Hi everyone
So, that’s a 2 in 1 post. First a more general question then looking for advice for a friend.
-
What is your preferred way to access HA from outside (and why)?
-
a friend of mine use duckdns and I often read (recently) that some people are having issue with it. Is wireguard a better way or another solution that is not too techy to deal with?
Tailscale.
I just set up Tailscale for the first time, and it is mind-blowing how easy and straightforward it is compared to previous times I’ve set up VPNs. I can’t imagine ever going back (maybe I’d selfhost Headscale). It’s such a great system (product?).
Very different solutions.
- DuckDNS: you expose your HA to the internet like a public website and register it’s address with DuckDNS so you can look it up.
- Wireguard: you VPN to inside your firewall and can access anything on your private network.
Wireguard all the way. Exposing just a VPN endpoint that can’t be connected to without the right cryptographic keys is a much more secure and maintainable attack surface.
BTW I assume that’s what you meant by “DuckDNS”. Using that service is orthogonal to making HA visible externally, but is (I think) the common pairing.
Thanks, wireguard sound much better then for just accessing HA, wonder why is duckdns so popular then
Because DuckDNS means you don’t have to buy your own domain. I don’t know their product offerings; they might offer VPN services, like Mullvad.
Wireguard doesn’t provide you with a DNS entry. Without a domain name, you’ll have to always either edit your hosts file on every computer you use, or access your services via IP (
https://65.147.69.34:8080/
), whether or not you have Wireguard. DuckDNS lets you createhttp://pafha.duck.dns
(or whatever). Using subdomains also helps with reverse proxying, because routing rules are usually configured by host name. For example, your proxy server can route pafha.duck.dns requests to port 8124, which is where your Home Assistant is listening; while pafmympd.duck.dns proxies to port 8091 which is where your MyMPD server is listening. If you own your own domain, you don’t need DuckDNS. If you don’t, it’s very useful.Wireguard gives you a VPN. It’s for creating encrypted subnetworks. Security, and privacy. It doesn’t solve the DNS problem.
Will check that, thanks
Apples and oranges.
Wireguard is a VPN technology. DuckDNS is a service that lets you create a subdomain on the duckdns TLD and point it at your server. They do completely different things.
You would use DuckDNS if you don’t want to rent your own domain (“rent” because it’s a recurring payment for something over which you have only nominal control). It provides no security, no access control, and it creates no network. It’s just a pointer in the global DNS DB.
Wireguard is a VPN technology, for creating private networks.
One is like a mailing address. The other is like a strongbox. You could give the strongbox to a friend to deliver it to someone who has the key (Wireguard). Or you could write a message on a postcard and mail it (DuckDNS). Or you could put the address on the strongbox and mail it (DuckDNS + Wireguard). The point is, they serve completely different functions.
The two could be used together.
Ok, so wireguard seems a better alternative for him. Thanks
Different services for different use cases.
I use nginx reverse proxy behind Duckdns for anything that requires public access, or that I use very frequently, like jellyfin or immich
I use Wireguard for everything else, to expose as little as possible.
If anything, I would say that Duckdns is harder to setup than Wireguard. You will need something like nginx reverse proxy if you want to host multiple services, and also deal with SSL certificates.
Can you explain why you don’t use wireguard for jellyfish/lmmich?
(Network things are something I never get to fully understand)
To use Wireguard, you need to:
- provision a client tunnel for every device, or at least every person who needs to access your network
- have Wireguard downloaded and installed on every device, with the tunnels all imported.
Basically, Wireguard works really well for services that only you use, on your own devices. You set it up once per device, and you have access to every service you host on your network.
For the DuckDNS / reverse proxy route, you need to configure the reverse proxy for every service you want to expose, but don’t need to configure anything on the end user’s device.
For Jellyfin, since I have users that are not me, it is impractical to expect them to go through all the hoops to get Wireguard running just to watch some movie or tv show. I also don’t want to make new Wireguard client tunnels for every single friend that I add to my jellyfin server. This also means I can access jellyfin on devices that aren’t my own such as a friend’s TV.
For immich, my phone is a bit wonky with keeping Wireguard connected in the background, and I just don’t want to worry about if I’m connected to my vpn just so my photos will get backed up.
I just realized that this is the homeassistant community and not something more generic.
Specifically for homeassistant, Wireguard should be fine, unless you plan to do some more advanced stuff like use Alexa without a nabu casa subscription.
The times where you need access to your HA instance without being able to connect to Wireguard should be pretty limited.
Thanks
I consider myself a novice but this is how I do it too (ngnx reverse proxy handling SSL in conjunction with Duckdns domain. Wireguard for remote access to everything else). Both Nginx & duckdns are fairly straightforward to set up through Docker/Portainer.
Should the need arise I’ll look at Tailscale.
I dont use HA yet, it’s something I’d like to get into if I can figure out VLAN in order to keep IoT stuff away from the rest of the network.
I’ve currently switched to cloudflare DNS, and it looks like it’s doing the job better than duck for me. There’s an integration for it, though I don’t know how good that works, I initially set it up manually
When you say it is doing a better job, can you explain how ?
I use the Google assistant integration, and it works right now. With duck, I think it was maybe 50/50 on it that a voice command worked. Some days it was nearly not at all. So far with cloudflare, I’ve had no “I’m sorry, but ___ is not available right now”
Tailscale, because it’s a peer-to-peer VPN based on WireGuard with very little setup and Cloudflare Tunnel for external access to HA
I used to use a custom DNS solution using Amazon Route 53 (which I already used for my websites) and a Let’s Encrypt certificate. It worked ok but was pretty technical to set up.
Then I switched ISP and the new one doesn’t allow incoming connections by default so I use Nabu Casa. It was super simple to set up and works perfectly and, imo, well worth the cost.
My router has a built in VPN, so I setup my phone with the VPN settings. Just a toggle on my phone and it connects to my home as if I was at my home Wi-Fi.
That is useful but I guess you can’t get HA app notifications unless you toggle that setting on your phone? You are using telegram or else for that purpose?
I don’t get any notifications from HA. I also don’t really use HA away from home. Just convenient for me to log in and check temperatures, make sure I have lights off, etc.
Lots of good info here I’m not going to repeat, but I think if you’re going to open home assistant to the public Internet, you should not use duckdns. It’s better to get your own domain and set up a reverse proxy to use https. Or if it’s too technical, subscribe to nabu casa and let them handle it for you.
Nabucasa is what I do as I never managed to understand properly network rules. What your thoughts on wireguard?
Wireguard is good if you don’t want easy access to notifications or location based automations. Otherwise you need to always make sure the VPN is on.
Wireguard. Wireguard is fairly easy to configure and keeping your setup behind the firewall is much less headache in the long run.
First rule of hosting publicly available services is “Don’t. Unless you absolutely have to.” Second rule is: “If you have to, do it very carefully.”
Wondering something, Can you get wireguard client to only be used for HA app and leave everything else threw normal routing on your phone? (Not sure I have proper wording). So that wireguard will always be on but only being used for HA app
On Android, you can specify which applications you want included or excluded. Or you can specify that you only route your home LAN IP ranges through wireguard. Both of those would accomplish your goal.
Yep. Split tunneling has been a standard option for a long time.
Perfect, thanks
DuckDNS + LetsEncrypt + Pihole + Tailscale.
I use DuckDNS for my domain name but put in a random IP that isn’t mine.
LetsEncrypt to generate certificates for my DuckDNS domain using the DNS Check option.
Pihole to locally route traffic for my domain on my network to my home server
Tailscale to remotely access to my network.