I have an RPi3 and it runs ok.
I would give it a try on an older model but processing speed may be an issue. Separating it may be a good idea.
Things like VLANs, and self-hosted VPNs just really arenāt avaliable to regular users without advanced knowledge, and the trouble of maintaining complicated servers.
In short, the typical home owner either needs to start engaging with security issues at a really high level - or, the security industry needs to find ways of making it accessible and scaleable at the home level.
Iāve just written an article about the challenges of securing home automation networks using non-enterprise hardware. https://echoit.co.nz/securing-home-automation-networks/
itās easy: VPN
I think youāre right. My only remote access is via VPN, and it is somewhat limiting. For example, iOS push notifications are received whether or not Iām on my home network or connected via VPN. But images attached to those push notifications are only received when Iām on my home network or connected via VPN.
Another simple solution is on a recent HA Blog post. https://home-assistant.io/blog/2017/11/12/tor/
It took all of 10 minutes to set up.
Ideally, I would like to use a VPN to avoid exposing my HA to the outside world. However, things like Google Assistant require an external connection. Iāve read about using NGINX for this, but am not sure how NGINX and the VPN would work in tandem, since using NGINX would open ports to the web anyways. Am I mistaken? Is there a way these solutions can run in tandem?
VPN is great and it only requires one port to be open for the secure tunnel. NGINX can work as a reverse proxy. It uses port 443 and you can open port 80 as well so that http requests are redirected to the SSL port 443. Now you only have 3 ports open rather than a bunch of random ports for each application.
There is nothing preventing you from using both in tandem. If your router supports loopback you will still be able to use home-automation.raiderjoey.com whether or not you are connected via VPN.
OpenVPN uses some additional ports for administration and downloading user key files but these ports should not be opened to the internet or a brute-force password attack could compromise your VPN tunnel.
Are we talking about a home hosted VPN or one from a provider?
This would be a home hosted VPN. Provider VPNs are generally used to hide your IP address while you are browsing etc.
Just something I came across this morning.
Or
The TOR setup is simple and does not require open ports in the router. It takes all of 10 minutes to set up and is easy to use. https://home-assistant.io/docs/ecosystem/tor/
Could u use that voor GPS?
Hello!
I want to share with you my setup, which is a compromise between security and user-experience. I want to be able to access by home easily, on each device, even ones that do not support VPN (i.e. Kindle). On the other hand, the usual password security is not enough for me.
I decided to go with 2FA provided by Google, creating an OAuth2 proxy. The proxy sits on my Raspberry unit behind NGINX with ssl through Letās Encrypt, and then passes the traffic to HA.
The whole setup is described on my blog, feel free to check it out: https://blog.luciow.pl/automation/2018/02/10/dont-reinvent-the-wheel/
Cheers,
Mariusz
Looks interesting, good find.
Hi.
I just got a unifi usg / switch / ap. So Iāve been looking at your suggestion. Iām new to networking and Iāve only just recently learnt what a VLAN is.
I had some questions:
-
Why do we need VLAN 140 ā VLAN 110 Port 443 rule?
-
What kind of devices would we put on VLAN 140 ?
-
Can the devices on the default unfifi private corporate network initiate communication with a device on the VLANs
-
I was thinking instead of opening up 8123 to hass.io should I use a non default port, what port number (range) should I look at opening up?
-
Would it be ok to run unifi controller on the hass.io pi, or should I use another pi instead. I do have a free pi that I thought I could install both unifi controller and some sort of add blocking thing (i think itās called pi hole).
Thanks
Kiwi
-
This allows your laptop, computer, phone, etc. to access Home Assistant
-
All your normal devices that need internet, such as your computer, XBox, phones, etc.
-
This setup is designed to be in-place-of the default setup, not in-addition-to it.
-
Itās recommended to use SSL if you are opening up Home Assistant to the outside world. There are already many articles about how to do this in the documentation.
-
I ran my UniFi controller alongside my Home Assistant setup with no issues, however Iām not sure if itāll run on the HASS.IO operating system image. Itās worth a try though.
Safest way is tricky to define but things I think need in a secure(ish) setup:
- 1 non-standard vpn port facing the internet. All other ports locked tight
- VPN server only accepts clients with a certificate AND an password (to prevent someone stealing your phone accessing the network)
- Your VPN being a stand alone machine that can be physically removed from the network (powered down or remove network cable) to prevent any access when no desired.
- VPN server set up so no VPN clients can get a local IP (local = 192.168ā¦ VPN = 10.0ā¦)
- Ever server on the network is running ufw
- Configuration (SSH VNC etc) access restricted to only local IPs (or even singular machines).
- SSH/VNC login with certificates AND password.
- All systems such as HA etc (torrent, sickbeard etc) are behind a reverse proxy which runs lets encrypt
- Local network server/machines refusing (dropping) all connections from all client, except the reverse proxy machine. This prevents anyone sneaking round your reverse proxy
- All systems have a password
- Samba (either HA or general file server) is set up to accept only authorised users with passwords (this can be automated to prevent users loging in twice)
- Samba shares do not have execute access (especially for VPN clients)
- All the users on all the machines are changed from the defaults (eg donāt use user:pi pw:raspberry).
- If you are using raspberry pis on your network: Remove the user rights from the user PI and lock it.
- If you are using raspberry pis on your network: read this and do most if not all of this
https://www.raspberrypi.org/documentation/configuration/security.md
Probably a lot moreā¦