Thanks for the tip. I'll look into that.

@@mostlychris checkout the "Cloudflared" addon by brenner-tobias, this makes it super easy

Will do!

Interesting. I hadn't seen that. Thanks for the tip!

I've started to use the tunnel. Be good if could use automation to turn off tunnel if phone presence at home.

@@MartinHiggs84 hi but by using tunnel ..your home assistant local runs on http ..not https ...any fix for that?

Hello i did the cloudflare process, does that mean that my connection is already secured? Im a newbie

Thanks for the clarification Eric. VPN is the only real way for end-to-end encryption. How is Nabu doing it?

​@@mostlychristhanks

You're welcome!

Lol. Thanks Mr. Barett!

Thanks!

I know that pain. I have been just accepting the SSL to IP mismatch for now. I am still experimenting with a way to access SSL both internal and external. Since I have two instances of HA running, this demo was on my secondary and not my primary. On my primary, use the same url both external and internal and when internal, AdGuard rewrites my DNS query to the internal IP. This one is not going through Cloudflare though, so I don't have the origin cert installed there.

Thanks! I'll add your suggestion to my list of video ideas.

Thanks!

Thanks for watching!

Thank you Kapil for watching and joining the channel! There is a developer section for accessing HA API over at developers.home-assistant.io/.

Thank you!

You're welcome!

FWIW, I have a Let's Encrypt wildcard certificate for my domain and a wildcard DNS entry. I point this to a single port on my reverse proxy (which runs on my router). The reverse proxy then forwards to each backend server based on hostname. In addition, I also require authentication inside the reverse proxy by default. That way no traffic (random internet scans) can reach the backend server without first being 2FA authenticated. I prefer going this route because everything I need to access on my home network can be reached over http/https. This requires a one-time setup of the reverse proxy and no setup on each end device. Had I needed to use something other than http/https, I'd have considered a VPN. I'm not a fan of cloud-based solutions, so Cloudflare/NabuCasa/Tailscale/ZeroTier are all no-go for me. I have zero concerns about being port scanned. I just keep my reverse proxy up-to-date.

This really depends on you. As Eric mentioned in his comment, I think that nginx reverse proxy is a good solution if you don't want to use a VPN. This allows connections over SSL to your hosts inside your network and can also add an additional layer of security with specific proxy auth.

Welcome to HA. I would need more details on how this is failing and how you set things up. Discord is the best place to have a discussion such as this.

You've got to get to the public facing IP of your local network.

You are going to have to access at the local IP address with https. Alternatively, you can use nginx proxy manager local DNS such as pi-hole or AdGuard to have a rewrite point you to your domain.

Probably. I haven't played with that but I have been asked to make a video on some other Cloudflare access methods. If anything, you can set up a zero trust connection to something in your local network and then access HA at the local network IP address assuming it is on the same subnet.

I think you probably can. NPM is just a service running on your network. As long as you can get to it, you can forward to any IP/port inside your network.

@@mostlychris it works. Only had to add a couple of lines of code to configuration.yaml specifying a couple of local addresses and the proxy server.

Oh! Yeah, I forgot about that. You have to allow proxies like you did. It was a security feature added quite awhile ago.

Had to do some digging around but found it. Thanks 🙏 I'm getting more and more excited about HA every day. Keep figuring out more features and tricks to make things better every time. Really appreciate everyone in the community, everyone seems to be more than willing to help others. Lots of love to you all from The Netherlands and keep up the good work ⚒

Thanks for pointing that out. There are a number of ways to tell various DNS providers what your IP is and those update automatically. Too many to mention in the video but I've used quite a few over the years.

For this type of situation, you might be better using something like Nabu Casa (Home Assistant's Cloud). This gives you access to those devices. Keep in mind that there are a number of different access solutions for Home Assistant and not all of them will fit every setup. You'll have to choose which one is best for your setup. FWIW, I run both Alexa and Google smart speakers but the local TTS and other stuff is still working. I am connected to Nabu Casa on my production box as well has having the ability to tunnel and use other access methods.

Why is that?

It's pretty easy. You could set up something like duckdns to keep your IP address up to date. Then on cloudflare you would use a cname record instead of an A record that points to your duckdns hostname instead of the IP.

@@jmr I understand it is possible, but I come to the Internet to find full solution, not half one that requires knowledge I may not have. And I believe that people with a Dynamic IP outnumbered by far the number of people with Fixed IP - so why target the minority only? I would have add maybe an extra 2-3 minutes to the video. That is not too much !

@@jmr why anything on top of duckdns? what is the benefit? if you want real security you use your own vpn on your lan and go to your HA (not only) through this

@@hkitservices I can't argue with that reasoning. Just an oversight probably. Dynamic IP definitely outnumber fixed in his audience.

@@zyghom The primary but not only advantage of this setup is that it can stop DDOS attacks. Not everyone wants to run a VPN constantly on all their devices to talk to their system. VPNs are also difficult when running outside services that must talk to Home Assistant. I really think this is primarily in there for completeness which I believe he mentioned. I have been considering this setup for months and might eventually try it.

I'm not sure I understand this question.

I was using Google Domains and then moved to Google DNS that allowed me to renews SSL certs via automation. Then I decided to go to Cloudflare to keep it all under one roof. I can also do SSL renewal via Letsencrypt and automation using Cloudflare so that's a plus. I also use Cloudflare as my registrar. How did you get free at Google? I was paying for each domain.

@@mostlychris I'm paying for domain registration and I'm getting "domain privacy" free. It's doesn't show my contact information. I referred to it as "private registration". That was poor phrasing. That feature will probably be offered free by more companies given EU legislation that I believe basically requires it for customers in the EU anyway.

I use that feature as well. All domains belong to "jaifjieawefaw" or something like that, lol.