TL;DR Hosting HA behind a reverse proxy still requires opening up ports on your router, and my USG (UniFi Security Gateway) IDS/IPS reports daily break-in attempts which, if not (yet) successful, remain troublesome. I’ve implemented a number of architectures over time, starting with an Nginx reverse proxy and a WireGuard VPN, and am now testing Argo Tunnel from Cloudflare. My purpose here is to understand if a) I’m paranoid, b) I’m going in the right direction, and c) I’m missing something.
The longer read: A lot has been written about securing HA when accessing it from the internet, and over the last 3 years I’ve tried a few solutions. The purpose of this thread is to share key highlights of these experiences and gather any further information or insights into the subject.
Problem: I run what I can call a “mission-critical” instance of HA on a dedicated VM (OVA image) running on top of ESXi. It is critical as it runs the management plane of my off-grid, totally autonomous house on a large plot of land and manages my water (irrigation, filtering and potabilization), energy (large PV and battery array supported by a gas generator), HVAC (full heat-pump-based heating and cooling system with wood-fired stove integration for domestic hot water and swimming pool heating), access and security (presence and intrusion detection, remote door locking and opening, window contacts, blinds), to name but the most important.
I’ve decided on wired KNX (TP twisted pair for the lines and IP for the backbone) for the IoT sensor and actuator level wherever possible because it is a really robust, tested and straightforward solution which will last me, hopefully, decades. Baseline automation is implemented here as much as possible.
On top of KNX, HA handles the more complex logic which, even if possible to implement in KNX, would be rather difficult to, and especially more complex to document and pass on to another person having to maintain or upgrade anything on the system. And the monitoring and visualization plane too, UI for short.
On top of that sits the data and reporting layer, based on the InfluxDB/Grafana pair using add-ons.
The whole is complemented by GitHub push/pull scripts and daily snapshots backed up to my FreeNAS server via rsync and replicated to an offsite Synology and to a cloud service provider for extra assurance (as FreeNAS is running on the same hardware).
Complication: This whole set-up can run on its own without any Internet connection (except for the remote and cloud back-up replication), but for obvious reasons I want on-the-road access to check in on things, and I have set up a number of messages/warnings to let me know what’s going on and act if something didn’t work as expected (Murphy).
The complication is that opening ports on my router immediately leads to attempts to get in from all over the world using all sorts of vectors, and even if my set-up uses a UniFi Security Gateway with IPS turned on (yes, I could also have gone the pfSense way, but I don’t want to overcomplicate my set-up), I’m not happy with the situation as “you never know”. I’m segregating my network into VLANs, but I still feel it is preferable not to have any of these pesky bots knocking on my door.
Solution: I’ve moved up what I think is the security ladder over time, looking for the best security while still keeping it manageable and, above all, problem-free and reliable.
In the beginning I did the obvious, simple, if not NO-NO, thing, which was to open up port 8123 on my router. It worked, of course, but I did know I was making a mistake.
Second up was my own set-up of Nginx, which was extremely educational, teaching me real stuff beyond just reading how it works. Once Nginx became available as an add-on (I used the excellent Nginx Proxy Manager) I moved that way to simplify my set-up, and it worked perfectly. But I still needed to open up ports, and the bots kept knocking on the door.
Third was just a VPN, using first my own set-up of an OpenVPN server and again, when WireGuard became available as an add-on, moving there. It worked very well, and indeed from experience WireGuard is quite a bit easier to set up and faster than OpenVPN, but still, ports (the minimum = 1) had to be open, so I kept searching and I came across the reverse tunnel architecture, in my case specifically Argo Tunnel from Cloudflare.
Other alternatives do appear to exist (I haven’t tested them), like ngrok, but I chose Cloudflare because I felt it could offer a more integrated one-stop-shop solution including my DNS hosting, certificates, etc.
Implementation: I won’t go into the details, as it is well explained by Cloudflare itself, but the basics are that you run a daemon in your environment and it creates a reverse tunnel to Cloudflare’s edge servers, from which you can access your environment, no ports needed. You can further protect/simplify by setting up Access, which gives you a sort of SSO using your identity provider of choice, in my case GitHub.
As I’m running HassOS and I don’t want to get under the hood (even assuming I could and it would work), I have another VM (Ubuntu Server 20.04) where I run the daemon and other non-HA stuff like Roon (music server) and whatever. cloudflared, the daemon, allows configuration of ingress rules very much like Nginx, where you define the upstream IP:port serving the request. This way I can serve whatever I want over the tunnel without opening up any port and, presto, no pesky knocks on my door anymore!
Argo Tunnel is not free, but I feel the cost may be worth the added security and peace of mind. It is “limited” today to mostly HTTP/HTTPS traffic, and I haven’t found a way, yet, of running a VPN UDP stream over it (because I can’t, according to the specs). I’d like to keep a way for me to still gain access to my installation in case something happens, like for instance my daemon or the server having a problem. If that happens I can still log on to my UniFi cloud controller and temporarily open up a port and get in with SSH, solve it and close the door again.
Next steps: So far so good. I’m happy with the set-up: it is responsive, has proven reliable, gives me a single point of access and sign-on for all the things I want/need to serve over the internet, is secure (or I think so) and the cost is not prohibitive.
Are there better options out there? Better as in secure, reliable, cost-conscious.
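An added example of the cloudflared ingress configuration the post describes (this is constructed for illustration, not the poster’s own config or one from Cloudflare’s docs); it assumes a tunnel named `ha-tunnel`, HA on 192.168.10.5:8123 and the Grafana add-on on 192.168.10.6:3000, all made-up addresses, with hostnames under example.com:

```yaml
# /etc/cloudflared/config.yml on the Ubuntu VM that runs the daemon
# (example built for this thread; tunnel name, UUID path and addresses are assumptions)
tunnel: ha-tunnel
credentials-file: /etc/cloudflared/<TUNNEL-UUID>.json   # placeholder, written by `cloudflared tunnel create`

ingress:
  # Rules are matched top to bottom; the first hostname (and optional path) match wins.
  - hostname: ha.example.com
    service: http://192.168.10.5:8123          # Home Assistant VM (constructed address)
  - hostname: grafana.example.com
    service: http://192.168.10.6:3000          # Grafana add-on (constructed address, default port)
    originRequest:
      noTLSVerify: false                       # keep certificate checks if the origin were https://
  # Anything that matches no hostname above is answered by cloudflared itself, never forwarded.
  # cloudflared refuses to start unless this catch-all (a rule with no hostname) is last.
  - service: http_status:404
```

Check the rule set with `cloudflared tunnel ingress validate` before enabling the service. Home Assistant must also be told to trust the VM running the daemon (`use_x_forwarded_for: true` plus that VM’s address under `trusted_proxies:` in the `http:` section of configuration.yaml), otherwise it rejects the proxied requests.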