Secure remote access to Home Assistant using Tor

Routers and gateways provided by broadband internet providers are very often limited in their features and configuration options. Most of these limitations affect exactly the things that would let a user set up port forwarding, a DMZ, or DHCP reservations, because the providers assume the average user does not want to (or should not) deal with them. Making your Home Assistant instance available remotely (and securely) then becomes harder. Are you one of those unlucky ones?

There are a couple of options for making a Home Assistant instance reachable remotely (and securely). However, almost all of them require you to open one or more ports on your router, expose a public IP address, and reserve a fixed IP in your DHCP server (or configure a static IP address). Examples are:

  • A combination of DuckDNS (or similar), Let's Encrypt (SSL), a DHCP reservation, and forwarding a port to the device running Home Assistant.
  • Setting up a VPN, which often requires more hardware and software. It also still requires port forwarding, a DHCP reservation and most likely DuckDNS (or similar).
  • SSH tunnelling, which still requires port forwarding, a DHCP reservation and most likely (yes, you guessed it) DuckDNS (or similar).

There is, however, another option that most people do not realize exists: Tor. Tor offers a feature it calls hidden services (now also known as onion services), which lets you reach your Home Assistant installation securely without any of the above: no need to forward and open ports, no need to expose your public IP, no DNS entry, no need for SSL certificates (traffic to a hidden service is already end-to-end encrypted inside the Tor protocol), and no need to assign a fixed IP to the device running Home Assistant.

The most amazing part? It is super easy to set up!

Setting up Tor

The setup is straightforward:

  1. Install Tor. On a Debian-based system: $ sudo apt-get install tor. On Fedora: $ sudo dnf install tor

  2. Edit Tor's main configuration file /etc/tor/torrc and add the following lines to the hidden-service section (the HiddenServicePort line maps port 80 on the onion address to Home Assistant listening on 127.0.0.1:8123; the comment lines are already present in the default torrc):

    ############### This section is just for location-hidden services ###
    
    ## Once you have configured a hidden service, you can look at the
    ## contents of the file ".../hidden_service/hostname" for the address
    ## to tell people.
    ...
    HiddenServiceDir /var/lib/tor/homeassistant/
    HiddenServicePort 80 127.0.0.1:8123
    ...
  3. Restart Tor: $ sudo systemctl restart tor

  4. Tor writes a hostname file into the HiddenServiceDir. It contains the .onion address you use to reach your installation (the directory is only readable by the tor user, hence the sudo):

    $ sudo cat /var/lib/tor/homeassistant/hostname
    abcdef1234567890.onion

Tor add-on for Hass.io

Franck Nijhof (@frenck) created the Tor add-on for Hass.io. This add-on makes installation and setup extremely simple. Go to the Hass.io panel, then to the Store, paste https://github.com/hassio-addons/repository into the Add-on Repositories text box and save it.

A new entry, Tor, will show up in the list of add-ons. Click it to install it. The configuration is done under Options; please refer to the add-on's configuration documentation for further details. The sample below is the default configuration (its "8123:80" entry corresponds to the HiddenServicePort mapping shown in the torrc above):

{
  "log_level": "info",
  "socks": false,
  "hidden_services": true,
  "stealth": false,
  "client_names": [],
  "ports": [
    "8123:80"
  ]
}

When you are done, press Save and then Start. The Log section shows what the add-on is doing. Watch for an entry like the one below, which tells you your hostname on the Tor network.

INFO: -----------------------------------------------------------
INFO: Your Home Assistant instance is available on Tor!
INFO: Address: abcdef1234567890.onion
INFO: -----------------------------------------------------------

Don't worry if you missed it; restarting the add-on displays it again. The details are also stored in the /ssl/tor/hidden_service/hostname file.

Tor clients

To access your Home Assistant via the Tor hidden service, you need a Tor client. Multiple clients are available for different devices and platforms. The Tor Browser is by far the simplest option and is available for Windows, macOS and Linux.

Simply download and install the Tor Browser, start it, and enter the "dot onion" address you obtained in the earlier steps (abcdef1234567890.onion in this case). Voilà!

Some other clients:

Cranking up security

The setup described in this blog post is easy and relatively secure, but anyone who knows your .onion address can still connect to your Home Assistant instance (remember to set a password!). With all the discussion about putting IoT devices on the Tor network, you may want to add an extra layer of defense, especially if you are going to be the only one using it. Tor offers an additional layer of security called "Hidden Service Authentication", usually referred to as "stealth" mode.

Stealth mode adds an extra layer of security to your hidden service: the service only responds to a client that presents a unique secret cookie when it connects, and each authorised client gets its own onion address. This obviously requires additional configuration on the Tor clients. Note that this mechanism belongs to the older (v2) onion-service protocol, which recent Tor releases no longer support; v3 onion services offer equivalent client authorization through a different configuration.
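The two halves of a stealth configuration, as an added example that is not code from the original post or from the Tor project: the server-side torrc stanza that names the authorised clients, and a helper that turns the per-client lines Tor then writes into the hostname file into the HidServAuth line each client puts into its own torrc. This is the legacy v2 mechanism (HiddenServiceAuthorizeClient / HidServAuth) the post describes; current Tor only supports v3 services, whose client authorisation uses a different configuration (authorized_clients/ under HiddenServiceDir on the server, ClientOnionAuthDir on the client). The client names, addresses and cookies are made up.

```shell
#!/bin/sh
# Added example, not code from the original post: helpers for the stealth
# (client-authorised) mode described above. This is the legacy v2 onion-service
# mechanism (HiddenServiceAuthorizeClient / HidServAuth); current Tor releases
# only support v3 services, whose client authorisation is configured differently
# (authorized_clients/ under HiddenServiceDir on the server, ClientOnionAuthDir
# on the client). Names, addresses and cookies below are constructed.

# Server side: the stanza for torrc. HiddenServiceAuthorizeClient must follow
# the HiddenServiceDir it belongs to; with "stealth", tor derives a separate
# onion address and descriptor cookie for every client named here.
render_stealth_stanza() {
    dir="$1"; mapping="$2"; shift 2
    names=$(printf '%s,' "$@"); names="${names%,}"
    printf 'HiddenServiceDir %s\n' "$dir"
    printf 'HiddenServicePort %s\n' "$mapping"
    printf 'HiddenServiceAuthorizeClient stealth %s\n' "$names"
}

# What tor then writes to <HiddenServiceDir>/hostname, one line per client:
#   <address>.onion <descriptor-cookie> # client: <name>
# Constructed sample in that layout (not a real file):
SAMPLE_HOSTNAME_FILE='abcdef1234567890.onion AAAAAAAAAAAAAAAAAAAAAB # client: laptop
bcdefg1234567890.onion BBBBBBBBBBBBBBBBBBBBBC # client: phone'

# Client side: read a hostname file on stdin and print the HidServAuth line
# that goes into the named client's own torrc. Fails if no line for that
# client exists, so a typo cannot silently hand out another client's cookie.
hidservauth_line() {
    want="$1"
    while read -r addr cookie hash label name; do
        [ "$hash" = "#" ] && [ "$label" = "client:" ] && [ "$name" = "$want" ] || continue
        printf 'HidServAuth %s %s\n' "$addr" "$cookie"
        return 0
    done
    return 1
}

# Example run: server stanza for two clients, then the client line for "phone".
render_stealth_stanza /var/lib/tor/homeassistant/ '80 127.0.0.1:8123' laptop phone
printf '%s\n' "$SAMPLE_HOSTNAME_FILE" | hidservauth_line phone
```

Hand each client only its own line (over a channel you trust, not over the .onion you are trying to protect); the cookie is the whole secret, and since every client has a distinct address, revoking one client means dropping its name from HiddenServiceAuthorizeClient and restarting Tor.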

The Tor Project provides details on these and many other topics in its documentation.