Using Tailscale to access Home Assistant from everywhere
When you start using Home Assistant, you’ll quickly find yourself wanting to access it from everywhere, not just from your couch while being connected to the home wifi.
There are many ways to achieve this, but the easiest is problably the Home Assistant Cloud integration. They offer a subscription based service that also allows you to easily integrate Amazon Alexa and Google Assistant.
But the great thing about Home Assistant is that they allow you to do things more than one way, and there are actually even more ways to open your Home Assistant instance to the internet. I’ll just briefly mention that you can open a port on your router and use a service like DuckDNS to give you a URL to access Home Assistant, but this is hard to make right regarding security and is sometimes even impossible if your ISP only issues IP v6 addresses or has a double NAT setup. If you’ve never heard of these things, be prepared for a long journey - or use Home Assistant Cloud or the Tailscale method this post is about.
If you chose this method and don’t need the other features Home Assistant Cloud offers, consider subscribing anyway! By subscribing, you help fund the development of Home Assistant.
What is Tailscale
Their headline says “Tailscale makes networking easy”. And that’s not an understatement. If you’ve worked with router configurations, VPNs, secret keys, SSL certificates and all those things before, you’ll appreciate how easy and fast it is to connect devices and services using Tailscale.
The core feature of Tailscale is a VPN, where you can connect devices without actually having to do all the networking normally required. If you’ve never heard of Tailscale before, I recommend reading What is Tailscale? from their documentation. If, after reading this article, you decide that you want to use Tailscale, you can read their Quickstart guide which leads you through creating an account and adding a machine to it.
Here is a Screenshot of my tailnet:
From now on, I’ll assume that you have a Tailscale account with your computer connected to your tailnet (their name for the VPN all your devices are in).
A newer feature of Tailscale is Tailscale Funnel, which allows you to access a service from your tailnet via the public internet. This is what we’ll use to make Home Assistant accessible from the internet.
What to expect
We’ll setup Home Assistant to join your tailnet, configure Tailscale, and then make Home Assistant available on a URL that looks like this:
We’ll need to change some things in the Tailscale admin console. First, you’ll have to enable HTTPS support, which you can do by following their guide Enabling HTTPS. Next, we will enable Tailscale Funnel. For this, follow their guide Tailscale Funnel on how to edit the tailnet policy file. For me, it was as simple as pressing a button on the right side of the code editor there, but editing the file by hand is not much harder.
That’s it already for this part.
Adding Home Assistant to your tailnet
Start by opening the addon store and install the Tailscale addon.
After installing, go to configuration, click on the three dots in the top right corner and edit as YAML. There, you can paste this config:
funnel: true proxy: true userspace_networking: false
Click save, then start the addon. Open the web ui of the Tailscale addon and authenticate.
Congratulations, your Home Assistant instance is now part of your tailnet and available from the internet.
Check the logs for an entry that looks like this to find out the address:
[20:51:32] INFO: Tailscale Funnel is enabled: [20:51:32] INFO: Your Home Assistant instance is publicly available on the internet at [20:51:32] INFO: https://homeassistant.yak-bebop.ts.net
You can now connect to Home Assistant from everywhere:
We now have an easy and secure way to connect to a Home Assistant instance via the internet “without fiddling with router settings or ssl certificates” (although still more steps than Home Assistant Cloud).
You can also configure the Tailscale addon to act as an exit node, which enables you to access other devices on the same network that are not part of the tailnet via any machine connected to the tailnet. Check out the addon documentation for more info on that.