Hi, I'm Alex from Tailscale and in today's video we're going to talk about Home Assistant, specifically remote access via Tailscale. Home Assistant is one of my absolute favourite free and open source software projects. It lets me connect the Hue bulb above my head to the robot vacuum downstairs to my garage door. Why would I want to do that? Why wouldn't you want to do that? Today we're going to talk about accessing Home Assistant remotely over Tailscale, specifically using the unofficial add-on maintained by Frank, who's one of the Home Assistant developers. I find this most useful when I'm in that kind of Wi-Fi grey zone, just a few feet outside my Wi-Fi range, where my phone doesn't really quite know what's going on. If I'm connected over Tailscale, it doesn't matter if I'm on 5G or on Wi-Fi. And if you already have a working fully qualified domain name set up with Home Assistant, I'll show you how to get that working with Tailscale as well.

So I'm going to show you how to install Tailscale on a completely fresh Home Assistant system right here. In the bottom left-hand corner, click on Settings, then go to Add-ons, which is the fifth option in this list. Next, go ahead and click on Add-on Store. Just to be sure, click on Check for updates first and then search for Tailscale. Now we can go ahead and click on Install Tailscale. What this is going to do in the background is pull down a Docker container. When you run Home Assistant OS, which is what I'm doing here, it's a fully encapsulated system, so all of the add-ons that get installed are containers running underneath on Home Assistant OS. Once that's downloaded, go ahead and click on Start and then click on the Open Web UI button. This is going to ask us to re-authenticate, although technically all we're doing is just authenticating. Next it's going to follow the standard Tailscale auth procedure.
So click on Sign in with Google and follow the standard prompts that you're very used to by this point if you've used Tailscale before. And then in the console, we can see right away that we've now got Home Assistant showing up. So that's how easy it is to connect Tailscale with Home Assistant. Now if we go back to the add-on web UI, we can see that the Home Assistant node is now showing up in the web UI as well, and it's pretty happy about what's going on here. So now we have Tailscale installed on Home Assistant. Let's go ahead and try and connect to it.

We're going to just jump into a new tab right here and use the fully qualified domain name that gets assigned to Home Assistant when it joins the tailnet. By the way, every single tailnet gets a domain through this DNS option up here. So my tailnet name is velociraptor-noodlefish.ts.net. Every tailnet gets one of these fully qualified domain names for free. You can go ahead and rename yours and roll the dice to come up with your own automatically generated name in the DNS tab over here. But when a node gets added to the tailnet, it automatically gets a fully qualified domain name that matches the name of the machine and then appends the velociraptor bit to it. So if I want to actually connect to Home Assistant right now, I still need to use a port. And that's because we haven't enabled Tailscale Serve through the proxy yet. But you can see that this works. I'm able to connect to Home Assistant using port 8123, as you would do if you were using a normal IP address. This is cool, first of all, because this will work from any Tailscale device, whether it's in the same physical network or not. So if you're troubleshooting a remote system or something like that, you can use this option to connect to Tailscale remotely. No proxy is required. But I want to take this a step further and actually get us a proper TLS certificate. So this is going to be a little more involved, but it's not too bad.
Under Home Assistant, we're going to go ahead now and install another add-on. So I'm going to go ahead and install the Visual Studio Code Server add-on. You just type the word studio into the search box and click Install. This will take a moment to download the container underneath; it's quite a big one. But while that's doing its thing, I'm going to go ahead and go back to the Tailscale add-on that we installed earlier and just grab the piece of configuration that we're going to need from the documentation. So the fastest way to do it is to go to the Tailscale add-on's documentation page, do a Command-F or Ctrl-F and search the page for 127.0. And there you go. We just need these four lines of configuration here. As you can see, Home Assistant by default blocks connections from untrusted proxies such as the Tailscale proxy. In this case, we're going to add 127.0.0.1 as a trusted proxy in the list here. So I'm going to go ahead and copy this to my clipboard, and hopefully by this point the Visual Studio Code add-on has downloaded. I'm going to go ahead and click on Start and then also Show in sidebar. Once this has started up, just give it a second, I'm going to click on the menu button on the left-hand side, Studio Code Server. And you can see we're basically in Visual Studio Code, but in a browser, and this is running directly on Home Assistant and has access to your configuration files and what have you underneath. All we need to do is paste those four lines into our configuration.yaml file and restart Home Assistant. So I've pasted the four lines. I'm going to go to the hamburger menu up here, click Save, and then Settings and restart Home Assistant. Restarting Home Assistant can take anywhere from a few seconds to a minute or two, depending on how many devices you have. But once Home Assistant is back up and running, we want to go back to the add-on section and, under Tailscale, we're going to have to go to the Configuration tab for the add-on.
Next, click on Show unused optional configuration options and click on Tailscale proxy. This is going to turn on Tailscale Serve, which is what will automatically generate you a TLS certificate using Let's Encrypt for your tailnet.ts.net tailnet name. So if I click on Save here, it will take a moment, but it's going to restart the Tailscale add-on. And so now I should be able to go to https:// followed by the Home Assistant machine name and my velociraptor-noodlefish.ts.net tailnet name, and it's going to load my entire Home Assistant instance over Tailscale with a TLS certificate using the name from my tailnet. And I can log in just as if I was using the IP address and port number that I was before. And you can use this name from anywhere on your tailnet. So any device that's connected to your tailnet, such as a phone, for example, can now connect to Home Assistant, whether you're in the house or whether you're at the coffee shop or whether you're in Iceland looking at volcanoes. It doesn't really matter where you are. I find this particularly useful when I'm in that grey zone just in and around my house, just about on Wi-Fi, but not quite. And sometimes I just need my phone to open the garage door or turn off the lights or whatever it is that I forgot to do before I left the house. And I can now connect using Tailscale to my Home Assistant instance, whether I'm in the house or not.

So this works well if you want to use the ts.net entry. But what if you already have a fully qualified domain name and a reverse proxy setup that you're happy with? Well, we can actually slot Tailscale into that existing setup as well. In my previous video, I showed you how to use Caddy and CNAMEs in Cloudflare to do this. But today we're going to use a self-contained solution, or at least mostly self-contained, running all on Home Assistant itself. So there are a couple of extra add-ons we're going to need here. First is the Let's Encrypt add-on. So let's get that installed. And then next is this Nginx Home Assistant SSL proxy add-on.
Now, most of you probably watching this section already have this stuff configured, but in case you don't, Let's Encrypt is a way to automatically generate certificates, and the Tailscale proxy piece, the Tailscale Serve thing that we did earlier, is doing this for you automatically underneath. This part is only required if you want to use your own domain name, so alexshouse.com or whatever you want to do. Now, under the Let's Encrypt add-on configuration, I'm going to click on the three-dot menu here. Now, if you're not familiar with how to generate a Cloudflare API token, head over to your Cloudflare dashboard, get logged in and click on the My Profile option up here in the top right. And then over here on the left, click on API Tokens. And the permissions I generated with this scoped token were zone read, zone edit and then DNS edit. I had some questions about that in the last video. So I'm going to roll the token so I get a fresh one and click on Copy. I'm then going to put this into this box just here under API token. Click on Save. And now it's worth noting that this specific configuration snippet, which will be linked in the description, by the way, will work just fine with Cloudflare. If you're using a different DNS provider for your ACME challenge, your Let's Encrypt challenge, you will need to modify this snippet slightly. Just, you know, you can see it's Cloudflare-specific stuff here. You don't have to use Cloudflare, but it's just the one that I'm using and that I'm the most familiar with. So let's go back to Let's Encrypt and start this up. Rolling Stones song, initiate, and it's going to generate me a new certificate here. So it's going to go ahead and request a certificate in real time. And if we look in the Cloudflare dashboard in just a second, under the dotsandstuff.dev domain name we should actually see the ACME challenge happening in real time.
So this is how Let's Encrypt is verifying my ownership of ha.dotsandstuff.dev. It's actually using this token just here. Now, if we dig into the configuration a little further, I didn't actually point this out, did I? The domain name that we're going to register today is ha.dotsandstuff.dev, and this is what's happening underneath in the Let's Encrypt add-on. And now we have a Let's Encrypt certificate ready to go for this domain name. The next thing we're going to want to do is configure DNS. Now, I'm going to presume that most of you probably have some kind of a local DNS server, Pi-hole or something like that, running in your network. If you don't, though, you can actually use the Tailscale split DNS feature for specific name servers. I'm going to go ahead and click on Custom just here and put in the IP address of the actual Home Assistant instance itself. So in this case, I'm going to go to Settings, System, Network, click on the three-dot menu here and click on IP information. Why is that not just shown at the bottom of the page? Anyway, I digress. 192.168.101.11 is the value that we need. I'm going to go and put this in here and then click on split DNS. This is the magic sauce. So if I put ha.dotsandstuff.dev in here, any time I make a request when I'm connected to my tailnet, the DNS server that gets configured as part of your Tailscale network will automatically route requests to that IP address. Now, the keen-eyed amongst you will have noticed that 192.168.101.11 is not a Tailscale address. We're going to have to enable the subnet routing feature on our Home Assistant box to do this. Now, thankfully, the add-on already requests subnet routing and exit node features out of the box. If you want to tweak that, by the way, you can do that: if you go into the add-on's configuration section over here and then Show unused options, there's a bunch of stuff. You can configure Funnel if you want to expose this to the Internet.
Without any of this stuff, I really wouldn't recommend exposing your Home Assistant instance to the wider Internet, by the way. There's just no need with Tailscale. There are a bunch of other options, like I say, in here. We already enabled the Tailscale proxy earlier, but this is where you would configure all sorts of other stuff, like accepting routes, advertising as an exit node and advertising the subnet routes. But by default, the add-on actually requests the Home Assistant subnet that it's in. So we can see here in the Tailscale dashboard, if I click on the three-dot menu here, Edit route settings, it's asking to route the .101.0 subnet anyway. So if I go ahead and click on Save, what this is going to allow us to do is actually connect to the Home Assistant front end from anywhere else on our tailnet. Word of caution: this will also enable us to connect to any other device on that subnet, so just be aware there are a couple of security implications there. And then the final thing that we're going to need to do is actually go ahead and configure our Nginx proxy. Now, under the Configuration tab that's here, we're going to need to put in ha.dotsandstuff.dev and click on Save. We are going to need to add this Nginx proxy to our Home Assistant configuration as well, as another trusted proxy. This is exactly the same as we did in the previous step for the Tailscale proxy. I'm just going to paste this into my configuration.yaml, save this file and then restart Home Assistant. Once that's done, I'm going to go ahead and go back to the add-ons page, make sure Start on boot is checked, and I'm also going to enable the watchdog so that if it crashes, it comes back up again, and then click on Start. And hopefully now if I go to ha.dotsandstuff.dev, we get the Home Assistant web page. Gosh, that was an excruciatingly long pause as it loaded there. And there we go. So what's happened here?
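The trusted-proxy entries added above, first for the Tailscale proxy and then for the Nginx add-on, are the part that is easy to get wrong, so here is an added audit of the `http:` block (my own example, not the add-on's or Home Assistant's code): it reads the block, checks `use_x_forwarded_for`, and flags any `trusted_proxies` entry broad enough that an ordinary client, rather than the proxy, could set X-Forwarded-For itself. The `172.30.33.0/24` Supervisor network used for the Nginx add-on is an assumption; take the exact value from that add-on's documentation.

```python
import ipaddress

# Constructed sample: the loopback entry the Tailscale add-on docs ask for, the
# Supervisor docker network the Nginx add-on sits on (assumed), and one bad entry.
SAMPLE_CONFIG = """\
http:
  use_x_forwarded_for: true
  trusted_proxies:
    - 127.0.0.1
    - 172.30.33.0/24
    - 0.0.0.0/0
"""

def parse_http_block(text):
    """Read the flat `http:` block only; this is not a general YAML parser."""
    http, in_http, current = {}, False, None
    for raw in text.splitlines():
        stripped = raw.strip()
        if not stripped or stripped.startswith("#"):
            continue
        if not raw[0].isspace():  # a new top-level key starts here
            in_http, current = stripped == "http:", None
        elif in_http and stripped.startswith("- ") and current is not None:
            current.append(stripped[2:].strip())
        elif in_http:
            key, _, value = stripped.partition(":")
            current = None if value.strip() else http.setdefault(key, [])
            if value.strip():
                http[key] = value.strip()
    return http

def audit_trusted_proxies(text):
    """Return findings as strings; an empty list means the block looks sane."""
    http = parse_http_block(text)
    findings = []
    if str(http.get("use_x_forwarded_for", "")).lower() != "true":
        findings.append("use_x_forwarded_for must be true, otherwise every proxied "
                        "login is logged and throttled as coming from the proxy itself")
    for entry in http.get("trusted_proxies", []):
        try:
            net = ipaddress.ip_network(entry, strict=False)
        except ValueError:
            findings.append(f"{entry}: not a valid address or CIDR")
            continue
        if net.prefixlen < (24 if net.version == 4 else 64):  # wider than one LAN
            findings.append(f"{entry}: too broad, any client in that range could "
                            "forge X-Forwarded-For and sidestep ip_ban/login throttling")
        elif not (net.is_loopback or net.is_private):
            findings.append(f"{entry}: public range, a reverse proxy should be local")
    return findings
```

Run it over your real configuration.yaml before restarting Home Assistant; anything other than the proxy containers' own addresses should come back as a finding.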
We are connected through the Nginx reverse proxy running on Home Assistant, using the subnet routing functionality of Tailscale to route the packets from a Tailscale-connected device such as this laptop over your tailnet to Home Assistant using a custom domain. And we are also using one of the more advanced features of Tailscale under the DNS section, called split DNS. And you can actually use this pretty much as a hack to use Tailscale as a fully fledged DNS server if you'd like, and use split DNS across multiple different systems. Now it is worth noting at this point that the Home Assistant project also, through their Nabu Casa project, offers a subscription, I think it's $6 a month, to give you a cloud URL, a very long obfuscated one, that is publicly routable across the public internet. Now I personally don't use the URL option; I just route everything over Tailscale. But I do support the Home Assistant project because I just think it's such a critical piece of infrastructure in our modern smart homes. So if you'd like to know more about self-hosting services and remotely accessing them over Tailscale, there'll be a video on screen somewhere right about now. I did a video on it a couple of weeks ago using Caddy as a reverse proxy and using Cloudflare with a CNAME to do just that. So thank you so much for watching. I hope you found some utility in today's video. Go ahead and support the Home Assistant project. It's just a fantastic piece of software. Until next time, I've been Alex from Tailscale.
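Since accepting the subnet route exposes the whole 192.168.101.0/24 to every device on the tailnet, as the video warns, this added example (not Tailscale's or the add-on's code) places the wide grant beside a narrowed Tailscale ACL that only admits the Home Assistant host on 8123 and 443, with a simplified evaluator to compare the two. Port 443 for the Nginx add-on is an assumption, and the evaluator only understands IP, CIDR and `*` hosts, not users, groups or tags.

```python
import ipaddress

# Constructed policies (Tailscale ACL JSON written as Python dicts).  WIDE is what
# simply accepting the advertised route grants under a permissive policy: every
# member reaches every port on every host in 192.168.101.0/24.  NARROW admits
# only the Home Assistant host on 8123 (direct) and 443 (Nginx add-on; assumed).
WIDE_POLICY = {"acls": [
    {"action": "accept", "src": ["*"], "dst": ["192.168.101.0/24:*"]},
]}
NARROW_POLICY = {"acls": [
    {"action": "accept", "src": ["*"], "dst": ["192.168.101.11:8123,443"]},
]}

def _host_matches(pattern, ip):
    """'*' or an IP/CIDR literal; users, groups and tags are not modelled."""
    if pattern == "*":
        return True
    return ipaddress.ip_address(ip) in ipaddress.ip_network(pattern, strict=False)

def _port_matches(pattern, port):
    """'*', a single port, a range 'lo-hi', or a comma-separated list of those."""
    for part in pattern.split(","):
        if part == "*":
            return True
        lo, _, hi = part.partition("-")
        if int(lo) <= port <= int(hi or lo):
            return True
    return False

def allowed(policy, src_ip, dst_ip, dst_port):
    """Simplified Tailscale ACL check: any matching accept rule wins, else deny."""
    for rule in policy["acls"]:
        if rule["action"] != "accept":
            continue
        if not any(_host_matches(s, src_ip) for s in rule["src"]):
            continue
        for dst in rule["dst"]:
            host, _, ports = dst.rpartition(":")
            if _host_matches(host, dst_ip) and _port_matches(ports, dst_port):
                return True
    return False  # Tailscale ACLs are default-deny once a policy is in place
```

With the narrow policy a phone on the tailnet still reaches the Home Assistant front end, but not the NAS, printer or anything else that happens to share the subnet.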