Architecture

Home Assistant VPN

You want to check on or control your smart home from outside your house, without exposing Home Assistant directly to the internet.

COSTFrom around £4/month for the VPS AUDIENCEHome

The problem

Home Assistant is designed to run on your home network, close to your smart devices. That is great for reliability, but it means there is nothing reachable from outside your house by default – which is exactly the point, until you want to check your cameras or turn the heating on before you get home.

The tempting shortcut is to forward a port on your router straight to Home Assistant. Do not. That puts your entire smart home dashboard directly on the public internet, one vulnerability away from a stranger controlling your locks.

The architecture

A small VPS sits between you and your home network as a WireGuard relay. Your Home Assistant box at home holds an outbound WireGuard tunnel to the VPS. Your phone holds a second WireGuard tunnel to the same VPS. The VPS routes traffic between the two – nothing about Home Assistant itself is ever exposed to the public internet.

  • VPS: runs WireGuard only – no need to run Home Assistant itself remotely
  • Home network: Home Assistant plus a WireGuard client holding the tunnel open
  • Your phone: WireGuard client, connects through the VPS whenever you are away from home

What you need

  • A VPS running WireGuard – a £4/month tier is enough
  • Home Assistant already running at home
  • 15-20 minutes to generate keys and write three short config files

Security considerations

Only the VPS has a public IP exposed to the internet, and it runs nothing but WireGuard – there is no web server or dashboard listening for anyone to attack. Restrict the WireGuard peer configuration so your phone can only reach Home Assistant’s IP and port, not your entire home subnet.

Backup considerations

Back up the WireGuard configs from all three points (VPS, home gateway, phone) alongside your normal Home Assistant snapshot routine. If the VPS is lost, a fresh one with the same config files is back up within minutes – the VPS holds no Home Assistant data itself.

Frequently Asked Questions

Do I need a static IP at home?

No. The VPS gives you a stable public address, your home connection just needs to maintain an outbound WireGuard tunnel to it - this works fine behind CGNAT.

Is this the same as using Nabu Casa?

Conceptually similar - both give secure remote access without forwarding ports - but here you control the server, the cost, and the data path.

Does this slow down Home Assistant?

No noticeable difference for typical dashboard and automation use. WireGuard's overhead is small enough that a £4 VPS keeps up easily.