Brother from another mother… if you haven't tried the pihole + openVPN setup from here
My setup:
RPi 3
Linux debian jessie
LAMP
pihole + openvpn
mqtt
zoneminder
You probably have the most videos about security ever! (I have asked a couple of times here and there for help… thank you!) Let me know if this is something you would be interested in. I have several step-by-step guides (pretty much I write down everything I do, so I can reproduce it if everything goes south… has happened a couple of times with the RPi1…)
Things like VLANs and self-hosted VPNs just really aren’t available to regular users without advanced knowledge, and the trouble of maintaining complicated servers.
In short, the typical home owner either needs to start engaging with security issues at a really high level - or the security industry needs to find ways of making it accessible and scalable at the home level.
I think you’re right. My only remote access is via VPN, and it is somewhat limiting. For example, iOS push notifications are received whether or not I’m on my home network or connected via VPN. But images attached to those push notifications are only received when I’m on my home network or connected via VPN.
Ideally, I would like to use a VPN to avoid exposing my HA to the outside world. However, things like Google Assistant require an external connection. I’ve read about using NGINX for this, but am not sure how NGINX and the VPN would work in tandem, since using NGINX would open ports to the web anyways. Am I mistaken? Is there a way these solutions can run in tandem?
VPN is great and it only requires one port to be open for the secure tunnel. NGINX can work as a reverse proxy. It uses port 443 and you can open port 80 as well so that HTTP requests are redirected to the SSL port 443. Now you only have 3 ports open rather than a bunch of random ports for each application.
There is nothing preventing you from using both in tandem. If your router supports loopback you will still be able to use home-automation.raiderjoey.com whether or not you are connected via VPN.
OpenVPN uses some additional ports for administration and downloading user key files but these ports should not be opened to the internet or a brute-force password attack could compromise your VPN tunnel.
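As an added example (not code from anyone in this thread), here is a small shell function that renders the NGINX site described above: port 80 only serves the ACME challenge and redirects to 443, 443 terminates TLS with a Let's Encrypt certificate and proxies to Home Assistant on 127.0.0.1:8123. The domain, certificate paths and the HA port are assumptions/placeholders.

```shell
#!/bin/sh
# Added example: render an NGINX site for Home Assistant behind a TLS reverse proxy.
# Assumptions: certbot-issued certs under /etc/letsencrypt/live/<domain>/,
# Home Assistant listening on 127.0.0.1:8123 on the same host, nginx 1.13+.
render_ha_site() {
    domain="$1"
    cat <<EOF
# port 80: answer the ACME http-01 challenge, redirect everything else to https
server {
    listen 80;
    server_name ${domain};
    location /.well-known/acme-challenge/ { root /var/www/letsencrypt; }
    location / { return 301 https://\$host\$request_uri; }
}

# port 443: TLS termination, then plain HTTP to Home Assistant on localhost
server {
    listen 443 ssl http2;
    server_name ${domain};
    ssl_certificate     /etc/letsencrypt/live/${domain}/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/${domain}/privkey.pem;
    ssl_protocols TLSv1.2 TLSv1.3;
    add_header Strict-Transport-Security "max-age=31536000" always;

    location / {
        proxy_pass http://127.0.0.1:8123;
        proxy_set_header Host \$host;
        proxy_set_header X-Real-IP \$remote_addr;
        proxy_set_header X-Forwarded-For \$proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto https;
        # the Home Assistant frontend talks over a websocket
        proxy_http_version 1.1;
        proxy_set_header Upgrade \$http_upgrade;
        proxy_set_header Connection "upgrade";
    }
}
EOF
}

# Usage (as root), placeholder domain:
#   render_ha_site ha.example.test > /etc/nginx/sites-available/homeassistant
#   ln -s /etc/nginx/sites-available/homeassistant /etc/nginx/sites-enabled/
#   nginx -t && systemctl reload nginx
```

Recent Home Assistant releases also need `use_x_forwarded_for: true` and the proxy address in `trusted_proxies` under `http:` in configuration.yaml, otherwise they reject proxied requests.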
I want to share with you my setup, which is a compromise between security and user experience. I want to be able to access my home easily, on each device, even ones that do not support VPN (e.g. Kindle). On the other hand, the usual password security is not enough for me.
I decided to go with 2FA provided by Google, creating an OAuth2 proxy. The proxy sits on my Raspberry unit behind NGINX with SSL through Let’s Encrypt, and then passes the traffic to HA.
I just got a unifi usg / switch / ap. So I’ve been looking at your suggestion. I’m new to networking and I’ve only just recently learnt what a VLAN is.
I had some questions:
Why do we need VLAN 140 → VLAN 110 Port 443 rule?
What kind of devices would we put on VLAN 140 ?
Can the devices on the default UniFi private corporate network initiate communication with a device on the VLANs?
I was thinking instead of opening up 8123 to hass.io should I use a non default port, what port number (range) should I look at opening up?
Would it be ok to run the UniFi controller on the hass.io pi, or should I use another pi instead? I do have a free pi that I thought I could install both the UniFi controller and some sort of ad blocking thing on (I think it’s called pi hole).
This allows your laptop, computer, phone, etc. to access Home Assistant
All your normal devices that need internet, such as your computer, XBox, phones, etc.
This setup is designed to be in-place-of the default setup, not in-addition-to it.
It’s recommended to use SSL if you are opening up Home Assistant to the outside world. There are already many articles about how to do this in the documentation.
I ran my UniFi controller alongside my Home Assistant setup with no issues, however I’m not sure if it’ll run on the HASS.IO operating system image. It’s worth a try though.
Safest way is tricky to define, but things I think are needed in a secure(ish) setup:
1 non-standard VPN port facing the internet. All other ports locked tight.
VPN server only accepts clients with a certificate AND a password (to prevent someone who steals your phone from accessing the network).
Your VPN being a stand-alone machine that can be physically removed from the network (powered down or network cable removed) to prevent any access when not desired.
VPN server set up so no VPN clients can get a local IP (local = 192.168… VPN = 10.0…).
Every server on the network is running ufw.
Configuration (SSH, VNC etc.) access restricted to only local IPs (or even single machines).
SSH/VNC login with certificates AND password.
All systems such as HA etc. (torrent, sickbeard etc.) are behind a reverse proxy which runs Let’s Encrypt.
Local network servers/machines refusing (dropping) all connections from all clients, except the reverse proxy machine. This prevents anyone sneaking round your reverse proxy.
All systems have a password.
Samba (either HA or general file server) is set up to accept only authorised users with passwords (this can be automated to prevent users logging in twice).
Samba shares do not have execute access (especially for VPN clients).
All the users on all the machines are changed from the defaults (e.g. don’t use user:pi pw:raspberry).
If you are using raspberry pis on your network: remove the user rights from the user pi and lock it.
If you are using raspberry pis on your network: read this and do most if not all of this.
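Added example (not the poster's own scripts): the checklist above turned into a reviewable plan for one internal server such as the Home Assistant host. It prints the ufw commands that expose the application port only to the reverse proxy and SSH only to one admin machine, the commands that lock the default pi account, and an sshd drop-in requiring a key AND a password. All addresses and the port are assumed placeholders.

```shell
#!/bin/sh
# Added example: hardening plan for one LAN server, following the checklist above.
# Assumed placeholders: reverse proxy 192.168.1.10, admin workstation 192.168.1.20,
# application port 8123, VPN clients in a separate 10.x range (so they match no allow rule).
# Print the plan first, review it, then pipe it into "sudo sh" to apply.

# ufw: drop all inbound by default; only the reverse proxy may reach the app port,
# so no LAN host or VPN client can bypass the proxy's TLS and authentication layer.
ufw_plan() {
    proxy_ip="$1"; admin_ip="$2"; app_port="$3"
    echo "ufw default deny incoming"
    echo "ufw default allow outgoing"
    echo "ufw allow from ${proxy_ip} to any port ${app_port} proto tcp"
    echo "ufw allow from ${admin_ip} to any port 22 proto tcp"
    echo "ufw logging on"
    echo "ufw --force enable"
}

# Default Raspberry Pi account: remove sudo rights, lock the password, drop the shell.
# Create and test another admin user BEFORE applying this or you lock yourself out.
lock_pi_plan() {
    echo "deluser pi sudo"
    echo "usermod --lock --shell /usr/sbin/nologin pi"
}

# sshd drop-in (OpenSSH 8.2+ reads /etc/ssh/sshd_config.d/): both a key and the
# account password are required for every login.
sshd_dropin() {
    cat <<'EOF'
PermitRootLogin no
PubkeyAuthentication yes
PasswordAuthentication yes
AuthenticationMethods publickey,password
EOF
}

harden_plan() {
    ufw_plan "$1" "$2" "$3"
    lock_pi_plan
}

# Dry run:  harden_plan 192.168.1.10 192.168.1.20 8123
# Apply:    harden_plan 192.168.1.10 192.168.1.20 8123 | sudo sh
#           sshd_dropin | sudo tee /etc/ssh/sshd_config.d/hardening.conf && sudo sshd -t
```

Keep an existing SSH session open while testing the new sshd configuration so a mistake in the drop-in does not cut off your only access.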