Home Assistant – How to set up remote access

In the previous article, we set up Home Assistant on a Raspberry Pi 3 using the All-In-One Installer. We also set up Samba so we could access the Home Assistant configuration files from a windows computer. Today, we are going to configure Home Assistant so we can have remote access from anywhere we are.

 

Remote access configuration

Before you begin the remote access setup, you want to make sure that your Raspberry Pi is configured to get the same IP address from your router at all times. This step will avoid the router from releasing the IP address to another device in the event of a power outage, router reboot or Raspberry Pi reboot.

 

Step 1 – Password Protect Home Assistant

To prevent unwanted access to Home Assistant, set up a password in the configuration.yaml file.

If you set up Samba using the steps in the previous article. Open the Home Assistant shared folder by going into the Windows File Explorer > Network. Then, click on the RASPBERRYPI shared drive and, click on the Home Assistant folder. Open the configuration.yaml file using an application like Notepad++. Under HTTP, you will see the line #api_password: Password. Remove the hash # to uncomment the line and enter a new password. The line would now look somewhat like this: api_password: YourNewPassword.

configuration change password
Uncomment by removing the hash “#” and enter a new password. It should look somewhat like this: api_password: NewPassword

 

Save the file then, SSH to the Raspberry Pi and restart Home Assistant with the command

sudo systemctl restart home-assistant.service

Reopen the Home Assistant web interface and, you will be prompted to enter a password.

Home Assistant password prompt
Home Assistant Log in screen

 

Step 2 – Create a Duck DNS account and set up a new subdomain

Duck DNS
www.duckdns.org

Most Internet service providers give dynamic IP addresses to residential account. That means that over time the public IP address changes. To avoid having issues with the remote connection in the future, we are going to set up a Duck DNS account. With Duck DNS, we can create a subdomain of duckdns.org (e.g., https://exampledns.duckdns.org) and point it to a specific IP address. Duck DNS can also track changes to the public IP address, so it automatically updates the DNS configuration.

Open your browser and go to www.duckdns.org. After signing in with one of the available Sign-in options, create a new Duck DNS subdomain. Then on the top, click on Install, then select Pi as the operating system and then select the new subdomain name we created.

Duck DNS 3
1. Click on Install – 2. Select Pi as the operating system – 3. Select the domain created.

 

After you select your domain name, Duck DNS will provide the necessary steps to follow to set it up in the Raspberry Pi.

Duck DNS 4
Steps to configure Duck DNS in a Raspberry Pi provided by duckdns.org

SSH to your Raspberry Pi and create a new directory named, duckdns and then move into it.

mkdir duckdns
cd duckdns

Now, we need to create a script so type the command

vi duck.sh

Before you press Enter, go back to the Duck DNS website and copy the string that has your domain name and your token number. The full command would look something like this

echo url="https://www.duckdns.org/update?domains=Your_Domain_Name&token=Your_Token_Number&ip=" | curl -k -o ~/duckdns/duck.log -K -

Now go back to the command prompt and press Enter. Then, press i and paste the string that you copy from the Duck DNS website and then, save the file by pressing Esc > : > w > q > ! > Enter.

The next step is to make the new file executable so enter the command

chmod 700 duck.sh

Then, we are going to make the script run every 5 minutes so type the command

crontab -e

And then scroll to the bottom of the crontab and enter the command

*/5 * * * * ~/duckdns/duck.sh >/dev/null 2>&1

Now save the changes by pressing Ctrl+X and then Y.

 

To check that everything is working correctly, type the command ./duck.sh. After it runs, it should come back to a prompt.

Duck DNS 5

Then run the command cat duck.log to verify that the last attempt was successful. If it shows OK, then everything is working with no problem. If it shows KO, then you will need to check the script to make sure that the domain and the token number are correct.

Duck DNS 6

 

Step 3 – Set up Let’s Encrypt

Let’s Encrypt provides free SSL certificates, so we are going to set it up to secure the connection to the Home Assistant server.

First, you need to create a new port forwarding rule on your router. All routers settings are different, so I would not be able to tell you exactly where to go to set up port forwarding. You can always do a Google search for port forwarding on a specific router brand to get the steps. Here is an example of how it would be set up on an Asus router:

  • Service name: ha_lets_encrypt
  • Port Range: 80
  • Local IP: Your_Home_Assistant_IP
  • Local Port: 80
  • Protocol: Both

NOTE: SOME INTERNET SERVICE PROVIDERS BLOCK PORT 80, SO IF YOU DO NOT HAVE ACCESS TO THIS PORT, YOU CAN SET UP THE PORT FORWARDING RULE TO FORWARD TO PORT 443 INSTEAD.

After the port forwarding rule is set up, go back to the SSH connection. You should still be in the duckdns folder so use the command cd to go back to the root directory. Now, we need to create a new directory for the cerbot software then, download it and give it the appropriate permissions using the following commands:

mkdir certbot
cd certbot
wget https://dl.eff.org/certbot-auto
chmod a+x certbot-auto

Next, to get the SSL certificate, run the following command and enter your email address and the Duck DNS URL in the appropriate areas:

./certbot-auto certonly --standalone --preferred-challenges http-01 --email your@emailaddress.com -d examplehome.duckdns.org

After cerbot has run, it will create an SSL certificate and other files and place them in the folder /etc/letsencrypt/. You can verify that the data is there, by using the following command, ls /etc/letsencrypt/live/. This command will show a file names after your DuckDNS URL.

Duck DNS 7

The Home Assistant user needs access to the letsencrypt folder so enter the following commands to change the permissions:

sudo chmod 755 /etc/letsencrypt/live/
sudo chmod 755 /etc/letsencrypt/archive/

 

Step 4 – Edit the configuration.yaml file and test the connection

Ok, so the certificate is now created. If you had to use port 443 instead of port 80 for the ha_lets_encrypt port forwarding rule, you should delete it now. If you used port 80, then you can leave it as it is. Then, create a new port forwarding rule using the following information:

  • Service name: ha_ssl
  • Port Range: 443
  • Local IP: Your_Home_Assistant_IP
  • Local Port: 8123
  • Protocol: Both

After that, we need to access the configuration.yaml file and enter the following information under HTTP to reflect the SSL certificate information and the base URL:

Remember to change the examplehome subdomain to your subdomain.

http:
  api_password: YOUR_PASSWORD
  ssl_certificate: /etc/letsencrypt/live/examplehome.duckdns.org/fullchain.pem
  ssl_key: /etc/letsencrypt/live/examplehome.duckdns.org/privkey.pem
  base_url: examplehome.duckdns.org

There are more options that you can set up to further secure your HTTP connection. You can click here to check all the available options. Next, save the changes and restart Home Assistant via SSH using the command:

sudo systemctl restart home-assistant.service

Before, to access Home assistant from inside the home network, we needed to type the devices IP address plus port 8123. (e.g., http://192.168_._:8123). Now, we can access it using the DuckDNS URL and securely with https.

https://examplehome.duckdns.org

 

Step 5 – Set up a sensor to monitor the SSL certificate expiration date

Certificates provided by Let’s Encrypt only last for 90 days. We can set up a sensor on the Home Assistant web interface to monitor how long we have left before we have to renew the certificate.

First, we are going to install the SSL certificate checker program so SSH to your Raspberry Pi and enter the following command:

sudo apt-get update
sudo apt-get install ssl-cert-check

Then, open the configuration.yaml file from your Samba shared folder and enter the following:

Remember to change the examplehome subdomain to your subdomain.

sensor:
  - platform: command_line
    name: SSL ETA
    unit_of_measurement: days
    scan_interval: 10800
    command: "ssl-cert-check -b -c /etc/letsencrypt/live/examplehome.duckdns.org/cert.pem | awk '{ print $NF }'"

Save the changes to the configuration.yaml file and restart home Assistant. Then, reopen home assistant, and you should now have a sensor at the top showing the remaining days of the SSL certificate.

Duck DNS 8
SSL Certificate sensor

 

Step 6 – Set up automatic renewal for the SSL certificate

Ok, so the last thing that we need to do is set up the Let’s Encrypt certificate to auto-renew. To accomplish this, we are going to schedule a task in Cron. SSH to your Raspberry Pi and open the Cron table with the command crontab -e then scroll all the way down and paste the following:

  • If you set port 80 for the ha_lets_encrypt port forwarding rule in step 3 then paste this command
30 2 * * 1 ~/certbot/certbot-auto renew --quiet --no-self-upgrade --standalone --preferred-challenges http-01
  • If you set up port 443 instead then use this command
30 2 * * 1 ~/certbot/certbot-auto renew --quiet --no-self-upgrade --standalone --preferred-challenges tls-sni-01 --tls-sni-01-port 8123 --pre-hook "sudo systemctl stop home-assistant@homeassistant.service" --post-hook "sudo systemctl start home-assistant@homeassistant.service"

When done entering the commands, save the changes to the Cron table by pressing Ctrl+Xand then Y. Now what’s going to happen is that when there are less than 30 days left for the certificate to expire, the script will automatically run and renew it.

Ok so there you have it, we were able to set up remote access to Home Assistant and set up the certificate to auto-renew. In future articles, I will cover how to set up !secrets, and I will also go over the configuration.yaml file so you can have a better understanding of how it works.


Don’t forget to follow me on social media and YouTube, so you do not miss any future written guides, tutorial videos and product reviews.

 

WANT TO SUPPORT JUANMTECH?

You can do so now on Patreon and Buy Me A Coffee