Port forwarding seems simple, but it's a massive security risk for your smart home. Anyone wanting to access Home Assistant and similar services from the internet needs more than just a strong password. In this video I show you why – and which alternatives are significantly safer.
I’ve been diving deep into the topic of remote access to smart home systems lately – and one thing quickly becomes clear: there are now quite a few interesting options available, depending on your security needs, budget, and technical expertise.
Which makes it all the more alarming that many users still simply rely on port forwarding to make their home network services accessible from the internet. Why is that dangerous? Let’s take a closer look.
Hi and welcome! My name is Joachim and this is Smart Home? But Secure! I originally just wanted to put together a video showing you how I’ve been handling secure remote access to Home Assistant for years.
But in my research, I realized: there are now quite a few ways to solve the remote access problem elegantly and securely. Yet there are still a large number of users who rely on simple port forwarding to access their smart home systems while on the go. And honestly, that surprised me a bit.
If you’re thinking: “Sure, old news – you don’t need to explain that to me!” – then I’d invite you to subscribe to the channel. I have a feeling this topic has potential for more than one video, and there will definitely be a few more technical deep-dives to come.
But if you’re thinking: “Huh? What’s actually the problem with port forwarding?” – then let’s take a closer look right now.
Why Port Forwarding Is So Popular
First of all: it’s understandable why so many users go this route. It’s simple, quick to set up, and generally involves no additional costs.
And even the problem of a dynamic IP address can be solved quickly using a dynamic DNS service. But:
You have to be aware of what you’re doing: you’re putting your service – for example Home Assistant or OpenHAB – directly onto the internet, exposed exactly the same way it is on your local network.
First Risk: The Protection Layer of Your Home Network Disappears
Even if you’ve set a strong password for your service: your home network itself is an additional layer of protection. In general, far fewer malicious actors are lurking there than on the open internet.
With port forwarding, you remove exactly that protective layer. Your service is now directly reachable from the internet – for millions of users, hackers, and other bad actors.
And even if you use a secure password and 2FA – nobody can guarantee that a new security vulnerability doesn’t already exist that bypasses authentication entirely. Sure, you can install updates diligently, but those only protect against known and already-patched vulnerabilities.
That’s why you should replace that second protective layer – your home network – with something else whenever you want to expose your services on the internet.
Second Risk: Unencrypted Connections
There’s another factor to consider. As soon as your data travels over the internet, it must be encrypted – otherwise anyone can read or manipulate it.
Take Home Assistant as an example: the default connection is not encrypted. If you simply open a port to the internet, access is unsecured – just like at home, where that’s usually less of a concern.
Of course, you can secure it – for example with a free Let’s Encrypt certificate. But that means additional software and configuration. The “simple” port forwarding quickly turns into a complex software project – and that makes it not only more error-prone but often more insecure as well. A vicious cycle.
My Recommendation
My clear recommendation: don’t use port forwarding to make your smart home accessible from the internet.
Even if you don’t have particularly high security requirements, there are better alternatives:
VPN
If you have a FRITZ!Box or another router that supports it, a VPN can be a great choice. It’s free, significantly more secure, and usually easy to set up. The VPN authentication provides the second protective layer that I believe is so important for internet access.
Home Assistant Cloud
The service from the HA team at Nabu Casa is easy to set up and takes care of encryption for you. You don’t have to deal with dynamic DNS either. But: it costs a monthly subscription fee – though at least that money goes to the company developing Home Assistant. The downside is that the second protective layer is still missing – the login screen is directly reachable from the internet, which you’ll quickly notice from “login failed” messages in your Home Assistant log.
Cloudflare
Reverse proxies such as Cloudflare: here you build an encrypted tunnel from your home network to the proxy. There are already many great videos about this from the big smart home channels on YouTube, but I strongly recommend enabling an additional authentication layer on the proxy (called “Access” in Cloudflare) – that gives you your second protective layer here as well. Cloudflare is a US-based provider, which may be a dealbreaker for those with privacy concerns. In my research I haven’t found a comparable European alternative – if you know of one, let me know in the comments!
Twingate
Twingate is a provider that enables zero-trust networking and promises a modern VPN alternative. Setup is surprisingly straightforward, clients are available for all platforms, and access to individual services can be controlled in a very granular way. Even though the service is primarily aimed at businesses, it can be interesting in a smart home context – especially if you want to secure multiple devices or users.
Tailscale
Tailscale takes a different approach: using WireGuard, it builds a private mesh network in which all your devices can reach each other directly – wherever they are. Particularly interesting is the newer Tailscale Funnel feature: it lets you expose a home network service publicly over the internet, including HTTPS and access control. Funnel isn’t available everywhere yet, but it’s a promising approach – especially for technically minded users.
I haven’t taken a closer look at either of these two options (Twingate and Tailscale) myself yet.
What role does remote access play in your smart home setup? Which solution are you using – or which one are you considering? Leave a comment below.
What I Use Personally
I’ve set up my own reverse proxy with the German hosting provider netcup. From my home network I establish an SSH tunnel that exposes only selected services toward the reverse proxy. The proxy itself is responsible for authentication and controls who can access what. I’ve configured it so that a client certificate is required for authentication. That’s how I’ve implemented my second protective layer – without opening any ports. At the same time it’s incredibly convenient, because authentication happens in the background and I don’t need to connect to a VPN or enter additional passwords. It’s certainly not the right solution for everyone – but for technically experienced users, it’s in my opinion a very elegant approach for the level of protection it provides.
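A setup like the one described above could look as follows on the proxy side. This is an added example, not the author's own configuration: it assumes nginx as the reverse proxy and Home Assistant on its default port 8123, and the hostnames, user name, certificate paths and tunnel port 18123 are placeholders.

```nginx
# Added example (assumption: nginx on the rented server; all names are placeholders).
#
# The tunnel is opened outbound from the home network, so no router port is opened:
#   ssh -N -R 127.0.0.1:18123:homeassistant.local:8123 tunnel@vps.example.org
# Binding the forwarded port to 127.0.0.1 keeps it unreachable from the internet;
# only nginx running on the same server can connect to it.

server {
    listen 443 ssl;
    server_name ha.example.org;

    # Server certificate (for example from Let's Encrypt) encrypts the connection
    ssl_certificate     /etc/letsencrypt/live/ha.example.org/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/ha.example.org/privkey.pem;

    # Second protective layer: the request is only proxied if the client
    # presents a certificate issued by your own private CA
    ssl_client_certificate /etc/nginx/client-ca.pem;
    ssl_verify_client on;

    location / {
        # Tunnel endpoint created by the ssh -R command above
        proxy_pass http://127.0.0.1:18123;
        proxy_http_version 1.1;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $remote_addr;

        # The Home Assistant frontend uses WebSockets
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
    }
}
```

With `ssl_verify_client on`, a request without a valid client certificate is answered by nginx with an error and never reaches the Home Assistant login screen. Home Assistant only accepts the `X-Forwarded-For` header if `use_x_forwarded_for: true` is set and the host the tunnel connects from is listed under `trusted_proxies` in its `http:` configuration.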
Netcup is a German hosting provider I’ve been a customer of since 2011 — now with nine products (domains, web hosting, vServers and root servers). I’ve been consistently satisfied over all those years. I particularly want to highlight the reliable infrastructure, excellent support, and transparent pricing.
A real standout feature: special offers at Netcup are often permanent. That sets Netcup clearly apart from other providers where the price typically rises after the first year.