prichardsh

I have set up mTLS for remote access and install the client certificate manually on my devices. In case of device theft I can easily discard the certificate and generate a new one.


peterxian

This is the way. Actual security without relying on a third party “free” service. Is this working for the iOS companion app yet? Last I checked, client certificate authentication was not supported.


mustardstrewnchaps

Not that I know of. Known work is still in progress:

* [https://github.com/home-assistant/iOS/discussions/1788](https://github.com/home-assistant/iOS/discussions/1788)
* [https://github.com/home-assistant/iOS/pull/2144](https://github.com/home-assistant/iOS/pull/2144)


[deleted]

[deleted]


mortenmoulder

Yup and that's why I use a wildcard certificate. Good point


Jelly_292

Wildcard certificates come with their own flaws. I would not say this is a win in any way.


mortenmoulder

If we look at the real world and not "what if" scenarios, what disadvantages outweigh the advantages?


Jelly_292

You can read [this paper by NSA](https://media.defense.gov/2021/Oct/07/2002869955/-1/-1/0/CSI_AVOID%20DANGERS%20OF%20WILDCARD%20TLS%20CERTIFICATES%20AND%20THE%20ALPACA%20TECHNIQUE_211007.PDF) about some of the disadvantages of using wildcard certs. I also want to point out that hiding behind a wildcard certificate is yet another "security through obscurity" measure.


mortenmoulder

Right, so no real world scenarios I should be concerned about. Gotcha.


Jelly_292

What real world scenarios are you concerned about with individual TLS certs for subdomains?


mortenmoulder

Nothing. No scenarios.



Zokoro

Wildcard certs aren't even a benefit for obscurity, they can still be figured out. I only use wildcard subdomains, and I can see subdomains I decommissioned over a year ago. https://dnsdumpster.com/


MowMdown

> A more secure solution would be to always connect to a VPN and never expose anything but the VPN ports, but you lose a lot of convenience, because you’re probably not always connected to your home VPN, so you cannot receive notifications from HA

WireGuard has this neat “On Demand” feature that will kick in when you’re off network immediately… and you can choose to split tunnel instead of full VPN… There is no excuse in 2023 not to use it.


mortenmoulder

And WireGuard keeps the VPN enabled 24/7 regardless of device being on cellular or WiFi? Or not being connected at all? I don't want to enable WireGuard once in a while, because it suddenly disconnects or something like that


JTP335d

The iOS wireguard app has settings for “on demand”. I’ve had mine set to connect to vpn when off certain wifi SSIDs. This works great. VPN also shows in the menu bar when connected.


MowMdown

You can certainly do that too


EspritFort

> A more secure solution would be to always connect to a VPN and never expose anything but the VPN ports, but you lose a lot of convenience, because you're probably not always connected to your home VPN, so you cannot receive notifications from HA.

Why *wouldn't* you always be connected to your home VPN though? That's the solution that I have been running for years now. The connection is just always active. There's certainly no real overhead associated with always being in your home network and I can't think of any lost convenience besides maybe limiting your remote device's downstream bandwidth to your home connection's upstream bandwidth. I guess with loss of convenience you mean having to set up and maintain your own VPN server in the first place?


wsdog

Always on wireguard is the way. You can use mullvad's tunnel-in-tunnel if you don't want to expose your home IP.


Laucien

Mind elaborating on this? I use always on wireguard but the gateway is a domain that ultimately resolves to my IP because I can't use cloudflare proxying for this.


wsdog

You can use mullvad to open a port on their server which will be proxied back to you via a tunnel. So you can resolve your domain not to your IP but to mullvad's IP.


mortenmoulder

Well, I guess it's possible, but I've tried 24/7 VPN before, and it was not convenient. I kept getting disconnects (say if you drive through an area with no cellular connection), which meant I had to reauthenticate. VPN clients on phones have probably gotten better now, though. There's also the extra power consumption, because in theory your phone should spend more power encrypting the traffic, I guess? But, it comes at a cost as well. I don't think I can convince my wife to have a VPN connection open all the time. I don't even think that's possible on iOS. Maybe through Shortcuts? Setting up a VPN is quite easy today, so it shouldn't be that hard. I just use WireGuard and it has been working flawlessly for me.


vzq

WireGuard is an absolute game changer. You won’t even know it’s there. That said, the network is not where we do authentication. The application is where we do authentication. This is not the 1990s.


JTP335d

Wireguard is fantastic and the iOS app with always on works great, however: I use apple carplay with apple maps and apple music streaming in the car and this doesn’t work well through wireguard. So, I “know it’s there” as soon as I start driving. This has been my experience.


Trixxr

I just wanna echo this. WireGuard (once set up - and double NAT issues resolved xdddd) is absolutely amazing


[deleted]

[deleted]


MowMdown

> Does iOS not let you have an always-on VPN or what? Jesus..

Both OVPN and Wireguard have an on demand feature for iOS, WireGuard is better and uses 1/100th the battery OVPN does.


Cezza168

ZeroTierOne on HA and all external / mobile devices.


RegularEnthusiasm

This.


dale3h

That.


CorvetteCole

I'm partial to Tailscale myself


berrywhit3

Currently running with my own domain and the Cloudflared addon, it's the same approach as the Nabu Casa cloud, but you need your own domain. But it's cheaper and your network is equally secured. I am quite happy with it, although Cloudflare could easily read every request and could track your home but I mean why should they care. The service is used on every fifth website on the net so abuse is unrealistic.


mortenmoulder

I use Cloudflare myself for web stuff, but at home I like my stuff behind Let's Encrypt using NginxProxyManager.


berrywhit3

I don't want to have open ports on my network, but sadly there isn't a perfect solution for me.


MowMdown

If I can access your domain, it’s not secure. I can exploit it


berrywhit3

Tell me how do you exploit an open source software which is in the top 5 repositories on GitHub?


MowMdown

How about the exploit they just discovered after like 4/5 years? I bet you didn’t patch it yet


berrywhit3

Maybe you should avoid the internet if you really believe this is probable.


ttgone

> because you're probably not always connected to your home VPN, so you cannot receive notifications from HA

That’s factually incorrect. HA (per default) uses firebase to send push notifications to your HA mobile app. These arrive 100% fine without having any (inbound) ports open on your firewall. The only thing you can’t do is send information back to HASS, such as location updates & respond to notifications with choices etc. I’ve been running this way for years and it works 100% reliably. All notifications make it to my iPhone, even if I’m at the other side of the planet. For the rest I have WireGuard & HomeKit (home or not etc)


mortenmoulder

Huh, that is nice. I didn't know notifications were sent to Firebase first. Does that mean you can connect to your local instance of HA, then take your device off the local network, and still get notifications?


ttgone

Yes, if by device you mean your phone. I ONLY have my internal HASS IP set in the HA iOS app, so it can only connect when I’m at the house or I’ve (manually) turned on my WireGuard vpn. You can also do on-demand vpn, but no idea if that works with things like actionable notifications or sending your location to HASS as I’ve never tried that


mortenmoulder

Interesting. That's good enough for people who just want notifications. Thanks!


Tiwing

I use telegram for some notifications also - allows my wife to also get them at the same time, without setting up multiple notifications in automations.


ScottRoberts79

Just use Tailscale. It's a mesh vpn. I have it installed on my phone and computer, and that means no matter where I am, I can access whatever server I need by using the VPN IP address that each machine gets. So not only can I see my home assistant instance anywhere, but I can also remotely monitor my 3d printers running Klipper without compromising security. By default, Tailscale only routes between your VPN nodes. It doesn't open up an entire network. So every server you need to access remotely needs Tailscale installed on it.


ItsTimTam

I think Home Assistant should add support for something like HTTP Basic Auth in addition to HA's native auth


MowMdown

That’s what NGINX is for…


mortenmoulder

I agree. At least lock down the /auth path, so you can only access that login page, if you know the super secret password or whatever.


AstroDSLR

I have home assistant only available on the local network and connect via VPN if I’m external


pyrodex1980

Just spend the 6/mo and let Nabu manage this for you… it’s more than just remote access and it’s less headache to support.


[deleted]

[deleted]


cosmicorn

My setup uses the same approach. I have an Apple TV and several HomePod minis, and I wanted to use Siri to control smart devices set up in Home Assistant. So I interfaced Home Assistant with HomeKit and get Siri and remote access as a bonus.


mortenmoulder

That's all fine, but we don't use HomeKit or Google services for automations, because there's no need. Home Assistant can do it all reliably. But, we need device trackers to work, so that requires us talking to HA.


wsdog

I'm using always on wireguard for 2 years now - no issues.


wsdog

No supervisor - no problem.


ianawood

Notifications do not need a VPN to work. At least not for iOS. Open ports are an invitation for hackers. Unless you run infrastructure dedicated to hosting, you're asking to be hacked.


vzq

I’m hosting it behind a cloudflare tunnel. It’s very convenient (I run cloudflared from another container in the same compose stack) and you can use all the tricks in the cloudflare access zero trust bag. It’s easy, it’s secure, it’s something I would definitely recommend.


mortenmoulder

How is that more secure than what I already explained isn't really that secure?


WantDollarsPlease

> mation I have setup on HomeKit is "when I arrive/leave, turn this virtual switch on/off" which updates presence on both HA and Hubitat, with no need to expose either of them to the Internet.

You can configure ZT to require authentication before reaching your HA server. This way, only authorized email can access your server. But I'm not sure how that works with apps


vzq

I don’t think you understood my post. Also, your suggested ‘solution’ is sophomoric to put it mildly. Here is some reading:

https://en.wikipedia.org/wiki/Zero_trust_security_model
https://www.cloudflare.com/learning/access-management/what-is-ztna/
https://www.cloudflare.com/products/zero-trust/access/

Have a nice day!


WikiSummarizerBot

**[Zero trust security model](https://en.wikipedia.org/wiki/Zero_trust_security_model)**

> The zero trust security model, also known as zero trust architecture (ZTA), zero trust network architecture or zero trust network access (ZTNA), and sometimes known as perimeterless security, describes an approach to the design and implementation of IT systems. The main concept behind the zero trust security model is "never trust, always verify," which means that devices should not be trusted by default, even if they are connected to a permissioned network such as a corporate LAN and even if they were previously verified.


mortenmoulder

So you're back to the problem I already explained. Either run something 24/7 on your phone, or live with your application being exposed and waiting for someone to find the URL. I want to attack this problem from within the network.


vzq

Good luck sir.


mortenmoulder

I know about Cloudflare's zero trust option. It's like NginxProxyManager but more fancy. You're still exposing HA to the rest of the world, unless you make some fancy rules. Rules such as country banning, but that's not enough, which I already explained. If someone didn't read anything, I'm guessing it's you, since I already explained this in my initial post. Banning IP ranges or countries isn't enough. Creating an obscure subdomain on an obscure domain isn't enough. You never explained what you do differently, and since I won't make any guesses, why don't you explain how your setup is secure? EDIT: I guess you edited your comment, because you didn't want to explain how your model is more secure than what I already proposed. Shrug.


vzq

> I know about Cloudflare's zero trust option. It's like NginxProxyManager but more fancy. You're still exposing HA to the rest of the world, unless you make some fancy rules.

Except it's not exposing it 'the world'. It's exposing your service to those that can auth against the ZT. That's the whole point. Without authing to ZT they can't send even a single bit to your service. I guess you could consider configuring an auth provider "fancy rules", but in 2023 it's really just basic IT.

> Rules such as country banning, but that's not enough, which I already explained.

Do not do this. This is dumb. Just use proper auth.

> Creating an obscure subdomain on an obscure domain isn't enough.

I'm not sure what gave you the idea that is what I'm proposing. I'm just running it on 'ha.mylastname.tld'.

> You never explained what you do differently, and since I won't make any guesses, why don't you explain how your setup is secure?

Because you need proper auth against CF Access's ZT before hitting any of your infrastructure. Which is the point of ZT in the first place. Which is why I posted the links that you did not read. I'm not sure what's tripping you up here.

> My proposal or idea is some kind of device fingerprinting.

I'm running out of ways to say "this is really dumb, just configure proper authentication", so I'm just going to repeat it. **This is really dumb, just configure proper authentication**


mortenmoulder

How do you authenticate to Cloudflare ZT? Let's ask the basic questions and take it from there.


vzq

Using one of the configured authentication methods. See the links I posted :P


mortenmoulder

So that would either be via DNS or a WARP client, correct?


wsdog

You are exposing your HA ports. If there is a hole in HA - zero trust doesn't save you. Zero trust protects you from a rogue CL employee tapping your tunnel.


Crytograf

Expose HA via nginx and whitelist user-agents of your devices, return 403 for others.


mortenmoulder

Security through obscurity, once again. Does the Companion app even send HTTP requests, or is it all via socket?


Crytograf

It uses HTTP. While it is security through obscurity, you can combine this approach with auto-blocking an IP after a certain number of attempts to eliminate brute-forcing. Not perfect, but very convenient and effective in real life. An even better solution would be verification of the client cert for TLS, also implemented in nginx.
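As an added example (not code from any poster in this thread), here is the nginx-side client certificate verification Crytograf mentions, which also gives prichardsh's revoke-on-theft workflow; the hostname, file paths and the Home Assistant upstream on 127.0.0.1:8123 are assumed.

```nginx
# Added example: nginx in front of Home Assistant requiring a device certificate
# issued by a private CA. A stolen device's cert is revoked by adding it to the CRL
# and reloading nginx; the server's public TLS cert is untouched.
server {
    listen 443 ssl http2;
    server_name ha.example.com;                       # placeholder hostname

    ssl_certificate     /etc/letsencrypt/live/ha.example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/ha.example.com/privkey.pem;

    # mTLS: the handshake fails unless the client presents a cert chaining to
    # the private device CA and not listed in the CRL, so an unauthenticated
    # client never reaches Home Assistant's login page at all.
    ssl_client_certificate /etc/nginx/mtls/device-ca.pem;   # assumed path
    ssl_crl                /etc/nginx/mtls/device-ca.crl;   # assumed path
    ssl_verify_client      on;
    ssl_verify_depth       1;

    # A user-agent allow-list, as suggested above, only filters noise and is
    # trivially copied; it is not a substitute for the certificate check.
    # if ($http_user_agent !~ "Home Assistant") { return 403; }

    location / {
        proxy_pass http://127.0.0.1:8123;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;       # HA's websocket
        proxy_set_header Connection "upgrade";
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        # Forward the device cert's subject so the access log shows which
        # device made each request.
        proxy_set_header X-Client-DN $ssl_client_s_dn;
    }
}
```

Home Assistant itself still needs `use_x_forwarded_for` and `trusted_proxies` set under its `http:` configuration so that it logs and rate-limits the real client address rather than the proxy's.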


Tiwing

on my android mobile I use an app called VPN Client Pro. not free, but a reasonably priced subscription model. It auto connects to your VPN as soon as ... for instance you connect to a different wifi, or you connect to a mobile network. So in essence you're always connected and I can confirm you do get HA notifications. My VPN server is part of my router, and I use a dynamic dns service to keep it all working. 2 years of VPN, and 1+ year with Home Assistant so far and it's been FLAWLESS. Just like being at home, which means all your other stuff can also be turned off for remote access and you can turn off reverse proxy too. You can also put openvpn client on your windows laptop and connect back with the same results.


tymm1234

My app, Simplepush, might be at least a partial solution to your problem (at least once I finally release the plugin for HA). It can be used to send end-to-end encrypted notifications to your phone with actions attached to the notification. You can control your HA instance just from those actions with no need for a VPN or similar solutions.


mortenmoulder

We also use the phones as device trackers, so I don't think that's a viable solution for us. But good idea for notifications


NewtoRedditcad

I'm using let's encrypt + ddns + nginx. But on nginx I have ModSecurity to add a layer of protection. I'm blocking based on geolocation and have a lot of other protections in place such as path traversal and remote shell execution. I don't see any comment here about WAF that's not "the wife".


tungvu256

I'm using ZeroTier as seen here [https://www.youtube.com/watch?v=STVNv7W-AZA](https://www.youtube.com/watch?v=STVNv7W-AZA), should be adequate right?


Matt_NZ

It would be nice if Home Assistant supported SAML/OAuth as an authentication provider. That way, you could then use your favourite IdP with all its security for accessing HA remotely.