Safest Home Assistant Configuration Setup Possible?

I have an RPi3 and it runs ok.
I would give it a try on an older model but processing speed may be an issue. Separating it may be a good idea.

Things like VLANs and self-hosted VPNs just really aren't available to regular users without advanced knowledge, and the trouble of maintaining complicated servers.

In short, the typical home owner either needs to start engaging with security issues at a really high level, or the security industry needs to find ways of making it accessible and scalable at the home level.

I've just written an article about the challenges of securing home automation networks using non-enterprise hardware. https://echoit.co.nz/securing-home-automation-networks/


It's easy: VPN 🙂


I think you're right. My only remote access is via VPN, and it is somewhat limiting. For example, iOS push notifications are received whether or not I'm on my home network or connected via VPN. But images attached to those push notifications are only received when I'm on my home network or connected via VPN.

Another simple solution is on a recent HA Blog post. https://home-assistant.io/blog/2017/11/12/tor/

It took all of 10 minutes to set up.

Ideally, I would like to use a VPN to avoid exposing my HA to the outside world. However, things like Google Assistant require an external connection. I've read about using NGINX for this, but am not sure how NGINX and the VPN would work in tandem, since using NGINX would open ports to the web anyway. Am I mistaken? Is there a way these solutions can run in tandem?

VPN is great and it only requires one port to be open for the secure tunnel. NGINX can work as a reverse proxy. It uses port 443 and you can open port 80 as well so that http requests are redirected to the SSL port 443. Now you only have 3 ports open rather than a bunch of random ports for each application.

There is nothing preventing you from using both in tandem. If your router supports loopback you will still be able to use home-automation.raiderjoey.com whether or not you are connected via VPN.

OpenVPN uses some additional ports for administration and downloading user key files but these ports should not be opened to the internet or a brute-force password attack could compromise your VPN tunnel.

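The three-port layout described in the reply above (443 for TLS, 80 only to redirect to 443, one VPN port) comes down to a small NGINX site definition in front of Home Assistant. The script below is an added example, not code from the thread or from the Home Assistant project: it renders that site configuration from a shell function so it can be reviewed before being installed. The hostname `ha.example.net`, the Let's Encrypt certificate paths and the upstream address `127.0.0.1:8123` are assumed placeholders.

```shell
#!/bin/sh
# Added example (not from the thread): render an NGINX site that terminates TLS
# on 443, bounces port 80 to 443 and reverse-proxies to Home Assistant on 8123.
# Hostname, certificate paths and upstream address are assumed placeholders.
set -eu

# render_ha_proxy_conf DOMAIN [UPSTREAM]  -> prints the site config on stdout
render_ha_proxy_conf() {
    domain="$1"
    upstream="${2:-127.0.0.1:8123}"
    cat <<EOF
# Port 80 is open only to redirect clients to HTTPS; nothing is served here.
server {
    listen 80;
    server_name $domain;
    return 301 https://\$host\$request_uri;
}

server {
    listen 443 ssl http2;
    server_name $domain;

    # Assumed Let's Encrypt paths (certbot's default layout).
    ssl_certificate     /etc/letsencrypt/live/$domain/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/$domain/privkey.pem;
    ssl_protocols TLSv1.2 TLSv1.3;

    location / {
        proxy_pass http://$upstream;
        proxy_set_header Host \$host;
        proxy_set_header X-Forwarded-For \$proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto \$scheme;

        # The Home Assistant frontend talks WebSockets; without the upgrade
        # headers the page loads but the UI never receives state updates.
        proxy_http_version 1.1;
        proxy_set_header Upgrade \$http_upgrade;
        proxy_set_header Connection "upgrade";
    }
}
EOF
}

# listen_ports CONFIG_TEXT -> space-separated list of ports the config listens on,
# handy for confirming that only 80 and 443 face the internet.
listen_ports() {
    printf '%s\n' "$1" \
        | sed -n 's/^[[:space:]]*listen \([0-9][0-9]*\).*/\1/p' \
        | tr '\n' ' ' | sed 's/ $//'
}

# install_ha_proxy_conf DOMAIN [UPSTREAM] -> writes the site file and syntax-checks it
install_ha_proxy_conf() {
    target="/etc/nginx/sites-available/$1"
    render_ha_proxy_conf "$@" > "$target"
    ln -sf "$target" "/etc/nginx/sites-enabled/$1"
    nginx -t && echo "ok: reload nginx to activate $target"
}

# Running the script with a domain argument prints the config; nothing is
# written unless install_ha_proxy_conf is called explicitly.
if [ $# -ge 1 ]; then
    render_ha_proxy_conf "$@"
fi
```

Usage: `sh ha-proxy.sh ha.example.net 127.0.0.1:8123` prints the config; call `install_ha_proxy_conf` as root to install it. Current Home Assistant releases also need the proxy declared in `configuration.yaml` (`http: use_x_forwarded_for: true` and `trusted_proxies:` listing the proxy's address), otherwise proxied requests are rejected. The VPN port is unaffected by this file; it is opened on the router separately.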

Are we talking about a home hosted VPN or one from a provider?

This would be a home hosted VPN. Provider VPNs are generally used to hide your IP address while you are browsing etc.

what about GitHub - StreisandEffect/streisand: Streisand sets up a new server running your choice of WireGuard, OpenConnect, OpenSSH, OpenVPN, Shadowsocks, sslh, Stunnel, or a Tor bridge. It also generates custom instructions for all of these services. At the end of the run you are given an HTML file with instructions that can be shared with friends, family members, and fellow activists.

Just something I came across this morning.


Or

The TOR setup is simple and does not require open ports in the router. It takes all of 10 minutes to set up and is easy to use. https://home-assistant.io/docs/ecosystem/tor/

Could you use that for GPS?

Hello!

I want to share with you my setup, which is a compromise between security and user experience. I want to be able to access my home easily, on each device, even ones that do not support VPN (i.e. Kindle). On the other hand, the usual password security is not enough for me.

I decided to go with 2FA provided by Google, creating an OAuth2 proxy. The proxy sits on my Raspberry unit behind NGINX with SSL through Let's Encrypt, and then passes the traffic to HA.

The whole setup is described on my blog, feel free to check it out: https://blog.luciow.pl/automation/2018/02/10/dont-reinvent-the-wheel/

Cheers,
Mariusz


Looks interesting, good find.

Hi.

I just got a UniFi USG / switch / AP. So I've been looking at your suggestion. I'm new to networking and I've only just recently learnt what a VLAN is.

I had some questions:

  1. Why do we need the VLAN 140 → VLAN 110 port 443 rule?

  2. What kind of devices would we put on VLAN 140 ?

  3. Can the devices on the default UniFi private corporate network initiate communication with a device on the VLANs?

  4. I was thinking instead of opening up 8123 to hass.io should I use a non default port, what port number (range) should I look at opening up?

  5. Would it be OK to run the UniFi controller on the hass.io Pi, or should I use another Pi instead? I do have a free Pi that I thought I could install both the UniFi controller and some sort of ad blocking thing (I think it's called Pi-hole) on.

Thanks
Kiwi

  1. This allows your laptop, computer, phone, etc. to access Home Assistant

  2. All your normal devices that need internet, such as your computer, XBox, phones, etc.

  3. This setup is designed to be in-place-of the default setup, not in-addition-to it.

  4. It's recommended to use SSL if you are opening up Home Assistant to the outside world. There are already many articles about how to do this in the documentation.

  5. I ran my UniFi controller alongside my Home Assistant setup with no issues, however I'm not sure if it'll run on the HASS.IO operating system image. It's worth a try though.

Safest way is tricky to define but things I think need in a secure(ish) setup:

  • 1 non-standard vpn port facing the internet. All other ports locked tight
  • VPN server only accepts clients with a certificate AND a password (to prevent someone stealing your phone accessing the network)
  • Your VPN being a stand-alone machine that can be physically removed from the network (powered down or remove network cable) to prevent any access when not desired.
  • VPN server set up so no VPN clients can get a local IP (local = 192.168…, VPN = 10.0…)
  • Every server on the network is running ufw
  • Configuration (SSH, VNC etc.) access restricted to only local IPs (or even singular machines).
  • SSH/VNC login with certificates AND password.
  • All systems such as HA etc. (torrent, SickBeard etc.) are behind a reverse proxy which runs Let's Encrypt
  • Local network servers/machines refusing (dropping) all connections from all clients, except the reverse proxy machine. This prevents anyone sneaking round your reverse proxy
  • All systems have a password
  • Samba (either HA or general file server) is set up to accept only authorised users with passwords (this can be automated to prevent users logging in twice)
  • Samba shares do not have execute access (especially for VPN clients)
  • All the users on all the machines are changed from the defaults (e.g. don't use user: pi, pw: raspberry).
  • If you are using Raspberry Pis on your network: remove the user rights from the user pi and lock it.
  • If you are using Raspberry Pis on your network: read this and do most if not all of this

https://www.raspberrypi.org/documentation/configuration/security.md

Probably a lot more…

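Several items in the list above (ufw on every server, SSH only from local IPs, the Home Assistant host dropping everything except the reverse proxy, the `pi` user locked) translate directly into a ufw ruleset for the Home Assistant box. The script below is an added example, not code from the thread or from the Raspberry Pi documentation it links: it prints the planned rules so they can be checked before anything is applied, and only runs them when `APPLY=1` is set as root. The subnet `192.168.1.0/24`, the proxy address `192.168.1.10` and the SSH/HA ports are assumed placeholders; the VPN port is deliberately absent because, per the list, the VPN runs on its own machine.

```shell
#!/bin/sh
# Added example (not from the thread): ufw ruleset for a Home Assistant host
# that sits behind the reverse proxy. Addresses and ports are assumed
# placeholders; override them via the environment.
set -eu

LAN_NET="${LAN_NET:-192.168.1.0/24}"   # assumed local subnet: admin access only from here
PROXY_IP="${PROXY_IP:-192.168.1.10}"   # assumed address of the NGINX reverse-proxy machine
HA_PORT="${HA_PORT:-8123}"             # Home Assistant's default port, never opened to the world
SSH_PORT="${SSH_PORT:-22}"

# plan_rules -> prints one ufw command per line, in the order they must run.
# 'limit' (not 'allow') on SSH makes ufw rate-limit repeated connection attempts.
plan_rules() {
    cat <<EOF
ufw --force reset
ufw default deny incoming
ufw default allow outgoing
ufw limit from $LAN_NET to any port $SSH_PORT proto tcp
ufw allow from $PROXY_IP to any port $HA_PORT proto tcp
ufw --force enable
EOF
}

# plan_user_lockdown -> commands that lock the stock 'pi' account and drop it
# from sudo, as the linked Raspberry Pi security page recommends. Create your
# own admin user first or you will lock yourself out.
plan_user_lockdown() {
    cat <<EOF
passwd -l pi
deluser pi sudo
EOF
}

# check_plan -> fails if any rule would let a host other than the proxy reach
# the HA port, i.e. a way to "sneak round" the reverse proxy.
check_plan() {
    plan_rules | grep "port $HA_PORT" | grep -qv "from $PROXY_IP " && return 1
    return 0
}

# apply_rules -> runs the planned commands; refuses to run unless root.
apply_rules() {
    [ "$(id -u)" -eq 0 ] || { echo "apply_rules: must run as root" >&2; return 1; }
    check_plan || { echo "apply_rules: plan exposes port $HA_PORT" >&2; return 1; }
    plan_rules | while IFS= read -r cmd; do
        echo "+ $cmd" >&2
        sh -c "$cmd"
    done
}

if [ "${APPLY:-0}" = "1" ]; then
    apply_rules
else
    echo "# plan (set APPLY=1 and run as root to apply):"
    plan_rules
    plan_user_lockdown
fi
```

Usage: `sh ha-firewall.sh` prints the plan; `sudo APPLY=1 PROXY_IP=192.168.1.10 sh ha-firewall.sh` applies it. The reverse-proxy machine gets the mirror image (allow 80 and 443 from anywhere, SSH from the LAN only), and the VPN machine allows only its single VPN port plus LAN SSH; everything else on each host stays at `default deny incoming`.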