Securing HA to internet access - experiences and search for new insights

TL;DR: Hosting HA behind a reverse proxy still requires opening up ports on your router, and my USG (UniFi Security Gateway) IDS/IPS reports daily break-in attempts which, if not (yet) successful, remain troublesome. I’ve implemented a number of architectures over time, starting with Nginx reverse proxy, WireGuard VPN, and am now testing Argo Tunnel from Cloudflare. My purpose here is to understand if a) I’m paranoid, b) I’m going in the right direction, and c) I’m missing something.

The longer read: A lot has been written about securing HA when accessing from internet and over the last 3 years I’ve tried a few solutions. The purpose of this thread is to share key highlights of these experiences and gather any further information or insights into the subject.

Problem: I run what I can call a “mission-critical” instance of HA on a dedicated VM (OVA image) running on top of ESXi. It is critical as it runs the management plane of my off-grid, totally autonomous house on a large plot of land and manages my water (irrigation, filtering and potabilization), energy (large PV and battery array supported by a gas generator), HVAC (full heat-pump-based heating and cooling system with wood-fired stove integration for domestic hot water and swimming pool heating), access and security (presence and intrusion detection, remote door locking and opening, window contacts, blinds), to name but the most important.

I’ve decided on wired KNX (TP twisted pair for the lines and IP for backbone) for the IoT sensor and actuator level wherever possible because it is a really robust, tested and straightforward solution which will last me, hopefully, decades. Baseline automation is implemented here as much as possible.

On top of KNX, HA handles the more complex logic which, even if possible to implement in KNX, would be rather difficult to, and especially more complex to document and pass on to another person having to maintain or upgrade anything on the system. And the monitoring and visualization plane too, UI for short.

On top of that, the data and reporting layer, based on the InfluxDB/Grafana pair using add-ons.

The whole is complemented by GitHub push/pull scripts, daily snapshots backed up to my FreeNAS server via rsync and replicated to an offsite Synology and to a cloud service provider for extra assurance (as FreeNAS is running on the same hardware).

Complication: This whole set-up can run on its own without any Internet connection (except for the remote and cloud back-up replication), but for obvious reasons I want on-the-road access to check in on things, and have set up a number of messages/warnings to let me know what’s going on and act if something didn’t work as expected (Murphy).

The complication is that opening ports on my router immediately leads to attempts to get in from all over the world using all sorts of vectors, and even if my set-up uses a UniFi Security Gateway with IPS turned on (yes, I could also have gone the pfSense way but I don’t want to overcomplicate my set-up), I’m not happy with the situation as “you never know”. I’m segregating my network into VLANs but I still feel it is preferable not to have any of these pesky bots knocking on my door.

Solution: I’ve moved up what I think is the security ladder over time, looking for the best security while still keeping it manageable and, above all, problem-free and reliable.

In the beginning I did the obvious, simple, if not NO-NO thing, which was to open up port 8123 on my router. It worked, of course, but I did know I was making a mistake.

Second up was my own set-up of Nginx, which was extremely educational, teaching me real stuff beyond just reading how it works. Once Nginx became available as an add-on (I used the excellent Nginx Proxy Manager) I moved that way to simplify my set-up, and it worked perfectly. But I still needed to open up ports and the bots kept knocking on the door.

Third was just a VPN, using first my own set-up of an OpenVPN server and again, when WireGuard became available as an add-on, moving there. It worked very well, and indeed from experience WireGuard is quite a bit easier to set up and faster than OpenVPN, but still, ports (the minimum = 1) had to be open, so I kept searching and I came across the architecture of the reverse tunnel, in my case specifically Argo Tunnel from Cloudflare.

Other alternatives do appear to exist (I haven’t tested them), like ngrok, but I chose Cloudflare because I felt it could offer a more integrated one-stop-shop solution including my DNS hosting, certificates, etc.

Implementation: I won’t go into the details as it is well explained by Cloudflare itself, but the basics are that you run a daemon in your environment and it creates a reverse tunnel to Cloudflare’s edge servers, from which you can access your environment, no ports needed. You can further protect/simplify by setting up Access, which gives you a sort of SSO using your identity provider of choice, in my case GitHub.

As I’m running Hass OS and I don’t want to get under the hood (even assuming I could and it would work), I have another VM (Ubuntu Server 20.4) where I run the daemon and other non-HA stuff like Roon (music server) and whatever. Cloudflared, the daemon, allows configuration of ingress rules very much like Nginx, where you define the upstream IP:port serving the request. This way I can serve whatever I want over the tunnel without opening up any port and presto, no pesky knocks on my door anymore!

Argo Tunnel is not free, but I feel the cost may be worth the added security and peace of mind. It is “limited” today to mostly HTTP/HTTPS traffic and I haven’t found a way, yet, of running a VPN UDP stream over it (because I can’t, according to the specs). I’d like to keep a way for me to still gain access to my installation in case something happens, like for instance my daemon or the server has a problem. If that happens I can still log on to my UniFi cloud controller and temporarily open up a port, get in with SSH, solve it and close the door again.

Next steps: So far so good, I’m happy with the set-up: it is responsive, has proven reliable, gives me a single point of access and sign-on for all the things I want/need to serve over the Internet, is secure (or I think so) and the cost is not prohibitive.

Are there better options out there? Better as in secure, reliable, cost-conscious.
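For readers who want to see what the ingress rules described in the post look like in practice, here is an added example configuration; it is not taken from the post or from Cloudflare’s or Home Assistant’s own documentation. The tunnel UUID, hostnames and LAN addresses are constructed placeholders. The second file is the matching Home Assistant side: current HA versions reject traffic arriving through a reverse proxy unless that proxy’s address is listed under `trusted_proxies`, so the address of the VM running cloudflared is assumed to be 192.168.1.20.

```yaml
# File 1: /etc/cloudflared/config.yml on the VM running the cloudflared daemon
# (added example; UUID, hostnames and addresses are constructed placeholders)
tunnel: 00000000-0000-0000-0000-000000000000
credentials-file: /etc/cloudflared/00000000-0000-0000-0000-000000000000.json

ingress:
  # Home Assistant on its own VM, reached over the LAN; nothing is forwarded
  # on the router, the only connection is the outbound one cloudflared opens.
  - hostname: ha.example.com
    service: http://192.168.1.10:8123
  # A second, non-HA service on the same VM (a music server UI, for instance)
  - hostname: music.example.com
    service: http://127.0.0.1:9100
  # Mandatory catch-all as the last rule: any hostname not listed above gets a
  # 404 instead of being passed to some upstream by accident.
  - service: http_status:404

---
# File 2: configuration.yaml on the Home Assistant instance (assumed HA side)
http:
  # Let HA read the real client IP from the proxy's X-Forwarded-For header
  use_x_forwarded_for: true
  # Only trust that header when it comes from the cloudflared VM; without this
  # entry HA answers 400 Bad Request to proxied connections.
  trusted_proxies:
    - 192.168.1.20
```

Two checks are worth doing after writing this: `cloudflared tunnel ingress validate` confirms the rules parse and that the catch-all is last, and an external port scan of your public IP should show nothing listening, since the daemon only ever makes an outbound HTTPS connection to Cloudflare. Restricting `trusted_proxies` to the one proxy address matters because a wider range would let any host in it spoof the client IP that HA logs and uses for its login-attempt banning.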

I wonder why in all your options you don’t list Nabu Casa’s SniTun implementation of Server Name Indication.

I may be wrong but from what I understand NabuCasa’s implementation connects to the local instance of HA and that’s it, allowing access to add-ons but not other servers/services on my network such as Nextcloud, Roon, etc.

Is my assumption right? Could I use NabuCasa’s implementation to access other services on my network?

I developed my own add-on to run Roon on my HA instance but that was just for fun, not attempting to go beyond just the test phase, “because I can” type of stuff.
And I don’t want to run my data cloud out of HA as I don’t think that’s its purpose either.

I accept, applaud and buy-in to the premise of Hass OS but want to keep it to its purpose and have my other non-HA services running on appropriate platforms. Horses for courses if you want.

Indeed, Nabu Casa is purely for HA. It’s a secure, simple, and self-maintaining option for a dedicated solution (HA). It’s beautifully integrated via the HA Mobile App. It’s very affordable at $5/month.

Maybe you could find corresponding lead ropes for the other horses in your stable?


This is one of the reasons I use HomeKit, it gives me visibility to my home automation in a secure environment without punching holes in my firewall. Of course you don’t get your Lovelace or native HA access, but for me I’m mostly automating through voice commands anyway so I only use native HA for administration.

If I didn’t do this, though, I would either sign up for the Nabu Casa solution stated above or establish a VPN for HA use.

Of note, Nabu Casa does not punch a hole through a firewall. It uses an existing ‘hole’, i.e. port 443. If you don’t have that one open then you won’t do much internetting anyways.

Your HomeKit post actually brought something to mind which I forgot in my original post. I want a vendor-agnostic solution and certainly not a proprietary closed-wall garden like Apple’s, even though I’m typing this on an iMac.

The reason is that you never know where they’re going, and it happened to me a few years ago to buy into a bells-and-whistles irrigation controller whose maker went bust, and there I was, a nice piece of hardware totally useless.

You could argue that KNX is proprietary, but it is not, in the sense that it is a standard and I can go and buy compatible hardware from umpteen vendors and not be tied to anyone in particular.

It’s been some time since I used Home Assistant Cloud, and did I forget it needs port 443 open? If that is the case then that is what I’m trying to get away from, having ANY port open on my router, because as I explained, the moment you do you get swarms of attempts to get in.

Port 443 is for HTTPS. Every consumer firewall has that open.

Of course, it uses tunneling, otherwise what would be the point of using Nabu if you can just punch the hole yourself and call it a day? 🙂

You can be vendor agnostic, but you’ll never reach that level of bliss. This is home automation; you always run the risk of any system giving up the ghost. And what would the worst case be? You would have to replace the gizmo that is no longer supported. The most expensive gizmo for me is my Rachio controller, and even that is only a couple hundred bucks. That’s why I am not personally concerned with being vendor agnostic. The funny thing is that HA, which is your central brain center, probably has a better chance of being abandoned than HomeKit, which is simply your interface. One way or the other you are tied to something that could go poof at any point.

Hi @lsgv,

I’ve also integrated Cloudflare’s solutions into my HA setup, but only Cloudflare Access, not the Argo Tunnel (yet?). However, I notice that I cannot update my iPhone’s location with the iOS companion app through it. If I disable Access, however, the iPhone’s location is immediately updated… Do you also see this issue?

Regards,
Cadish

Outbound yes. Most consumer firewalls have all outbound ports open.
Inbound it’s most likely closed since most consumer firewalls have all inbound ports closed by default.

To the OP: I run pfSense, and have OpenVPN co-listening on port 443. For me that’s safe enough.

Having a port open is not unsafe by itself. It becomes unsafe when the service/protocol/implementation listening on that port is vulnerable.
The fact that someone is “knocking on the door” is a fact of the modern internet and can be simple port-scan functionality; it’s not malign per se.

I am contemplating switching to OPNSense for its WireGuard capabilities.