I’m running my own HA locally, in my house, but I would like to be able to access it also when I’m not home. So I’ve put it on my Zerotier One VPN, which works fine. Except for two things:

  1. HA no longer knows when I’m home - it thinks I’m always home;

  2. Other people in my household would also like to have remote access, but it’s unrealistic to have them install and use the VPN.

So - can I just open it up, and rely on long, complex passeords? Or is that a complete no-go?

  • JustEnoughDucks@slrpnk.netEnglish
    0·
    13 days ago

    If you are hosting other things with it, then a reverse proxy like Caddy or Traefik + crowdsec is pretty much as good as you are going to get and you can add region blocking on your router (if that feature is available) or if you use cloudflare as a proxy.

    If you want to go really crazy, you can put authelia/Authentik in front of it, depending on what else you host.

  • dislabled@lemmy.mlEnglish
    0·
    13 days ago

    I don’t really see why you shouldn’t… I have mine behind a reverse proxy, which puts SSL on the public endpoint. The biggest “issue” today, is the isp rotating my ipv4 address to often.

      • dislabled@lemmy.mlEnglish
        0·
        12 days ago

        Yeah, I just made a quick script that queries my public IP every 5 minutes, then changes the a-records via the registrar’s API, if it detects a change.

        • Claude Flammang@dju.social
          0·
          12 days ago

          @dislabled
          Nowadays there are lots of people without a routable IP V4 address. As providers don’t have enough addressspace for all their customers they use NAT.

      • dislabled@lemmy.mlEnglish
        0·
        12 days ago

        My ISP only have static ipv4 available for businesses. The price increase is quite a lot. I have been experimenting with ipv6, though I will loose connection when I am at someone else’s WiFi with no ipv6… It’s there as a fallback for now.

        • batshit@lemmy.worldEnglish
          0·
          12 days ago

          That kind of blows, I’m blessed with an ISP who doesn’t discriminate against power users and I get it gor relatively cheap (~$15 per month)

  • tofu@lemmy.nocturnal.gardenEnglish
    0·
    13 days ago

    It’s generally fine to open it up, if your somewhat know what you’re doing. I wouldn’t do it without some protection measures like fail2ban and making sure HA is always up to date.

    Nabu Casa, the manufacturer of HA, has a paid option where they take care of publicly accessing your local HA instance. I think that’s a good solution as well. It includes backups on their servers.

    • ropatrick@lemmy.worldEnglish
      0·
      13 days ago

      Nabu Casa is the way. Built by Home Assistant for Home Assistant, and utterly seamless and reliable (in my experience).

      Most importantly it supports the developers who have created this amazing piece if software! Do it! 👍🏼🙏🏼

  • undefinedTruth@lemmy.zipEnglish
    0·
    13 days ago

    If you don’t want to use a VPN like Tailscale (or ZeroTier) then this is exactly what the Home Assistant Cloud is for. And it even has an 1-month trial.

  • bob_lemon@feddit.orgEnglish
    0·
    13 days ago

    I solved Problem 1 by adding ICMP to HA. It’s constantly checking if my phone is present on the WiFi*.

    I’m using Tailscale instead of ZeroTier, but that should not matter.

    *I could also use my routers integrstion, but this logic worked with my shitty old router that had no integration

  • spaghettiwestern@sh.itjust.worksEnglish
    0·
    13 days ago

    So - can I just open it up, and rely on long, complex passeords? Or is that a complete no-go?

    Install Fail2Ban on a free cloud VM and watch it for a couple of days. Seeing the never-ending intrusion attempts from around the world was a real eye-opener. There is no way I’d expose HA (or anything else except Wireguard) to the Internet. (Open WG ports appear closed unless they receive the correct key.)

    In your situation I’d just pay for Home Assistant Cloud. It’s not expensive and will do exactly what you want to do.

    For a zero cost solution I use Tasker to automatically enable a Wireguard tunnel whenever we’re not on home wifi. It allows direct access to everything on our local lan, and as a bonus prevents our wireless carrier from monitoring our Internet activities. A combination of the OpenWRT Ubus integration and a BLE integration (using inexpensive Shelly switch modules) detect when we’re home with 100% accuracy.

  • QueenMidna@lemmy.caEnglish
    0·
    13 days ago

    Why not a presence sensor of and kind? Check your router’s WiFi client list for your phone MAC or something

  • thr0w4w4y2@sh.itjust.worksEnglish
    0·
    13 days ago

    If you have to open it up, then you can at least allow-list IP addresses through your firewall so it’s not everyone who gets full access.

    • tofu@lemmy.nocturnal.gardenEnglish
      0·
      13 days ago

      How’s that supposed to work if the other people want to access it “from the Internet”, most likely meaning their mobile phones when not at home? Find out all IP subnets for the carrier?

      • HeyJoe@lemmy.worldEnglish
        0·
        13 days ago

        I have done something similar on mine but reversed. Instead of a whitelist I put together a rule to geo block all countries except the one I am in at the firewall. Before doing this I absolutely saw unknown traffic hit me constantly. With this in place it has been quiet ever since. You could probably narrow it down some more if you really feel like it’s necessary. I know this is also hardee for some people to do since before I had this firewall I did not have an easy option to just block traffic like this.

  • Archer@lemmy.worldEnglish
    0·
    13 days ago

    What I personally do is have it accessible over WireGuard. Open TCP ports to the Internet is a bad idea. This does mean you have to launch WireGuard every time, but it’s way more secure

  • CameronDev@programming.devEnglish
    0·
    13 days ago

    Mine is on the internet. The real risk is a zero day auth bypass, password cracking won’t really work when the HA interface sends notifications on authentication failures.

  • SwingingTheLamp@piefed.zipEnglish
    0·
    13 days ago

    I work in IT at a major university, and watch the logs. My Home Assistant instance is open to the Internet behind an nginx reverse proxy with SSL. (The official add-on makes it easy.) Brute-forcing passwords on HTTPS is not really a thing anymore. I get a connection attempt or two per month at home. At work, they go for known vulnerabilities in web apps; WordPress, mostly.

      • SwingingTheLamp@piefed.zipEnglish
        0·
        12 days ago

        I would expect that the cost-benefit calculation doesn’t work out. If you have a password hash in local memory, then the computer can try each possibility in nanoseconds, and it can still take several minutes to crack trivial passwords.

        To brute-force a password over HTTPS, each attempt is on the order of microseconds, about 1/1000th the speed, or slower. Plus, all the overhead of SSL, which imposes a compute burden on the attacking machine.

        And that’s just trivial passwords, plus assuming that the target host doesn’t have connection rate-limiting, or even a sysadmin who’d notice the logs getting flooded with bad requests continuously for a couple of days.

  • hendrik@palaver.p3x.deEnglish
    0·
    13 days ago

    Mine is open to the internet, via a nginx reverse proxy. I made it ban people who try to brute-force my password. It’s been fine like that for years now:

    http:  
  trusted_proxies:  
    - w.x.y.z  
  use_x_forwarded_for: true  
  ip_ban_enabled: true  
  login_attempts_threshold: 10