Secure Remote Access - Best Method? What Am I Not Understanding?

I have read countless topics here and on other sites trying to get a better grip on successfully implementing secure remote access. I am getting nowhere fast!!! I have had a hell of a time getting the DuckDNS and LetsEncrypt access to work at all. Did a fresh install of HA last night to try and start over. Will likely have to do that again tonight since my access is nowhere to be found. I have read many posts with others also running into a bunch of problems. I feel like I am doing all the steps correctly. Although in fairness, many of the topics I have been using for reference are a few months old.

Bear with me because I am a bit ignorant regarding a lot of this. Trying to learn as quickly as possible but would really appreciate your help to setup a rock solid system. Before I get a bunch of devices working and getting automations started, I want the most important part of this setup (secure remote access and notifications) to be done correctly.

My setup is Hass.io on a RaPi3 wired to the router

  • Is there an up-to-date community page regarding the complete (and detailed) process for getting this to work using DuckDNS & LetsEncrypt? Is this the community standard?

  • Is this even necessary to incorporate secure remote access? Are there other methods to try that are just as good or better?

  • My router control panel has a built in Dynamic DNS setup with a different DNS site (dnsdynamic.com). Could I potentially use this instead of DuckDNS? I imagine I would still need to setup the port forwarding correctly anyway.

  • Would a VPN setup be a more secure setup ultimately for remote access? What are the pros & cons of a VPN setup versus DuckDNS/LetsEncrypt and vice versa?

On hass.io it’s easy and all you should need to accomplish that task is to install that add-on:
addons/duckdns/README.md at master · home-assistant/addons · GitHub

Alter the add-on options to use your DuckDNS token and domain:

{
  "lets_encrypt": {
    "accept_terms": true
  },
  "token": "sdfj-2131023-dslfjsd-12321",
  "domains": ["my-domain.duckdns.org"]
}

Configure your configuration.yaml to include the lines ssl_certificate, ssl_key and api_password. Choose a strong api_password and include it in your secrets.yaml:

http:
  api_password: !secret http_api_password
  ssl_certificate: /ssl/fullchain.pem
  ssl_key: /ssl/privkey.pem

Do not open any ports for this add-on because it does not need any to work properly.

Of course!

There are, but it’s more complicated in the beginning. If you are thinking about incorporating other add-ons like Node-RED or the like that run in their own containers but need access to hass.io it may be easier to use a reverse proxy like Caddy or nginx.

Start small and when you feel more used to the concepts you can begin exploring other options.

You could use that, but you should only if your router also handles the let’s encrypt part. You shouldn’t connect to hass.io without using SSL.

Of course. 8123 needs to be forwarded to your pi regardless of the used dyndns.

The main factor that influences whether to use a VPN or not is what you want to do with exposing hass.io to the internet.

  • Is it only for having access to it through your browser? VPN could be an option.
  • Is it to use services like Google Assistant, Amazon Alexa or some types of notifications? VPN isn’t an option as the services need to communicate with hass.io directly.
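An offline preflight check for the http: block above, added here as an example and not the add-on’s or Home Assistant’s own code. It assumes configuration.yaml and secrets.yaml have already been parsed into plain dicts (so no PyYAML is needed and it runs stand-alone); the sample configs, the secret value and the ip_ban_enabled / login_attempts_threshold settings (which the posted block does not include) are constructed for illustration. A clean result means TLS is on at the paths the add-on writes, the password lives in secrets.yaml and is reasonably long, and failed logins get banned instead of being guessable forever.

```python
"""Offline audit of a Home Assistant ``http:`` block before port 8123 is exposed.

Added example for this thread, not the DuckDNS add-on's or Home Assistant's
own code. Assumes configuration.yaml and secrets.yaml are already parsed into
dicts; the sample configs at the bottom are constructed for illustration.
"""
import re

# Where the DuckDNS add-on used in the thread writes the Let's Encrypt files.
EXPECTED_CERT = "/ssl/fullchain.pem"
EXPECTED_KEY = "/ssl/privkey.pem"
MIN_PASSWORD_LEN = 16


def resolve_secret(value, secrets):
    """Resolve an ``!secret name`` reference against secrets.yaml.

    Returns (plain_value, came_from_secrets). A missing secret is an error,
    which is also what Home Assistant does at startup.
    """
    if isinstance(value, str) and value.startswith("!secret "):
        name = value[len("!secret "):].strip()
        if name not in secrets:
            raise KeyError(f"secret '{name}' is referenced but not in secrets.yaml")
        return secrets[name], True
    return value, False


def password_findings(password):
    """Checks on the single credential that gates the whole UI and API."""
    out = []
    if len(password) < MIN_PASSWORD_LEN:
        out.append(f"api_password is {len(password)} chars; use at least {MIN_PASSWORD_LEN}")
    classes = sum(bool(re.search(p, password))
                  for p in (r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]"))
    if classes < 3:
        out.append("api_password uses fewer than three character classes")
    return out


def audit_http(http_cfg, secrets):
    """Return a list of findings for an ``http:`` block; [] means it looks sane."""
    findings = []

    cert, key = http_cfg.get("ssl_certificate"), http_cfg.get("ssl_key")
    if not cert or not key:
        findings.append("no ssl_certificate/ssl_key: the UI and the api_password "
                        "cross the internet in clear text")
    elif (cert, key) != (EXPECTED_CERT, EXPECTED_KEY):
        findings.append(f"TLS paths are {cert!r}/{key!r}, not where the DuckDNS "
                        f"add-on writes them ({EXPECTED_CERT}, {EXPECTED_KEY})")

    if "api_password" not in http_cfg:
        findings.append("no api_password: anyone who reaches the forwarded port "
                        "gets the full UI and API")
    else:
        password, from_secret = resolve_secret(http_cfg["api_password"], secrets)
        if not from_secret:
            findings.append("api_password is written literally in configuration.yaml; "
                            "move it to secrets.yaml")
        findings.extend(password_findings(password))

    # ip_ban_enabled / login_attempts_threshold are options of the http
    # component; without them the api_password can be guessed without limit.
    if not http_cfg.get("ip_ban_enabled", False):
        findings.append("ip_ban_enabled is off: failed logins are not throttled; "
                        "set ip_ban_enabled: true and login_attempts_threshold")
    elif http_cfg.get("login_attempts_threshold", -1) < 1:
        findings.append("ip_ban_enabled is on but login_attempts_threshold is unset, "
                        "so no IP is ever banned")

    return findings


# Constructed sample: the posted block, extended with the ban options and
# backed by a strong secret (the secret value itself is made up).
POSTED_HTTP = {
    "api_password": "!secret http_api_password",
    "ssl_certificate": "/ssl/fullchain.pem",
    "ssl_key": "/ssl/privkey.pem",
    "ip_ban_enabled": True,
    "login_attempts_threshold": 5,
}
SECRETS = {"http_api_password": "Vq7#mordant-Tundra!29"}

# Constructed sample: "just forward 8123" with no TLS and a short literal password.
WEAK_HTTP = {"api_password": "hunter2"}


def main():
    for name, cfg in (("posted", POSTED_HTTP), ("weak", WEAK_HTTP)):
        findings = audit_http(cfg, SECRETS)
        print(f"{name}: {'OK' if not findings else ''}")
        for finding in findings:
            print("  -", finding)


if __name__ == "__main__":
    main()
```

The checks are deliberately ordered the way the thread explains them: DuckDNS only gives you a name, the certificate only gives you encryption, and api_password is the one thing that actually decides who gets in, so it gets the most scrutiny.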

DuckDNS and LetsEncrypt don’t provide any security really when it comes to remote access.

DuckDNS just provides a means to allow your public IP to be translated into a domain name that doesn’t change. There is no security here.

LetsEncrypt only encrypts your traffic, it does nothing to prevent access. The benefit of using this service is that your traffic is encrypted; any sensitive information that may be passed over any network while you use HA is encrypted and much more difficult to gather.

Is this even necessary to incorporate secure remote access? Are there other methods to try that are just as good or better?

You can see the reason people use Let’s Encrypt above. A DNS service (any DNS service works) is only for convenience. Before I used DuckDNS I just had a sensor in HA monitor my IP address. When it changed (rare) it sent me an e-mail with the new address and I updated my link.


@Florian Thank you very much for the detailed response. Regarding the steps to get the add-on installed, that is exactly what I did last night and then I attempted to restart HA and everything crashed and I could no longer access it.

I was reading a very thorough post on Reddit last night and it mentioned something about NOT restarting HA from the config panel. It mentioned doing it through the Hass.io tab. I did not find a ‘Restart’ button but I did find a ‘Reboot’ button on that tab. Any truth to that in your experience about restarting HA from the config panel?

I am wondering if my problems stem completely from setting up my port forwarding incorrectly. I have tried YouTube, topics here, and somehow I think I may be confusing what I am supposed to do exactly. Later this evening, I will attempt to get a screenshot of my control panel and post it here to see if I am doing it correctly. Seems like it should be simple but it is entirely within the realm of stupidity that I am putting things in there backwards! :joy::stuck_out_tongue_winking_eye::joy:

@silvrr Thank you. Yes, I understand that DuckDNS & LetsEncrypt are not really a security measure (entirely). But I do view the LE portion of it as a way to minimize someone seeing what is happening on that network. So in a sense to me it adds a bit of security to my setup. I understand the DuckDNS process is simply to ensure that my domain will automatically update if my IP address dynamically changes. Correct?

After setting it up this way you always have to access it using https (mind the “s”). If you did that while using your DuckDNS domain and nothing happened it might be a feature/configuration of your router that prevented the connection. Your router must support NAT Loopback to make this work properly. You still can connect to your pi using https://hassio:8123/ or https://hassio.local:8123/ or https://<the-ip-of-the-pi>:8123/ (mind the “s” again) but you will get a warning from your browser, because these addresses don’t match your DuckDNS Domain.

Restart was removed there with hass.io 0.64. You can still find it in configuration / general / server management.

I think that depends on the router. My router supports NAT Loopback but does it only for the ports I forwarded. That may be true for you, but if you forwarded 8123 to 8123 (or whatever port you want to use from outside) that shouldn’t be a problem.

Yes.

Basically yes. To be a bit more precise. DuckDNS ensure that the domain you choose will automatically update and redirect to the new IP when it updates.

For what it’s worth I have the steps taken to secure my HA instance outlined in my github repo. I just have port 8123 forwarded to my HA instance and a password implemented on the front end. After that it is basically all passive monitoring to keep it secure. I looked into some other options but this was the easiest to keep access easy for my wife and me.

https://github.com/SilvrrGIT/HomeAssistant#network--home-assistant-instance-security


Oh…and I have also read in other topics that the DuckDNS and LetsEncrypt process is the only way in order to get Google Assistant or Alexa voice control to work. I guess that makes the decision for me regarding VPN. VPN as I understand cannot be used for the voice control aspect because of requirements from Amazon and Google. Correct? Which leads me to my next question…which one should I go with? Alexa or GA? That is probably for another topic/post!

A VPN should still be an option with Duck DNS and LE. I have both available, I just don’t use my VPN for accessing the HA front end regularly.

silvrr is right! I completely forgot to mention that in my first post. I’ll add the required line for the http component in my first post…

Thanks for sharing your configuration and documentation with us @silvrr. It’s always nice to see what others are doing with hass.io

You’re welcome, not running hass.io though.

There are a ton of good repos to look at.

Searching by topics on github returns a ton

The ‘cookbook’ page on the HA website is another good source. There is some ‘spring cleaning’ going on to try and keep this to current and regularly updated repos as some are a bit stale. I think that change should be happening soon.


To use Amazon’s or Google’s services they require you to provide an endpoint that is accessible using a static address secured by an SSL certificate. DuckDNS is one of the possibilities to provide a static address, Let’s Encrypt provides the certificate.

So neither of them is required as long as you find an alternative way to fulfill this requirement.

That’s nothing we can answer for you :slight_smile:

I should stop using hass and hass.io synonymously… :flushed:

Thanks again @silvrr for your responses. I appreciate you sharing the github link as well. I will head on over to that and start getting familiar with it. I will be giving it a go again later this evening!!!

Just curious…but why have you decided not to use hass.io? I personally decided on hass.io because it appeared to be the easiest way to get started quickly with my level of experience (or inexperience). There were also lots of resources (here and YT) to get going.

I started with Home Assistant before Hass.io was available. It was a manual install, then the all in one installer came along, then hassbian and then Hass.io. All have their advantages, but for me the python virtual environment install is the best option for the hardware I’m on. If I use a Pi I use the hassbian image which is just a python virtual environment install on top of Raspbian.

Given my limited (but generally adequate) linux skills and that I have learned to do everything I want without Hass.io I have never made the move over. It seems to be a somewhat restrictive environment if you don’t understand the docker ecosystem (which I don’t).

I still write all my automations, customizations and groups manually in a text editor too, it’s just what I am used to.


I am checking out your yaml files right now! I am already learning more just by seeing your config files. I like how you are making it easy to decipher the different areas of the config files (i.e. General, Zwave, etc.) I will definitely be incorporating something like this. Do most people’s config files point to other config files like yours (i.e. switches, groups, etc.)?

It makes sense to me actually to keep things compartmentalized like that. Easier to organize and edit specific things. I imagine the main config yaml file can become very busy (cluttered) if everything is included on that one file. Anyway…I really like your setup. There is still so much I need to learn about yaml and how to get everything setup but I can appreciate the straightforward setup you have. Now to figure out my remote access!


Imagine combining all those files into one long file. I started in one file but it became difficult to work in. Splitting things up just makes sense after you get more devices and start adding a lot of automations.

@silvrr I agree. I can definitely see how everything is clean and easy to do within the config file at first but as I start adding devices, sensors, etc.; it could QUICKLY get out of hand!

FYI…I just signed up for GitHub. I was not fully understanding its purpose prior to your recommendation. I had seen a few people link to it but I was not sure where to go with it. I had never tried putting any brain power and actually clicked any of the links. I am very appreciative that you pointed me in that direction. LOTS of inspiration in there. I would also like to say that in your ‘Read Me’ section where you mention, “I relied on repositories of other HA users quite a bit when I was getting started for ideas and example code. Hopefully this repository will help someone else who is getting started.” You have already certainly helped me so thank you very much for that.

@silvrr & @Florian - I hope this screenshot is ok under the community guidelines. It isn’t displaying any private info so I figured I would post it to get your input. What do you guys think? Does it look right?


No. You are forwarding EVERY port from 433 to 8123.

Thanks for your input @flamingm0e. Maybe you could help me better understand what I am doing here or confirm my entry.

This is the initial screen to setup port forwarding on my router:

Here are the options under the ‘Service Name’:

This is the screen I see when setting up a new custom service…
I need to name the service, External Starting Port (8123), External Ending Port (8123), and then enter the IP address associated with my Hass.io install? Sound right or am I still not understanding this section?
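A small checker for the kind of rule described above, added as an example and not part of the original thread or of any router’s firmware. It assumes the rule has been transcribed into a dict with the fields the router screens ask for (external start/end port, internal IP and port, protocol); the sample rules are constructed, one of them reproducing the 433-8123 range that was flagged in the reply. The point it makes is the one the reply made: Home Assistant needs exactly one TCP port forwarded to one private address, and every extra port in a range is reachable by anyone on the internet whether or not something listens behind it today.

```python
"""Sanity check for a router port-forward rule aimed at Home Assistant.

Added example for this thread, not code from Home Assistant or any router
vendor. Rule fields mirror the router screens discussed above; the sample
rules at the bottom are constructed.
"""
import ipaddress

HA_PORT = 8123


def audit_forward_rule(rule, ha_port=HA_PORT):
    """Return findings for one rule; [] means one TCP port forwarded to HA on the LAN.

    The external port may legitimately differ from 8123 (e.g. 443 outside to
    8123 inside); what must not happen is a range, a second protocol, or a
    target that is not a private address.
    """
    findings = []
    start, end = rule["external_start"], rule["external_end"]
    internal_port = rule.get("internal_port", start)

    if not (1 <= start <= end <= 65535):
        findings.append(f"invalid external range {start}-{end}")
        return findings
    if start != end:
        findings.append(
            f"external range {start}-{end} opens {end - start + 1} ports to the "
            f"internet; a single port is all Home Assistant needs")
    if internal_port != ha_port:
        findings.append(
            f"internal port {internal_port} is not the Home Assistant port {ha_port}")

    proto = rule.get("protocol", "TCP").upper()
    if proto != "TCP":
        findings.append(
            f"protocol {proto}: HTTPS is TCP only; forwarding UDP as well just widens the hole")

    ip = ipaddress.ip_address(rule["internal_ip"])
    if not ip.is_private:
        findings.append(f"internal IP {ip} is not a private (LAN) address")
    return findings


# Constructed sample: the rule the screenshot showed, as described in the reply.
FLAGGED_RULE = {
    "external_start": 433, "external_end": 8123,
    "internal_ip": "192.168.1.50", "internal_port": 8123, "protocol": "BOTH",
}

# Constructed sample: the rule the thread recommends, 8123 -> 8123, TCP only.
CORRECT_RULE = {
    "external_start": 8123, "external_end": 8123,
    "internal_ip": "192.168.1.50", "internal_port": 8123, "protocol": "TCP",
}


def main():
    for name, rule in (("flagged", FLAGGED_RULE), ("correct", CORRECT_RULE)):
        findings = audit_forward_rule(rule)
        print(f"{name}: {'OK' if not findings else ''}")
        for finding in findings:
            print("  -", finding)


if __name__ == "__main__":
    main()
```

The 433 in the flagged rule is most likely a typo for 443, but the checker does not care which: any start port different from the end port is a range, and a range is the mistake.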