I know this probably comes up a lot and I’ve done some reading, but it’s a little overwhelming so I thought I’d just post to help me get my thoughts together. I want to set up HA primarily to start using it with Frigate and give me remote access to my cameras, but I might as well double down and get everything on this. I like the idea of clever houses and I’m glad there’s a good option for doing it locally with a decent FOSS solution.
So in my network I have a sort of DMZ network. This network has all those dodgy IoT devices on it and it’s basically an untrusted network with internet access. I then have my normal network with everything else on it, like my laptop, phones, home server, etc. I’m planning on installing HA in a Podman container (Docker) on my server, but I’d like to have some remote access so I can check out my cameras, 3D printer, and maybe a few other things. I’d also like to be able to receive notifications. However, I still want to be able to run it normally without too many complications, so I’d like it internal to my trusted network.
I’m thinking about the possibility of running two containers, one on my trusted network and one on my DMZ. I could sync them up or give them access to the same storage areas maybe. Is this possible? ChatGPT suggested it so I’m not sure if it’s worth pursuing. If not, what are my other options? I basically want all the positives of having it on the internet with none of the negatives, how hard can that be?
You are overcomplicating it. I suggest starting out with some sort of VPN. Wireguard is super simple to set up with a wg-easy container.
Plus one for the wg-easy container. It’s dead simple!
HA on your private network. Tailscale or Wireguard into that network. Problem solved.
Just run HA on the network you prefer and add firewall rules to cross to the other network as needed. Don’t need to overcomplicate things!
If vanilla Wireguard is too complicated to set up for you: try tailscale.
If you don’t trust the central tailscale server: rent a VPS and set up headscale on that.
I pay what I consider a pretty affordable price for this ($65/yr), and support HA dev community. It also allows auto-syncing devices to my Google Assistants. No affiliation but an easy way to get something more and give a little back.
A DMZ is a decent idea, but you can do the same thing with a VLAN and it would be less of a PITA.
I recommend just doing a VLAN and disabling outside connections to your network. Use Wireguard to VPN in, and access local services via the VPN.
For notifications, you can use Gotify.
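The VPN approach several replies recommend, as an added example that is not from any poster in the thread: a WireGuard server config on the home server and a matching phone config. Everything here is constructed; the LAN 192.168.10.0/24, the HA host 192.168.10.20:8123, the tunnel range 10.8.0.0/24, the uplink interface eth0, the hostname home.example.net and the key placeholders are all assumptions. The security point it shows is least privilege: the phone only routes the HA host through the tunnel, and the server only forwards tunnel traffic to that one host and port, so a lost phone does not become a door to the whole trusted network.

```ini
# --- /etc/wireguard/wg0.conf on the home server (constructed example) ---
[Interface]
# Server's tunnel address; the trusted LAN it sits on is 192.168.10.0/24 (assumed)
Address = 10.8.0.1/24
# The only inbound port to forward on the router: UDP 51820. WireGuard stays
# silent to packets that do not authenticate, so a port scan sees nothing.
ListenPort = 51820
PrivateKey = <SERVER_PRIVATE_KEY_PLACEHOLDER>
# Enforce on the server what the tunnel may reach: only HA on 192.168.10.20:8123.
# Replies flow back via the conntrack state of the allowed connection.
PostUp = iptables -A FORWARD -i %i -d 192.168.10.20 -p tcp --dport 8123 -j ACCEPT; iptables -A FORWARD -i %i -j DROP; iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
PostDown = iptables -D FORWARD -i %i -d 192.168.10.20 -p tcp --dport 8123 -j ACCEPT; iptables -D FORWARD -i %i -j DROP; iptables -t nat -D POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE

[Peer]
# The phone. Cryptokey routing: packets from this key must carry this source
# address, so one peer cannot impersonate another inside the tunnel.
PublicKey = <PHONE_PUBLIC_KEY_PLACEHOLDER>
AllowedIPs = 10.8.0.2/32

# --- phone.conf, imported into the WireGuard app (constructed example) ---
# [Interface]
# Address = 10.8.0.2/32
# PrivateKey = <PHONE_PRIVATE_KEY_PLACEHOLDER>
# # Optional: resolve home names via the home DNS server (assumed address)
# DNS = 192.168.10.1
#
# [Peer]
# PublicKey = <SERVER_PUBLIC_KEY_PLACEHOLDER>
# Endpoint = home.example.net:51820
# # Split tunnel: only the HA host is sent through the VPN; all other phone
# # traffic stays on its normal connection.
# AllowedIPs = 192.168.10.20/32
# # Keeps the NAT mapping alive so HA push notifications keep arriving
# PersistentKeepalive = 25
```

With the tunnel up, the HA companion app simply uses the internal URL http://192.168.10.20:8123 from anywhere. wg-easy generates equivalent files for you; the one thing worth changing from its defaults is narrowing the phone's AllowedIPs and adding the server-side FORWARD filter, since the client-side AllowedIPs is only routing and is not enforced by the server on its own.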
I’m thinking about the possibility of running two containers, one on my trusted network and one on my DMZ. I could sync them up or give them access to the same storage areas maybe.
It is, but it could/would cause huge complications when both containers attempt to access the same resource which is already in use. I wouldn’t recommend running 2 containers from the same location. It’s a bit antithetical to what docker is used for.
I am not sure how two synced HA instances (if that’s even possible) would help. You would need to allow your IoT devices to be accessible by the Home Assistant instance you want to use with your personal devices. If that seems like a risk to you, then why not run HA in the DMZ altogether?
You can configure HA to use an external database, so you could (presumably) configure two instances to use the same DB. Not sure how much conflict that would cause for entities that are only attached to one of those instances, but it seems like both should have the same access to state data and history. Could probably even set one instance up with read-only DB access to limit data conflicts, although I imagine HA will complain about that.
Even with an external database, HA still uses its internal DB for some things, so I don’t think you’d ever get identically mirrored instances.
There’s a subscription for this that works kinda like that.
Otherwise a VPN into your home network gives you access from your devices. Maybe your router already supports this, otherwise tailscale or zerotier and similar can be a good solution.
I don’t have issues exposing my HA to the internet through caddy, but I filter traffic based on country of origin (geoip2). Used to have separate auth in front but I removed that a few months ago.
Edit: not too much use of running two containers if you expose the same storage to both. Better option would be to have two reverse proxies, one for local and one for internet, both proxying the same HA instance. That way you can get HA on normal https port with certs.
Imo you are pretty safe with a reverse proxy with an extra layer of security.
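The two-proxies-one-instance layout suggested in the edit above, as an added example that is not the poster's own config: one Caddyfile serving the same HA instance under an internal name (certificate from Caddy's built-in local CA, answered only for LAN clients) and a public name (certificate obtained automatically from a public CA). The names ha.home.arpa and ha.example.net, the LAN range 192.168.10.0/24 and the HA address 192.168.10.20:8123 are assumptions. The poster's geoip filter is a third-party Caddy module and is not shown here.

```caddyfile
# Constructed example Caddyfile: two front doors to one Home Assistant instance.

# Internal name: Caddy's own local CA issues the certificate (`tls internal`),
# and the site refuses anything that does not come from the LAN (assumed range).
ha.home.arpa {
	tls internal

	@lan remote_ip 192.168.10.0/24
	handle @lan {
		# WebSocket upgrades used by the HA frontend are proxied transparently
		reverse_proxy 192.168.10.20:8123
	}
	# Any other source is turned away without reaching HA
	handle {
		respond "Forbidden" 403
	}
}

# Public name: automatic HTTPS with a publicly trusted certificate. Ports 80/443
# must reach this host; nothing else is exposed, HA itself stays on the LAN.
ha.example.net {
	header {
		Strict-Transport-Security "max-age=31536000"
		-Server
	}
	reverse_proxy 192.168.10.20:8123
}
```

Home Assistant rejects proxied requests (HTTP 400) unless its own configuration.yaml has `http:` with `use_x_forwarded_for: true` and a `trusted_proxies:` list containing the address Caddy connects from; set that on the HA side before testing either name. Because both names reach the same instance, a login from the public side gets exactly the same HA account and permissions as the internal one, so the extra layer the next comment mentions (geo filtering, a forward-auth gate, or simply the VPN) is what distinguishes the two doors.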
It sounds like you’re trying to solve two problems in this question.
- How to access home assistant from outside your home
- How to run home assistant on your normal network while letting it have access to your IOT network.
The first problem is usually solved in one of a couple of different ways. You could set up a VPN from your phone back to your house and access home assistant locally, you could use something like cloudflare tunnels, you could set up a reverse proxy, or you could use home assistant cloud. Some of these are paid features and each of them has various advantages and disadvantages.
The second problem is likely best solved with vlans but unless you specifically bought a switch or router to support that feature it’s likely yours can’t. There are probably other means to bridge the access and limit it to a one way view with firewall rules but the same thing there, most standard consumer router/modem boxes are somewhat limited on how you can set your rules.
You’ve got a couple of options available to you and if you’re early enough on in the project and you’ve got the budget for it I’d look into getting your hands on a managed switch and a box you can install OPNsense or pfSense on. Either would give you the ability to set and manage VLANs, establish firewall rules to control access between them, set up a VPN and/or reverse proxy, and much more.
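The "one way view with firewall rules" between the trusted VLAN and the IoT VLAN, as an added example that is not from the poster: an nftables forward chain for a Linux router sitting between the two. OPNsense and pfSense express the same policy through their GUI; this is the equivalent written out so the logic is visible. Interface names vlan10 (trusted, 192.168.10.0/24, HA at 192.168.10.20), vlan20 (IoT, 192.168.20.0/24) and wan0, and the MQTT port 1883, are assumptions.

```nft
#!/usr/sbin/nft -f
# Constructed example: default-deny forwarding between VLANs.
# vlan10 = trusted LAN (HA host 192.168.10.20), vlan20 = IoT/DMZ, wan0 = upstream.
flush ruleset

table inet filter {
	chain forward {
		type filter hook forward priority 0; policy drop;

		# Replies to connections allowed below, e.g. Frigate pulling RTSP from a
		# camera: the trusted side opened it, so the camera's packets come back.
		ct state established,related accept
		ct state invalid drop

		# Trusted network may initiate anything towards IoT devices and the internet
		iifname "vlan10" oifname { "vlan20", "wan0" } accept

		# IoT devices keep their internet access (cloud-dependent gear still works)
		iifname "vlan20" oifname "wan0" accept

		# The single permitted IoT -> trusted flow: devices pushing state to the
		# MQTT broker assumed to run next to HA. Pin it to one host and one port.
		iifname "vlan20" oifname "vlan10" ip daddr 192.168.10.20 tcp dport 1883 accept

		# Everything else crossing from IoT into the trusted side is logged and
		# dropped, so a device probing the LAN shows up in the router's log.
		iifname "vlan20" oifname "vlan10" log prefix "iot-to-trusted-drop: " counter drop
	}
}
```

Load with `nft -f` and watch the kernel log for the prefix while the IoT devices run normally; a steady stream from one device tells you it is trying to talk to something it should not. Two caveats a first-time setup runs into: this is the forward chain only, the router's own input chain still needs its own rules, and HA's automatic discovery relies on mDNS/SSDP broadcasts that do not cross a routed VLAN boundary, so devices on vlan20 either get added by IP or need a reflector such as avahi configured to repeat between the two VLANs.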
Why not use cloudflare with client certs?