You are over complicating it. I suggest starting out with some sort of VPN. Wireguard is super simple to setup with a wg-easy container
this post was submitted on 09 Mar 2025
19 points (95.2% liked)
homeassistant
13617 readers
180 users here now
Home Assistant is open source home automation that puts local control and privacy first. Powered by a worldwide community of tinkerers and DIY enthusiasts. Perfect to run on a Raspberry Pi or a local server. Available for free at home-assistant.io
founded 2 years ago
MODERATORS
Plus one for the wg-easy container. It's dead simple!
HA on your private network. Tailscale or Wireguard into that network. Problem solved.
Tailscale is magic for me. It just works.
Just run HA on the network you prefer and add firewall rules to cross to the other network as needed. Don't need to overcomplicate things!
If vanilla Wireguard is too complicated to set up for you: try tailscale.
If you don't trust the central tailscale server: rent a vps and set up headscale on that.
I pay what I consider a pretty affordable price for this ($65/yr), and support HA dev community. It also allows auto-syncing devices to my Google Assistants. No affiliation but an easy way to get something more and give a little back.
I am not sure how two synced HA instances (if that's even possible) would help. You would need to allow your IoT devices to be accessible by the Home Assistant instance you want to use with your personal devices. If that seems like a risk to you, then why not run HA in the DMZ alltogether?
You can configure HA to use an external database, so you could (presumably) config two instances to use the same DB. Not sure how much conflict that would cause for entities that are only attached to one of those instances, but it seems like both should have the same access to state data and history. Could probably even set one instance up with read-only DB access to limit data conflicts, although I imagine HA will complain about that.
Even with an external database, HA still uses its internal DB for some things, so I don't think you'd ever get identically mirrored instances.
Theres a subscription for this that works kinda like that.
Otherwise a vpn into your hone network gives you access from your devices. Maybe your router already supports this, otherwise tailscale or zerotier and similar can be a good solution.
I dont have issues exposing my ha to the internet through caddy, but i filter traffic based on country of origin (geoip2). Used to have separate auth in front but i removed that a few months ago
Edit: not too much use of running two containers if you expose the same storage to both. Better option would be to have two reverse proxies, one for local and one for internet, both proxyinf the same ha instance. That way you can get ha on normal https port with certs.
Imo you are pretty safe with a reverse proxy with an extra layer of security.
A DMZ is a decent idea, but you can do the same thing with vLAN and it would be less of a PITA.
I recommend just doing a vLAN and disable outside connection to your network. Use Wireguard to VPN in, and access local services via the VPN.
For notifications, you can use Gotify.
I’m thinking about the possibility of running two containers, one on my trusted network and one on my DMZ. I could sync them up or give them access to the same storage areas maybe.
It is, but it could/would cause huge complications when both containers attempt to access the same resource which is already in use. I wouldn't recommend running 2 containers from in the same location. It's a bit antithetical to what docker is used for.
Not sure about linking 2 HAs together, that could get complicated real quick.
If you have your DMZ setup, put HA in that and only allow web access from your main network. Also with camera, there is a feature to allow direct access if you and the camera are on the same network.
Why not use cloudflare with client certs?