VPN and Home Assistant

thanks!
have to study this, and translate to a Hassio installation, where several configuration options are out of (obvious) control.
When you refer to the VPN, do you mean running a VPN server on the Raspberry, or just signing in to my VPN client account?
I can enable a VPN on my router, maybe that’s what you’re implying?

So far I’ve set a PW for the interface (which you don’t), but it was my first attempt at securing ;-), and SMB, and of course the root@hassio

have to secure the outside world in general for snooping my network of course, but that’s only necessary when trying to remotely access the Home Assistant, isn’t it?

Cheers, and thanks for your patience,
Marius

VPN on your router if it supports it, though I just run a Pi with PiVPN.

HassIO already handles the first 3 points for you.

Ok cool, I’ll check both out.
Whitelisting my local LAN is met with an error though…

[homeassistant.config] Invalid config for [http]: not a valid value @ data[‘http’][‘trusted_networks’][1].

doesn’t matter if I enter 192.168.xxx.xx/24 or 192.168.xxx.xxx-254

127.0.0.1 is accepted.

dis/enabling the VPN makes no difference.

The entry should look like:

http:
  trusted_networks:
    - 192.168.0.0/24

Spaces are absolutely critical in YAML; if yours doesn’t have the same indentation (2 spaces per level) then that would be a problem.

I’ve found out about these spaces indeed…

My router starts at xx.xx.1.1, so I replaced your 0.0 with 1.1. Would that be the issue here? No point in trusting IP addresses that aren’t there, I would have thought?

It might well be that you need it to be zero.

It doesn’t make any difference to the end result. /24 says “the first 24 bits are for the network”, eg 192.168.001. are the network bytes. Everything after that is ignored.

check. 192.168.0.0 works…
peculiar it is. my router starts distributing addresses from 192.168.1.1-254. why 192.168.1.1 causes a fatal error is beyond me…
Thanks a bunch anyways.
Cheers,
Marius
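
The "not a valid value" error above is consistent with strict CIDR parsing, which rejects an entry whose host bits are set. The following is an added example, not code from this thread or from Home Assistant; it assumes the validator behaves like Python's `ipaddress.ip_network` in strict mode, and the client address 192.168.1.57 is constructed. It also shows that an entry can parse cleanly and still not cover the LAN it was meant to trust.

```python
import ipaddress


def check_entry(entry):
    """Return (ok, detail) for one trusted_networks entry.

    ok=True  -> detail is the normalized network.
    ok=False -> detail explains the rejection and, where possible,
                names the network the entry most likely meant.
    """
    try:
        # strict=True is the default: host bits set => ValueError
        return True, str(ipaddress.ip_network(entry, strict=True))
    except ValueError as err:
        try:
            # strict=False masks the host bits instead of rejecting them
            fixed = ipaddress.ip_network(entry, strict=False)
            return False, f"host bits set; use {fixed}"
        except ValueError:
            # Ranges such as "a.b.c.d-254" are not CIDR notation at all
            return False, f"not CIDR notation: {err}"


def is_trusted(addr, networks):
    """True if addr falls inside any of the (valid) trusted networks."""
    ip = ipaddress.ip_address(addr)
    return any(ip in ipaddress.ip_network(n) for n in networks)


if __name__ == "__main__":
    # Entries tried in the thread, plus the masked form of the rejected one
    for entry in ["127.0.0.1", "192.168.0.0/24", "192.168.1.1/24",
                  "192.168.1.0/24", "192.168.1.1-254"]:
        print(f"{entry:18} -> {check_entry(entry)}")

    client = "192.168.1.57"  # constructed LAN client on a 192.168.1.x network
    for net in ["192.168.0.0/24", "192.168.1.0/24"]:
        print(f"{client} trusted by {net}: {is_trusted(client, [net])}")
```

An entry that passes validation is not necessarily the right one: for a router handing out 192.168.1.x addresses, `192.168.0.0/24` parses but matches none of them, while `192.168.1.0/24` does.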

Would you mind sharing your NGINX config for this setup? I wonder if this would solve my issue of TTS not working over https.

Sure, it’s on my Github

great Github you’ve got there, thanks, learned many things already :wink:

I’ll ask about my MQTT in a separate post, not to clutter this up.

please have a look :wink:

Cheers,
Marius

If you don’t mind me asking, what is the 203… ip address? External? Or another internal interface?

Thanks!

The external (WAN) IP. I have a static WAN IP, and my router does NAT reflection. Connections using the DuckDNS hostname appear to come from the WAN IP - that means that I can access it using that from the LAN, without a password.

Sorry to bump a semi-old thread, but I have a question about your last bullet point. I’m trying to secure my home assistant instance while keeping the ability to use Google Assistant. I’m confused about how to combine the usage of NGINX and a VPN (say, PiVPN) so that Google Assistant can access Home Assistant, while I can also access it remotely. Is it possible to combine the two? If so, how? Are you setting up the VPN and NGINX separately, or are they working in tandem?

I set them up separately - they have nothing to do with each other at the end of the day.

Thanks, I think that makes sense. I think my confusion comes from the seeming redundancy of setting up NGINX to listen on ports 443 and 80, but also setting up another port for the VPN. Isn’t the end result still having more than just the VPN port open? Additionally, couldn’t you just bypass the VPN and authenticate using the NGINX proxy? It seems to me that the VPN is kind of redundant, but I’m probably understanding it wrong.

Appreciate the help!

Depends on what you’re trying to achieve.

You can lock down NGINX such that only the API for Google Assistant is open (and only Google’s IP ranges), while using the VPN for full access to your entire network.

Ok, that makes sense. Thanks for clarifying.

I’ve got one question. I use the NGINX addon for HASS.IO. It works quite well but now I want to restrict the access only to Google’s IP range (for Google Assistant). How can I do this? Is it possible with the HASS.IO addon?

Given that your question has nothing to do with this thread, can you start a fresh topic please.

Thought it has to do with this, cause you mentioned it two posts ahead…sorry…