Of course it depends on what you want to do. If you want to access multiple hosts with just one login, it makes sense using a VPN. It’s just that I’m rather paranoid, and when possible I prefer to limit the accessible content of my network as far as I can. Which in case of a reverse proxy generally is HTTP(s), and only the targets I specify.
OpenVPN can of course be configured to be very restrictive, only pushing the routes to certain hosts. And using certificates for authentication is a great bonus. But the average user will probably not limit the accessible resources. Maybe even keep the .ovpn file on the desktop. Now all it would take to get that would be to make you leave your laptop without locking it. I don’t have kids, but I imagine that if they would be in danger the last thing I would think of is locking my device. Criminals know that and may leverage that. A few seconds with a prepared USB stick and they may have enough critical data.
Not sayin’ all that is likely. But I have to think about such scenarios in my job. Hence the paranoia.
I understand what you mean. The reason for me to have vpn is to be able to access my pi, computer and mediaserver. The rest are not important thus it doesn’t make sense to restrict the access.
And even if the .ovpn-file is stolen or used from my computer, then they need a password to enter.
But I get your point, vpn is as secure as the user let’s it to be.
Personally, I think if it’s just HA you’re accessing opening up the port is fine. Using SSL to encrypt the traffic so nobody can snoop the password, and using a decent password covers sufficient bases for me.
I wrote the guide because it seemed like most users were getting stuck trying to set up things like NGINX and just wanted an uncomplicated solution that’s ‘fairly secure’. I think adding anything else on top for an ‘average’ user is just more things to go wrong and then struggle to find a solution for when it does.
Security always depends on your threat level, and I think that saying having open ports on your network is a massive security risk is a bit tin-foil-hat tbh. If you need a VPN because you want to contact various devices on your network by various protocols then obviously that’s the solution for your threat level. If you’re just using HA then an open port for HA and an open port for SSL certificate renewals is unlikely to cause you any security concerns imo.
(edit to clarify)…
An open port isn’t the vulnerability, it’s what an attacker can do to exploit whatever is answering on that port. Generally these things get patched pretty quickly, and if somebody tries to hack me, finds a vulnerability in HA and switches my lights off, hopefully they’ll be the kind of people who report the exploit so it can be patched
Thanks much for all the feedback on this thread! Much to think about!
Just to clarify - has anybody found ways of protecting their public IP?
I know that TOR does, but then you have to connect to the TOR network prior to accessing your HA instance.
VPNs can protect your public IP address, but that takes a (paid) VPN service that forwards your traffic, right? Anybody have one of those to recommend?
I suppose my long term goal is thinking about next Christmas and how I’ll host a publically accessible HA instance without compromising my home network or public IP address.
I did a little writeup here. Using CloudFlare and authenticated origin pulls will protect your home address from being disclosed. Best Way to Protect from Hackers?
Hi Ben, I have used tasker for a long time. This led me to your videos with tasker and home assistant which has gotten me on the home assistant train!
Not sure if this is any help but I have pivpn set up on a spare raspberry pi. This uses openvpn which is free and gives me access my home network and home assistant.
I’m using my routers built-in VPN (AVM Fritz!Box) which works fine. Together with a iOS profile which automatically opens the VPN connection it even works with the iOS app without exposing anything else to the open wild.
I use OpenVPN on my router, but have used standalone packages such as Zentyal and OpenVPN server as downloaded from their website. If you can configure Home Assistant and have survived YAML, the text file for OpenVPN is easy. I have this thing about paying for cloud based 3rd party VPN’s that still control half your authentication scheme. When you self-host, you manage and control all of it.
One option I would highly recommend would be to use VLANs on your home network, utilizing a firewall to route/block traffic between the networks. This way, you can have your HASS instance in one VLAN, your devices in another one or two VLANs, and your non-HA stuff in another. Should your HASS instance be compromised, it would have no access to your non-HASS items.
VLAN 110 = HASS instance (192.168.110.x/24)
VLAN 120 = HA items needing internet access (192.168.120.x/24)
VLAN 130 = HA items not needing internet access (192.168.130.x/24)
VLAN 140 = Non-HA items needing internet access (192.168.140.x/24)
Firewall rules:
Outside to VLAN 110: Only port 443 to HASS IP
VLAN 110 to VLAN 120: Only the required ports from HASS IP to specific device IP (for each device)
VLAN 110 to VLAN 130: Only the required ports from HASS IP to specific device IP (for each device)
VLAN 140 to VLAN 110: Only port 443 to HASS IP (no reverse rule, as firewalls will automatically allow reverse traffic)
You can then choose whatever methods you want to secure things externally.
As for the Christmas tree, I’d do the same thing, but put the tree lights and HASS instance in a separate VLAN from all other items. Consider using HTTPS with a password on your Christmas tree HASS instance as well, which will prevent most script-kiddie-hackers and IP scanning bots from targeting your setup.
Seems that the best answer here lies in a combination of several answers. Segregating your networks, physically and logically, will go a long ways towards providing some peace of mind on the local front. There are excellent comments above from security experts as well as excellent advice here and here.
As to your specific question raised above - how do you mask your public IP address?? I use a combo of Cloudflare (the free version) with DNS-O-MATIC. It works as long as you have the HTTP proxy (CDN) active for the relevant A records.
In my case, if you ping, dig, tracert or search my URL on whatsmydns, you see the public IP for the cloudflare account. There is no visibility of my “real” public IP. I would be curious as to others experience with Cloudflare and if there are tools that allow you to snoop the real IP from that service.
Of course, these are only two services, there are others and possibly better options. YMMV.
My setup involves OpenResty (NGINX + Lua) along with an OAuth2 proxy. This allows me to setup roles in which different users have access to different services. I honestly don’t think I could easily replicate my setup, as I have changed soooo many things to get it working the way it does right now.
The only drawback I’ve faced with this is that iOS webapps and apps do not work with the Google OAuth implementation.
New vulnerabilities are announced daily and some exploits hang around for years before they’re made public and patched. The latest NSA leaks are proof of that. The safest (simple) setup right now is VPN.
Just remember that security is relative - I would not trust somebody telling me that “this solution” is 100% secure.
Risk assessment is key here.
Personal I would tend to use a VPN over running a web server. But if you have to run your own webserver like in the Christmas tree example, then I would spend an afternoon firing up something like Kali Linux, and see if the server was vulnerable to the most basic script kiddy attacks (just to ease my mind).
I like ssh, so I use ssh tunneling.
There are multiple iPhone/Android apps that support ssh tunneling, where you setup a ssh connection to your Home Assistant server and tunnel some local-port to the port on which HA is running. Then you connect with your browser to http://localhost:local-port.
Off course, this means that you need to open ssh to the world. I would recommend changing the port sshd on your HA server as an additional security trough obscurity measure.
Here is the actual ssh command
forward local port to HA’s port on your home server
I wonder in which case one would need the ‘safest’ configuration? I would think if you have door lock’s, camera’s and maybe presence detection?
As there is no such thing as true security, for me it’s about how difficult do you want to make it for the intruder?
First the intruder has to know you have Home Assistant in your home, secondly isn’t there an easier, old fashion, way to intrude/break in.
Isn’t a strong password and ssl encryption enough? I just started with Home Assistant about a month ago, so if I’m totally naïve in this I’d love to hear.
I do like the idea of 2 factor authentication mentioned above.