Safest Home Assistant Configuration Setup Possible?

Essentially it boils down to how strong the authentication is that protects the exposed resource. In that regard a VPN already is very effective. The downside, though, is that once you have logged in you have access to pretty much anything in the network (depends on the configuration).

What I plan on doing is still relying on NGINX as a reverse proxy (so only one particular resource is accessible from the outside), but adding 2 factor authentication. As far as I can tell this should be possible using an OpenID plugin (this one), which then could be configured to require my Google login (for which I have 2FA), plus additionally the authentication of HASS itself. Without that strengthened security I won’t expose my HASS to the outside at all, which is why I use VPN currently as well.

@danielperna84 Two factor auth would be cool!

What VPN service(s) do you guys like? How is the user experience?

So, for example, if you want to control your HA instance from your phone you connect to the VPN. Does that forward all your phone web traffic through the VPN server as well?

Yeah, I just hope to find the time to tackle 2FA. But maybe I’ve inspired someone to go ahead and show everybody else how to do it. :slight_smile:

In my case it’s the internal IPsec VPN server of my router (FritzBox, popular router in Germany). A widely used alternative is OpenVPN, for which you would need an extra client app on your phone.

And yes, essentially using a VPN is as if you are in your home network as soon as you have connected. So in my mobile Chrome I just browse to 192.168.1.21:8123 and have direct access to the HASS gui.

I use openvpn, and you can route the traffic as you want.

For example my internet traffic only goes through the vpn-tunnel if I surf on 192.168.1.* but it doesn’t go through it if I visit a webpage.
This way you can leave the VPN all the time, and have access to HA all the time.

Why is it a downside to have access to your LAN when you’re connected with VPN? This is pretty much the purpose of VPN?
I mean, as long as you use a good VPN with a strong encryption I can’t see the downside of this. It’s like being in the lan.

Let me know if this is not correct, since I’m not restricting the access to a certain device in my lan.

Another option is to use TOR, which does not open a port on your computer.

Of course it depends on what you want to do. If you want to access multiple hosts with just one login, it makes sense using a VPN. It’s just that I’m rather paranoid, and when possible I prefer to limit the accessible content of my network as far as I can. Which in case of a reverse proxy generally is HTTP(s), and only the targets I specify.

OpenVPN can of course be configured to be very restrictive, only pushing the routes to certain hosts. And using certificates for authentication is a great bonus. But the average user will probably not limit the accessible resources. Maybe even keep the .ovpn file on the desktop. Now all it would take to get that would be to make you leave your laptop without locking it. I don’t have kids, but I imagine that if they would be in danger the last thing I would think of is locking my device. Criminals know that and may leverage that. A few seconds with a prepared USB stick and they may have enough critical data.

Not sayin’ all that is likely. But I have to think about such scenarios in my job. Hence the paranoia.

I understand what you mean. The reason for me to have vpn is to be able to access my pi, computer and mediaserver. The rest are not important thus it doesn’t make sense to restrict the access.

And even if the .ovpn-file is stolen or used from my computer, then they need a password to enter.

But I get your point, vpn is as secure as the user lets it be.
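The split-tunnel and "restrict what the VPN exposes" points from the last few posts, together with the remark that a copied .ovpn file still needs a password, as an added example (not configuration from anyone in this thread): a POSIX shell script that prints an OpenVPN server profile pushing only the route to the HASS host, using certificate authentication and tls-crypt, plus a helper that encrypts a client key with a passphrase. The subnet, paths and the `hass_ip`/`encrypt_client_key` names are assumptions; 192.168.1.21 is the address used in the thread.

```shell
#!/bin/sh
# Added example, not from the thread: an OpenVPN server profile that pushes only the
# route to the Home Assistant host (split tunnel, no redirect-gateway), authenticates
# clients with certificates, and a helper that encrypts a client key so a copied
# .ovpn bundle is useless without its passphrase. Paths and the VPN subnet are
# constructed placeholders.
set -eu

HASS_IP="${HASS_IP:-192.168.1.21}"                # HASS address used in the thread
VPN_SUBNET="${VPN_SUBNET:-10.8.0.0 255.255.255.0}" # constructed tunnel subnet

# Print the server configuration to stdout (redirect it to /etc/openvpn/server.conf).
openvpn_server_conf() {
  cat <<EOF
port 1194
proto udp
dev tun
# Certificate authentication: every client needs a cert issued by this CA.
ca /etc/openvpn/ca.crt
cert /etc/openvpn/server.crt
key /etc/openvpn/server.key
dh none
# Reject clients whose cert lacks the client EKU, so a leaked server cert
# cannot be reused as a client identity.
remote-cert-tls client
# Packets without the shared tls-crypt key are dropped before the TLS
# handshake, so the UDP port does not answer an unauthenticated scanner.
tls-crypt /etc/openvpn/tc.key
server $VPN_SUBNET
# Split tunnel: only the HASS host is routed into the tunnel. There is no
# "redirect-gateway", so the phone's general web traffic never enters the VPN.
push "route $HASS_IP 255.255.255.255"
# client-to-client is deliberately absent: VPN clients cannot reach each other.
keepalive 10 120
persist-key
persist-tun
user nobody
group nogroup
verb 3
EOF
}

# Encrypt a client private key in place of the plaintext one, so the .ovpn
# bundle prompts for a passphrase before it can connect.
encrypt_client_key() {
  in_key="$1"; out_key="$2"
  openssl pkey -in "$in_key" -aes-256-cbc -out "$out_key"
}

# Sanity check before deploying: exactly the HASS host is pushed, never a
# default route that would turn this into a full tunnel.
conf_pushes_only_hass_route() {
  conf="$(openvpn_server_conf)"
  echo "$conf" | grep -q "^push \"route $HASS_IP 255.255.255.255\"" || return 1
  if echo "$conf" | grep -q '^push "redirect-gateway'; then return 1; fi
  return 0
}

if [ "${1:-}" = "print" ]; then openvpn_server_conf; fi
```

Run it as `sh openvpn-hass.sh print > /etc/openvpn/server.conf`; the route push is a /32, so even a client that is connected all the time only sends traffic for the HASS host through the tunnel, which is what the "leave the VPN on all the time" setup above depends on.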

Personally, I think if it’s just HA you’re accessing opening up the port is fine. Using SSL to encrypt the traffic so nobody can snoop the password, and using a decent password covers sufficient bases for me.

I wrote the guide because it seemed like most users were getting stuck trying to set up things like NGINX and just wanted an uncomplicated solution that’s ‘fairly secure’. I think adding anything else on top for an ‘average’ user is just more things to go wrong and then struggle to find a solution for when it does.

Security always depends on your threat level, and I think that saying having open ports on your network is a massive security risk is a bit tin-foil-hat tbh. If you need a VPN because you want to contact various devices on your network by various protocols then obviously that’s the solution for your threat level. If you’re just using HA then an open port for HA and an open port for SSL certificate renewals is unlikely to cause you any security concerns imo.

(edit to clarify)…

An open port isn’t the vulnerability, it’s what an attacker can do to exploit whatever is answering on that port. Generally these things get patched pretty quickly, and if somebody tries to hack me, finds a vulnerability in HA and switches my lights off, hopefully they’ll be the kind of people who report the exploit so it can be patched :wink:

1 Like

Thanks much for all the feedback on this thread! Much to think about!

Just to clarify - has anybody found ways of protecting their public IP?

I know that TOR does, but then you have to connect to the TOR network prior to accessing your HA instance.

VPNs can protect your public IP address, but that takes a (paid) VPN service that forwards your traffic, right? Anybody have one of those to recommend?

I suppose my long term goal is thinking about next Christmas and how I’ll host a publicly accessible HA instance without compromising my home network or public IP address. :stuck_out_tongue:

3 Likes

I’ve been pretty happy with SlickVPN. Inexpensive, good coverage and bandwidth, good support resources. I have used them for about two years now.

I did a little writeup here. Using CloudFlare and authenticated origin pulls will protect your home address from being disclosed. Best Way to Protect from Hackers?

PS: Awesome channel!

2 Likes

Hi Ben, I have used tasker for a long time. This led me to your videos with tasker and home assistant which has gotten me on the home assistant train!

Not sure if this is any help but I have pivpn set up on a spare raspberry pi. This uses openvpn which is free and gives me access to my home network and home assistant.

Keep up the good work!

I’m using my router’s built-in VPN (AVM Fritz!Box) which works fine. Together with an iOS profile which automatically opens the VPN connection it even works with the iOS app without exposing anything else to the open wild.

That’s some setup!

I use OpenVPN on my router, but have used standalone packages such as Zentyal and OpenVPN server as downloaded from their website. If you can configure Home Assistant and have survived YAML, the text file for OpenVPN is easy. I have this thing about paying for cloud based 3rd party VPNs that still control half your authentication scheme. When you self-host, you manage and control all of it.

1 Like

That’s gotta be the next HA merchandise offered…

### “I SURVIVED YAML AND ALL I GOT WAS THIS LOUSY T-SHIRT.”

6 Likes

One option I would highly recommend would be to use VLANs on your home network, utilizing a firewall to route/block traffic between the networks. This way, you can have your HASS instance in one VLAN, your devices in another one or two VLANs, and your non-HA stuff in another. Should your HASS instance be compromised, it would have no access to your non-HASS items.

VLAN 110 = HASS instance (192.168.110.x/24)
VLAN 120 = HA items needing internet access (192.168.120.x/24)
VLAN 130 = HA items not needing internet access (192.168.130.x/24)
VLAN 140 = Non-HA items needing internet access (192.168.140.x/24)

Firewall rules:
Outside to VLAN 110: Only port 443 to HASS IP
VLAN 110 to VLAN 120: Only the required ports from HASS IP to specific device IP (for each device)
VLAN 110 to VLAN 130: Only the required ports from HASS IP to specific device IP (for each device)
VLAN 140 to VLAN 110: Only port 443 to HASS IP (no reverse rule, as firewalls will automatically allow reverse traffic)

You can then choose whatever methods you want to secure things externally.

As for the Christmas tree, I’d do the same thing, but put the tree lights and HASS instance in a separate VLAN from all other items. Consider using HTTPS with a password on your Christmas tree HASS instance as well, which will prevent most script-kiddie-hackers and IP scanning bots from targeting your setup.

6 Likes
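The VLAN layout and the four firewall rules in the post above, as an added example that is not the poster's own configuration: a POSIX shell script that prints an nftables ruleset for a Linux router and can syntax-check or load it. The VLAN numbers and subnets follow the post; the interface names (`wan0`, `vlan110`, ...), the HASS address 192.168.110.10, the two device addresses and their ports are constructed placeholders.

```shell
#!/bin/sh
# Added example, not from the post: an nftables ruleset implementing the VLAN
# policy described above on a Linux router. Interface names, the HASS address and
# the device addresses/ports are constructed placeholders; VLAN ids and subnets
# are the post's. "flush ruleset" replaces any existing tables, so merge before
# loading on a router that already carries other rules.
set -eu

WAN_IF="${WAN_IF:-wan0}"
HASS_IP="${HASS_IP:-192.168.110.10}"      # HASS instance in VLAN 110 (constructed)
BRIDGE_IP="${BRIDGE_IP:-192.168.120.21}"  # a hub in VLAN 120 that needs internet (constructed)
BULB_IP="${BULB_IP:-192.168.130.31}"      # a LAN-only device in VLAN 130 (constructed)

hass_ruleset() {
  cat <<EOF
flush ruleset

table ip nat {
  chain prerouting {
    type nat hook prerouting priority -100;
    # Outside -> VLAN 110: only TCP 443, and only to the HASS IP
    iifname "$WAN_IF" tcp dport 443 dnat to $HASS_IP
  }
  chain postrouting {
    type nat hook postrouting priority 100;
    oifname "$WAN_IF" masquerade
  }
}

table inet filter {
  chain forward {
    type filter hook forward priority 0; policy drop;

    # Replies to allowed flows: the "reverse traffic" the post says needs no rule
    ct state established,related accept
    ct state invalid drop

    # Outside -> VLAN 110: only port 443 to HASS (after DNAT)
    iifname "$WAN_IF" oifname "vlan110" ip daddr $HASS_IP tcp dport 443 accept

    # VLAN 110 -> VLAN 120 / 130: only the required port, from HASS to each device
    iifname "vlan110" oifname "vlan120" ip saddr $HASS_IP ip daddr $BRIDGE_IP tcp dport 80 accept
    iifname "vlan110" oifname "vlan130" ip saddr $HASS_IP ip daddr $BULB_IP tcp dport 8080 accept

    # VLAN 120 and 140 may reach the internet; VLAN 130 has no such rule
    iifname { "vlan120", "vlan140" } oifname "$WAN_IF" accept

    # VLAN 140 -> VLAN 110: only port 443 to HASS; no reverse rule needed
    iifname "vlan140" oifname "vlan110" ip daddr $HASS_IP tcp dport 443 accept

    # Everything else (e.g. a compromised HASS host probing VLAN 140) is logged and dropped
    log prefix "vlan-seg drop: " drop
  }
}
EOF
}

# Syntax-check the ruleset without loading it, or load it on the router.
check_ruleset() { hass_ruleset | nft -c -f -; }
apply_ruleset() { hass_ruleset | nft -f -; }

# Policy self-test: no rule may let VLAN 130 out to the internet, and nothing
# may be forwarded into VLAN 140 (only replies, via the ct state rule).
ruleset_keeps_vlan130_offline() {
  if hass_ruleset | grep -v '^ *#' | grep 'vlan130' | grep -q "oifname \"$WAN_IF\""; then
    return 1
  fi
  if hass_ruleset | grep -v '^ *#' | grep -q 'oifname "vlan140"'; then
    return 1
  fi
  return 0
}

case "${1:-}" in
  check) check_ruleset ;;
  apply) apply_ruleset ;;
esac
```

`sh vlan-seg.sh check` validates the syntax with `nft -c`; `apply` loads it. The forward chain's default policy is drop, so a HASS host that is compromised can only reach the specific device ports listed and never VLAN 140, which is the isolation property the post is after.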

Seems that the best answer here lies in a combination of several answers. Segregating your networks, physically and logically, will go a long way towards providing some peace of mind on the local front. There are excellent comments above from security experts as well as excellent advice here and here.

As to your specific question raised above - how do you mask your public IP address? I use a combo of Cloudflare (the free version) with DNS-O-MATIC. It works as long as you have the HTTP proxy (CDN) active for the relevant A records.

In my case, if you ping, dig, tracert or search my URL on whatsmydns, you see the public IP for the cloudflare account. There is no visibility of my “real” public IP. I would be curious as to others’ experience with Cloudflare and if there are tools that allow you to snoop the real IP from that service.

Of course, these are only two services, there are others and possibly better options. YMMV.

2 Likes
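Two ideas from this thread combined in one added example that is nobody's actual configuration here: the reverse-proxy-with-2FA plan from the early post (NGINX exposing only the HASS GUI, with an OpenID login in front of HASS's own login) and the Cloudflare authenticated origin pulls mentioned in the last two posts. The script prints an NGINX site that verifies Cloudflare's origin-pull client certificate and guards the HASS location with `auth_request` against oauth2-proxy, an OpenID Connect client that can be backed by a Google account with 2FA. The hostname, certificate paths, the oauth2-proxy port 4180 and the `hass_site_conf` helper name are assumptions; 192.168.1.21:8123 is the HASS address used in the thread.

```shell
#!/bin/sh
# Added example, not from the thread: prints an NGINX site that exposes only the
# Home Assistant GUI, accepts TLS connections only from Cloudflare's edge
# (authenticated origin pulls via client-certificate verification) and requires a
# login through oauth2-proxy before any request reaches HASS. Hostname, paths and
# the oauth2-proxy port are constructed assumptions.
set -eu

SITE_FILE="${SITE_FILE:-/etc/nginx/sites-available/hass}"

hass_site_conf() {
  cat <<'EOF'
server {
    listen 443 ssl;
    server_name hass.example.com;

    ssl_certificate     /etc/nginx/certs/hass.example.com.crt;
    ssl_certificate_key /etc/nginx/certs/hass.example.com.key;
    ssl_protocols TLSv1.2 TLSv1.3;

    # Authenticated origin pulls: only a client presenting a certificate signed by
    # Cloudflare's origin-pull CA gets past the handshake, so a scanner that finds
    # the real origin IP sees a TLS failure instead of a login page.
    ssl_client_certificate /etc/nginx/certs/cloudflare-origin-pull-ca.pem;
    ssl_verify_client on;

    # oauth2-proxy endpoints (sign_in, callback) on localhost.
    location /oauth2/ {
        proxy_pass       http://127.0.0.1:4180;
        proxy_set_header Host                    $host;
        proxy_set_header X-Real-IP               $remote_addr;
        proxy_set_header X-Auth-Request-Redirect $request_uri;
    }

    # Subrequest used by auth_request: 202 = session valid, 401 = not logged in.
    location = /oauth2/auth {
        proxy_pass       http://127.0.0.1:4180;
        proxy_set_header Host           $host;
        proxy_set_header X-Real-IP      $remote_addr;
        proxy_set_header Content-Length "";
        proxy_pass_request_body off;
    }

    # The single exposed resource: the HASS GUI, including its websocket.
    # HASS's own login still applies behind this.
    location / {
        auth_request /oauth2/auth;
        error_page 401 = /oauth2/sign_in;

        proxy_pass http://192.168.1.21:8123;
        proxy_http_version 1.1;
        proxy_set_header Upgrade         $http_upgrade;
        proxy_set_header Connection      "upgrade";
        proxy_set_header Host            $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}
EOF
}

# Write the site and let nginx validate the whole configuration before enabling it.
install_site() {
  hass_site_conf > "$SITE_FILE"
  nginx -t
}

# Self-check: a client certificate is demanded, the HASS location is guarded by
# auth_request, and exactly one upstream (HASS) is proxied.
site_conf_is_guarded() {
  conf="$(hass_site_conf)"
  echo "$conf" | grep -q '^ *ssl_verify_client on;' || return 1
  echo "$conf" | grep -q '^ *auth_request /oauth2/auth;' || return 1
  [ "$(echo "$conf" | grep -c 'proxy_pass http://192.168.1.21:8123')" -eq 1 ] || return 1
  return 0
}

if [ "${1:-}" = "print" ]; then hass_site_conf; fi
```

Because every request now arrives from Cloudflare's and then NGINX's address, Home Assistant should be configured to trust the proxy (`use_x_forwarded_for` and `trusted_proxies` under `http:`) so its own login throttling sees real client addresses rather than the proxy's; behind Cloudflare the original client address is carried in the `CF-Connecting-IP` header.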

My setup involves OpenResty (NGINX + Lua) along with an OAuth2 proxy. This allows me to set up roles in which different users have access to different services. I honestly don’t think I could easily replicate my setup, as I have changed soooo many things to get it working the way it does right now.

The only drawback I’ve faced with this is that iOS webapps and apps do not work with the Google OAuth implementation.