Hi everyone
So, that’s a 2-in-1 post: first a more general question, then looking for advice for a friend.
-
What is your preferred way to access HA from outside (and why)?
-
A friend of mine uses DuckDNS and I often read (recently) that some people are having issues with it. Is Wireguard a better way, or is there another solution that is not too techy to deal with?
Very different solutions.
- DuckDNS: you expose your HA to the internet like a public website and register its address with DuckDNS so you can look it up.
- Wireguard: you VPN to inside your firewall and can access anything on your private network.
Wireguard all the way. Exposing just a VPN endpoint that can’t be connected to without the right cryptographic keys is a much more secure and maintainable attack surface.
BTW I assume that’s what you meant by “DuckDNS”. Using that service is orthogonal to making HA visible externally, but is (I think) the common pairing.
Thanks, Wireguard sounds much better then for just accessing HA; I wonder why DuckDNS is so popular then.
Because DuckDNS means you don’t have to buy your own domain. I don’t know their product offerings; they might offer VPN services, like Mullvad.
Wireguard doesn’t provide you with a DNS entry. Without a domain name, you’ll have to always either edit your hosts file on every computer you use, or access your services via IP (https://65.147.69.34:8080/), whether or not you have Wireguard. DuckDNS lets you create http://pafha.duck.dns (or whatever). Using subdomains also helps with reverse proxying, because routing rules are usually configured by host name. For example, your proxy server can route pafha.duck.dns requests to port 8124, which is where your Home Assistant is listening; while pafmympd.duck.dns proxies to port 8091 which is where your MyMPD server is listening. If you own your own domain, you don’t need DuckDNS. If you don’t, it’s very useful.
Wireguard gives you a VPN. It’s for creating encrypted subnetworks. Security, and privacy. It doesn’t solve the DNS problem.
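The host-name routing described above, written out as an added nginx example (not config from the poster). It uses the post’s own names and ports (pafha.duck.dns to 8124, pafmympd.duck.dns to 8091); the certificate paths and the proxy host (127.0.0.1) are placeholders. The extra default server is there so that anything hitting the public IP without one of the expected host names, such as an internet-wide scanner, gets no page at all:

```nginx
# Added example: route two DuckDNS subdomains to two local services by Host header.
# Hostnames/ports come from the post above; certificate paths are placeholders.

# Catch-all: requests that do not carry one of our host names are dropped
# without a response (444) and the TLS handshake is refused outright.
server {
    listen 80 default_server;
    listen 443 ssl default_server;
    server_name _;
    ssl_reject_handshake on;
    return 444;
}

# Never serve anything over plain HTTP: redirect to HTTPS.
server {
    listen 80;
    server_name pafha.duck.dns pafmympd.duck.dns;
    return 301 https://$host$request_uri;
}

# Home Assistant on port 8124
server {
    listen 443 ssl;
    server_name pafha.duck.dns;

    # placeholder paths, e.g. from certbot
    ssl_certificate     /etc/letsencrypt/live/pafha.duck.dns/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/pafha.duck.dns/privkey.pem;

    location / {
        proxy_pass http://127.0.0.1:8124;

        # The HA frontend talks over a WebSocket; without the Upgrade/Connection
        # headers the page loads but never connects.
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";

        # Forward the real client address so HA's failed-login banning sees the
        # remote IP rather than the proxy's own address.
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}

# myMPD on port 8091
server {
    listen 443 ssl;
    server_name pafmympd.duck.dns;

    ssl_certificate     /etc/letsencrypt/live/pafmympd.duck.dns/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/pafmympd.duck.dns/privkey.pem;

    location / {
        proxy_pass http://127.0.0.1:8091;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}
```

Home Assistant refuses proxied requests by default: its `configuration.yaml` needs `use_x_forwarded_for: true` and a `trusted_proxies:` list naming the proxy’s address under the `http:` section, otherwise every visitor appears to come from the proxy and HA returns 400.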
Tailscale.
Apples and oranges.
Wireguard is a VPN technology. DuckDNS is a service that lets you create a subdomain on the duckdns TLD and point it at your server. They do completely different things.
You would use DuckDNS if you don’t want to rent your own domain (“rent” because it’s a recurring payment for something over which you have only nominal control). It provides no security, no access control, and it creates no network. It’s just a pointer in the global DNS DB.
Wireguard is a VPN technology, for creating private networks.
One is like a mailing address. The other is like a strongbox. You could give the strongbox to a friend to deliver it to someone who has the key (Wireguard). Or you could write a message on a postcard and mail it (DuckDNS). Or you could put the address on the strongbox and mail it (DuckDNS + Wireguard). The point is, they serve completely different functions.
The two could be used together.
Different services for different use cases.
I use nginx reverse proxy behind Duckdns for anything that requires public access, or that I use very frequently, like jellyfin or immich
I use Wireguard for everything else, to expose as little as possible.
If anything, I would say that Duckdns is harder to set up than Wireguard. You will need something like nginx reverse proxy if you want to host multiple services, and also deal with SSL certificates.
Can you explain why you don’t use wireguard for Jellyfin/Immich?
(Network things are something I never get to fully understand)
To use Wireguard, you need to:
- provision a client tunnel for every device, or at least every person who needs to access your network
- have Wireguard downloaded and installed on every device, with the tunnels all imported.
Basically, Wireguard works really well for services that only you use, on your own devices. You set it up once per device, and you have access to every service you host on your network.
For the DuckDNS / reverse proxy route, you need to configure the reverse proxy for every service you want to expose, but don’t need to configure anything on the end user’s device.
For Jellyfin, since I have users that are not me, it is impractical to expect them to go through all the hoops to get Wireguard running just to watch some movie or tv show. I also don’t want to make new Wireguard client tunnels for every single friend that I add to my jellyfin server. This also means I can access jellyfin on devices that aren’t my own such as a friend’s TV.
For immich, my phone is a bit wonky with keeping Wireguard connected in the background, and I just don’t want to worry about if I’m connected to my vpn just so my photos will get backed up.
I just realized that this is the homeassistant community and not something more generic.
Specifically for homeassistant, Wireguard should be fine, unless you plan to do some more advanced stuff like use Alexa without a nabu casa subscription.
The times where you need access to your HA instance without being able to connect to Wireguard should be pretty limited.
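What “a client tunnel for every device” looks like in practice, as an added example (not the poster’s configuration): one server-side `[Peer]` block per device, each with its own key pair and fixed tunnel address, plus the matching client file that gets imported into the WireGuard app. All keys are placeholders; the LAN range 192.168.1.0/24, the router address 192.168.1.1 and the endpoint name are constructed for the example.

```ini
# --- Server: /etc/wireguard/wg0.conf (constructed example, keys are placeholders) ---
[Interface]
Address    = 10.8.0.1/24
ListenPort = 51820
PrivateKey = <SERVER_PRIVATE_KEY>

# One [Peer] per device. Revoking a lost phone means deleting its block and
# reloading; nobody else's tunnel is touched. AllowedIPs here is the single
# address the server accepts as that peer's source, so peers cannot spoof
# each other.
[Peer]
# alice-phone
PublicKey  = <ALICE_PHONE_PUBLIC_KEY>
AllowedIPs = 10.8.0.2/32

[Peer]
# alice-laptop
PublicKey  = <ALICE_LAPTOP_PUBLIC_KEY>
AllowedIPs = 10.8.0.3/32


# --- Client: alice-phone.conf, imported into the WireGuard app on that one device ---
[Interface]
Address    = 10.8.0.2/32
PrivateKey = <ALICE_PHONE_PRIVATE_KEY>
# Resolve LAN names (e.g. homeassistant.local) through the home router (constructed)
DNS        = 192.168.1.1

[Peer]
PublicKey  = <SERVER_PUBLIC_KEY>
# Placeholder; this is where a DuckDNS name would go if the home IP changes
Endpoint   = home.example.net:51820
# Split tunnel: only the VPN subnet and the home LAN are routed through the
# tunnel; everything else uses the phone's normal connection.
AllowedIPs = 10.8.0.0/24, 192.168.1.0/24
# Keeps the NAT mapping alive so the phone stays reachable in the background
PersistentKeepalive = 25
```

Each key pair is generated on the device that will hold the private key (`wg genkey | tee private.key | wg pubkey > public.key`) and only the public half is copied into the other side’s `[Peer]` block. Adding a friend therefore really is the full loop above per person, which is the overhead the post is describing; the upside is that the only thing listening on the internet is UDP 51820, and it never answers a packet that is not signed by one of the listed public keys.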
I consider myself a novice but this is how I do it too (Nginx reverse proxy handling SSL in conjunction with Duckdns domain, Wireguard for remote access to everything else). Both Nginx &amp; duckdns are fairly straightforward to set up through Docker/Portainer.
Should the need arise I’ll look at Tailscale.
I don’t use HA yet, it’s something I’d like to get into if I can figure out VLANs in order to keep IoT stuff away from the rest of the network.
Tailscale, because it’s a peer-to-peer VPN based on WireGuard with very little setup and Cloudflare Tunnel for external access to HA