I have been iterating on this add-on for quite a bit by now, trying to achieve a balance between simplicity, security and feature completeness.
About
In short, this add-on allows secure access to your Home Assistant without having a public IP, port forwarding or HTTPS set up. This is achieved by opening a reverse tunnel to the my.webhookrelay.com servers and letting TLS traffic pass through our servers without termination, straight to your Home Assistant instance.
Main features/characteristics:
- TLS pass-through mode - traffic is fully encrypted on your own device and stays encrypted until it reaches your browser. Nobody can spy on you.
- Custom domains - if you have one, use your own domain. The example is given with the DuckDNS provider since it offers free subdomains and an easy-to-use API.
- Lightweight - the add-on is written in Go, the arm image is 5MB, and it barely uses any CPU/RAM.
- Optional TLS termination by the add-on - for the sake of simplicity for the user, the add-on can terminate TLS connections so your Home Assistant doesn’t need HTTPS configured, but you are more than welcome to do it. Just specify https:// in the tunnel destination.
- Integrated Let’s Encrypt + DuckDNS support - the add-on can retrieve Let’s Encrypt certs for your DuckDNS subdomain and configure them to work with the reverse tunnels. Traffic gets encrypted end-to-end and your browser remains happy.
- Multiple tunnel support - get tunnels for your Home Assistant, Node-RED or anything else.
- One-way webhook forwarding - if you don’t want to expose your services to the internet, you can use one-way webhook forwarding that only allows inbound traffic. This is only useful for webhooks.
Pricing (after 3 months test-drive)
I have several users testing this add-on already, but would like to have a bit more. Testers will get 3 months of free access. After that my plan is to make DuckDNS domains available in the basic plan which will cost $4.5/month for 3 tunnels.
Installation
You can find a short tutorial here: https://webhookrelay.com/blog/2018/10/12/hassio-tls-tunnels-duckdns/. After registering for a free account, drop me an email ([email protected]) and I will enable TLS and custom domains.
Config example
{
  "key": "your-webhookrelay-key",
  "secret": "your-webhookrelay-secret",
  "forwarding": [
    {
      "bucket": "ha",
      "destination": "http://127.0.0.1:8123"
    }
  ],
  "tunnels": [
    {
      "name": "ha",
      "destination": "http://127.0.0.1:8123",
      "protocol": "tls",
      "domain": "your-domain.duckdns.org"
    }
  ],
  "duck_dns": {
    "token": "your-duckdns-token",
    "accept_terms": true
  },
  "tunnels_enabled": true,
  "forwarding_enabled": false
}
Config example with Home Assistant doing TLS termination can be found here.
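Before pasting a config into the add-on it is worth checking it for the mistakes the feature list above warns about: placeholder credentials left in, a DuckDNS domain without the token or accepted terms, and the difference between an http:// destination (the add-on terminates TLS and the last hop is plaintext) and an https:// destination (TLS passes through to Home Assistant). The linter below is an added example written for this post, not the add-on's own code; the only keys it knows are the ones in the config example above, the sample config is constructed with the post's placeholder values, and the set of "local" hosts (127.0.0.1, localhost, homeassistant) is my assumption based on the permissions section.

```python
import json
from urllib.parse import urlparse

# Constructed sample config: same shape as the post's example, placeholder values kept.
SAMPLE_CONFIG = """{
  "key": "your-webhookrelay-key",
  "secret": "your-webhookrelay-secret",
  "forwarding": [{"bucket": "ha", "destination": "http://127.0.0.1:8123"}],
  "tunnels": [{"name": "ha", "destination": "http://127.0.0.1:8123",
               "protocol": "tls", "domain": "your-domain.duckdns.org"}],
  "duck_dns": {"token": "your-duckdns-token", "accept_terms": true},
  "tunnels_enabled": true,
  "forwarding_enabled": false
}"""

# Values copied verbatim from the example; a real deployment must replace them.
PLACEHOLDERS = {"your-webhookrelay-key", "your-webhookrelay-secret", "your-duckdns-token"}
# Assumed hosts reachable without crossing the LAN: loopback, or the Home Assistant
# container name used when host_network is disabled.
LOCAL_HOSTS = {"127.0.0.1", "localhost", "homeassistant"}


def tls_mode(destination):
    """Where TLS ends for a tunnel with this destination.

    'passthrough': Home Assistant speaks HTTPS itself and the add-on relays the
    encrypted stream untouched.  'terminate': the add-on decrypts and talks
    plain HTTP to Home Assistant.
    """
    scheme = urlparse(destination).scheme
    if scheme == "https":
        return "passthrough"
    if scheme == "http":
        return "terminate"
    raise ValueError(f"unsupported destination scheme: {destination!r}")


def _check_destination(label, destination, findings):
    # Plain HTTP is fine on loopback; to any other host it crosses the network unencrypted.
    host = urlparse(destination).hostname
    if tls_mode(destination) == "terminate" and host not in LOCAL_HOSTS:
        findings.append(("warn", f"{label}: plaintext HTTP to non-local host {host}"))


def lint_config(cfg):
    """Return a list of (severity, message) findings for an add-on config dict."""
    findings = []
    for field in ("key", "secret"):
        if not cfg.get(field) or cfg[field] in PLACEHOLDERS:
            findings.append(("error", f"{field}: placeholder or empty credential"))

    duck = cfg.get("duck_dns") or {}
    if cfg.get("tunnels_enabled"):
        for t in cfg.get("tunnels", []):
            label = f"tunnel {t.get('name', '?')}"
            mode = tls_mode(t["destination"])
            if t.get("protocol") == "tls":
                if mode == "terminate":
                    findings.append(("info", f"{label}: add-on terminates TLS; hop to {t['destination']} is plaintext"))
                else:
                    findings.append(("info", f"{label}: TLS passes through end-to-end to Home Assistant"))
            _check_destination(label, t["destination"], findings)
            domain = t.get("domain", "")
            if domain.endswith(".duckdns.org"):
                if not duck.get("accept_terms"):
                    findings.append(("error", f"{label}: DuckDNS domain but duck_dns.accept_terms is not true"))
                if not duck.get("token") or duck["token"] in PLACEHOLDERS:
                    findings.append(("error", f"{label}: DuckDNS domain but duck_dns.token is a placeholder"))

    if cfg.get("forwarding_enabled"):
        for fw in cfg.get("forwarding", []):
            _check_destination(f"forwarding bucket {fw.get('bucket', '?')}", fw["destination"], findings)
    return findings


def lint_text(text):
    """Lint a raw JSON config string, i.e. what you would paste into the add-on options."""
    return lint_config(json.loads(text))


if __name__ == "__main__":
    for severity, message in lint_text(SAMPLE_CONFIG):
        print(f"[{severity}] {message}")
```

Run against the post's own example it reports three errors (the three placeholder credentials) and one info line telling you that, with an http:// destination, the add-on is the TLS endpoint; switch the destination to https://127.0.0.1:8123 and the info line changes to end-to-end pass-through.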
Add-on permissions
It currently requires ssl mapped and host_network = true, however they aren’t really required in the default mode. The add-on persists retrieved certificates in the /data directory, and with host network disabled you can access Home Assistant by setting destination to http://homeassistant, although that does make Node-RED unreachable (haven’t looked whether add-ons get networks configured to facilitate communication between each other).
Troubleshooting
Currently the add-on logs a bit more than it eventually will, and there are a bunch of “info” level messages, such as contacting DuckDNS and Let’s Encrypt. I have noticed that quite often the DuckDNS API lookup fails; not sure whether it’s my pihole or something else, but I have added retries. After the first successful update those errors don’t really matter.
- Don’t use with the DuckDNS add-on since it would be changing the IP address to whatever it thinks it is instead of the tunnel public endpoint.
- If your Home Assistant has HTTPS, the destination should be https://127.0.0.1:8123
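The troubleshooting notes mention two failure modes around DuckDNS that are worth keeping apart: a lookup that fails transiently (worth retrying) and an update that DuckDNS actually rejects (retrying only hammers the API). The snippet below is an added illustration of that split, not the add-on's retry code. It assumes the public DuckDNS update endpoint, which replies with a plain-text body of OK or KO, and treats only OSError (DNS lookup failure, connection reset, timeout) as transient. The fake opener at the end is a constructed stand-in for urlopen so the example runs offline; the subdomain, token and IP in it are made up.

```python
import time
from urllib.parse import urlencode
from urllib.request import urlopen

# Assumption: DuckDNS's documented update endpoint; the body it returns is "OK" or "KO".
DUCKDNS_UPDATE = "https://www.duckdns.org/update"


class DuckDnsError(Exception):
    """DuckDNS answered KO: the domain/token pair was rejected, so retrying will not help."""


def update_duckdns(subdomain, token, ip, opener=urlopen):
    """One update attempt.  `ip` must be the tunnel's public endpoint, not the
    host's own address (the reason the post says not to run the DuckDNS add-on alongside)."""
    url = DUCKDNS_UPDATE + "?" + urlencode({"domains": subdomain, "token": token, "ip": ip})
    with opener(url, timeout=10) as resp:
        body = resp.read().decode().strip()
    if body != "OK":
        raise DuckDnsError(f"DuckDNS rejected update: {body!r}")
    return body


def update_with_retries(subdomain, token, ip, attempts=5, base_delay=1.0,
                        opener=urlopen, sleep=time.sleep):
    """Retry transient network failures with exponential backoff (1s, 2s, 4s, ...).

    A KO answer is raised immediately; only OSError-derived failures are retried,
    and after `attempts` of those the last error is reported.
    """
    last_error = None
    for n in range(attempts):
        try:
            return update_duckdns(subdomain, token, ip, opener=opener)
        except DuckDnsError:
            raise
        except OSError as exc:  # URLError, socket timeouts and DNS failures all derive from OSError
            last_error = exc
            if n + 1 < attempts:
                sleep(base_delay * 2 ** n)
    raise RuntimeError(f"DuckDNS update failed after {attempts} attempts: {last_error}")


def make_fake_opener(failures, body=b"OK"):
    """Constructed stand-in for urlopen: raises OSError for the first `failures`
    calls, then returns a response whose read() yields `body`."""
    calls = {"n": 0}

    class _Resp:
        def __enter__(self):
            return self

        def __exit__(self, *exc_info):
            return False

        def read(self):
            return body

    def opener(url, timeout=None):
        calls["n"] += 1
        if calls["n"] <= failures:
            raise OSError("simulated DNS lookup failure")
        return _Resp()

    return opener


if __name__ == "__main__":
    delays = []
    # Two simulated lookup failures, then success; the recorded delays show the backoff.
    print(update_with_retries("home", "made-up-token", "203.0.113.10",
                              opener=make_fake_opener(2), sleep=delays.append), delays)
```

Keeping `sleep` and `opener` injectable is what makes the retry policy testable without touching the network; in the add-on's situation it also means a flaky resolver (the pihole case in the post) costs at most a few seconds of backoff rather than a failed certificate run.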