I’m running my own HA locally, in my house, but I would like to be able to access it also when I’m not home. So I’ve put it on my Zerotier One VPN, which works fine. Except for two things:

  1. HA no longer knows when I’m home - it thinks I’m always home;

  2. Other people in my household would also like to have remote access, but it’s unrealistic to have them install and use the VPN.

So - can I just open it up, and rely on long, complex passwords? Or is that a complete no-go?

  • thr0w4w4y2@sh.itjust.works
    11 hours ago

    If you have to open it up, then you can at least allow-list IP addresses through your firewall so it’s not everyone who gets full access.

    • tofu
      11 hours ago

      How’s that supposed to work if the other people want to access it “from the Internet”, most likely meaning their mobile phones when not at home? Find out all IP subnets for the carrier?

      • HeyJoe@lemmy.world
        8 hours ago

        I have done something similar on mine but reversed. Instead of a whitelist I put together a rule to geo block all countries except the one I am in at the firewall. Before doing this I absolutely saw unknown traffic hit me constantly. With this in place it has been quiet ever since. You could probably narrow it down some more if you really feel like it’s necessary. I know this is also harder for some people to do since before I had this firewall I did not have an easy option to just block traffic like this.

        • Coleslaw4145@lemmy.world
          5 hours ago

          I do this as well, but another approach I was thinking about implementing (I haven’t tried it yet) was to also block all IP addresses not belonging to mobile networks or residential ISPs in my country.

          That way, in theory, only a mobile network IP or someone on residential wifi would pass through my firewall to Home Assistant, and this would filter out IPs belonging to datacentres which may be hosting hostile VPS’s, Tor exit nodes, proxies, VPN exit points, etc, etc.
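The layered source filter described in the two comments above (country allow-list, then datacentre ranges carved out of it, default drop), as an added example that is not part of the thread. The CIDR lists are constructed from documentation address ranges, and the `SourcePolicy` class and its verdict strings are hypothetical names; real lists would have to come from whatever GeoIP or ASN data the firewall uses.

```python
import ipaddress

# Constructed sample data (RFC 5737 / RFC 3849 documentation ranges), not real ISP ranges.
HOME_COUNTRY_ACCESS_NETS = ["198.51.100.0/24", "203.0.113.0/25", "2001:db8:1000::/36"]
DATACENTRE_NETS = ["203.0.113.64/26", "2001:db8:1fff::/48"]


def parse_networks(cidrs):
    """Parse CIDR strings and merge overlapping or adjacent prefixes per IP version."""
    nets = [ipaddress.ip_network(c, strict=True) for c in cidrs]
    merged = []
    for version in (4, 6):  # collapse_addresses() rejects mixed versions
        merged += ipaddress.collapse_addresses(n for n in nets if n.version == version)
    return merged


class SourcePolicy:
    """Hypothetical evaluator: deny list wins, then allow list, then default drop."""

    def __init__(self, allow, deny):
        self.allow = parse_networks(allow)
        self.deny = parse_networks(deny)

    @staticmethod
    def _matches(ip, nets):
        return any(n.version == ip.version and ip in n for n in nets)

    def decide(self, source):
        try:
            ip = ipaddress.ip_address(source)
        except ValueError:
            return "drop:unparseable"
        # Treat IPv4-mapped IPv6 (::ffff:a.b.c.d) as the IPv4 address it carries,
        # so a dual-stack listener cannot be used to sidestep the IPv4 rules.
        mapped = getattr(ip, "ipv4_mapped", None)
        if mapped is not None:
            ip = mapped
        # Datacentre ranges are checked first because they can sit inside a
        # country-level block that would otherwise be accepted.
        if self._matches(ip, self.deny):
            return "drop:datacentre"
        if self._matches(ip, self.allow):
            return "accept"
        return "drop:not-allow-listed"


POLICY = SourcePolicy(HOME_COUNTRY_ACCESS_NETS, DATACENTRE_NETS)

if __name__ == "__main__":
    for src in ["198.51.100.7", "203.0.113.70", "192.0.2.1", "2001:db8:1fff::5"]:
        print(f"{src:20} {POLICY.decide(src)}")
```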

        • tofu
          8 hours ago

          Yeah that’s a solid approach if you and your housemates are the only users.