How to access Home Assistant and your internal network with Twingate. No port forwarding needed!

Captions
Thank you to Twingate for sponsoring this video. In previous videos I've talked about different ways to access Home Assistant, from Cloudflare to Nabu Casa to DuckDNS to an nginx reverse proxy, and maybe others I can't even remember. But today I want to talk about zero trust networking and a company called Twingate that allows you to set up a zero trust network between your Home Assistant instance, or really anything inside your local network or any network, and a client device or any of your devices. So let's jump right into it. We'll talk about what Twingate is and then how I can set up a quick configuration to talk to my internal network, including Home Assistant.

So let's talk a moment about Twingate and what it does. Twingate is a way to replace your traditional VPN and talk to stuff on your local network. It enables organizations to rapidly implement a modern zero trust network that is more secure and maintainable than VPNs. It's a cloud-based service, but it allows you to make point-to-point connections over TLS with your infrastructure. It also sets up a defined perimeter without changing your infrastructure, and it can essentially manage user access to internal apps whether they are on premise or in the cloud. One of the things we talk about here is the difference between Twingate and a traditional VPN. This is the typical Twingate setup: you have a Twingate controller, which is a centralized web-based management tool; it's a console that allows you to set things up. Then you have an identity provider, and there are a number of them. This one lists Okta, but there's Google and Microsoft and some other ones that are built in, so you can use your own identity provider if you want to. There's also zero trust access that allows you to give access to applications from devices, and this limits the blast radius. What a blast radius means is that if one thing gets compromised on a network, it limits it to that one area rather than spreading through everything within your network, or potentially even farther than that. Your network itself is invisible to the internet: you're basically creating a tunnel between your device and your network, and the internet doesn't see that. And then you have split tunneling. Split tunneling allows traffic to pass through the network only if necessary and sends everything else out directly to the endpoint it needs to go to. So if you're doing video conferencing, you don't need it to go over your internal network or your VPN first; it can go directly to the video conferencing endpoint.

Now with a VPN, these are some of the issues you have. You have slow connections because all your traffic goes to the VPN. Your VPN gateway is a target: it has to be known on the internet, everyone knows where it is, and it can be attacked. And then you get backhaul traffic, so in the case of a video conference it all goes through the VPN gateway and back out again. With the split tunneling that Twingate does, it eliminates that as well. Some other points: basically it's built for IT admins, easy setup, rapid deployment, performance and reliability. So it does all of this without needing the infrastructure to be in place. It simplifies administrative workloads and is effortless for users; you turn it on and it does its thing. Everything is handled at the administrative console; users just turn on their device and get access to the stuff that they need to get access to. So it's always on, transparent security, easy onboarding, better online experiences. For business it reduces costs, reduces risk and increases agility, and of course it's future proof.

So let's talk about how we can use Home Assistant with this setup. You can install Twingate on your local network where your Home Assistant device resides. You can set it up on a Raspberry Pi if you have access to install Docker containers and other stuff via the console; you have to have console access. Now you can do that with Home Assistant, but it takes a little bit of work. If you have something like a VM running on Windows where you're running an Ubuntu operating system or some other supported operating system, that's probably a better place to put it. But once you have it set up on your network, you can connect from any device through that local network to your Home Assistant, as long as everything's on the same network segment.

Here are some other points to make about this in terms of setting these things up. With your common remote access approach such as a VPN, you have to set that up, you have to open port forwarding, you have to deal with dynamic IP addresses, fiddle with the configuration of VPN settings on the remote devices, and it often requires some sort of paid subscription if you're going to set up a non-open-source VPN. With Twingate, on the other hand, there's no VPN and there's no need to use port forwarding; there's a connector that makes an outbound connection that tells everything where it is. No static IP addresses or dynamic DNS, so you don't even have to worry about setting up something to resolve a domain to it. It can all work transparently without that. There are remote access client apps for your laptops and mobile phones, and it's free for the non-business account.

Now this page has a whole quick start guide that talks about how to set this up, and I'll link that down below, but I'm going to go ahead and go through it. I'm going to use a Docker container on one of my virtual machines that I'm running within my network. The concept is the same if you can install this on your Raspberry Pi via a console setup or an SSH terminal or something like that; then you can run it there as well, so you can have it on the same device as you're running Home Assistant. That is not necessary to use it, but you can do that.

All right, so the first thing you're going to do is create a Twingate account. Once you get an account created and you're signed in, you just add a remote network, and you have some choices of type here: AWS, Azure, Google Cloud, on-premise or other. I'm going to choose on-premise, I'm going to call it "my home network", and I'm going to add it, and now I have a home network. What I'm going to show you is how easy and fast this is. The next thing you're going to do is deploy connectors, and you have two different connectors here to choose from. I'm just going to choose the first one here. We're going to deploy that connector, and you have choices on the deployment method: Docker, Helm, Azure, Linux, AWS ECS, AWS AMI or manual. I am going to use a Docker container because I already have Docker running on my VMs. So we're going to generate tokens. You need to re-authenticate to generate these tokens, so once I click on "generate tokens" it's going to ask me to log in again, and that's what it tells you here. So we're going to authenticate and sign in with Google; that's my SSO, or single sign-on, provider that I'm using. Once you have authenticated you will now have your tokens right here, and you're going to use these tokens in a customized Docker command.

OK, so we're going to copy the command. This command is self-contained, including the tokens that you need to have the connector establish a connection back to Twingate servers. We will copy the command, go over to our terminal and paste that in. I will have to use sudo because I am not superuser, so I will type sudo. This whole command will do everything you need to get the Docker container installed and running and make the connection it needs to make out to Twingate. So just hit enter. Now it's going to go pull all of the information it needs, all of the images, and now it's up and running. If you're running something like Portainer, you can actually come over to Portainer and see that it's up and running. So if I go to containers, here it is: it's starting Twingate, and now it's up and running and it's healthy.

So now we have Twingate running on our system, and let me take a pause real quick to help you understand a little bit about how this works, because for me I needed to understand what Twingate was doing. It's so simple and so behind the scenes and so easy that I was a little concerned about how it works. So I want to take just a moment; we'll talk through how this works a little bit and then we'll come back and finish the install.

OK, so this is the architecture overview, and the reason I wanted to know this, as I just mentioned, is I really want to understand how this all works. It relies on four components, and this is helpful to understand when you're creating the different components on the admin console and what they do: there's the controller, clients, connectors and relays. They ensure that only authenticated users are able to access these resources.

The controller is the central coordination component for Twingate. It's a multi-tenant component that stores configuration changes made via the admin console. It registers the connectors, so right now the connector we just installed is talking to the controller, and it's the only component that does not interact with any data flow. It has a bunch of responsibilities, and you can read all of this here.

The client is a software component that is installed on the user's devices. Its role is to act as the authentication and authorization proxy for requests; the client itself listens for the requests and sends them where they need to go. All the whitelisting, all the authentication, all of the ACLs are done on the client side. So it does a bunch of stuff: handling user authentication, obtaining a signed ACL, detecting network connection requests to protected resources (that's where it sends them over to the correct place), proxying DNS requests (you can have local DNS resolution, or it uses local DNS resolution while it's looking at those resources), proxying TCP and UDP traffic, and establishing a certificate-pinned TLS tunnel with the appropriate connector. So remember we just installed the connector on our VM; now there's a tie into my local network from that connector. The client is responsible for establishing the tunnel with the appropriate connector to access a protected resource. The TLS tunnel is established based on the anonymous unique connector ID and is pinned to the specific connector based on a signed connection token received from the controller. All right, so there's that.

Then the connector is the mirror component to the client, but it has a simpler set of responsibilities. The client connects to this connector. It authenticates and maintains its connection with the controller, so the client always knows where the connector is. It maintains connectivity with the relays, it verifies the integrity of clients, and it performs local DNS resolution of proxied requests. So like I said, local DNS resolution is performed by the connector before forwarding traffic to the resolved IP address. If you have a fully qualified domain name of something inside your local network, it's going to resolve that before it sends it to the IP address inside the local network.

And then of course the relay is the simplest component. There's no data or network-identifiable information stored in the relay, and no data-carrying connections are terminated at the relay; it's just a pass-through. It serves as a registration point for connectors and serves as a connection point for clients looking to establish connections to the connectors. You can see all of that up here on this diagram: your client goes through the controller, it authenticates, and then it creates a tunnel which goes through the relay and talks back to your connector, and in this case this is my VM. So that's how all of that works.

What I want to do now is continue the setup. If we go back over to our connection status, you can see both the controller (remember we talked about the controller) and the relay are both active, or both connected. So the next thing we need to do is go back over to our home network and add a resource. A resource is a thing that you want to connect to within your network. Here's the actual network that we're connected to; this is where the connector is. Now I'm going to add a resource. In this instance we're going to choose CIDR instead of DNS for this one, since we'll be using the IP address. This will be "home assistant pi", which is my Home Assistant Pi instance, and the IP address we're going to put in is that right there. We can add a port restriction: you can enter a single port, a port range or multiple ports separated by commas. Since Home Assistant is running on port 8123, I'm going to go ahead and put in port 8123 as my port restriction. That prevents anybody else from accessing any resources on this IP address unless they're going directly to port 8123. So not only can you lock stuff down to IP ranges or hosts, but you can also limit stuff to specific ports on the host. I'm going to give access to "everyone" for this, because that's the only group I have set up right now. Click on "add one group", and now we have the home assistant pi resource. This is a resource that can be accessed when you're connected on this home network remote network connector. Nothing else in my internal network is exposed through this connector; this is all set up based on the ACLs and everything that are sent to the client when the client connects.

All right, let me show you an example of the client. I'm going to show you this on a Windows machine because for the video it's just easier to do that. It's the same concept on a mobile device; there's an app for iOS and an app for Android, and then there are Windows clients as well, and I'm going to use the Windows client. So let's go over there and do that now.

OK, so here we are on the laptop, and under download you have a number of options: macOS, Windows, Linux, iOS, Android and, interestingly enough, Chrome. I'm going to use Windows today. I'm going to download that and install it, go through all of the install steps; nothing really to do here other than just to get it up and running. All right, we're finished, and the first time you run it, it's going to ask you to join a network, so I'll join my network that I created. When we talk about a network, I probably got these terms a little bit confused, but if we look at this network, this is the network that is connected to my home network. This is not necessarily the network we're talking about here; this is the network they're talking about in terms of signing into Twingate on the laptop or a client. So don't get these terms confused. You can call this whatever you want; their term for "network" is basically the account, so you're signing into the account. So don't get those two confused like I just did.

All right, so we're going to put in my account name, I'm going to join the network, and it's going to go through the whole authentication process like we did before, so we'll sign in with Google. You can see down here that this has turned white because we're connected to Twingate. So every request that we try to send for our Home Assistant that we show right here is going to go through the Twingate adapter. The way we demonstrate that is I'm going to connect my laptop to my phone's hotspot so it's not on my local network, and I should be able to get to this non-routable IP address. If it isn't working, I won't be able to get there. OK, so now I've got my laptop connected to my phone's hotspot, so I'm not on my private network internally. If I go to a non-routable IP address, my Home Assistant instance, it should take me there, and it does. So I've got to log in, of course, and now I'm logged into my Home Assistant instance on a non-routable IP address. This resource right here is going through Twingate, because otherwise I wouldn't be able to get to it. If I disconnect Twingate, as an example, now I'm logged out of Twingate. If I refresh this page, it should not get to it. You can see it's spinning up here, maybe hard to see, but it is trying to get to that non-routable IP address, and you also can see down here that it's lost its connection to Home Assistant. So this just proves that without the Twingate connector, it's not going to be able to connect to that particular IP address.

We can add additional resources to this as well. If I wanted to add my Plex server, for example, I would just add that and then the address, and I could do a port restriction as well; Plex is on 32400. Then just add that resource, and I can grant it to everybody, and now I have Plex available to this as well. So I've got two different resources that are now available internally to this home network that can be reached from Twingate. You just sign into Twingate, fire it up on your client, and then you're able to access these as well. It's a very simple zero trust network setup to put together and deploy, and it can be done very quickly. I spent more time explaining it than I did actually setting it up, but it's very, very simple.

Now some of the FAQs here talk about what it is. What is zero trust networking, if you don't know what that means? It basically says that you don't trust anybody or anything, and so you only want to let in people or clients or whatever that you actually trust. Because we work in a distributed environment these days, with remote workers, you can't bring everybody inside your local network and block everything else out. This allows you to essentially trust nobody, even inside your local network, and then offer resources to them specifically based on what they do. And of course it talks about how it differs from a VPN; we talked about that a little bit at the beginning. Twingate runs on all the different platforms, you don't need to have any technical knowledge, what changes do you need to make, do I have to disable my VPN: all kinds of answers to frequently asked questions here on their website that you can go view at your leisure.

Now there is a little bit different scenario that I'm going to talk about here for a moment, and that is me running something with a local domain. So if we go into this again, I'm going to create one more resource. I'm going to add a resource; this one's going to be DNS. I'm going to call this "local HA" (oops, that's a label; let's just use "local HA"), and I will put in the DNS address here. You can add port restrictions to this one as well; I'm just going to leave it open for now. I'm going to add this resource and grant it to everybody. So what this will do now, and this is where we talked about the DNS part of this: the architecture overview talks about how this works in general, but let's talk about DNS working. There's this big flow of how DNS resolution works. Essentially your client will make a connection, and it'll be intercepted by Twingate. Twingate then responds with an IP address assigned to the resource, which is this right here, and then the application on the user's device initiates communications with the Twingate IP. So here's the communication with the Twingate IP: the connector receives the connection request, sends the DNS request to the private DNS on the local network, and then the private DNS server responds with the private IP address of the resource. In my case this particular resource has a local private IP address that my AdGuard server sends back to my client that tells it how to get to this particular resource. And then the connector initiates communication with the requested resource's private IP, proxying traffic through the user's device. So there we go: it sends back the request and then it goes all the way through to the actual private IP address.

So when I go to localha.mostlychris.com, you can't get that; that's not resolvable on the public internet. That's only resolvable internally to my private DNS server. So when I put that in my browser after connecting to Twingate, it's going to connect to my local instance. Here's a caveat with things like the Home Assistant companion app: you set a public and a private URL so the app knows which network you are on. If you set local HA, or whatever your local thing is, as your local domain name inside your network, your companion app can connect when it's on the local network, and then when you go outside the network it will try to connect to your public address. If you're running Twingate only to connect to your Home Assistant instance, and you always want Twingate up and running to connect to it, then you would put this as both your public and private URL in the app. Now there are ways around that. One of the things you can do is set up an nginx reverse proxy, put localha.mostlychris.com in your browser, or in that proxy, and have it proxy back to your Home Assistant instance. You can set it up so that it only allows that from your local IP address range on your local network; that way, if you have the proxy open to the world, it's not going to accept it from outside of your network. If you're using something like Twingate and you're using the app, my suggestion is that you just put the URL for your local instance in your Home Assistant.

So let's go in here and do this real quick. If I go back over to my laptop and I type in local HA... first of all, I've got to get back on Twingate, so make sure I'm signed into Twingate. So I'm signed back into Twingate. If I put in local HA, because I've got this set up as a resource in my admin panel (here's the resource), Twingate is going to intercept this URL and send it through the Twingate system to resolve on my private DNS server locally on my network. So let's go look at that now. If I hit enter, it should take me over to my Home Assistant instance, and it does. So now I'm connected to my Home Assistant instance using localha.mostlychris.com. You can see here that I'm on this local HA, which is not resolvable outside of my private network, and actually Twingate has resolved that for me. That's one way you can use the local resolution, or you can use this to intercept that call, send it through Twingate, and then it resolves on your local private DNS server. That gives you a zero trust network to connect from anywhere to your local network or your on-premise remote network.

One of the final things I want to caution you about when you're talking about doing this DNS stuff is not to use a public DNS service to resolve private IP addresses, because you can have a DNS rebind issue. So anything that you have that resolves to an internal address should be run on a local server, like either Pi-hole or even AdGuard, which is what I use. Remember, address resolution of resources is performed from the connector on the remote network that a particular resource is associated with. This means that both local IP addresses and local private DNS names will resolve for remote users connected to Twingate. The only thing you've got to be sure of is that when you're doing this, you can resolve that locally. So if I want to do local HA, it can resolve this IP address. If it doesn't resolve on the machine the connector is running from, then it's not going to work for you, so make sure it does resolve from the connector machine.

All right, so that's how you set up Twingate and use it. I made it more complicated than it needs to be in my discussion, but I wanted to give you an overview of the whole thing, from how it works to how to set it up in an application like this. So if you have any questions about it, let me know in the comments down below; you can also ask me on Discord. This is just another way for you to connect to your Home Assistant instance from a remote location securely and from a zero trust standpoint. So try it out, see what you think. You can use it up to a certain point for free: you get five users, two devices per user, one remote network, the admin API and the community support forum. If you want to do bigger stuff for business or enterprise, you can do up to 150 users, five devices, 10 remote networks, resource-level control, identity provider integration and email support for ten dollars. I think this is where I'm at right now in terms of a trial; when you first sign up you get a trial, and then it goes away and reverts back to free. If you're just using Home Assistant, then you can get away with the free version. All right, thanks for watching, and we'll see you on the next one.
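The resource setup and the two DNS caveats from the video (a resource must resolve on the connector host, and private names should not be answered by a public DNS service) as an added pre-flight check to run on the connector machine. This is example code, not Twingate's or Home Assistant's own; the resource list, the `192.168.1.x` addresses, the `localha.example.internal` hostname and the resolv.conf text are constructed placeholders.

```python
"""Pre-flight checks for Twingate resources, run on the connector host.

Added example, not Twingate's or Home Assistant's code. It checks two caveats
from the video: a DNS-type resource must resolve on the machine the connector
runs on, and private names should come from a local resolver (Pi-hole, AdGuard)
rather than a public DNS service, which is where DNS rebinding trouble starts.
"""
import ipaddress
import socket
from typing import Callable, Optional

# Constructed sample resources mirroring the video's setup; the address and
# hostname are placeholders, not the author's real values.
SAMPLE_RESOURCES = [
    {"name": "home assistant pi", "address": "192.168.1.50", "ports": "8123"},
    {"name": "plex", "address": "192.168.1.50", "ports": "32400"},
    {"name": "local HA", "address": "localha.example.internal", "ports": ""},
]
# Constructed resolv.conf text; in real use pass open("/etc/resolv.conf").read().
SAMPLE_RESOLV_CONF = "search example.internal\nnameserver 192.168.1.2\n"

def parse_port_restriction(spec: str) -> list[tuple[int, int]]:
    """Parse the console's port field: one port, a 'lo-hi' range, or a
    comma-separated list of those. An empty field means every port."""
    spec = spec.strip()
    if not spec:
        return [(1, 65535)]
    ranges = []
    for part in spec.split(","):
        lo, _, hi = part.strip().partition("-")
        lo_i, hi_i = int(lo), (int(hi) if hi else int(lo))
        if not 1 <= lo_i <= hi_i <= 65535:
            raise ValueError(f"bad port restriction: {part!r}")
        ranges.append((lo_i, hi_i))
    return ranges

def port_allowed(port: int, spec: str) -> bool:
    """True if the restriction lets traffic to `port` through."""
    return any(lo <= port <= hi for lo, hi in parse_port_restriction(spec))

def nameservers(resolv_conf: str) -> list[str]:
    """Pull the nameserver addresses out of resolv.conf-style text."""
    return [line.split()[1] for line in resolv_conf.splitlines()
            if line.startswith("nameserver") and len(line.split()) > 1]

def resolve_locally(host: str) -> Optional[str]:
    """Resolve with the host's own resolver, which is what the connector uses."""
    try:
        return socket.gethostbyname(host)
    except socket.gaierror:
        return None

def check_resource(res: dict, resolver: Callable[[str], Optional[str]] = resolve_locally,
                   resolv_conf: str = SAMPLE_RESOLV_CONF) -> dict:
    """Report whether one resource is usable from this connector host."""
    report = {"name": res["name"], "ok": False, "why": "",
              "ports": parse_port_restriction(res["ports"])}
    try:
        ip = ipaddress.ip_address(res["address"])  # CIDR-style resource: literal IP
    except ValueError:
        # DNS-style resource: it needs a private resolver, and it must resolve
        # here, otherwise the connector cannot forward traffic to it.
        if not any(ipaddress.ip_address(ns).is_private for ns in nameservers(resolv_conf)):
            report["why"] = "no private nameserver configured on the connector host"
            return report
        answer = resolver(res["address"])
        if answer is None:
            report["why"] = "does not resolve on the connector host"
            return report
        ip = ipaddress.ip_address(answer)
    report["resolved"] = str(ip)
    if not ip.is_private:
        report["why"] = "resolves to a public address, not a private-network resource"
        return report
    report["ok"] = True
    return report

if __name__ == "__main__":
    for r in SAMPLE_RESOURCES:
        print(check_resource(r))
```

Run it on the box where the connector container lives; a DNS-type resource that reports "does not resolve on the connector host" is exactly the case the video says will not work.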
Info
Channel: mostlychris
Views: 17,522
Keywords: Smart Home, Home Assistant, zero trust security model, zero trust explained, zero trust network, zero trust network access, zero trust security, zero trust implementation, zero trust vs vpn, vpn explained, vpn, twingate reviews, twingate demo, twingate vpn, remote access computer anywhere, remote access windows 10, remote access tool, remote access ipad, remote access mac from iphone, remote access server, remote access mac from pc
Id: KLb-iY6hcNg
Length: 25min 40sec (1540 seconds)
Published: Sun Apr 03 2022