Last updated on March 24th, 2022 at 08:57 am
You may want to have Home Assistant remote access from everywhere, but you don’t want to setup complicated VPNs or to pay for the cloud service? If yes, then this article is just for you.
What will you see in this article?
Exposing a local server or service to the outside world has always been tricky.
Exposing Home Assistant is not hard, but you have to do it the right way with SSL encryption and IP ban enabled for multiple failed logins. Otherwise you put your whole house or at least all of your sensors, switches and integrations that you have in Home Assistant at risk.
This tutorial will take you through some port forwarding, setup a dynamic DNS for your IP and allow trusted encrypted connections – using DuckDNS and Let’s Encrypt for free!
And if you wouldn’t mind just hitting that little “subscribe” button for my Newsletter. That will greatly help me and by the way it is also free.
Now let’s start this article.
Home Assistant Port Forwarding
First step of the enabling Home Assistant remote access is to set up a port forwarding rule in your router. Just search for: ”[your router] port forward” in YouTube or in Google.
Here is how you can do it in UniFi controller.
Go to Settings > Routing & Firewall > Port Forwarding in your UniFi Controller interface and click on Create New Port Forward Rule button.
This is what you aim! Just replace the Forward IP – 10.0.0.2 with your Home Assistant local address and you are good to go.
If you have different router the experience and visualisation may differ, but the principle is the same. You just have to open port 443 in your router and forward it to your local Home Assistant IP on port 8123.
You also have to assign a static IP address for the server where your Home Assistant is installed. If you don’t know how to do that just ask in the comments section below or search in Google.
Creating a DuckDNS sub domain
Now you have to create a DuckDNS sub domain. This will be the address that you will enter in the browser the Home Assistant remote access.
Just go to DuckDNS.org and login with either of the available options (Persona, Twitter, GitHub, Reddit, Google) and then create a new sub domain. In a similar way as in the picture below.
Then copy the DuckDNS token above your newly created sub-domain and head over to your Home Assistant with a smile.
Adding DuckDNS add-on in Home Assistant
Open your Home Assistant and go to Configuration > Add-ons, Backups & Supervisor > Add-on store (lower right button).
Or just click the My Home Assistant Link below:
Search for DuckDNS add-on and install it.
Go to the configuration tab of DuckDNS add-on and:
- Change the accept_terms to true. By changing it, you agree to use Let’s Encrypt auto renewal SSL certificate feature. And that is really good.
- Add your DuckDNS token next to the token: keyword.
- Add your DuckDNS subdomain (get it from the duckdns.org website) under domains:
Save the changes and start the add-on. You should see no errors in the logs and if that is the case you are just perfect.
Set Home Assistant internal and external URLs
Now is the right time to set up your internal and external URLs for our Home Assistant remote access.
You have two options:
The result is exactly the same and here are the both options.
Using the Home Assistant GUI
In Home Assistant, go to Configuration > General
Input your external and internal URL in the appropriate boxes.
You are done and you can continue to the Home Assistant http section
Editing configuration.yaml file
Open the configuration.yaml file with your favourite editor and paste inside the following lines under your homeassistant: section:
# configuration.yaml entry external_url: https://YOUR_SUBDOMAIN_HERE.duckdns.org internal_url: http://YOUR_INTERNAL_HA_IP_HERE:8123
Don’t forget to replace YOUR_SUBDOMAIN_HERE & YOUR_INTERNAL_HA_IP_HERE with yours.
You can save the file, but don’t close it yet! We will need it a bit more in the next section.
Home Assistant http section
To enable a secure Home Assistant Remote Access we have to tell the Home Assistant where to find the SSL certificate and key from Let’s Encrypt.
It is not hard just paste the following lines in your configuration.yaml file:
# configuration.yaml entry http: ssl_certificate: /ssl/fullchain.pem ssl_key: /ssl/privkey.pem ip_ban_enabled: true login_attempts_threshold: 5
Double check that you don’t already have http: section in your file, if so copy only the last 4 lines under it.
The last two lines from above YAML are helping to harden the security. If you enable IP Ban option with threshold 5 as in the example, then when someone tries to login 5 times with a wrong password in your Home Assistant – it will be banned automatically.
After the first ban, an
ip_bans.yaml file will be created in the root configuration folder. It will have the banned IP address and time in UTC when it was banned. So you can be rest assured that you have a secure Home Assistant remote access.
Save the changes, check your configuration and restart your server.
If you don’t know how to do a configuration check or restart, then ask in the comments below or check some of my other Home Assistant tutorials.
After the restart you can check if your Home Assistant remote is working and you can access it remotely for the first time.
Just open the https://YOUR_SUBDOMAIN_HERE.duckdns.org in a new browser or tab.
Congratulations! Really, you deserve it!
But, don’t stop reading now. You have just few more step to make this even more secure!
What if Home Assistant Remote Access is not working or you loose your local access?
After the above implementation you may face difficulties accessing your local or remote Home Assistant address. First of all, don’t panic! Second, double check these things:
- Make sure that you type https:// and not http:// before your local & external address of your Home Assistant,
- Make sure that you are not banned by the ip_ban_enabled option. That means your IP is not in the ip_bans.yaml file. If it is there just delete it and/or disable the ip ban option by set ip_ban_enabled: false in configuration.yaml file
- Clear your browser cache or open an private/incognito window and try again. You can also try with different browser.
- Don’t expect to have Trusted SSL certificate when access your local address. That is not possible! That means – you will receive warnings from your browser when you access the https version of your local Home Assistant. Depending of the browser that you are using you may add your local Home Assistant https address as exclusion once and you will not receive any warnings after that.
- The Trusted SSL certificate by remote authority like Let’s Encrypt is only possible with your external IP (duckDNS subdomain or other domain).
- Correct port forwarding in your router is crucial for this Home Assistant remote access to work – Double, not Triple check it and test it.
- If you didn’t install and start the DuckDNS add-on. You will receive errors that ssl files and folders are missing when trying to check your Home Assistant configuration or during the Home Assistant start.
Two other ways for Home Assistant remote access
There are also two other ways for Home Assistant remote access.
- The first one is to use the Home Assistant cloud service called Nabu Casa. This a secure and easy way, but it will cost you 5 dollars monthly to have it. You can try the service for free for 31 days.
- The other method is to use a VPN. I will recommend to invest some of your time into configuring and setup a VPN to securely access everything in your home and to leave your ports closed.
Quick question for You
Nobody answers my questions in the articles for unknown reason for me.
Would you like to brake that rule?
If yes, then let me know in the comments which Home Assistant Remote Access is better for you?
- Using a VPN,
- Using the Cloud Service,
- Using this method that I’m showing.
Regardless of what you choose just be sure that you smashed the subscribe button for my Newsletter.
One more thing…
And before we harden the Home Assistant remote access, there is one more thing that I want to share with you.
Yes, exactly you who read this article till this very moment!
I have a Home Assistant Webinar on which I’m talking about 4 different official ways to install Home Assistant + 1 secret stupid easy way. This webinar is completely free of charge and you can watch it instantly by register on this link 👉 https://automatelike.pro/webinar
I hope you will like it as much as I do. Now let’s continue!
Harden the Home Assistant Remote Access Security more
Log in your Home Assistant and click on your username in the lower left corner of the screen.
Then do the following:
- Change your password with a password that contains: letters in upper and lower case, digits and special characters. It will be best if you use this password only for your Home Assistant and nowhere else.
- Enable Multi-factor Authentication Modules – I’m using Google Authenticator for that.
- Download it for free from you your mobile phone store.
- Open it and scan the code that Home Assistant will display with the authenticator app.
- Then the authenticator will display a code that you will have to enter in Home Assistant.
- From now on every-time you want to log in Home Assistant from new device, you will have to enter your username, password and a generated code in the Google authenticator that is changed every 30 secs.
Activating ip_ban_option and Multi-factor Authentication Modules is a must if you enable your Home Assistant Remote Access in the way that i’m showing with the port forwarding and SSL. So don’t skip this!
Support my work
If you like the Home Assistant Remote Access with DuckDNS and Let’s Encript Article and you want more content like this you may want to become one of my supporters. Check exactly how on my support page!
Any other sort of engagement on this site and my YouTube channel does really help out a lot with the Google & YouTube algorithms, so make sure you hit the subscribe, as well as the Like and Bell buttons.
I really hope that you find this information useful and you now know how to setup Home Assistant remote access with DuckDNS and Let’s Encrypt and of course some port forwarding
Stay safe and don’t forget – Home Smart, But Not Hard!
Thank you for reading, I will see you in the next article.