New to Home Assistant, moderately good with linux, very good with networking.
I have hass.io running on a rPi 3B and it works great, but I am more or less in proof of concept mode now, and have not spent any time on security yet. I spent the morning reading numerous rants and recommendations without much clarity.
Mostly my HA stuff will be on a separate subnet, with separate firewall rules to limit internet access (either entirely, or only when I want to do updates). I will likely access it from outside via a VPN (i.e. still “inside” really).
My problem comes with tools like Google Assistant; I have not tried it yet with Home Assistant but it appears to integrate. This would appear to imply I must provide some internet web access to Home Assistant, and I am unlikely to be successful in IP level restrictions as I suspect Google servers change IP regularly.
I vastly admire the Hass.io image and how easy it was to get working, but from a security standpoint I also value the massive number of eyes on apache and other common linux tools and worry that exploits may remain hidden in hass.io moreso than more common web servers.
My question is this: What are people doing to secure Hass.io while allowing google (and potentially other specific services) in? Just trusting it? Some kind of firewalling?
Or are you front-ending it with a separate proxy (it’s not obvious this helps all that much since almost by definition it has to relay all requests)?
Or are you doing manual installs? (But doesn’t Home Assistant still end up being its own web server?)
Or just giving up Google Assistant entirely, and living locally (which honestly I am leaning toward).
You could take a look at Home Assistant Cloud (though it costs a few dollars/euro’s per month). This is a secure way to keep your HA install completely local and feed to Google Assistant/Alexa. Though this way only the digital assistants will work and the frontend won’t be reachable over the internet.
You could also setup Google Assistant manually which is less secure (but free) as you will need to open either ports or use other means (e.g. Nginx/IIS/Apache with reverse proxy) to make your HA instance available to the internet. You could also use a VPN which would probably be the safest way however not the most practical (but that depends on how your vpn is setup).
If you look for something easy, secure and fast to setup Home Assistant Cloud is the way to go.
Edit: personally I just use portforwarding a good firewall and a ssl certificate. I have my own domain running with Active Directory (windows server). And HA runs on a Ubuntu VM which runs HA in a python virtual environment. My HA instance is not within my windows domain.
Though most people I see here use Nginx with some reverse proxy.
Home Assistant Cloud: definitely will look at that, I saw it early on and then put it to the side and forgot about it.
Reverse proxy: I get it, though I’m not completely convinced it adds much real security, as depending on the (hypothetical) exploit it might pass right through.
VPN: How would that work? I thought google had to be able to reach out and touch a public web server (and cert)?
I like free by the way; being a bit of a hassle to set up, if it is reliable going forward, is not a big deal. Most of this automation is all for fun, not because I really need something to turn on a light for me.
Depending on which and how many devices you want to associate with Google Assistant it’s possible to do it with an MQTT bridge.
I am only using 4 devices right now and I am using gbridge (it’s free for 4 devices and pay what you want for a subscription). gBridge gets added to you Google Home and HA subscribes to it’s MQTT topics.
I just wanted to follow up. I’ve spent the last 10 days or so deep into Home Assistant, node-red, and related. I set up my router with OpenConnect for VPN, and LetsEncrypt for both it and potentially SSL from google. It is all relatively straightforward.
Then I realized the opening you needed for google wasn’t google specific, so the GUI was exposed. The straightfoward answer limiting access to specific URIs appears to be a proxy, so started setting ho HAProxy (just because I knew it).
Then I decided to just try the cloud. It was trivial and worked out of the box.
Considering all the money spent on HA hardware the $5/mo is not a terrible burden, but it does worry me to have a proprietary 3rd (well, sort of third, maybe 2.5) involved with remote access to my home network.
But it is really starting to look like a solution that may be worth it.
I know this is an old thread, but since it is still a top Google result, I wanted to share a solution.
gBridge is no longer an option unless you self-host (which is a lot of overhead). I’m using HAProxy on OPNsense, but any HAProxy would work. To publicly expose only the endpoints that the Google integration needs, add some conditions based on the host and path. For example, in your frontend config, add
# ACL: If path exactly matches one of the 3 needed by the Google smart home API
acl acl_623bdd890cc426.95133855 path -i /auth/authorize || /auth/token || /api/google_assistant
# ACL: If url host is ha.example.com
acl acl_623bdfc442cec1.35322759 hdr(host) -i ha.example.com
# ACTION: Send Google smart home traffic to the home assistant backend
use_backend hass_backend if acl_623bdd890cc426.95133855 acl_623bdfc442cec1.35322759