# What security do you use to connect from the public?

I’m contemplating how to use the iOS App from the public. Simple port forwarding is of course easy. Perhaps create a separate VLAN for IoT stuff.

My first thought was otherwise to use VPN, but a persistent VPN connection would complicate more than help.

Anyone care to share if they have alternatives?

1 Like

Port forwarding, DuckDNS with included lets encrypt (https), only.

Is it the securest?

No.

Is it currently sufficient security?

For the moment, yeah I reckon so.

If I was really paranoid I’d only access via VPN with AES-256 encryption. Though there was an interesting article the other day about the problem with applications reusing public key generation algorithms:

Armed with this idea, the researchers scanned the web and collected 6.2 million actual public keys. They then computed the largest common divisor between pairs of keys, cracking a key whenever it shared a prime factor with any other key. All in all, they were able to break 12,934 keys. In other words, if used carelessly, RSA encryption provides less than 99.8% security.

Or easily digested summary: https://hackaday.com/2019/01/16/rsa-encryption-cracked-easily-sometimes/

I thought about segregating my IoT devices on a separate VLAN on my local network but have not yet implemented this as again it’s not a huge risk. I live in a low density area where wifi hacking is unheard of and have a segregated guest wifi network I turn on for guests and friends. The biggest impetus for actually doing this is running out of IP addresses in my currently defined network. Not there yet but it’s growing…

2 Likes
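An added example (not from this thread or the article quoted above) of the shared-prime check that passage describes: pairwise GCD over a set of RSA moduli factors every modulus that shares a prime with another one. The moduli are constructed from small primes standing in for real RSA primes.

```python
"""Pairwise-GCD check for RSA moduli that share a prime factor.

Constructed demo: four RSA public moduli are built from a small prime pool
and one of them deliberately reuses primes from two others, mimicking a key
generator with a weak RNG. gcd(N1, N2) > 1 means the two moduli share a
prime; dividing it out yields the cofactor, so both keys are fully factored.
"""
from itertools import combinations
from math import gcd


def factor_shared_moduli(moduli):
    """Return {modulus: (p, q)} for every modulus sharing a prime with another.

    The O(n^2) pairwise scan is fine for a handful of keys; the cited research
    scanned millions of keys with a product-tree batch GCD instead.
    """
    broken = {}
    for n1, n2 in combinations(moduli, 2):
        g = gcd(n1, n2)
        # g == n1 means the same key appeared twice, which reveals no factor.
        if 1 < g < n1:
            broken[n1] = (g, n1 // g)
            broken[n2] = (g, n2 // g)
    return broken


# Constructed key material: small primes stand in for 1024-bit RSA primes.
KEY_A = 10007 * 10009
KEY_B = 10037 * 10039
KEY_C = 10061 * 10067
KEY_D = 10007 * 10061  # careless key: shares 10007 with A and 10061 with C
MODULI = [KEY_A, KEY_B, KEY_C, KEY_D]


def weak_keys():
    """Moduli from the constructed set that the GCD check breaks."""
    return factor_shared_moduli(MODULI)


if __name__ == "__main__":
    for n, (p, q) in weak_keys().items():
        print(f"N={n} factored as {p} * {q}")
```

Note that key B, generated independently, survives; a single carelessly generated key D exposes not only itself but also keys A and C, which were generated correctly.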

I use a VPN. I would not trust opening up any software that doesn’t go through thorough security testing to the public internet. Don’t get me wrong, I love HASS and It seems like the developers are following good security principles, but I haven’t really seen anything that leads me to believe anyone is testing for security vulnerabilities before releases. And I don’t necessarily expect them to as total security testing/mitigation with all of the dependencies, etc would be a huge burden. I just manage my access accordingly.

And as for IoT segregation, I do try to put anything that requires cloud only access on my guest wifi/vlan that only has INET access. But that is not always easy to do with everything. For example I just turned up one of those wifi humidifiers. The sniffer trace shows it sent my Wifi password in the clear to the cloud service in China. I also have a security cam a friend sent me, same thing, immediately tried to connect to a command and control server in China with only a network connection. So buyer beware, especially if it is made in China.

Name and shame. That is not cool.

That may be so but the devs have been visibly active in addressing identified security holes. They stopped making SAMBA share access anonymous by default because of the problem with people not knowing how UPnP could make this a very bad thing.

Also there was a spate of reported (mostly benign) intrusions not long ago. Almost entirely due to people not password protecting their publicly shared HA servers. New auth and mandatory PW protection followed soon after. There have been no reports that I’ve seen since.

WTF?! Your password? Mega uncool! Regarding the topic:
VPN is probably most safe, but really not family friendly.
I have not tried Let’s Encrypt, but I’ll check the tutorials

Any other suggestions?

It was a diffuser from Amazon; they go under a lot of brands but the app it connects with is called Ama Home. It follows the typical setup pattern of install the app, use it to set up the device on your wifi. But it must do it through their servers. The good news is it also is controllable locally so I was thinking about a component for it.

And I am not trying to be critical of the devs on security. They do a great job. Security is hard, pretty much impossible these days. Just given the access HASS has to my stuff, I just don’t feel comfortable exposing it to the world directly.

VPN is not that hard once it is set up. You just launch your VPN app on your phone before you access anything. The good part about it is that all the DNS names, etc. will be what you are used to as if you are on your wifi. And then you can forget about TLS and port forwarding etc.

2 Likes

Thanks, I’m well aware of VPN. It’s just that I don’t want to be on it 24/7, while still getting notifications. (I use other VPNs also)

OK, it’s lame an SSID password was transmitted in plain text anywhere… but… it’s going to be of almost zero use to anyone not sitting outside your front door (even if they knew where you live)

Also while a VPN is great for external access, you can’t make Google Assistant work over a VPN.

For myself, I use a reverse proxy (Caddy) and my HA is now only accessible via IPv6…

1 Like

That’s an interesting take on it. I’ll look into that also

Just read the “I got hacked” threads on the forums. There are some obvious cases to hack someone’s home network, but it seems to me that most of the security concerns are around how you set up your network and not so much Home Assistant itself.

I’m going to stick to VPN until I’ve figured out a 99% safe way to access HA from the outside without too much hassle.

For me I just created a subdomain on one of my personal domains that doesn’t get used for anything. Added letsencrypt to that subdomain and away we go. Sure it’s probably not the most secure approach, but it’s the most user friendly with family members.

1 Like

I am using an on-demand VPN connection (on iOS). It is configured to establish a VPN connection when a certain URL is requested, e.g. `hass.my.network`. That worked pretty reliably for the past year or so.

1 Like

If you are a bit more tech savvy or feel like having a go, you can use Cloudflare (free tier) to proxy your traffic through a caching engine which also blocks known bad IPs, protects against DDoS attacks and other suspicious behaviour. You can also block certain countries if you want. Then you lock down your HA instance using NgINX so it can only be accessed through the Cloudflare proxy.

2 Likes

Best solution: https://traefik.io

Country blocking only in paid account

Not sure if you are right. You get 5 free firewall rules and you can include all the countries you want to block in one firewall rule.

Found that. Not very familiar with firewall rules. Am I right when I say that if I allow one country’s IPs, all other countries are denied?

A normal firewall would absolutely work that way but I think Cloudflare works a bit differently. I think you would have to block every other country and omit yours because I think there is an invisible “allow any” at the end. I think you can also block by IP address. It’s been a while since I played with Cloudflare firewall and don’t have an active instance I can test right now.

OK, I will ask Cloudflare support. I only want my own country allowed

I’m using DuckDNS with nginx and letsencrypt. Fairly basic, compared to some of the other suggestions here, and I am always looking at available options. But for now, this is my setup.

To make things easy, I use docker, so linuxserver/duckdns and linuxserver/letsencrypt (which includes nginx).

Take a look at Juan’s great guide for setting up nginx/letsencrypt if that’s the way you want to go. This way you use one certificate, and can have numerous subdomains (e.g. hass.my.duckdns.org (home assistant), dash…duckdns.org (HADashboard), etc.).