Prior to finding this walkthrough guide I was planning on installing OpenVPN and using this to create certificates which I was going to use to authenticate devices that I wanted to access home assistant with remotely and VPN into my LAN and connect via my internal IP address.
I was wondering if I could get the collective tribes thoughts on which set up is best?
My understanding is that a reverse proxy is better than just opening 8123 in my firewall and port forwarding - if someone is maliciously scanning my network they will only see port 80-443 going to Traefix - rather than the numerous ports being opened to the various services that I am planning on putting in place. This would make it harder for them to implement service specific hacks to try to get access to my LAN.
How secure is a reverse proxy compared to using OpenVPN to securely gain access to my LAN from trusted devices?
Will solely running home assistant behind a firewall (using OpenVPN to remote in) limit the functionality of home assistant and some of the plug-ins (such as google assistant)?
Will adding a reverse proxy make these additional components more difficult to configure?
How are people locking down their Home assistant installation? I noticed that there have been some recent posts highlighting security concerns.
If you set up a VPN, your VPN service is the only thing exposed to the internet, and all other services are hidden behind it. This means your entire security boils down to just making sure your VPN is configured properly (up-to-date encryption, strong keys / certs). Your average VPN is designed and hardened specifically for this purpose, so that’s easy.
Reverse Proxying means every service is exposed to the internet via a single dedicated box. So like with the VPN service, you still have an “access” service to secure, the Remote Proxy - these are also designed for the purpose. But now you also have to worry about the security of each individual service it is forwarding. If HASS has a flaw, people can exploit it. If NodeRed has a flaw, people can exploit it. And while those services are for the most part secure, they are rarely hardened and audited; plus, the more complex software is, the more chances there are for something to have been overlooked.
Port forwarding is like Reverse Proxying, except now you’re exposing the systems themselves to the internet as well. It’s a bit less secure than Reverse Proxying, as it opens up some additional possibilities for hacks that affect devices on your network instead of your cloud-hosted reverse proxy server. But not majorly so, because the big weak spot for both lies with the services you are serving up.
Will solely running home assistant behind a firewall (using OpenVPN to remote in) limit the functionality of home assistant and some of the plug-ins (such as google assistant)?
Google Assistant cannot VPN in - it needs to be able to access Home Assistant publicly, which means you have to do port forwarding or reverse proxy. As an alternative, you can subscribe to Home Assistant Cloud, which lets you use Google Assistant via Home Assistant cloud servers.
If you plan on using google assistant then vpn is not an option, you need an open port from the outside world to HA. You also need nat reflection so reverse proxy straight from the edge isn’t an option (or maybe it is but I’m just not smart enough to figure it out). I do port forwarding to an nginx reverse proxy to HA.
I definitely do, but that’s more of an ease-of-use thing. I have split DNS (internal network and my cloud provider run the same domain) so the app on my iPhone just works, period, using an nginx reverse proxy back to my home IP.
I’ve also got a strong password set on my Home Assistant installation, and the auto-ban feature enabled. My servers also all run fail2ban.
I’m also not terribly concerned about it, because the worst thing someone can do is unlock my doors… which would be bad, except we have a monitored alarm system that is basically always set.
The reverse proxy that I am looking at setting up will be locally hosted rather than cloud based. I am keen to local host as much as possible, so that my systems will continue to run in the event of loosing internet connection.
I am not looking for military grade security - but equally don’t want to leave myself wide open to the drive by attacks either. I know that if someone was hell bent on getting into my network they probably could - but I would like to make it somewhat difficult. At the same time I want a system that is relatively easy to use
The VPN isn’t bad at all for me. It’s rare that I need to access HA directly as I use HomeKit for when I’m away from the house to control things. Even then I hardly touch it.
For me the VPN access is more to deal with my plex server or if I need a file from my NAS while I’m away from home.
o HA. You also need nat reflection so reverse proxy straight from the edge isn’t an option (or maybe it is but I’m just not smart
Newb here. I was curious about this. I shut down all my forwarded ports but had to leave 8123 for google assistant and 433 for pihole. Is there a way to have google assistant work and not leave a port open?
i would only expose things over reverse proxy if anyone else than you should have access for it. and if you do, let swag handle all the proxying, ssl & subdomain stuff. maybe consider cloudflare free plans. please use pivpn with wireguard, its easy & better than openvpn