cloudflare tunnel. There are many good guides for that, including some on this forum.
- Configure your chosen DNS service, SSL provider, and port forwarding. This can be free (depending on your choices of DNS and SSL providers), and if done correctly is largely a “set and forget”. This is what we’ll cover here.
Before you begin
Log on to your router’s admin pages and check the WAN IP. You don’t want to see a value that begins with:
- 100.64.x.y through to 100.127.x.y (CGNAT)
- 10.x.y.z (private IP space)
- 172.16.x.y through to 172.31.x.y (private IP space)
- 192.168.x.y (private IP space)
If you see any of these then you need to check to see if you have another router or modem and if so check the WAN IP there. If that has a “good” IP address then you’re ok, but you’ll need to forward any required ports from that to your router.
If you have mobile internet (LTE/5G/etc) then it’s almost certain that you’ll have one of the IP ranges above allocated by your ISP.
If you don’t have another router or modem, and you don’t have mobile Internet, then you’ll need to contact your ISP and see what the options are, if any.
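The WAN IP check above can be scripted. This is an added example, not part of the original guide: the function names are hypothetical and 203.0.113.10 is a constructed sample address. It tests only the ranges listed above and walks a chain of routers, innermost first.

```python
import ipaddress

# Ranges the guide says you do not want to see as a WAN IP.
BAD_RANGES = {
    "CGNAT": [ipaddress.ip_network("100.64.0.0/10")],
    "private IP space": [
        ipaddress.ip_network("10.0.0.0/8"),
        ipaddress.ip_network("172.16.0.0/12"),
        ipaddress.ip_network("192.168.0.0/16"),
    ],
}


def classify_wan_ip(text):
    """Return 'CGNAT', 'private IP space' or 'good' for an IPv4 WAN address."""
    addr = ipaddress.IPv4Address(text.strip())  # raises ValueError on bad input
    for label, networks in BAD_RANGES.items():
        if any(addr in net for net in networks):
            return label
    return "good"  # only means: not in one of the ranges listed above


def assess_chain(wan_ips):
    """wan_ips: WAN address of each router or modem, innermost (yours) first.

    Returns (ok, message). Forwarding can only work when the outermost
    device has a good address, and every device in the chain must forward.
    """
    if not wan_ips:
        raise ValueError("need at least one WAN address")
    outer = classify_wan_ip(wan_ips[-1])
    if outer != "good":
        return False, f"outermost WAN IP is {outer}: contact your ISP"
    if len(wan_ips) == 1:
        return True, "single router with a good WAN IP"
    return True, f"forward the port through all {len(wan_ips)} devices"


if __name__ == "__main__":
    # Constructed sample: home router sits behind an ISP modem.
    print(assess_chain(["192.168.1.2", "203.0.113.10"]))
    print(assess_chain(["100.72.3.4"]))
```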
SSL
You have a range of choices here from the free LetsEncrypt to paid certificates. Unless you already have paid certificates I’d suggest there’s little reason to use those.
Commercial provider
Download the certificates and manually copy them to your HA system.
LetsEncrypt
Using LetsEncrypt will either require that you forward port 80 to the host running the LetsEncrypt software (HTTP-01) or that you're using a DNS provider that supports the DNS-01 method.
Home Assistant OS or Supervised
The DuckDNS add-on (see below about DNS) can handle this for you, as can the LetsEncrypt add-on if you’re using another DNS provider.
Configure these according to their own instructions.
Home Assistant Container
You have many choices here, but one option is the linuxserver/letsencrypt Docker image. As well as allowing you to get and update SSL certificates, it also includes a reverse proxy (see below) that you can use.
Home Assistant Core
You can use certbot, dehydrated, or other tools. Dehydrated has the advantage that it supports the DNS-01 verification method, which certbot doesn't.
All SSL types
If you're not using a reverse proxy (see below) you now need to configure http to have these certificates loaded. The following examples assume that you're using LetsEncrypt in some way. Update them to match the folders and file names you're using.
Home Assistant OS or Supervised:
    http:
      ssl_certificate: /ssl/fullchain.pem
      ssl_key: /ssl/privkey.pem
Home Assistant Container:
You'll need to mount the location with your SSL keys and certificates to /ssl/ in the container.
    http:
      ssl_certificate: /ssl/fullchain.pem
      ssl_key: /ssl/privkey.pem
Home Assistant Core:
    http:
      ssl_certificate: /etc/letsencrypt/live/hass.example.com/fullchain.pem
      ssl_key: /etc/letsencrypt/live/hass.example.com/privkey.pem
After you check your configuration from the command line and then restart Home Assistant you'll need to use https:// to access your system, even from your local network.
Now is a good time to check that you can access it using https:// - knowing it works will help you later if you run into issues.
DNS
If you don’t have a static (fixed) IP from your ISP you’ll need some form of Dynamic DNS provider. DuckDNS is a popular choice, but there are many out there. If you have your own domain many providers support dynamic DNS updates.
If you do have a static IP then any DNS provider will do.
One thing to consider is whether your DNS provider can be used with the LetsEncrypt DNS-01 verification method. If it can, then you don't need to set up port forwarding for LetsEncrypt.
Home Assistant OS and Supervised
There’s a DuckDNS add-on that can update your DNS records, and handle LetsEncrypt certificates.
Home Assistant Container
The linuxserver/duckdns Docker image will update your DuckDNS records for you. There’s also the DuckDNS integration.
If you’re using another DNS provider look at inadyn or whatever your DNS provider recommends.
Home Assistant Core
You can either use the DuckDNS integration or whatever software your DNS provider recommends. There are many choices here, including inadyn and DNS-O-Matic.
Reverse Proxy (optional)
There are many reasons you may want to use a reverse proxy. Common reasons are that you don’t want to use SSL inside your network, or that you want to limit remote access to only webhooks. If you want more than remote access to the API and webhooks you’ll need to ensure the proxy is configured with websocket support.
You will also have to configure the http integration for reverse proxies.
Home Assistant OS and Supervised
There’s an NGINX add-on.
Home Assistant Container
The linuxserver/letsencrypt Docker image includes NGINX so nothing more is required if you’re using it. Otherwise you can use the official NGINX image.
Personally I'm a fan of Traefik, not least because it supports websockets and SSL without any effort.
Home Assistant Core
Install NGINX, or your other choice of reverse proxy, on your operating system and configure appropriately.
Port forwarding
Congratulations on getting this far without throwing your computer out of the window!
The next step is to forward a port. Port 443 is the default for HTTPS and if you use this then you’ll be able to use a URL without a port number. Of course, every scanner on the Internet will find your system, so you should consider enabling MFA on all the (user and administrator) accounts in HA.
If you’ve never done port forwarding before there’s a site that covers most popular routers. Follow the guide for your router there, and forward your chosen port to either your proxy (if you’re using one) or Home Assistant.
No proxy
- Forward your chosen port (default 443) to port 8123 on your Home Assistant IP
- If you're using LetsEncrypt and the default (HTTP-01) verification method, forward port 80 too
Proxy
- Forward your chosen port (default 443) to port 443 on your proxy server
- If you're using LetsEncrypt and the default (HTTP-01) verification method, forward port 80 too
Testing
You can check the port is forwarded with an open port checker and an SSL tester to confirm that everything is working.
Common problems include:
- Your ISP blocking inbound port 443
- Routers not wanting to forward the port used for their admin interface
- Routers not supporting NAT loopback - so the hostname only works from outside your network
- Using multiple routers and not forwarding through them all correctly
Final configuration
Now we need to set external_url and internal_url to match what will work. If you're not using a proxy these will be the same thing. If you've forwarded port 443 then they'll look like:
https://yourhost.example.org
If you forwarded another port - here for example we're using the port 12345 - they'll look like:
https://yourhost.example.org:12345
If you're using a proxy server then your internal URL for Home Assistant on 192.168.0.42 will look like:
http://192.168.0.42:8123
Keep in mind that if you're having Home Assistant handle SSL then all your URLs have to be https:// - and that https://192.168.0.42:8123 won't work since the SSL certificate is for yourhost.example.org. That means that your internal and external URLs will be identical.
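The rule in the last paragraph can be checked before you restart. This is an added example, not part of the original guide: the function names are hypothetical, the name matching is a simplified form of what a TLS client does, and it assumes Home Assistant handles SSL itself (no proxy) with a certificate that lists only DNS names.

```python
import ipaddress
from urllib.parse import urlsplit


def name_matches(cert_name, host):
    """Exact match, or a '*.' wildcard that covers exactly one label."""
    cert_name, host = cert_name.lower(), host.lower()
    if cert_name.startswith("*."):
        return "." in host and host.split(".", 1)[1] == cert_name[2:]
    return cert_name == host


def is_ip_literal(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def check_urls(internal_url, external_url, cert_names):
    """Return a list of problems; an empty list means the URLs are consistent."""
    problems = []
    for label, url in (("internal_url", internal_url),
                       ("external_url", external_url)):
        parts = urlsplit(url)
        host = parts.hostname or ""
        if parts.scheme != "https":
            problems.append(f"{label}: must start with https://")
        if is_ip_literal(host):
            # A DNS-name certificate never validates for an IP address.
            problems.append(f"{label}: {host} is an IP address, not a certificate name")
        elif not any(name_matches(n, host) for n in cert_names):
            problems.append(f"{label}: {host} is not covered by the certificate")
    if internal_url != external_url:
        problems.append("internal_url and external_url should be identical")
    return problems


if __name__ == "__main__":
    names = ["yourhost.example.org"]  # names on the certificate
    print(check_urls("https://192.168.0.42:8123",
                     "https://yourhost.example.org", names))
```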