You may want to have Home Assistant remote access from everywhere, but you don’t want to setup complicated VPNs or to pay for the cloud service? If yes, then this article is just for you.

Home Assistant Remote Access

What will you see in this article?

Exposing a local server or service to the outside world has always been tricky.

Exposing Home Assistant is not hard, but you have to do it the right way with SSL encryption and IP ban enabled for multiple failed logins. Otherwise you put your whole house or at least all of your sensors, switches and integrations that you have in Home Assistant at risk.

This tutorial will take you through some port forwarding, setup a dynamic DNS for your IP and allow trusted encrypted connections – using DuckDNS and Let’s Encrypt for free!

And if you wouldn’t mind just hitting that little “subscribe” button for my Newsletter. That will greatly help me and by the way it is also free.
Now let’s start this article.

Home Assistant Port Forwarding

First step of the enabling Home Assistant remote access is to set up a port forwarding rule in your router. Just search for: ”[your router] port forward” in YouTube or in Google.

Here is how you can do it in UniFi controller.

Go to Settings > Routing & Firewall > Port Forwarding in your UniFi Controller interface and click on Create New Port Forward Rule button.

You need a Port Forward Rule to enable Home Assistant remote access
You need a Port Forward Rule to enable Home Assistant remote access

This is what you aim! Just replace the Forward IP10.0.0.2 with your Home Assistant local address and you are good to go.

If you have different router the experience and visualisation may differ, but the principle is the same. You just have to open port 443 in your router and forward it to your local Home Assistant IP on port 8123.

You also have to assign a static IP address for the server where your Home Assistant is installed. If you don’t know how to do that just ask in the comments section below or search in Google.

Creating a DuckDNS sub domain

Now you have to create a DuckDNS sub domain. This will be the address that you will enter in the browser the Home Assistant remote access.

Just go to DuckDNS.org and login with either of the available options (Persona, Twitter, GitHub, Reddit, Google) and then create a new sub domain. In a similar way as in the picture below.

Smash-the-like.duckdns.org is already taken but you can still smash the like!
Smash-the-like.duckdns.org is already taken, but you can still smash the like!

Then copy the DuckDNS token above your newly created sub-domain and head over to your Home Assistant with a smile.

Adding DuckDNS add-on in Home Assistant

Open your Home Assistant and go to Supervisor > Add-on store.

Search for DuckDNS add-on and install it.

Go to the configuration tab of DuckDNS add-on and:

  1. Change the accept_terms to true. By changing it, you agree to use Let’s Encrypt auto renewal SSL certificate feature. And that is really good.
  2. Add your DuckDNS token next to the token: keyword.
  3. Add your DuckDNS subdomain (get it from the duckdns.org website) under domains:
Configuring DuckDNS add-on in Home Assistant
Configuring DuckDNS add-on in Home Assistant

Save the changes and start the add-on. You should see no errors in the logs and if that is the case you are just perfect.

Set Home Assistant internal and external URLs

Now is the right time to set up your internal and external URLs for our Home Assistant remote access.

You have two options:

  1. You can use the Graphical Interface.
  2. You can edit the configuration.yaml.

The result is exactly the same and here are the both options.

Using the Home Assistant GUI

In Home Assistant, go to Configuration > General
Input your external and internal URL in the appropriate boxes.

You are done and you can continue to the Home Assistant http section

Editing configuration.yaml file

Open the configuration.yaml file with your favourite editor and paste inside the following lines under your homeassistant: section:

# configuration.yaml entry  
  external_url: https://YOUR_SUBDOMAIN_HERE.duckdns.org
  internal_url: http://YOUR_INTERNAL_HA_IP_HERE:8123

Don’t forget to replace YOUR_SUBDOMAIN_HERE & YOUR_INTERNAL_HA_IP_HERE with yours.

You can save the file, but don’t close it yet! We will need it a bit more in the next section.

Home Assistant http section

To enable a secure Home Assistant Remote Access we have to tell the Home Assistant where to find the SSL certificate and key from Let’s Encrypt.

It is not hard just paste the following lines in your configuration.yaml file:

# configuration.yaml entry  
http:
  ssl_certificate: /ssl/fullchain.pem
  ssl_key: /ssl/privkey.pem
  ip_ban_enabled: true
  login_attempts_threshold: 5

Double check that you don’t already have http: section in your file, if so copy only the last 4 lines under it.

The last two lines from above YAML are helping to harden the security. If you enable IP Ban option with threshold 5 as in the example, then when someone tries to login 5 times with a wrong password in your Home Assistant – it will be banned automatically.

After the first ban, an ip_bans.yaml file will be created in the root configuration folder. It will have the banned IP address and time in UTC when it was banned. So you can be rest assured that you have a secure Home Assistant remote access.

Save the changes, check your configuration and restart your server.

If you don’t know how to do a configuration check or restart, then ask in the comments below or check some of my other Home Assistant tutorials.

After the restart you can check if your Home Assistant remote is working and you can access it remotely for the first time.

Just open the https://YOUR_SUBDOMAIN_HERE.duckdns.org in a new browser or tab.

Congratulations! Really, you deserve it!

But, don’t stop reading now. You have just few more step to make this even more secure!

Two other ways for Home Assistant remote access

There are also two other ways for Home Assistant remote access.

  1. The first one is to use the Home Assistant cloud service called Nabu Casa. This a secure and easy way, but it will cost you 5 dollars monthly to have it. You can try the service for free for 31 days.
  2. The other method is to use a VPN. I will recommend to invest some of your time into configuring and setup a VPN to securely access everything in your home and to leave your ports closed.
    • These are my VPN tutorials that you could use.
      • WireGuard VPN from Home Assistant Easy Setup – link
      • Raspberry Pi into VPN (How-To) with ZeroTier – link

Quick question for You

Nobody answers my questions in the articles for unknown reason for me.

Would you like to brake that rule?

If yes, then let me know in the comments which Home Assistant Remote Access is better for you?

  1. Using a VPN,
  2. Using the Cloud Service,
  3. Using this method that I’m showing.

Regardless of what you choose just be sure that you smashed the subscribe button for my Newsletter.

One more thing…

And before we harden the Home Assistant remote access, there is one more thing that I want to share with you.

Yes, exactly you who read this article till this very moment!

Most of you probably don’t know that very recently I published my first digital product called Smart Home Getting Started Actionable Guide.

I don’t want to be a salesman that only want to sell no matter what and give nothing back.

I want to give more than I receive. Like this Home Assistant Remote Access article & video as well as many more which are completely free for use.

The Smart Home Getting Started Actionable Guide have a price, but I’m sure it will save you time and money if you buy it!

Why don’t you check it out by yourself?

I hope you will like it as much as I do.

Harden the Home Assistant Remote Access Security more

Log in your Home Assistant and click on your username in the lower left corner of the screen.

Then do the following:

  1. Change your password with a password that contains: letters in upper and lower case, digits and special characters. It will be best if you use this password only for your Home Assistant and nowhere else.
  2. Enable Multi-factor Authentication Modules – I’m using Google Authenticator for that.
    • Download it for free from you your mobile phone store.
    • Open it and scan the code that Home Assistant will display with the authenticator app.
    • Then the authenticator will display a code that you will have to enter in Home Assistant.
    • From now on every-time you want to log in Home Assistant from new device, you will have to enter your username, password and a generated code in the Google authenticator that is changed every 30 secs.
Harden the Home Assistant remote access even more by enabling MFA
Harden the Home Assistant remote access even more by enabling MFA

Activating ip_ban_option and Multi-factor Authentication Modules is a must if you enable your Home Assistant Remote Access in the way that i’m showing with the port forwarding and SSL. So don’t skip this!

Support my work

If you like the Home Assistant Remote Access with DuckDNS and Let’s Encript Article and you want more content like this you may want to become one of my supporters. Check exactly how on my support page!

Any other sort of engagement on this site and my YouTube channel does really help out a lot with the Google & YouTube algorithms, so make sure you hit the subscribe, as well as the Like and Bell buttons.

Also feel free to add me on Twitter by searching for @KPeyanski.  You can find me on my Discord server as well.

I really hope that you find this information useful and you now know how to setup Home Assistant remote access with DuckDNS and Let’s Encrypt and of course some port forwarding

Stay safe and don’t forget – Home Smart, But Not Hard!

Thank you for reading, I will see you in the next article.