Home Assistant set-up question - sorting out external access

Forums › Gadgets, robotics, home automation, electronics (including wearables) › Home Assistant set-up question - sorting out external access

jonathan18

7413 posts

Uber Geek

ID Verified

Trusted

#304297 21-Apr-2023 17:31

I've installed HA via Docker on a Synology NAS; installation went fine (and I was pleasantly suprised to see all our Mi bulbs already in there), but I've hit a snag at the first step of getting it to integrate with Google Home (we have GH devices in most rooms), ie exposing it to the internet.

I understand that my options are limited in that I'm not able to install add-ons given the type of HA install (eg, can't use Cloudflared or Tailscale); other than paying for a Nabu Casa sub, what are the best ways to link HA to GH?

Will the DuckDNS/Let's Encrypt method work, or are there other ways to do this? Or am I best to use a different installation method for HA that won't limit my options? (I do have a spare RPi, but would prefer to have it running on the NAS.)

Thanks for any assistance.

1 | 2

465 posts

Ultimate Geek

#3066697 21-Apr-2023 17:47

Which ISP are you with? Or do you know if you have a static/public IP address?

jonathan18

7413 posts

Uber Geek

ID Verified

Trusted

#3066698 21-Apr-2023 17:51

We're with 2D and we were behind CGNAT, but currently have a static IP (free for the next eight months or so, and then have to determine whether it's worth paying for...).

amanzi

Amanzi
1299 posts

Uber Geek

ID Verified

Trusted

Lifetime subscriber

#3066700 21-Apr-2023 18:03

What are you wanting to integrate with Google? Do you want your HA devices to show up in Google Home?

jonathan18

7413 posts

Uber Geek

ID Verified

Trusted

#3066730 21-Apr-2023 19:49

Yep, I'm wanting to be able to use GH to provide voice control over devices adding directly to HA.

At this stage it's very much an experiment to see if I can get HA running properly before I fully commit to it, but I only need a few devices that connect directly into HA to reach that point: I'm thinking of using Tuya Local to control the various Tuya-based WiFi bulbs and plugs we've already got. But no point doing that until I can ensure we can control them via GH, hence needing to sort that out...

mattenz

190 posts

Master Geek

#3066898 22-Apr-2023 13:12

You're not really limited, HA add-ons are just Docker containers. However, you will be limited by how much you know/are willing to learn about Docker.

I'm running HA in a container on Unraid, and have an Nginx Proxy Manager container providing reverse proxy to a subdomain, but the DuckDNS route is also common.

Probably make sure that you enable 2FA before you start exposing things.

jonathan18

7413 posts

Uber Geek

ID Verified

Trusted

#3066923 22-Apr-2023 14:24

Thanks for the explanation; I get now that it’s possible, but would it be simpler for me to uninstall the current version of HA and replace it with the supervised version, as per these instructions? This way I understand comes with direct support for add-ons, so don’t need to manage them as separate containers. Or will there be other downsides from using the supervised version? (I’ve read it’s for ‘advanced’ users, which I’m never going to be, but the initial interface seems to be the same.)

Thanks, yep I have 2FA enabled; I wasn’t able to sort out https access for HA, though (I have it working for accessing the NAS’s DSM interface and other things on it, however) - is that an issue I also need to resolve?

Spyware

3764 posts

Uber Geek

Lifetime subscriber

#3067009 22-Apr-2023 15:51

jonathan18:

Thanks, yep I have 2FA enabled; I wasn’t able to sort out https access for HA, though (I have it working for accessing the NAS’s DSM interface and other things on it, however) - is that an issue I also need to resolve?

You need to elaborate and explain what you mean exactly. Reverse proxy doesn't work for some reason??

Spark Max Fibre using Mikrotik CCR1009-8G-1S-1S+, CRS125-24G-1S, Unifi UAP, U6-Pro, UAP-AC-M-Pro, Apple TV 4K (2022), Apple TV 4K (2017), iPad Air 1st gen, iPad Air 4th gen, iPhone 13, SkyNZ3151 (the white box). If it doesn't move then it's data cabled.

Sharesies

Trade NZ and US shares and funds with Sharesies (affiliate link).

amanzi

Amanzi
1299 posts

Uber Geek

ID Verified

Trusted

Lifetime subscriber

#3067028 22-Apr-2023 17:43

jonathan18:

I wasn’t able to sort out https access for HA, though (I have it working for accessing the NAS’s DSM interface and other things on it, however) - is that an issue I also need to resolve?

Yes - this is the first thing you need to solve before trying to set up the Google integration. Google needs to be access your HA from the internet over HTTPS, which means you need a domain name and SSL cert. This is pretty straight forward to do, but I'm not sure how you would do this on your NAS.

If you aren't able to do this, then your other option is to pay Nabu Casa the monthly subscription and do it that way. They do offer a 1 month free trial.

spmiller

41 posts

Geek

Lifetime subscriber

#3067035 22-Apr-2023 18:12

My HA instance is exposed via a Cloudflare tunnel. I like this solution as it only makes the single service accessible onto the Internet, i.e. not all ports.

I also run HA in a container. The Cloudflare stuff is completely separate from it; HA doesn't 'know' that it is accessible via the Internet.

Jase2985

13463 posts

Uber Geek

ID Verified

Lifetime subscriber

#3067087 22-Apr-2023 23:11

i think i have just got my Home Assistant Docker install on a Synology NAS working with Google Assistant.

Was a bit of a mission but got there in the end, and i had to make sure things like Smart Life (Tuya alternative app) was disconnected from GA on my phone first to make sure it wasn't doing the work instead of HA.

I setup synology DDNS:
https://mariushosting.com/synology-how-to-enable-https-on-dsm-7/

Added a wildcard certificate to enable access and configured the reverse proxy for home assistant:
https://mariushosting.com/synology-how-to-add-wildcard-certificate/

Tested the above to see if i could access the HA instance via https://ha.myhostname.synology.me which worked.

This next process was the laborious and a right PITA, and and i don't know exactly what i did to get it to work but ill list the pages that helped.

https://www.home-assistant.io/integrations/google_assistant/

Under "Google Cloud Platform configuration" step 3 you need to do this as well

https://community.home-assistant.io/t/can-no-longer-link-google-assistant/409495/19
Click the deploy tab at the top then directory information on the left hand side, fill in the info in the above link.

Then carry on with step 4 "Go to Google Cloud Platform"

I had to open my firewall on the Synology to the USA as it wasn't receiving/seeing some of the smart switches, will look into that a little more later, but i think thats to do with where the Tuya Server is located, ill try setting up localTuya on HA next and see if that changes things.

I haven't gone much past that, i got it working from both a google speaker and via my phone on mobile data. Can see the logs in HA confirming that the commands were received.

Also did this:
https://www.home-assistant.io/integrations/google_assistant_sdk/

Also remember to make sure your firewall is setup on the NAS if your exposing it to the world, and go through best practices for DDNS and Docker
https://mariushosting.com/synology-best-practices-when-using-docker-and-ddns/

There was a bit of googling with some of the errors, and i cant remember everything i did, but even with all that it only took me about 2.5h to do.

And i do apoligize i fthere is something missing, if you get stuck somewhere let me know and ill see if i can remember what to do next/to fix it.

michaelmurfy

meow
13260 posts

Uber Geek

Moderator

ID Verified

Trusted

Lifetime subscriber

#3067091 22-Apr-2023 23:40

You CAN use Cloudflared on a Synology to expose your Docker container.

Just note - you actually don't need to forward any ports for this at all making it work well in conjunction with CG-NAT.

If you have a domain then great. If you don't then grab one from https://metaname.net

Set up Cloudflare on it then you're ready for Cloudflared:

Synology setup and general setup:

When you come to the step exposing your Home Assistant instance considering Cloudflared will be running in a docker container you need to specify the IP address of your Synology NAS in the hostname configuration (instead of "localhost") like so:

If you're using HTTPS then ensure you enable "No TLS Verify" in your Tunnel Public Hostname configuration in Zero Trust.

Happy to help out too if you have any questions - just post here. But I can confirm this also works well with Google Assistant (this is also what I do with many of my external services). The great thing about this solution is you can expose any webapp and also go one step further with setting up Zero Trust Auth on any app allowing you to secure all apps.

Cloudflare also has free email forwarding for your domain.

Also note - Tailscale also works well from behind CG-NAT and can be installed on Synology: https://tailscale.com/kb/1131/synology/
Follow this guide: https://tailscale.com/kb/1131/synology/#enabling-synology-outbound-connections to enable tunneled access. I just did this on a remote Synology successfully.

Michael Murphy | https://murfy.nz
Referral Links: Quic Broadband (use R122101E7CV7Q for free setup)

Are you happy with what you get from Geekzone? Please consider supporting us by subscribing.
Opinions are my own and not the views of my employer.

jonathan18

7413 posts

Uber Geek

ID Verified

Trusted

#3068170 26-Apr-2023 15:16

Thanks, all, for the helpful and informative posts; I really do want to get this sorted and have HA running properly, especially since I found that our model of ducted AC can be fully controlled via it.

I've hit a snag, though, in getting HTTPS sorted on the NAS - I understand I need to get this working before tackling the wider issue of external access for HA, so will be back to read these posts more thoroughly and no doubt ask for further help when I inevitably get stuck again!

Silvrav

469 posts

Ultimate Geek

ID Verified

#3068171 26-Apr-2023 15:25

Just to add my 2c, redo HA with supervised version as inevitably you going to hit a snag in the future where you want problem-free access to all of HA and addons.

You can run it on your NAS via a VM if need be. if you want to run it on a Rpi I would recommend the SSD hack as memory card tend to fail and cause more frustration.

spmiller

41 posts

Geek

Lifetime subscriber

#3068215 26-Apr-2023 17:42

jonathan18:

I've hit a snag, though, in getting HTTPS sorted on the NAS - I understand I need to get this working before tackling the wider issue of external access for HA

Cloudflare does the HTTPS for my instance. When I'm at home I can access the box directly via HTTP if I want to.

I think this is safe because cloudflared sets up a Wireguard tunnel between my server and their endpoint, so the HTTP traffic is carried encrypted over that link before it is exposed to the Internet over TLS.

Jase2985

13463 posts

Uber Geek

ID Verified

Lifetime subscriber

#3068219 26-Apr-2023 18:16

jonathan18:

I've hit a snag, though, in getting HTTPS sorted on the NAS - I understand I need to get this working before tackling the wider issue of external access for HA, so will be back to read these posts more thoroughly and no doubt ask for further help when I inevitably get stuck again!

Does this help?

https://mariushosting.com/synology-how-to-enable-https-on-dsm-7/

1 | 2