I’ve started running HA on my Pi and I plan to have it accessible while I’m away from home. Using port forwarding with some dynamic DNS would be a no-go, as I don’t want to open my door to strangers. I figured that installing a VPN server on my LAN could be a good choice. The questions are:
- Has anyone tried this and made it work?
- Should I install the VPN server on a separate machine (i.e. another Pi)?
- My Pi is already running my Unifi controller and HA (which connects my Hue system and a bunch of Mi sensors, Blink cameras, etc.). Is there any risk that the Pi becomes a single point of failure/security risk? Especially once I put the VPN service onto it?
Probably easier and more secure to pay the $5 a month for Nabu Casa. That’ll get you remote access with no port opening, in a similar way to how Unifi Cloud Access works.
I’m using the same Pi (4b 8GB) for:
Home Assistant
AdGuard (ad blocker at DNS level)
WireGuard (VPN Service)
BitWarden (Password Storage-Manager)
Rhasspy (Offline-Local Voice Assistant)
+ some other stuff that I don’t really use (Node-RED)
I have no problems at all and would advise anyone to use them if you have security concerns.
I have my own OpenVPN server; personally I’d run it on a different device if you can, but if the Pi has enough resources it should be OK.
I hear a lot of people are using WireGuard now, not sure if that’s easier.
Install PiVPN (using WireGuard).
I’ve been using it for months to access my home network from my phone when not home. Works perfectly.
You can specify which IPs you want to go over the VPN, so I just added my home server so only that goes over the VPN; all the rest just uses my normal mobile data.
Pay $5 a month and get a Digital Ocean server (or any VPS) and make your own WireGuard server. It’ll simply act as a relay for any HA commands and alerts. When not home, your phone will be as if it’s on your home Wi-Fi. I can access my entire home (NAS, movies, music, etc.) remotely via my phone. You can also host Nextcloud and any other services for the same cost as Nabu Casa.
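The setup the two posts above describe (a phone that only sends home-server traffic over the tunnel, and a VPS acting as a WireGuard relay so nothing is opened on the home router), as an added example; this is not code from the thread or from PiVPN. It assumes a tunnel subnet of 10.8.0.0/24, a VPS at 203.0.113.10 listening on UDP 51820, HA reachable on the Pi at port 8123, and placeholder keys that you generate on each device with `wg genkey` / `wg pubkey`.

```shell
#!/bin/sh
# Added example, not from the thread: a WireGuard hub on a VPS that relays a phone
# to a Home Assistant Pi behind NAT. The phone routes only the Pi's tunnel address
# through the VPN (split tunnel); everything else stays on mobile data.
# Assumptions: tunnel 10.8.0.0/24, VPS 203.0.113.10:51820 (documentation range),
# HA listening on the Pi at :8123. Keys are placeholders; on each device run:
#   umask 077; wg genkey | tee privatekey | wg pubkey > publickey
set -eu

WG_NET="10.8.0"                     # assumed tunnel subnet prefix
VPS_ENDPOINT="203.0.113.10:51820"   # assumed VPS public address and UDP port
VPS_IP="${WG_NET}.1"; PI_IP="${WG_NET}.2"; PHONE_IP="${WG_NET}.3"

# VPS: /etc/wireguard/wg0.conf. The only inbound rule anywhere is UDP 51820 here;
# the home router stays closed. Forwarding is limited to wg0 <-> wg0, so the VPS
# relays between the two peers and is not an exit node to the internet.
vps_conf() {
  cat <<EOF
[Interface]
Address = ${VPS_IP}/24
ListenPort = 51820
PrivateKey = <VPS_PRIVATE_KEY>
PostUp = sysctl -w net.ipv4.ip_forward=1; iptables -A FORWARD -i wg0 -o wg0 -j ACCEPT
PostDown = iptables -D FORWARD -i wg0 -o wg0 -j ACCEPT

# the Pi at home
[Peer]
PublicKey = <PI_PUBLIC_KEY>
AllowedIPs = ${PI_IP}/32

# the phone
[Peer]
PublicKey = <PHONE_PUBLIC_KEY>
AllowedIPs = ${PHONE_IP}/32
EOF
}

# Pi: /etc/wireguard/wg0.conf. It sits behind NAT, so it dials out to the VPS and
# keeps the mapping alive; otherwise the VPS cannot deliver the phone's packets.
pi_conf() {
  cat <<EOF
[Interface]
Address = ${PI_IP}/32
PrivateKey = <PI_PRIVATE_KEY>

[Peer]
PublicKey = <VPS_PUBLIC_KEY>
Endpoint = ${VPS_ENDPOINT}
AllowedIPs = ${WG_NET}.0/24
PersistentKeepalive = 25
EOF
}

# Phone: import as file or QR code. AllowedIPs is the Pi's tunnel address only, so
# HA is reached at http://${PI_IP}:8123 over the tunnel while everything else
# bypasses it. Use AllowedIPs = 0.0.0.0/0 only if you want a full tunnel.
phone_conf() {
  cat <<EOF
[Interface]
Address = ${PHONE_IP}/32
PrivateKey = <PHONE_PRIVATE_KEY>

[Peer]
PublicKey = <VPS_PUBLIC_KEY>
Endpoint = ${VPS_ENDPOINT}
AllowedIPs = ${PI_IP}/32
PersistentKeepalive = 25
EOF
}

# Usage: ./wg-relay.sh vps|pi|phone > wg0.conf    (then: wg-quick up wg0)
case "${1:-}" in
  vps)   vps_conf ;;
  pi)    pi_conf ;;
  phone) phone_conf ;;
esac
```

Two caveats worth knowing before trusting this layout. First, the VPS terminates both tunnels, so it decrypts and re-encrypts everything passing through; plain HTTP to HA is readable by whoever controls the VPS, so either put HTTPS on HA or treat the VPS as exactly as trusted as your home router. Second, to reach the rest of the LAN (NAS, media) as the poster does, add the LAN subnet to the Pi peer’s AllowedIPs on the VPS and on the phone, and enable IP forwarding plus masquerading on the Pi; as written only the Pi itself is reachable.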
ZeroTier. Available as a community add-on.
Check out Tailscale.
But yeah, you could set it up yourself easily and it’ll work just fine. Generally speaking, it’s a pretty safe setup.
I decided to go the Traefik 2 + Authelia route. The only “open” ports are 443 and 80, 2FA, etc. Though I already had a domain (and I’m running mine in Docker on Ubuntu 20.04, not on an RPi).
I run OpenVPN. Works great. Though recently I turned to doing a reverse proxy from a VPS-hosted web server. One must know the path and server name for SNI, plus I can limit source addresses in bulk. I’m comfortable with that exposure.
I have a pfSense router I built. It has OpenVPN as standard. I use this whenever I’m not in my house.
OpenVPN is free, open source and regularly audited for weaknesses.
pfSense is free, open source and regularly audited for weaknesses. It is also a highly rated business product for the industry.
pfSense pre-built boxes are on eBay, Amazon and other retailers for barely into the triple digits. Of course, do not use the enclosed version, as it could be a malicious one. Installing pfSense is as simple as any other operating system.
This means you not only get free upgrades but you are totally in control of your network.
If all you’re trying to connect to is just web pages like the Lovelace UI, how about setting up a reverse proxy server? There’s an add-on for that: NGINX. Then you’d just need to open and forward one port in the router and have the reverse proxy redirect to all the different web services you run.
I think this would be a bit more secure because you add a layer of obscurity. Instead of going to http://<public_addy>:<port#> and scanning for open <port#>s, with a reverse proxy someone would have to go to http://<sub_addy>.<public_addy> and scan <sub_addy> for open services. And you have pretty much infinitely many <sub_addy>s vs only 65,535 TCP ports.
∞ >> 65,535
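The single-port reverse proxy described above, combined with the “you must know the server name” point from the OpenVPN/VPS post earlier, as an added example; this is not the NGINX add-on’s own configuration. It assumes nginx and HA run on the same host, HA listens on 127.0.0.1:8123, the public hostname is ha.example.com, and a certificate sits at the usual Let’s Encrypt paths.

```shell
#!/bin/sh
# Added example, not from the thread: nginx in front of Home Assistant on one
# exposed port, answering only for the expected hostname. Assumptions: HA on
# 127.0.0.1:8123 on the same host, hostname ha.example.com, Let's Encrypt paths.
set -eu

# /etc/nginx/sites-available/homeassistant
nginx_conf() {
  cat <<'EOF'
# Default servers: requests that arrive by bare IP, with a random Host header or an
# unknown SNI name are dropped without a response, so a port scan of the public
# address finds an open port but learns nothing about what is behind it.
server {
    listen 80 default_server;
    listen [::]:80 default_server;
    return 444;
}
server {
    listen 443 ssl default_server;
    listen [::]:443 ssl default_server;
    ssl_reject_handshake on;   # nginx >= 1.19.4: abort the TLS handshake, no cert needed
}

# Plain HTTP for the real hostname only redirects (and serves ACME HTTP-01 if used).
server {
    listen 80;
    server_name ha.example.com;
    return 301 https://$host$request_uri;
}

server {
    listen 443 ssl http2;
    server_name ha.example.com;

    ssl_certificate     /etc/letsencrypt/live/ha.example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/ha.example.com/privkey.pem;
    ssl_protocols TLSv1.2 TLSv1.3;
    add_header Strict-Transport-Security "max-age=31536000" always;

    location / {
        proxy_pass http://127.0.0.1:8123;
        # HA's frontend runs over a websocket; without these the UI loads, then hangs.
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}
EOF
}

# Matching snippet for HA's configuration.yaml. Without it, HA (2021.7 and later)
# rejects requests carrying X-Forwarded-For from a proxy it has not been told to trust.
ha_http_yaml() {
  cat <<'EOF'
http:
  use_x_forwarded_for: true
  trusted_proxies:
    - 127.0.0.1
    - ::1
EOF
}

# Usage: ./ha-proxy.sh nginx > /etc/nginx/sites-available/homeassistant
#        ./ha-proxy.sh ha    >> /config/configuration.yaml
# then:  nginx -t && systemctl reload nginx; restart Home Assistant
case "${1:-}" in
  nginx) nginx_conf ;;
  ha)    ha_http_yaml ;;
esac
```

One caveat on the obscurity argument: the hostname is not a secret. SNI travels in cleartext in the TLS ClientHello, and a certificate from a public CA lands in the Certificate Transparency logs, so the 444 default server cuts scanner noise rather than standing in for authentication. What protects the exposed port is HA’s login with 2FA enabled, keeping HA current, and something like fail2ban watching HA’s failed-login log lines.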
I use strongSwan. It does IKEv2 VPNs and runs fine on a Pi.
The beauty of it is: no extra app required on the client side (for iOS, Windows, Linux, macOS). Only Android requires the strongSwan app, as IKEv2 is not supported by the OS out of the box.
I’m currently working on an on-demand profile for iOS, so that my phone will automatically connect to the VPN when I start the Home Assistant app.
Plus it supports the development of Home Assistant.
Agreed, and use the phone app
Works a charm for me
Mine has only 4 GB but I’m not going to use as many as yours, so memory-wise I guess it would be enough.
I think we need a Home Assistant “explain it like I’m five” sub. I like the concept of what you’re saying, I just have no idea how to do any of that.
I second this. ZeroTier is amazing!
For your VPN server you’ll have to open an incoming port. In the unlikely event of your VPN server being compromised, the attacker can get on your network and exploit any services they find.
Using Nabu Casa does not need any incoming port opened. In the event of a compromise at Nabu Casa, the worst-case scenario is likely that only your HA instance is vulnerable.
My Pi is currently using 1550 MB of RAM and I have 6 GB just sitting around… I never did see over 2 GB of RAM being used (I also run Glances for system monitoring). So please do use them if you think you need them ;) I am constantly searching for more uses for my remaining resources.
P.S. CPU usage is not over 20% if it is not running the backup script, which needs resources to zip up the entire SSD.