Reverse tunnel for Home Assistant (no public IP, firewall/router config required)

It would be interesting to see your project, don’t just abandon it if it doesn’t look right from the start 🙂 I have abandoned too many projects but some like https://github.com/keel-hq/keel and webhookrelay brought me a lot of fun. Although from your supported addon repo it seems that you have already plenty of responsibilities.

While I agree that webhookrelay as it is now is not the perfect fit for HA and from the feedback I think I need to:

  • Add TLS pass-through so you can use HTTPS on your HA and get there directly through the TCP connection so the service even if it wanted couldn’t intercept the traffic. (I only have postgres database so probably it would die if I wanted it to do it)
  • Whitelist destinations on the client side, as in this use-case destinations are static and wouldn’t change much.

Thank you for this feedback and appreciate the trolls as well.

As for your project, I am really interested in solutions for this remote access that don’t require cloud services or anything installed on the HA side. I think the ideal solution that people might want, and that would be cheap to host, may be somehow tunnelling the HTTP protocol over WebRTC and using a public service just for signalling and the initial connection establishment?

  • Webhook requests: 150
    Each time I open the public subdomain is a webhook request?

It always needs something running on a server, doesn’t it?

Hi, no. That’s for webhook forwarding (https://webhookrelay.com/blog/2017/12/26/receiving-stripe-webhooks-localhost/). Webhook forwarding is one-way traffic where the producer doesn’t get any response from the destination. It’s a simple and secure way to pass webhooks into your internal network, although it cannot be used to expose web servers due to the lack of responses.

Tunnel related features are:

  • number of tunnels
  • custom subdomains
  • HTTPS

Currently I am full-time contracting for another company and helping integrate tunnels in their core product. I am, however, planning to introduce an HTTPS pass-through feature so all the traffic would be encrypted from the service as well.

What are the limitations of the free version?

I wouldn’t recommend using it without HTTPS, it’s only meant to demo your websites or do some prototyping as all the traffic over HTTP in theory can be intercepted if you are logging in from internet cafes.

No other important limitations are there (except getting a random subdomain instead of choosing your own).

There are free open source alternatives such as https://github.com/fatedier/frp where you run it on a public service and connect to it from your home 🙂

It looks like your solution…

I can’t understand why exposing a port on my home server needs to be less secure than someone exposing it on a public server…

It’s not less secure if done correctly. It’s built for the cases where you need to expose something ad-hoc or receive webhooks/expose services that are in an internal network and can’t be easily exposed through a load balancer.

If you have a static IP, domain and a reverse proxy such as nginx then definitely go for it 🙂 Here’s another great tool: https://github.com/bitly/oauth2_proxy

Thanks for sharing,

How is this any different than ngrok?
Thanks

The tunnelling part is similar, but I guess the main difference is the one-way webhook forwarding where your service doesn’t get exposed to the internet while still being able to receive webhooks.

Probably another difference is the API driven configuration where you could script your node-red to only create a tunnel when you leave the house and tear it down once you are at home 🙂

Seems overcomplicated and a security risk,
Spend 10 bucks on a noip domain and set it and forget it.

I want to access my hassio from my workplace, which only allows me to browse standard ports, and
I can’t run my hassio on port 80, because it seems my ISP blocks that port.
Is this webhookrelay my solution?

Yes, if you encounter any problems setting it up, please let me know 🙂

Also, now it’s a lot easier to do this by using this add-on: https://github.com/webhookrelay/home-assistant

Detailed instructions on using it can be found here: https://webhookrelay.com/blog/2018/10/12/hassio-tls-tunnels-duckdns/

Remote access add-on version 2.1.0

Hi guys, just wanted to share an update. Current remote access add-on is 2.1.0. Most of the work went into making TLS tunnels as smooth as possible. Fixed issues:

  • After changing tunnel hostname in the config.json, it wouldn’t delete & recreate the tunnel. This now has been fixed and the add-on does the cleanup automatically.
  • There was an issue with TLS termination for Configurator and Node-RED add-ons. Connections were hanging after the initial loading of the static files. This has been fixed now.

About add-on

Architecture is quite simple: add-on uses DNS challenge together with DuckDNS to retrieve a certificate for your domain and then performs TLS termination on any incoming traffic from the tunnel. This way traffic is fully encrypted between your browser and the add-on.

Add-on also allows you to have your own certificates and your own domain (if you don’t want to use *.webrelay.io or *.duckdns.org).

There’s even a video now on setting it up:

https://www.youtube.com/watch?v=WSVX-LRP1ZI

Future work

I plan to add Cloudflare support for DNS control and TLS certificate retrieval, this way you will be able to use any domain without much effort.

Add-on Webhookrelay is complaining that I can not use subdomain. DuckDNS has subdomains only. So what’s the point of free service?

I’ve been working on a similar service for Home Assistant the past few weeks

Hey, buddy I know it’s been a while, I just wanted to pop in and ask about this? Did you succeed? I am currently trying to get a bit of external access but I have a little NAT issue.

Thanks in advance for any help.

Hello. I have set this up as per instructions on first post. It looks like it is getting the requests, as the website actually loads, but to a blank page. Also I get these entries in the add-on’s log:

2021-11-27 20:29:53.830	ERROR	GET http://127.0.0.1:8123 request failed: Get http://127.0.0.1:8123: EOF
2021-11-27 20:29:54.387	ERROR	GET http://127.0.0.1:8123/favicon.ico request failed: Get http://127.0.0.1:8123/favicon.ico: EOF

And from the terminal add-on within home assistant I get:

~ curl http://127.0.0.1:8123
curl: (52) Empty reply from server

So I’m not sure what’s next.

You might need a configuration entry in your home assistant yaml:

http:
  # ...
  # Your other settings
  # ...
  use_x_forwarded_for: true
  trusted_proxies:
    - 0.0.0.0/0     
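
What the `trusted_proxies` entry in the post above changes, as an added example that is not part of the original thread and is not Home Assistant's code: a simplified model of `X-Forwarded-For` resolution, run over constructed requests with the `0.0.0.0/0` setting beside a narrow one. The function name, the sample addresses and the assumption that the tunnel agent connects from `127.0.0.1` are illustrative.

```python
import ipaddress


def effective_client_ip(peer_ip, xff_header, trusted_proxies):
    """Return the address a server would treat as the client.

    Simplified model (not Home Assistant's code): X-Forwarded-For is
    honoured only when the TCP peer is a trusted proxy, and the list is
    walked right to left until the first hop that is not a trusted proxy.
    """
    nets = [ipaddress.ip_network(n) for n in trusted_proxies]

    def trusted(ip):
        return any(ip in net for net in nets)

    peer = ipaddress.ip_address(peer_ip)
    if not xff_header or not trusted(peer):
        return str(peer)  # header ignored: peer is not a trusted proxy

    hops = [ipaddress.ip_address(h.strip()) for h in xff_header.split(",")]
    for hop in reversed(hops):
        if not trusted(hop):
            return str(hop)
    # Every hop counted as a proxy: fall back to the left-most entry,
    # which is whatever the original sender chose to write.
    return str(hops[0])


# Constructed sample requests: (description, TCP peer, X-Forwarded-For)
SAMPLES = [
    ("via tunnel agent", "127.0.0.1", "203.0.113.7"),
    ("via agent, client prepended a value", "127.0.0.1", "10.0.0.1, 203.0.113.7"),
    ("direct LAN client with forged header", "192.168.1.50", "10.0.0.1"),
]

WIDE = ["0.0.0.0/0"]        # setting from the post
NARROW = ["127.0.0.1/32"]   # assumption: the agent connects from loopback


def compare():
    """Map each sample to (result with WIDE, result with NARROW)."""
    return {
        desc: (effective_client_ip(peer, xff, WIDE),
               effective_client_ip(peer, xff, NARROW))
        for desc, peer, xff in SAMPLES
    }


if __name__ == "__main__":
    for desc, (wide, narrow) in compare().items():
        print(f"{desc:40} wide={wide:15} narrow={narrow}")
```

If the agent runs in its own container rather than on the host network, the narrow entry would be that container's address instead of loopback.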

Now curl response is no longer empty, thank you.
However visiting via public endpoint is still giving me a blank page and I get this in the log:

2021-11-28 06:59:01.817	INFO	webhook request relayed	{"destination": "http://127.0.0.1:8123", "method": "GET", "bucket": "ha", "status": "200 OK", "retries": 0}
2021-11-28T06:59:01.918Z	ERROR	failed to send webhook request status	{"error": "rpc error: code = InvalidArgument desc = bucket metadata missing, update your client", "destination": "http://127.0.0.1:8123", "method": "GET", "status": 200}
2021-11-28 06:59:02.005	INFO	webhook request relayed	{"destination": "http://127.0.0.1:8123/favicon.ico", "method": "GET", "bucket": "ha", "status": "404 Not Found", "retries": 0}
2021-11-28T06:59:02.091Z	ERROR	failed to send webhook request status	{"error": "rpc error: code = InvalidArgument desc = bucket metadata missing, update your client", "destination": "http://127.0.0.1:8123/favicon.ico", "method": "GET", "status": 404}