You built a local smart home. Now you want to check cameras, flip lights, or adjust the thermostat while you're out. Here are five ways to access Home Assistant remotely, from dead simple to fully self-hosted. Pick the one that matches your skill level and budget.
Jump to a method
A smart home that only works when you're connected to your Wi-Fi is half a smart home. Remote access lets you monitor cameras, control devices, and receive alerts no matter where you are. But doing it wrong can expose your entire network. Here's how to do it right.
Check if you locked the door. Turn off the iron. Set the thermostat before you get home. The Home Assistant companion app works great, but only with remote access enabled.
Motion detected at the front door? Water leak in the basement? Smoke alarm triggered? Without remote access, those notifications can't reach your phone when you're away.
Frigate detects a person at your door. You pull up the live feed on your phone, see it's the delivery driver, and open the garage remotely. That's only possible with remote access.
Every method gets you remote access. The difference is how much work you want to do, how much you want to pay, and how much control you want over the setup.
Official cloud service. Zero config, supports the project financially.
Free tunnel through Cloudflare's network. Needs a domain name.
Mesh VPN that connects your devices. Free for personal use.
Self-hosted VPN. Fast, secure, no third parties involved.
Nginx or Caddy with Let's Encrypt. Maximum flexibility, most exposed.
The official remote access service built by the Home Assistant team. If you just want it to work and don't mind paying a few dollars a month, this is the answer.
Nabu Casa creates an encrypted tunnel from your Home Assistant instance to their cloud relay. Your HA connects outward (no incoming ports needed), and you access it through a unique URL like https://abcdef.ui.nabu.casa. It also enables Google Assistant and Alexa voice control integration.
โ Great for
โ ๏ธ Consider alternatives if
Free, secure, and works behind CGNAT. You need a domain name ($10 to 15/year), but after that, Cloudflare handles the tunneling. This is the go-to for tech-savvy users who don't want to pay monthly.
The cloudflared daemon runs on your HA machine and opens an outbound connection to Cloudflare's edge network. Traffic to your domain routes through Cloudflare's servers, through the tunnel, and hits your local HA instance. No ports open on your router.
ha.yourdomain.com) to the tunnelhttp://homeassistant:8123configuration.yaml under http: โ use_x_forwarded_forAdd Cloudflare Access policies to restrict who can reach your tunnel. You can require email verification, limit access to specific countries, or add a second authentication layer on top of your HA login. This turns a basic tunnel into a proper zero-trust setup.
A mesh VPN that makes all your devices appear on the same network. Install it on your HA machine and your phone, and they can talk to each other as if you're home. Free for up to 100 devices.
Tailscale builds on WireGuard and creates a peer-to-peer encrypted connection between your devices. Each device gets a stable IP (like 100.x.y.z) that works from anywhere. No port forwarding, no DNS tricks. If both devices run Tailscale, they can connect.
http://100.64.0.1:8123)Every device that needs access must have Tailscale installed and running. You can't just share a URL with a family member. They need to install the app, join your Tailnet, and keep it active. For a single user or couple, that's fine. For a household with kids and guests, Nabu Casa or Cloudflare might be simpler.
The self-hosted VPN option. WireGuard is fast, lightweight, and trusted by the Linux kernel team. You get a full VPN to your home network, not just access to Home Assistant. But you need a public IP and one open port.
WireGuard creates an encrypted tunnel between your phone/laptop and your home router or HA device. You forward one UDP port (typically 51820) on your router. When connected, your device behaves as if it's on your home Wi-Fi. You can access HA, your NAS, printers, everything on your LAN.
Unlike tunnel solutions that only expose HA, a WireGuard VPN gives you access to everything on your home network. SSH into your server, access your NAS files, print to your home printer. If you're already self-hosting other services, WireGuard pays for itself in convenience.
The traditional approach. You point a domain at your home IP, run a reverse proxy with SSL certificates, and forward traffic to Home Assistant. Maximum control, but also maximum responsibility.
Nginx or Caddy sits in front of Home Assistant and handles SSL termination. Let's Encrypt provides free certificates. You forward ports 80 and 443 on your router, point a domain at your public IP (with dynamic DNS), and the proxy routes HTTPS traffic to HA on your local network.
This approach exposes ports directly to the internet. One misconfiguration and your home network is reachable by anyone. You need to keep the proxy updated, manage SSL renewals, handle rate limiting, and monitor for intrusion attempts. For HA-only access, Cloudflare Tunnel gives you similar results with far less risk.
If you already run a reverse proxy for other self-hosted services (Nextcloud, Jellyfin, Gitea), adding Home Assistant is just another upstream. In that case, you've already accepted the security trade-off and have the infrastructure in place. Just make sure HA has 2FA enabled and you're monitoring access logs.
Regardless of which method you choose, these four things are non-negotiable. Skipping any of them is asking for trouble.
Go to your profile in Home Assistant and set up TOTP (time-based one-time passwords). Use an app like Aegis or Google Authenticator. This single step blocks most attacks.
Use a unique, long password for your HA account. Not the one you use for everything else. A password manager makes this painless.
Security patches ship with every release. Run updates monthly at minimum. Check the release notes for anything marked "security" and apply those immediately.
Home Assistant has a built-in IP ban feature. After a configurable number of failed login attempts, the IP gets blocked. Enable it in configuration.yaml under http: โ ip_ban_enabled: true.
Go with Nabu Casa. Five minutes to set up, supports the project, and you'll never have to troubleshoot DNS or tunnels. The $6.50/month is worth the simplicity.
Cloudflare Tunnel is the sweet spot. Free, no open ports, works behind CGNAT. You'll need a domain name and 30 minutes of setup. Once it's running, you can forget about it.
Tailscale for easy setup, WireGuard if you want zero third-party involvement. Both give you full LAN access, not just HA. Tailscale is simpler; WireGuard is more private.
You probably already have a reverse proxy running. Add HA as another upstream. Just make sure 2FA is on and your firewall rules are tight.
First, make sure your devices work with Home Assistant. Our free scan checks compatibility in 30 seconds.
Nabu Casa (Home Assistant Cloud) is the easiest option. You enable it in Settings, pay $6.50 per month, and get instant remote access with no port forwarding, no DNS setup, and no firewall changes. It works in under 5 minutes.
Yes. Cloudflare Tunnel, Tailscale, and WireGuard VPN all provide free remote access to Home Assistant. Cloudflare Tunnel and Tailscale are the easiest free options. WireGuard requires more setup but gives you a full VPN to your home network.
It depends on the method. Port forwarding with a reverse proxy is the riskiest because your server is directly reachable from the internet. Tunnel-based solutions like Cloudflare Tunnel, Tailscale, and Nabu Casa are safer because they use outbound connections only, so nothing is exposed on your router. Always enable two-factor authentication regardless of which method you choose.
Not with most modern methods. Nabu Casa, Cloudflare Tunnel, and Tailscale all work without opening any ports. Only a traditional reverse proxy or WireGuard VPN setup requires port forwarding. If your ISP uses CGNAT (common with 4G/5G home internet), port forwarding may not even be possible, making tunnel solutions your only option.
CGNAT (Carrier-Grade NAT) means your ISP shares one public IP address among multiple customers. You cannot forward ports because you do not have your own public IP. This is common with mobile broadband, some fiber providers, and budget ISPs. If you are behind CGNAT, use Nabu Casa, Cloudflare Tunnel, or Tailscale instead of port forwarding.