Safest Home Assistant Configuration Setup Possible?

I’m using my router’s built-in VPN (AVM Fritz!Box), which works fine. Together with an iOS profile that automatically opens the VPN connection, it even works with the iOS app without exposing anything else to the open wild.

That’s some setup!

I use OpenVPN on my router, but have used standalone packages such as Zentyal and OpenVPN server as downloaded from their website. If you can configure Home Assistant and have survived YAML, the text file for OpenVPN is easy. I have this thing about paying for cloud-based 3rd-party VPNs that still control half your authentication scheme. When you self-host, you manage and control all of it.

1 Like

That’s gotta be the next HA merchandise offered…

### “I SURVIVED YAML AND ALL I GOT WAS THIS LOUSY T-SHIRT.”

6 Likes

One option I would highly recommend would be to use VLANs on your home network, utilizing a firewall to route/block traffic between the networks. This way, you can have your HASS instance in one VLAN, your devices in another one or two VLANs, and your non-HA stuff in another. Should your HASS instance be compromised, it would have no access to your non-HASS items.

VLAN 110 = HASS instance (192.168.110.x/24)
VLAN 120 = HA items needing internet access (192.168.120.x/24)
VLAN 130 = HA items not needing internet access (192.168.130.x/24)
VLAN 140 = Non-HA items needing internet access (192.168.140.x/24)

Firewall rules:
Outside to VLAN 110: Only port 443 to HASS IP
VLAN 110 to VLAN 120: Only the required ports from HASS IP to specific device IP (for each device)
VLAN 110 to VLAN 130: Only the required ports from HASS IP to specific device IP (for each device)
VLAN 140 to VLAN 110: Only port 443 to HASS IP (no reverse rule, as firewalls will automatically allow reverse traffic)

You can then choose whatever methods you want to secure things externally.

As for the Christmas tree, I’d do the same thing, but put the tree lights and HASS instance in a separate VLAN from all other items. Consider using HTTPS with a password on your Christmas tree HASS instance as well, which will prevent most script-kiddie-hackers and IP scanning bots from targeting your setup.

6 Likes
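The VLAN plan and firewall rules in the post above, modelled as a small policy evaluator (an added example, not code from the thread). The HASS address, the two device addresses and their ports are assumptions; egress from VLANs 120 and 140 to the internet is not in the post’s rule list and is assumed from the VLAN names.

```python
import ipaddress

# Constructed model of the VLAN plan from the post (addresses are assumptions).
VLANS = {110: "192.168.110.0/24", 120: "192.168.120.0/24",
         130: "192.168.130.0/24", 140: "192.168.140.0/24"}
HASS_IP = "192.168.110.10"                                    # assumed HASS host
DEVICE_PORTS = {"192.168.120.21": {80}, "192.168.130.31": {1883}}  # assumed devices: ip -> required ports
EGRESS_VLANS = {120, 140}                                     # assumed: "needing internet access"

def vlan_of(ip):
    """Return the VLAN id an address belongs to, or 'outside' for anything else."""
    addr = ipaddress.ip_address(ip)
    for vid, net in VLANS.items():
        if addr in ipaddress.ip_network(net):
            return vid
    return "outside"

def allowed(src, dst, dport):
    """Decide whether a NEW flow src -> dst:dport matches one of the post's rules."""
    s, d = vlan_of(src), vlan_of(dst)
    if s == "outside" and d == 110:          # Outside -> VLAN 110: only 443 to HASS IP
        return dst == HASS_IP and dport == 443
    if s == 110 and d in (120, 130):         # VLAN 110 -> 120/130: only required ports, HASS -> device
        return src == HASS_IP and dport in DEVICE_PORTS.get(dst, set())
    if s == 140 and d == 110:                # VLAN 140 -> VLAN 110: only 443 to HASS IP
        return dst == HASS_IP and dport == 443
    if s in EGRESS_VLANS and d == "outside": # assumed egress for the "needing internet" VLANs
        return True
    return False                             # everything else (110 -> 140, 130 -> internet, ...) is dropped

class StatefulFirewall:
    """Minimal connection tracker: reply traffic is allowed only for flows that were admitted,
    which is why the post needs no explicit reverse rule for VLAN 110 -> VLAN 140."""
    def __init__(self):
        self.established = set()

    def packet(self, src, sport, dst, dport):
        if (dst, dport, src, sport) in self.established:   # reverse direction of an admitted flow
            return True
        if allowed(src, dst, dport):
            self.established.add((src, sport, dst, dport))
            return True
        return False
```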

Seems that the best answer here lies in a combination of several answers. Segregating your networks, physically and logically, will go a long way towards providing some peace of mind on the local front. There are excellent comments above from security experts as well as excellent advice here and here.

As to your specific question raised above: how do you mask your public IP address? I use a combo of Cloudflare (the free version) with DNS-O-MATIC. It works as long as you have the HTTP proxy (CDN) active for the relevant A records.

In my case, if you ping, dig, tracert or search my URL on whatsmydns, you see the public IP for the Cloudflare account. There is no visibility of my “real” public IP. I would be curious as to others’ experience with Cloudflare and if there are tools that allow you to snoop the real IP from that service.

Of course, these are only two services; there are others and possibly better options. YMMV.

2 Likes

My setup involves OpenResty (NGINX + Lua) along with an OAuth2 proxy. This allows me to set up roles in which different users have access to different services. I honestly don’t think I could easily replicate my setup, as I have changed soooo many things to get it working the way it does right now.

The only drawback I’ve faced with this is that iOS webapps and apps do not work with the Google OAuth implementation.

New vulnerabilities are announced daily and some exploits hang around for years before they’re made public and patched. The latest NSA leaks are proof of that. The safest (simple) setup right now is VPN.

You’re presuming there’s not a decade-old exploit in your VPN :stuck_out_tongue:

True. Inherently a VPN has a smaller attack footprint than an entire OS, though, so I would gauge the risk lower.

Just remember that security is relative. I would not trust somebody telling me that “this solution” is 100% secure.

Risk assessment is key here.

Personally I would tend to use a VPN over running a web server. But if you have to run your own web server, like in the Christmas tree example, then I would spend an afternoon firing up something like Kali Linux and see if the server was vulnerable to the most basic script-kiddie attacks (just to ease my mind).

2 Likes

I like ssh, so I use ssh tunneling.
There are multiple iPhone/Android apps that support ssh tunneling, where you set up an ssh connection to your Home Assistant server and tunnel some local port to the port on which HA is running. Then you connect with your browser to http://localhost:local-port.
Of course, this means that you need to open ssh to the world. I would recommend changing the sshd port on your HA server as an additional security-through-obscurity measure.

Here is the actual ssh command (forward a local port to HA’s port on your home server):

    ssh -f -N -L <local-port>:127.0.0.1:<remote-port> <user>@<server>

2 Likes

I wonder in which case one would need the ‘safest’ configuration? I would think if you have door locks, cameras and maybe presence detection?

As there is no such thing as true security, for me it’s about how difficult you want to make it for the intruder.
First the intruder has to know you have Home Assistant in your home; secondly, isn’t there an easier, old-fashioned way to intrude/break in?

Isn’t a strong password and ssl encryption enough? I just started with Home Assistant about a month ago, so if I’m totally naïve in this I’d love to hear.

I do like the idea of 2 factor authentication mentioned above.

1 Like

I very much agree with you this is THE way it should be setup.

But what I’ve found out so far is that in real life you run into too many problems, for instance:

  • Only devices in the subnet of your HASS device will be discovered.
  • Wake on LAN will only work on devices in the same subnet as your HASS.
  • I’ve got a Daikin airco with wifi adapter. The Daikin app works great, but only if you use it in one subnet, because the app does some weird broadcast to detect the airco and that UDP broadcast doesn’t work over VLANs.

The only thing in my house that does seem to work well in this setup is Google Nest Protect.
So far I’ve not been brave enough to connect my HASS to the internet. I use OpenVPN with password and OTP, which gives me more security, but in return I can’t use the HASS iOS app for presence detection :frowning:

So we have a long way to go to find the right balance between security and usability.

The safest is to buy a router that can accept DD-WRT as an operating system, then set it up behind a VPN. Most phones can easily be set up to automatically connect to that VPN.

I use a Netgear Nighthawk 8000 and installed DD-WRT on it, then set up the VPN account. The other advantage here is that you are not subject to typical router backdoors and security holes that hackers use.

If you need publicly accessible services, then you pay for an external web server at a service, and then you set up your HASS system to connect to that external server and pull information back and push information out. But that would only be if you want everyone in the world to have access, like a Halloween display where you let them turn lights on and off.

To me really it’s security by obscurity. We are low-payoff targets, so we generally won’t be targeted directly. That leaves automated scripts in the wild. These go for the simplest options (most bang for the buck). They target standard VNC/ssh/telnet ports with common passwords. I have multiple ports open (web/VNC/ssh/HA/mediaportal etc.). I employ ‘fail2ban’ to prevent brute-force attacks (most common in scripts). Then just use decent passwords. Frankly, if someone is keen enough to start scripting against 8123 and happens to get a hit on my external IP and then cracks/brute-forces into my HA instance, they can screw with my lights and TV (oh boy…). Then I’ll notice the invalid attempts and change the password…

1 Like
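The fail2ban-style check described in the post above (ban a source after N failed logins inside a time window), as an added example run over a few constructed log lines written in the style of Home Assistant’s invalid-authentication warning; the lines, addresses and thresholds are constructed, not a real capture or fail2ban’s own code.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample lines in the style of Home Assistant's http ban warning (not a real capture).
SAMPLE_LOG = """\
2017-08-01 22:10:01 WARNING (MainThread) [homeassistant.components.http.ban] Login attempt or request with invalid authentication from 198.51.100.7
2017-08-01 22:10:03 WARNING (MainThread) [homeassistant.components.http.ban] Login attempt or request with invalid authentication from 198.51.100.7
2017-08-01 22:10:04 INFO (MainThread) [homeassistant.core] Bus:Handling <Event state_changed>
2017-08-01 22:10:05 WARNING (MainThread) [homeassistant.components.http.ban] Login attempt or request with invalid authentication from 198.51.100.7
2017-08-01 22:10:09 WARNING (MainThread) [homeassistant.components.http.ban] Login attempt or request with invalid authentication from 203.0.113.9
2017-08-01 22:30:00 WARNING (MainThread) [homeassistant.components.http.ban] Login attempt or request with invalid authentication from 203.0.113.9
2017-08-01 22:45:00 WARNING (MainThread) [homeassistant.components.http.ban] Login attempt or request with invalid authentication from 203.0.113.9
"""

# Matches only the failed-authentication warning and captures its timestamp and source address.
FAIL_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) WARNING .*"
    r"invalid authentication from (?P<ip>[0-9a-fA-F.:]+)$")

def find_bruteforce(log_text, maxretry=3, findtime=600):
    """fail2ban-style sliding window: an IP is flagged once it has `maxretry`
    failures inside any `findtime` seconds. Returns {ip: timestamp of the ban}."""
    window = defaultdict(deque)   # per-IP timestamps of recent failures
    banned = {}
    for line in log_text.splitlines():
        m = FAIL_RE.match(line)
        if not m or m["ip"] in banned:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
        q = window[m["ip"]]
        q.append(ts)
        while q and (ts - q[0]).total_seconds() > findtime:   # drop failures outside the window
            q.popleft()
        if len(q) >= maxretry:
            banned[m["ip"]] = m["ts"]
    return banned

if __name__ == "__main__":
    for ip, when in find_bruteforce(SAMPLE_LOG).items():
        print(f"ban {ip} at {when}")
```

With the default 10-minute window only the rapid-fire source is flagged; the slow source that spreads its three attempts over 35 minutes is only caught when findtime is widened, which is the trade-off fail2ban's findtime setting controls.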

Another obscurity step would be to change the port forwarding to have say 58123 on the WAN side forward to 8123 on the LAN side. Ports above 32k are regularly opened and closed by apps, browsers etc. so there isn’t much point in scripting a scan on those.

3 Likes

Yep, same goes for all common ports. I leave them as defaults because I have a few cases that expect the standard port and I can’t change away from it.

If someone got into your HASS box, more than likely they’ll sit there for weeks and pull your usernames/passwords from your local network. They’ll probably use your box in a botnet too. Don’t give someone direct access to HASS from the internet. It’s simple to apply basic security principles, and it prevents most intrusions. Don’t join the IoT botnet. :slight_smile:

Sorry, no idea what you are talking about with regards to my post…