Why not a presence sensor of and kind? Check your router’s WiFi client list for your phone MAC or something

I’m using cloudflared to give it a bit more protection over a plain reverse proxy

Layers

HA has it’s own built in IP ban function with the HTTP(S) Integration, but that might only see NAT’d addresses (ie the entire internet has the same address as far as HA is concerned), and is really only intended for protection from someone already on your network.

You should also have some other form of external facing brute-force protection with HAproxy, nginx, fail2ban, etc.

You should have a firewall somewhere, maybe a function on your router, maybe a separate box. If possible also use geographical IP ranges to only allow your region(s).

All of that can either be at home, or on a VPS if you wanted to bounce all your traffic via a fixed location, perhaps with an outbound VPN from your home to the VPS.

Also use other network presence detection (ie ICMP ping, GPS, etc) to determine if you’re at home.

Or… as others mention… support the devs with their solution.

I’ll add pangolin to the list of things to think about trying. It was relatively easy to set up and it can run locally or on a vps. If it’s on a vps you dont need a constant IP or ddns because your hone server will connect to pangolin on the vps and the vps will serve the apps. youll point the dns records to your vps.

It’s what i use for my extended family to reach my immich instance. No complaints yet whatsoever. It’s traefik+crowdsec+wireguard under the hood but all abstracted into a maintained, easy to use GUI. Youll have granular control over which users can use which services/subdomains and geoblocking etc is effortless.

I put a centralised authentication layer (pocket id) on top of it for easier enrollment across various apps im running but for homeassistant only the built in 2FA should be enough.

If you are hosting other things with it, then a reverse proxy like Caddy or Traefik + crowdsec is pretty much as good as you are going to get and you can add region blocking on your router (if that feature is available) or if you use cloudflare as a proxy.

If you want to go really crazy, you can put authelia/Authentik in front of it, depending on what else you host.

Tailscale is possibly a solution for you.

It’s generally fine to open it up, if your somewhat know what you’re doing. I wouldn’t do it without some protection measures like fail2ban and making sure HA is always up to date.

Nabu Casa, the manufacturer of HA, has a paid option where they take care of publicly accessing your local HA instance. I think that’s a good solution as well. It includes backups on their servers.

I just use a Cloudflare tunnel using the Cloudflared plugin and a custom domain name. So no need to open ports. I use long passwords for the users. Not sure how unsafe it is but in HA you get a notification when a failed login happened.

So - can I just open it up, and rely on long, complex passeords? Or is that a complete no-go?

Install Fail2Ban on a free cloud VM and watch it for a couple of days. Seeing the never-ending intrusion attempts from around the world was a real eye-opener. There is no way I’d expose HA (or anything else except Wireguard) to the Internet. (Open WG ports appear closed unless they receive the correct key.)

In your situation I’d just pay for Home Assistant Cloud. It’s not expensive and will do exactly what you want to do.

For a zero cost solution I use Tasker to automatically enable a Wireguard tunnel whenever we’re not on home wifi. It allows direct access to everything on our local lan, and as a bonus prevents our wireless carrier from monitoring our Internet activities. A combination of the OpenWRT Ubus integration and a BLE integration (using inexpensive Shelly switch modules) detect when we’re home with 100% accuracy.

I don’t really see why you shouldn’t… I have mine behind a reverse proxy, which puts SSL on the public endpoint. The biggest “issue” today, is the isp rotating my ipv4 address to often.

I solved Problem 1 by adding ICMP to HA. It’s constantly checking if my phone is present on the WiFi*.

I’m using Tailscale instead of ZeroTier, but that should not matter.

*I could also use my routers integrstion, but this logic worked with my shitty old router that had no integration

What I personally do is have it accessible over WireGuard. Open TCP ports to the Internet is a bad idea. This does mean you have to launch WireGuard every time, but it’s way more secure

Mine is on the internet. The real risk is a zero day auth bypass, password cracking won’t really work when the HA interface sends notifications on authentication failures.

Mine is on the internet behind nginx. I block connections not originating in countries that are reasonable for my family. I don’t like geoip blocking but it straight up eliminated almost all the IDS alerts. I needed to migrate to DNS based validation for certbot.

If I or my family leave the geo region, I’m “away” anyways until I return to the area and my device gets a new IP. Or I can allow the country temporarily.

With the price of oil and therefore plane tickets what it is, I won’t be leaving my geo region.

Mine is open to the internet, via a nginx reverse proxy. I made it ban people who try to brute-force my password. It’s been fine like that for years now:

http:  
  trusted_proxies:  
    - w.x.y.z  
  use_x_forwarded_for: true  
  ip_ban_enabled: true  
  login_attempts_threshold: 10