In the previous article, we set up Home Assistant on a Raspberry Pi 3 using the All-In-One Installer. We also set up Samba so we could access the Home Assistant configuration files from a Windows computer. Today, we are going to configure Home Assistant so we can access it remotely from anywhere.
Remote access configuration
Before you begin the remote access setup, make sure that your Raspberry Pi is configured to always get the same IP address from your router. This prevents the router from giving the IP address to another device after a power outage, a router reboot or a Raspberry Pi reboot.
Step 1 – Password Protect Home Assistant
To prevent unwanted access to Home Assistant, set up a password in the configuration.yaml file.
If you set up Samba using the steps in the previous article, open the Home Assistant shared folder by going into the Windows File Explorer > Network. Then, click on the RASPBERRYPI shared drive and click on the Home Assistant folder. Open the configuration.yaml file using an application like Notepad++. Under HTTP, you will see the line #api_password: Password. Remove the hash # to uncomment the line and enter a new password. The line would now look somewhat like this: api_password: YourNewPassword.
Save the file, then SSH to the Raspberry Pi and restart Home Assistant with the command
sudo systemctl restart home-assistant.service
Reopen the Home Assistant web interface, and you will be prompted to enter a password.
Step 2 – Create a Duck DNS account and set up a new subdomain
Most Internet service providers give dynamic IP addresses to residential accounts. That means that the public IP address changes over time. To avoid issues with the remote connection in the future, we are going to set up a Duck DNS account. With Duck DNS, we can create a subdomain of duckdns.org (e.g., https://exampledns.duckdns.org) and point it to a specific IP address. Duck DNS can also track changes to the public IP address, so it automatically updates the DNS configuration.
Open your browser and go to www.duckdns.org. After signing in with one of the available Sign-in options, create a new Duck DNS subdomain. Then on the top, click on Install, then select Pi as the operating system and then select the new subdomain name we created.
After you select your domain name, Duck DNS will provide the necessary steps to follow to set it up in the Raspberry Pi.
SSH to your Raspberry Pi, create a new directory named duckdns and then move into it.
mkdir duckdns
cd duckdns
Now, we need to create a script so type the command
vi duck.sh
Before you press Enter, go back to the Duck DNS website and copy the string that has your domain name and your token number. The full command would look something like this
echo url="https://www.duckdns.org/update?domains=Your_Domain_Name&token=Your_Token_Number&ip=" | curl -k -o ~/duckdns/duck.log -K -
Now go back to the command prompt and press Enter. Then, press i, paste the string that you copied from the Duck DNS website and save the file by pressing Esc > : > w > q > ! > Enter.
The next step is to make the new file executable so enter the command
chmod 700 duck.sh
Then, we are going to make the script run every 5 minutes so type the command
crontab -e
And then scroll to the bottom of the crontab and enter the command
*/5 * * * * ~/duckdns/duck.sh >/dev/null 2>&1
Now save the changes by pressing Ctrl+X and then Y.
To check that everything is working correctly, type the command ./duck.sh. After it runs, it should come back to a prompt.
Then run the command cat duck.log to verify that the last attempt was successful. If it shows OK, then everything is working with no problem. If it shows KO, then you will need to check the script to make sure that the domain and the token number are correct.
Step 3 – Set up Let’s Encrypt
Let’s Encrypt provides free SSL certificates, so we are going to set it up to secure the connection to the Home Assistant server.
First, you need to create a new port forwarding rule on your router. Every router's settings are different, so I would not be able to tell you exactly where to go to set up port forwarding. You can always do a Google search for port forwarding on a specific router brand to get the steps. Here is an example of how it would be set up on an Asus router:
- Service name: ha_lets_encrypt
- Port Range: 80
- Local IP: Your_Home_Assistant_IP
- Local Port: 80
- Protocol: Both
Note: Some Internet service providers block port 80, so if you do not have access to this port, you can set up the port forwarding rule to forward to port 443 instead.
After the port forwarding rule is set up, go back to the SSH connection. You should still be in the duckdns folder, so use the command cd to go back to your home directory. Now, we need to create a new directory for the certbot software, download it and give it the appropriate permissions using the following commands:
mkdir certbot
cd certbot
wget https://dl.eff.org/certbot-auto
chmod a+x certbot-auto
Next, to get the SSL certificate, run the following command and enter your email address and the Duck DNS URL in the appropriate areas:
./certbot-auto certonly --standalone --preferred-challenges http-01 --email your@emailaddress.com -d examplehome.duckdns.org
After certbot has run, it will create an SSL certificate and other files and place them in the folder /etc/letsencrypt/. You can verify that the data is there by using the command ls /etc/letsencrypt/live/. This command will show a folder named after your Duck DNS URL.
The Home Assistant user needs access to the letsencrypt folder so enter the following commands to change the permissions:
sudo chmod 755 /etc/letsencrypt/live/
sudo chmod 755 /etc/letsencrypt/archive/
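A check worth running after this change: mode 755 lets every local account enter live/ and archive/, so the private key is then protected only by its own file mode. The script below is an added example, not part of the original article; the function names and the constructed sample tree are assumptions for illustration.

```shell
#!/bin/sh
# Added example, not from the original article.

# exposed_keys DIR: print every privkey*.pem under DIR that "others" can read.
# -L follows the live/ -> archive/ symlinks that certbot creates.
exposed_keys() {
    find -L "$1" -type f -name 'privkey*.pem' -perm -004 2>/dev/null | sort
}

# Constructed sample tree (empty files) that mirrors the certbot layout.
make_sample_tree() {
    root=$(mktemp -d) || return 1
    site=examplehome.duckdns.org
    mkdir -p "$root/archive/$site" "$root/live/$site"
    : > "$root/archive/$site/privkey1.pem"
    : > "$root/archive/$site/fullchain1.pem"
    ln -s "../../archive/$site/privkey1.pem" "$root/live/$site/privkey.pem"
    chmod 755 "$root/live" "$root/archive"        # the change made in this step
    chmod 644 "$root/archive/$site/privkey1.pem"  # key left world-readable
    chmod 644 "$root/archive/$site/fullchain1.pem"
    echo "$root"
}

tree=$(make_sample_tree)
echo "Before tightening the key mode:"
exposed_keys "$tree"
chmod 640 "$tree/archive/examplehome.duckdns.org/privkey1.pem"
echo "After chmod 640 (owner and group only):"
exposed_keys "$tree"
rm -rf "$tree"
```

On the Raspberry Pi, run the function against /etc/letsencrypt with sudo; an empty result means no private key is readable by accounts outside the file's owner and group.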
Step 4 – Edit the configuration.yaml file and test the connection
Ok, so the certificate is now created. If you had to use port 443 instead of port 80 for the ha_lets_encrypt port forwarding rule, you should delete it now. If you used port 80, then you can leave it as it is. Then, create a new port forwarding rule using the following information:
- Service name: ha_ssl
- Port Range: 443
- Local IP: Your_Home_Assistant_IP
- Local Port: 8123
- Protocol: Both
After that, we need to access the configuration.yaml file and enter the following information under HTTP to reflect the SSL certificate information and the base URL:
Remember to change the examplehome subdomain to your subdomain.
http:
  api_password: YOUR_PASSWORD
  ssl_certificate: /etc/letsencrypt/live/examplehome.duckdns.org/fullchain.pem
  ssl_key: /etc/letsencrypt/live/examplehome.duckdns.org/privkey.pem
  base_url: examplehome.duckdns.org
There are more options that you can set up to further secure your HTTP connection; the Home Assistant documentation for the HTTP component lists all the available options. Next, save the changes and restart Home Assistant via SSH using the command:
sudo systemctl restart home-assistant.service
Before, to access Home Assistant from inside the home network, we needed to type the device's IP address plus port 8123 (e.g., http://192.168_._:8123). Now, we can access it securely over https using the Duck DNS URL.
https://examplehome.duckdns.org
Step 5 – Set up a sensor to monitor the SSL certificate expiration date
Certificates provided by Let’s Encrypt only last for 90 days. We can set up a sensor on the Home Assistant web interface to monitor how long we have left before we have to renew the certificate.
First, we are going to install the SSL certificate checker program so SSH to your Raspberry Pi and enter the following command:
sudo apt-get update
sudo apt-get install ssl-cert-check
Then, open the configuration.yaml file from your Samba shared folder and enter the following:
Remember to change the examplehome subdomain to your subdomain.
sensor:
  - platform: command_line
    name: SSL ETA
    unit_of_measurement: days
    scan_interval: 10800
    command: "ssl-cert-check -b -c /etc/letsencrypt/live/examplehome.duckdns.org/cert.pem | awk '{ print $NF }'"
Save the changes to the configuration.yaml file and restart Home Assistant. Then, reopen Home Assistant, and you should now have a sensor at the top showing the remaining days of the SSL certificate.
Step 6 – Set up automatic renewal for the SSL certificate
Ok, so the last thing that we need to do is set up the Let’s Encrypt certificate to auto-renew. To accomplish this, we are going to schedule a task in Cron. SSH to your Raspberry Pi and open the Cron table with the command crontab -e, then scroll all the way down and paste the following:
- If you set port 80 for the ha_lets_encrypt port forwarding rule in step 3 then paste this command
30 2 * * 1 ~/certbot/certbot-auto renew --quiet --no-self-upgrade --standalone --preferred-challenges http-01
- If you set up port 443 instead then use this command
30 2 * * 1 ~/certbot/certbot-auto renew --quiet --no-self-upgrade --standalone --preferred-challenges tls-sni-01 --tls-sni-01-port 8123 --pre-hook "sudo systemctl stop home-assistant@homeassistant.service" --post-hook "sudo systemctl start home-assistant@homeassistant.service"
When done entering the commands, save the changes to the Cron table by pressing Ctrl+X and then Y. Now, when there are fewer than 30 days left before the certificate expires, the scheduled command will automatically renew it.
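To confirm from the shell that the cron job is keeping the certificate outside the 30-day window, independent of the sensor from step 5, the expiry date can be read directly with openssl. This is an added example, not part of the original article; the function names are illustrative, the sample certificates are self-signed ones generated on the spot, and it assumes openssl and GNU date are installed.

```shell
#!/bin/sh
# Added example, not from the original article. Assumes openssl and GNU date.

# cert_days_left FILE: whole days until the certificate's notAfter date.
cert_days_left() {
    end=$(openssl x509 -noout -enddate -in "$1" 2>/dev/null) || return 2
    end_s=$(date -u -d "${end#notAfter=}" +%s) || return 2
    echo $(( (end_s - $(date -u +%s)) / 86400 ))
}

# renewal_due FILE [DAYS]: succeeds when FILE expires within DAYS (default 30,
# the renewal window described above). Returns 2 when FILE is not a readable
# certificate, so a missing file is never mistaken for "due" or "ok".
renewal_due() {
    openssl x509 -noout -in "$1" >/dev/null 2>&1 || return 2
    if openssl x509 -noout -checkend $(( ${2:-30} * 86400 )) -in "$1" >/dev/null 2>&1
    then
        return 1    # still valid beyond the window
    fi
    return 0        # inside the window (or already expired)
}

# Constructed sample: a self-signed certificate valid for $1 days.
make_sample_cert() {
    dir=$(mktemp -d) || return 1
    openssl req -x509 -newkey rsa:2048 -nodes -days "$1" \
        -subj "/CN=examplehome.duckdns.org" \
        -keyout "$dir/privkey.pem" -out "$dir/cert.pem" >/dev/null 2>&1 || return 1
    echo "$dir/cert.pem"
}

fresh=$(make_sample_cert 90)   # like a newly issued Let's Encrypt certificate
stale=$(make_sample_cert 10)   # like one the cron job failed to renew
for c in "$fresh" "$stale"; do
    if renewal_due "$c"; then state="renewal due"; else state="ok"; fi
    echo "$(cert_days_left "$c") days left: $state"
done
rm -rf "$(dirname "$fresh")" "$(dirname "$stale")"
```

On the Raspberry Pi, point both functions at /etc/letsencrypt/live/examplehome.duckdns.org/cert.pem, using your own subdomain.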
Ok so there you have it, we were able to set up remote access to Home Assistant and set up the certificate to auto-renew. In future articles, I will cover how to set up !secrets, and I will also go over the configuration.yaml file so you can have a better understanding of how it works.