Home Assistant: Easy secure remote access from anywhere without exposing your network

The Options

If you want to access your Home Assistant instance from outside your local network, the usual suggestions are subscribing to Nabu Casa or setting up a VPN. A third option has recently become possible: a mesh network based on WireGuard (a new "VPN" protocol that is lightweight, highly performant and secure). This approach has a good list of advantages: it's P2P (peer to peer), it's very fast, nobody but you will have access to your machine (Nabu Casa will set up a hostname which anyone can access), the setup is very easy, and multiple devices can easily be set up to connect.

Mesh network solutions

One such mesh network is Tailscale (or Headscale, which is the open source project). I have been using Tailscale for the last year to host game servers with friends who are behind double NAT, connect to VPS servers and much more. The advantage of Tailscale is its NAT punching functionality through the use of STUN/TURN servers, which means that Tailscale can often get through to your server even without exposing ports in firewalls or configuring your router. Installing Tailscale is also a two-step process: you install the Tailscale agent and then you authenticate with SSO through the Tailscale website.

The Caveats

Sounds great! What are the downsides?
Here's the list:

  • Like most VPNs, Tailscale configures its own network interface, which is both an upside and a downside. If you're on Linux and want to firewall Tailscale traffic, you need to set the rules up specifically against this interface using e.g. UFW (Uncomplicated Firewall). This can also be an advantage, since you will have full control over the traffic that goes through Tailscale.
  • The Windows version is currently in beta. I use this version daily to connect to an exit node, but I sometimes struggle with the Wi-Fi driver crashing and having to restart the OS. However, this happens so infrequently that it's not a big issue. I don't envy the people who have to develop the Windows version of Tailscale; Windows is notoriously messy when it comes to programmatically managing networking and timers. Since Tailscale also directly manages your network, it requires you to disconnect through their software on Windows. If you shut down Tailscale, you might still be connected to your exit node through WireGuard.
  • Tailscale is commercial software, but they offer a free personal plan which covers most use cases. If you don't like their plans, you can always host Headscale yourself. I'm a self-hoster, but I have found just using Tailscale out of the box the easiest and fastest, especially when using Tailscale for Windows.
  • Since your instance isn't exposed to the internet, you won't be able to use public webhooks like you can with Nabu Casa. Webhooks are nice to use if you want to use an API that doesn't have a Home Assistant integration.
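
The firewall point in the first caveat, as an added example (not code from the original post): a shell script that generates UFW rules so Home Assistant is reachable only over the Tailscale interface. The interface name `tailscale0` and the ports 8123 (Home Assistant) and 22 (SSH) are assumptions; override them to match your host.

```shell
#!/bin/sh
# Added example: expose Home Assistant only on the Tailscale interface.
# Assumed values (not from the post): interface tailscale0, Home Assistant
# on TCP 8123, SSH on TCP 22. Override them through the environment.
TS_IF="${TS_IF:-tailscale0}"
HA_PORT="${HA_PORT:-8123}"
SSH_PORT="${SSH_PORT:-22}"

# Print the UFW commands, one per line, without touching the firewall.
ha_ufw_rules() {
    # Reject anything that is not a plain interface name or port number,
    # because these values end up on a root command line.
    case "$TS_IF" in
        ''|*[!A-Za-z0-9_.-]*) echo "bad interface: $TS_IF" >&2; return 2 ;;
    esac
    for p in "$HA_PORT" "$SSH_PORT"; do
        case "$p" in
            ''|*[!0-9]*|??????*) echo "bad port: $p" >&2; return 2 ;;
        esac
        if [ "$p" -lt 1 ] || [ "$p" -gt 65535 ]; then
            echo "bad port: $p" >&2; return 2
        fi
    done
    # Default-deny inbound, then allow SSH and Home Assistant only when the
    # packet arrives on the Tailscale interface (LAN and WAN stay closed).
    cat <<EOF
ufw default deny incoming
ufw default allow outgoing
ufw allow in on $TS_IF to any port $SSH_PORT proto tcp
ufw allow in on $TS_IF to any port $HA_PORT proto tcp
EOF
}

# Run the generated commands as root and enable UFW; stop on first failure.
ha_ufw_apply() {
    rules=$(ha_ufw_rules) || return $?
    printf '%s\n' "$rules" | while IFS= read -r cmd; do
        $cmd || exit 1
    done || return 1
    ufw --force enable
}

# Dry run by default: print the rules. APPLY=1 changes the firewall.
case "${APPLY:-0}" in
    1) ha_ufw_apply ;;
    *) ha_ufw_rules ;;
esac
```

Review the printed rules before running with `APPLY=1` as root. Ports that Docker publishes with `-p` bypass UFW, so a containerized Home Assistant needs its own check.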

That's it! A short introduction to mesh networks with WireGuard and Tailscale.