Secure way to allow external access to Home Assistant - eviltoast

Hey all!

I’m fairly new to Home Assistant and have just created a few dashboards to be able to view my router statistics and be able to restart them via REST if need be. Love being able to do this seamlessly from one place.

It got me thinking however, that I can only really access the dashboard when I’m on my internal network. I know that there is a paid Home Assistant cloud that would enable me to view my dashboards and such publicly and securely, but I was wondering if this community has set it up themselves for free and securely.

Would anyone be able to guide me in the right direction?

  • redcalcium@c.calciumlabs.com
    link
    fedilink
    English
    arrow-up
    1
    ·
    edit-2
    1 year ago

    If you want some peace of mind, there is nothing wrong to keep your home assistant instance locked up behind your lan. You can still access it externally using a VPN, or zerotier/tailscale. If you need notification support, just configure sms or email notification so HomeAssistant can still send you alert via SMS or email.

    If you’re ok with not being able to use HomeAssistant mobile app, then you can add some extra security by putting your home assistant instance behind an authenticating proxy. This means your home assistant will be protected by two login pages when you attempt to access it from outside your network.

    Some authenticating proxy options are Cloudflare Access or OAuth2 Proxy.

    If you’re already using Cloudflare, then using Cloudflare Access might be no brainer. If you’re already have experience with setting up your own OIDC providers using keycloak, auth0, okta, or Google oauth2 provider, then putting your home assistant instance behind OAuth2 Proxy might be a good option. Those auth providers usually have stricter login pages and you usually can add even stricter rules to the login page (e.g. disallow login from certain countries, rate limit, add captcha in addition to 2fa, etc). How strict your extra login security will be is entirely up to you.

    For Google assistant integration, you’ll need to enable the API in your GCP account as mentioned in this page. But it does require your home assistant url to be publicly routable from GCP servers so Google assistant can reach it, which means you can’t put your instance behind an authenticating proxy or keep it behind your lan. You might still be able to whitelist certain path from the authenticating proxy (e.g. the /api/google_assistant endpoint), but I haven’t tried it yet.