Home Assistant Remote Access Using SocketXP Add-on



You want remote access to your Home Assistant without setting up port forwarding or DDNS, and you are worried about the security and safety of such router hacks. You are right: opening up your home router ports could open up your home network to hackers and other unwanted malicious users.

In this article we'll discuss a highly secure method for Home Assistant remote access without port forwarding, using the SocketXP add-on for Home Assistant.

If you are wondering "what is SocketXP add-on?", continue reading...

SocketXP - Home Assistant Remote Access VPN

SocketXP is a cloud-based, lightweight VPN alternative that provides secure remote access and connectivity to your home automation server and applications (such as Home Assistant, Node-RED, Grafana, InfluxDB, Cloud9, etc.) running in your home network, behind NAT and firewall.

SocketXP creates a secure end-to-end SSL/TLS tunnel and a unique public endpoint (HTTPS URL) for your home automation server and the applications running on it. You can use the public HTTPS URL to access your home automation system from any remote location. You could even share the SocketXP public URL with any 3rd party home automation services online, such as IFTTT or Zapier, to send webhook notifications to your home automation server.

SSL/TLS tunnels are extremely secure, making “man-in-the-middle” attacks impossible.  SSL/TLS is the technology used by banks, financial institutions, and e-commerce websites to perform secure financial transactions online.

SocketXP’s secure SSL/TLS reverse proxy service is a simple, reliable and safe alternative to the messy, unreliable and unsafe method of tampering with your home router configuration to set up port forwarding and Dynamic DNS (DDNS) tracking. SocketXP provides Home Assistant remote access without any port forwarding setup in your router.

Home Assistant Remote Access Without Port Forwarding:

Install the secure, lightweight SocketXP add-on to run on your home automation server, alongside your other applications.  The SocketXP add-on is an agent that creates a secure SSL/TLS tunnel between the SocketXP Cloud Gateway and a specific application running in your home automation server.  SocketXP Cloud Gateway, running in the Google Cloud Platform, creates a unique public endpoint (HTTPS URL) for the SSL/TLS tunnel.  You can use the public URL to access the specific application running in your home automation server from remote locations.

Home Assistant SocketXP Addon - SSL/TLS Tunnels, Remote Access and Webhook Relay

What’s the use case?

The SocketXP add-on provides Home Assistant remote access without port forwarding setup or altering your home router configuration. SocketXP can also be used to receive webhooks from popular services such as IFTTT or Zapier and relay them to your Home Assistant or Node-RED instances. Since webhooks are just standard HTTP requests, any service can easily produce and consume them. SocketXP is extremely useful when:

  • You want to avoid tampering with your home router configuration.
  • You cannot access your router to configure port forwarding.
  • Your router doesn’t support port forwarding.
  • Your ISP blocks inbound connections.
  • You don’t have a static IP address.
  • The server that is hosting your home automation system is changing IP or location.
  • You want to avoid tracking the non-static IP address on your home router via DDNS.

Services Offered:

SocketXP offers two different services.

  • SocketXP Tunnel - For remote access and connectivity
  • SocketXP Webhook Relay Service - for proxying and relaying webhook notifications

Use SocketXP tunnels when:

  • You need remote access to your home automation instance (for example you want to view it through a browser remotely).
  • Third-party online services need a bi-directional communication channel to your home automation instance.

Use SocketXP webhook relay service when:

  • Your Home-Assistant or Node-RED instances or any application running in your home automation server needs to receive webhook notifications from 3rd party home automation services online such as IFTTT or Zapier.  Webhook notifications are mostly one-way and don’t expect any responses back.
  • You don’t want to expose your home automation server directly to the internet and want to add a layer of protection between the third-party online service and your home automation server.
  • SocketXP is also a great tool for testing webhooks during the development cycle.

Home Assistant Remote Access VPN

SocketXP is a secure, lightweight, VPN-like remote access tunneling agent which can be used as a Home Assistant add-on.

Prerequisites

  • It is advised that you are on a SocketXP subscription that supports TLS pass-through tunnels (Basic plan is $4.99 per month).
  • Get a custom domain name for your home assistant, if you don’t want your public URL to be based on SocketXP.com domain.
  • Your Home Assistant supports TLS termination. Follow the instructions here to get a free SSL Certificate and Key for your domain from “Let’s Encrypt” and configure Home Assistant to run on HTTPS. Alternatively, you can use the nginx proxy add-on to set up HTTPS for your Home Assistant.

How to install Home Assistant SocketXP Add-on:

Install the add-on by adding https://github.com/socketxp-com/home-assistant repository to your add-ons:

Home Assistant SocketXP Addon - Installation SSL/TLS Tunnel

Install the add-on.  You'll find the default config that comes with the add-on, as shown below.


Home Assistant SocketXP Addon - TLS/SSL Tunnel Config

Edit the configuration and update the authentication token and your custom domain name URL.  But before that, get your auth-token from SocketXP portal.

Generate SocketXP auth token:

The add-on will need to authenticate itself to the SocketXP Cloud Gateway. Sign up at https://portal.socketxp.com to retrieve your unique auth token.

SocketXP Portal - Authtoken

Add-on Configuration Options:

There are 4 different configuration options available for the SocketXP add-on:

  1. Simple HTTPS tunnels under the https://your-subdomain.socketxp.com domain. These tunnels are easy to configure but provide sub-optimal data security. SocketXP performs HTTPS proxying by acting as a man-in-the-middle. Even though SocketXP does not record any traffic on tunnels and never will, consider using end-to-end SSL/TLS tunnels. Read more about SocketXP HTTPS tunnels here.
  2. TLS tunnels with SocketXP domain name and self-signed certificates
  3. TLS tunnels with custom domain names and Let’s Encrypt certificates. [Recommended]
  4. TLS tunnels with DuckDNS.org domain name.

Option #1: Simple HTTPS

This is by far the simplest option. You don’t have to register your own domain name; you can create a tunnel under the “socketxp.com” domain and use HTTPS tunnels. It doesn't require Home Assistant to run using HTTPS, meaning Home Assistant could run on simple HTTP without requiring any SSL certificate or key. Read more about SocketXP HTTPS tunnels here.

Here is a sample config for this option:

{
        "authtoken": "<your-auth-token-goes-here>",
        "tunnel_enabled": true,
        "tunnels" : [
            {
                "destination": "http://127.0.0.1:8123",
                "protocol": "http",
                "custom_domain": ""
            }
        ],
        "relay_enabled": false, 
        "relays": [
            {
                "destination": "http://127.0.0.1:8123"
            }
        ]
}

With these tunnels, TLS is terminated at the SocketXP Cloud Gateway, and the traffic is then re-encrypted using the SSL certificate and key of the SocketXP add-on for the rest of the journey. In essence, the tunnel traffic always remains encrypted in some form when sent over the internet. However, when the HTTPS traffic reaches the SocketXP add-on running in your server, the HTTPS tunnel is terminated and the traffic is sent as clear-text HTTP to your Home Assistant. This is called a "hop-by-hop" TLS tunnel, or simply an HTTPS tunnel, as opposed to the "end-to-end" SSL/TLS tunnel, which is highly secure (discussed in the next few sections).

Option #2: TLS tunnels with self-signed certificates

This is the most economical option with minimal cost and maximum benefit. Use this option if you are fine with running your Home Assistant instance using a subdomain of the “socketxp.com” domain (e.g. <https://your-name.socketxp.com>) but you want to run an end-to-end TLS tunnel to avoid “man-in-the-middle”. You can generate a self-signed SSL certificate and key for your subdomain using the openssl tool. You’ll notice certificate warnings (Root CA not verified or trusted) in the browser when you access the public URL. You may need to add an exception for this warning in your browser to continue to your Home Assistant login page.

Here is a sample config for this option:

{
        "authtoken": "<your-auth-token-goes-here>",
        "tunnel_enabled": true,
        "tunnels" : [
            {
                "destination": "https://127.0.0.1:8123",
                "protocol": "tls",
                "custom_domain": ""
            }
        ],
        "relay_enabled": false, 
        "relays": [
            {
                "destination": "https://127.0.0.1:8123"
            }
        ]
}

Option #3: TLS tunnels with custom domain names and Let’s Encrypt certificates

If you have your own registered domain name and a valid SSL certificate and key, use this option. You can get a free SSL certificate and key from "Let's Encrypt". Use this option if you want a trouble-free, highly secure and professional-looking custom domain name for your Home Assistant home page (e.g. https://ha.example.com). This option also provides full end-to-end SSL/TLS encryption to avoid “man-in-the-middle”.

Home Assistant SocketXP Addon - SSL/TLS Tunnel configuration

{
        "authtoken": "<your-auth-token-goes-here>",
        "tunnel_enabled": true,
        "tunnels" : [
            {
                "destination": "https://127.0.0.1:8123",
                "protocol": "tls",
                "custom_domain": "ha.example.com"
            }
        ],
        "relay_enabled": false, 
        "relays": [
            {
                "destination": "https://127.0.0.1:8123"
            }
        ]
}

Use the public URL provided by the SocketXP add-on to configure a DNS CNAME record with your domain name provider (Cloudflare, Godaddy, Namecheap, 1&1, etc.). The CNAME record should make your custom domain name point to the SocketXP generated public URL domain.

Accessing the public URL:

Refresh the add-on logs to see the SocketXP public URL being generated for access.

Home Assistant SocketXP Addon - SSL/TLS Tunnel configuration

Add a DNS CNAME Record

Add a DNS CNAME record for your registered domain "ha.example.com" using the DNS configuration tool  at your domain name provider.  Point your custom domain to the above SocketXP public URL "ha-example-com.socketxp.com" as shown below.

Home Assistant SocketXP Addon - SSL/TLS Tunnel configuration

Hereafter, any HTTPS requests coming to your domain URL will be redirected to the SocketXP TLS tunnel endpoint at the SocketXP Cloud Gateway, which in turn will redirect the encrypted traffic towards your Home Assistant running in your home network.

Note: SocketXP Cloud Gateway cannot terminate the  end-to-end SSL/TLS tunnel using its SSL certificate and key.
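
To check from the outside that a TLS tunnel really is end-to-end, you can compare the certificate presented at the public URL with the certificate installed on your Home Assistant. The sketch below is an added example, not code from SocketXP or the add-on; the function names are made up for illustration, and `local_pem` is assumed to hold only your server's own certificate in PEM form. A mismatch means the certificate seen at the public URL is not the one on your server, for example because TLS is being terminated somewhere in between or the DNS record points elsewhere.

```python
import hashlib
import hmac
import socket
import ssl


def fetch_presented_cert(hostname, port=443, timeout=10.0):
    """Return the DER certificate presented for `hostname` (needs network)."""
    ctx = ssl.create_default_context()
    # Chain validation is off on purpose: Option #2 uses a self-signed
    # certificate, and the decision below rests on the fingerprint instead.
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((hostname, port), timeout=timeout) as sock:
        # SNI tells the far end which hostname this connection is meant for.
        with ctx.wrap_socket(sock, server_hostname=hostname) as tls:
            return tls.getpeercert(binary_form=True)


def sha256_fingerprint(der_bytes):
    """SHA-256 fingerprint of a DER-encoded certificate, as hex."""
    return hashlib.sha256(der_bytes).hexdigest()


def compare_with_local(presented_der, local_pem):
    """Compare the certificate seen at the public URL with the local one."""
    local_fp = sha256_fingerprint(ssl.PEM_cert_to_DER_cert(local_pem))
    seen_fp = sha256_fingerprint(presented_der)
    same = hmac.compare_digest(local_fp, seen_fp)
    return {"end_to_end": same, "presented": seen_fp, "local": local_fp}


if __name__ == "__main__":
    # Constructed stand-ins for real certificates so the demo runs offline.
    home_der = b"constructed certificate bytes: home server"
    other_der = b"constructed certificate bytes: some other endpoint"
    home_pem = ssl.DER_cert_to_PEM_cert(home_der)
    print(compare_with_local(home_der, home_pem)["end_to_end"])
    print(compare_with_local(other_der, home_pem)["end_to_end"])
    # Live use: pass fetch_presented_cert("ha.example.com") as presented_der
    # and the contents of your server's certificate file as local_pem.
```

Run it again after every certificate renewal, since the local fingerprint changes when Let's Encrypt issues a new certificate.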

Option #4: Using DuckDNS domain name

If you have a DuckDNS.org domain name and you would like to use it instead of the SocketXP domain name, you could do so.  Specify your DuckDNS domain name in the "custom_domain" field as shown below.

{
        "authtoken": "<your-auth-token-goes-here>",
        "tunnel_enabled": true,
        "tunnels" : [
            {
                "destination": "https://127.0.0.1:8123",
                "protocol": "tls",
                "custom_domain": "home-assistant.duckdns.org"
            }
        ],
        "relay_enabled": false, 
        "relays": [
            {
                "destination": "https://127.0.0.1:8123"
            }
        ]
}

Next, you need to go to DuckDNS.org website and associate the IP address of the SocketXP Public URL domain with your DuckDNS domain name.

Ping the SocketXP public URL domain name to get its IP address.

$ ping home-assistant-duckdns-org.socketxp.com
PING home-assistant-duckdns-org.socketxp.com (34.106.57.142): 56 data bytes
64 bytes from 34.106.57.142: icmp_seq=0 ttl=62 time=222.436 ms
64 bytes from 34.106.57.142: icmp_seq=1 ttl=62 time=222.565 ms
64 bytes from 34.106.57.142: icmp_seq=2 ttl=62 time=222.504 ms
64 bytes from 34.106.57.142: icmp_seq=3 ttl=62 time=224.236 ms
64 bytes from 34.106.57.142: icmp_seq=4 ttl=62 time=222.449 ms
^C
--- home-assistant-duckdns-org.socketxp.com ping statistics ---
5 packets transmitted, 5 packets received, 0.0% packet loss
round-trip min/avg/max/stddev = 222.436/222.838/224.236/0.700 ms

Pick the IP address from the ping response and associate it with your DuckDNS.org domain name as shown below.

SocketXP Hassio Add-on SSL/TLS tunnel - configure DuckDNS record

Remember that you need to get an SSL certificate and key for your DuckDNS domain name and use them to run your Home Assistant instance as an HTTPS service.

We don't recommend this DuckDNS domain option to configure the end-to-end TLS tunnel. But you can do so if you wish.  It should work fine, with some limitations.

Note: The IP address of the SocketXP public URL could change without any notice, because our service runs in the cloud. It's your responsibility to check the DuckDNS DNS record and update it with the new IP address when that happens.
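
Because a stale record would keep sending your browser to an address that no longer belongs to your tunnel, the check described in the note is worth automating. The following is an added example, not part of the SocketXP add-on: it compares what the DuckDNS name resolves to with what the SocketXP public URL resolves to. The hostnames and the first address come from the ping output above; `203.0.113.10` and the function names are constructed for illustration.

```python
import socket

# Constructed DNS answers so the example runs offline. The first address is a
# made-up documentation address; the second is the one in the ping output above.
CONSTRUCTED_DNS = {
    "home-assistant-duckdns-org.socketxp.com": ["203.0.113.10"],
    "home-assistant.duckdns.org": ["34.106.57.142"],
}


def constructed_resolver(hostname):
    """Offline stand-in for resolve_ipv4, backed by CONSTRUCTED_DNS."""
    return CONSTRUCTED_DNS[hostname]


def resolve_ipv4(hostname):
    """Return the sorted IPv4 addresses a hostname currently resolves to."""
    infos = socket.getaddrinfo(hostname, None, family=socket.AF_INET,
                               type=socket.SOCK_STREAM)
    return sorted({info[4][0] for info in infos})


def check_duckdns_record(socketxp_host, duckdns_host, resolver=resolve_ipv4):
    """Compare the DuckDNS record with the SocketXP public URL's addresses."""
    try:
        gateway = set(resolver(socketxp_host))
        current = set(resolver(duckdns_host))
    except OSError as exc:  # socket.gaierror is a subclass of OSError
        return {"status": "lookup-failed", "detail": str(exc)}
    # Any address in the DuckDNS record that the gateway no longer uses is stale.
    stale = current - gateway
    if not current or stale:
        return {"status": "stale", "stale": sorted(stale),
                "update_to": sorted(gateway)}
    return {"status": "ok", "address": sorted(current)}


if __name__ == "__main__":
    print(check_duckdns_record("home-assistant-duckdns-org.socketxp.com",
                               "home-assistant.duckdns.org",
                               resolver=constructed_resolver))
```

Drop the `resolver` argument to run it against live DNS, for example from a scheduled job that alerts you when the status is not `ok`.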

Creating Remote Access to multiple Applications:

The SocketXP add-on has the option to create an "array" of TLS tunnels and webhook relay tunnels using a single add-on. You can create as many SSL/TLS tunnels or webhook relay tunnels as you need (limited only by your subscription plan) to connect one or more add-ons running in your Home Assistant server, as shown in the example below.

Home Assistant SocketXP Addon - SSL/TLS Tunnels, Remote Access and Webhook Relay for Node-RED, Grafana, Cloud9 and InfluxDB

Here is a sample config to connect to multiple add-ons:

{
        "authtoken": "<your-auth-token-goes-here>",
        "tunnel_enabled": true,
        "tunnels" : [
            {
                "destination": "https://127.0.0.1:8123",
                "protocol": "tls",
                "custom_domain": "ha.example.com"
            },
            {
                "destination": "https://127.0.0.1:1880",
                "protocol": "tls",
                "custom_domain": "node.example.com"
            },
            {
                "destination": "https://127.0.0.1:3000",
                "protocol": "tls",
                "custom_domain": "graph.example.com"
            },
            {
                "destination": "https://127.0.0.1:8321",
                "protocol": "tls",
                "custom_domain": "c9.example.com"
            }
        ],
        "relay_enabled": true, 
        "relays": [
            {
                "destination": "https://127.0.0.1:8123"
            },
            {
                "destination": "https://127.0.0.1:1880"
            }
        ]
}
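
With several tunnels in one config it is easy to leave one of them on the weaker hop-by-hop setting described under Option #1, or to point a "tls" tunnel at an application that does not speak HTTPS. The audit below is an added example and not part of the SocketXP add-on; the finding names and the loopback check are assumptions made for illustration, and only the "http" and "tls" protocol values shown on this page are recognised.

```python
import json
from urllib.parse import urlparse

# Constructed sample in the add-on's config format; tunnel 1 is deliberately
# mismatched (protocol "tls" with a plain-HTTP destination).
SAMPLE_CONFIG = """
{
  "authtoken": "<your-auth-token-goes-here>",
  "tunnel_enabled": true,
  "tunnels": [
    {"destination": "http://127.0.0.1:8123", "protocol": "http", "custom_domain": ""},
    {"destination": "http://127.0.0.1:1880", "protocol": "tls", "custom_domain": "node.example.com"},
    {"destination": "https://127.0.0.1:3000", "protocol": "tls", "custom_domain": "graph.example.com"}
  ]
}
"""

LOOPBACK = {"127.0.0.1", "localhost", "::1"}


def audit_config(config_text):
    """Return (code, tunnel_index) findings; index is None for global findings."""
    cfg = json.loads(config_text)
    findings = []
    token = cfg.get("authtoken", "")
    if not token or token.startswith("<"):
        findings.append(("authtoken-placeholder", None))
    if not cfg.get("tunnel_enabled"):
        return findings
    for i, tunnel in enumerate(cfg.get("tunnels", [])):
        proto = tunnel.get("protocol", "")
        dest = urlparse(tunnel.get("destination", ""))
        if proto == "http":
            # Option #1: TLS ends before the application, last hop is clear text.
            findings.append(("hop-by-hop", i))
            if dest.hostname not in LOOPBACK:
                # Assumption: a non-loopback destination puts that hop on the LAN.
                findings.append(("cleartext-leaves-host", i))
        elif proto == "tls":
            # Pass-through only works if the application itself terminates TLS.
            if dest.scheme != "https":
                findings.append(("tls-backend-not-https", i))
        else:
            findings.append(("unknown-protocol", i))
    return findings


if __name__ == "__main__":
    for code, index in audit_config(SAMPLE_CONFIG):
        print(index, code)
```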

Issue reporting & support

If you have any questions or have encountered an issue, please collect the SocketXP add-on logs and provide them at https://github.com/socketxp-com/home-assistant/issues or email us at support@socketxp.com.