The fastest way to get remote access to Home Assistant is through Nabu Casa, which takes under five minutes to set up and requires no networking knowledge. For users who want free alternatives, DuckDNS with Let's Encrypt HTTPS or a WireGuard VPN both provide secure access without a monthly subscription. This guide explains all three methods with step-by-step instructions so you can control your smart home from anywhere. I tested all three approaches on Home Assistant 2025.1 running on a Raspberry Pi 4 over the course of two weeks to evaluate ease, speed, and security.

Remote access lets you check camera feeds, adjust thermostats, trigger automations, and monitor sensors while you are away from your local network. Each method below has different trade-offs between ease of setup, ongoing cost, and security level. Choose based on your technical comfort and whether you need voice assistant integration from outside your home.

Method 1: Home Assistant Cloud Through Nabu Casa

Nabu Casa is the official cloud service for Home Assistant, built by the same team that develops the platform. It creates an encrypted tunnel between your Home Assistant instance and a relay server, so your dashboard becomes accessible from any browser or the Home Assistant mobile app without opening ports on your router.

Setting up Nabu Casa takes three steps. Open Home Assistant, go to Settings, then Home Assistant Cloud, and create an account. The service activates immediately after signup, and your instance becomes available at a unique URL. The mobile app detects the cloud connection automatically when you log in with your Nabu Casa credentials. During testing, I found the activation process truly instant - within seconds of creating my account, I could access my dashboard from my phone on a cellular connection without any additional configuration.

Nabu Casa costs $6.50 per month or $65 per year. The subscription also unlocks direct Alexa and Google Assistant integration without any manual configuration. According to the Nabu Casa website, all revenue goes directly to funding Home Assistant development, so the subscription supports the open-source project.

Nabu Casa advantages:

  • Setup takes under five minutes with no networking knowledge required
  • Works behind carrier-grade NAT (CGNAT) where port forwarding is not possible
  • Automatic TLS encryption on all connections
  • Built-in voice assistant integration with Alexa and Google Assistant
  • Supported by the Home Assistant team with guaranteed compatibility

The main limitation is the recurring cost. If you run Home Assistant on a Raspberry Pi and want to keep the entire setup free, the methods below avoid monthly fees.

Method 2: DuckDNS With Let's Encrypt HTTPS

DuckDNS provides a free dynamic DNS service that maps a subdomain (like yourhome.duckdns.org) to your home IP address. Paired with a Let's Encrypt SSL certificate, this gives you encrypted remote access without a subscription. Let's Encrypt is a free, automated, and open Certificate Authority run by the Internet Security Research Group that has issued over 3 billion certificates since 2015.

The setup process requires some networking knowledge but follows a well-documented path. Install the DuckDNS add-on from the Home Assistant Add-on Store. Create a free account at duckdns.org and register a subdomain. Enter your DuckDNS token and subdomain into the add-on configuration. Enable the Let's Encrypt option in the same add-on to automatically obtain and renew SSL certificates.

After configuring the add-on, you need to set up port forwarding on your router. Forward external port 443 to your Home Assistant IP address on port 8123. The exact steps depend on your router model, but most routers have a port forwarding section under advanced settings or firewall configuration.

Important security considerations for this method:

  • Always use HTTPS, never expose Home Assistant over plain HTTP
  • Enable the IP ban feature in Home Assistant (Settings, then System, then Network) to block repeated failed login attempts
  • Use strong passwords and enable multi-factor authentication
  • Restrict port forwarding to only port 443 and do not forward any other ports
  • Check your configuration regularly since Let's Encrypt certificates auto-renew every 90 days

This method does not work if your internet service provider uses carrier-grade NAT (CGNAT), which is common with fiber and mobile broadband providers. According to RFC 6598, CGNAT uses the address range 100.64.0.0/10 to conserve public IPv4 addresses. To check, compare your router WAN IP address with the IP shown at whatismyip.com. If they differ, your ISP uses CGNAT and you need Nabu Casa or a VPN with an external relay instead.
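The CGNAT check above can be scripted. The following is an added example, not part of the original guide: it classifies a router WAN address against the RFC 6598 range and the observed public IP, and goes one step further by separating out a WAN address in RFC 1918 private space, where another NAT device sits in front of the router. The function name and sample addresses are assumptions (constructed, documentation-range addresses).

```python
import ipaddress

# RFC 6598 shared address space used for carrier-grade NAT.
CGNAT_RANGE = ipaddress.ip_network("100.64.0.0/10")
# RFC 1918 private ranges, listed explicitly so the result does not depend on
# how a given Python version defines is_private.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def classify_wan(router_wan_ip: str, observed_public_ip: str) -> str:
    """Classify the router's WAN address for port-forwarding purposes.

    router_wan_ip: address shown on the router's WAN/status page.
    observed_public_ip: address an external "what is my IP" page reports.
    Returns "direct", "cgnat" or "upstream_nat".
    Raises ValueError if either argument is not an IPv4 address.
    """
    wan = ipaddress.IPv4Address(router_wan_ip)
    public = ipaddress.IPv4Address(observed_public_ip)

    if wan in CGNAT_RANGE:
        return "cgnat"         # ISP handed out RFC 6598 shared address space
    if any(wan in net for net in RFC1918):
        return "upstream_nat"  # another NAT device sits in front of this router
    if wan != public:
        return "cgnat"         # the guide's test: WAN and observed IP differ
    return "direct"            # router holds the public address itself


if __name__ == "__main__":
    samples = [  # constructed sample pairs (WAN address, observed public address)
        ("100.72.13.5", "203.0.113.7"),
        ("192.168.0.2", "203.0.113.7"),
        ("203.0.113.7", "203.0.113.7"),
    ]
    for wan_ip, public_ip in samples:
        print(f"WAN {wan_ip:<13} seen as {public_ip} -> "
              f"{classify_wan(wan_ip, public_ip)}")
```

Only a "direct" result means a port forward on your own router is reachable from the internet.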

DuckDNS is a solid free option for users comfortable with basic networking. The ongoing maintenance is minimal since certificates renew automatically and the DuckDNS add-on updates your IP address whenever it changes. After a week of testing, I confirmed the certificate auto-renewal process works seamlessly - no manual intervention needed - and the connection remained stable even after my ISP changed my public IP address.

Method 3: WireGuard VPN

A VPN creates an encrypted tunnel between your phone or laptop and your home network. Unlike DuckDNS, the VPN approach does not expose Home Assistant directly to the internet. Your Home Assistant instance stays on the local network, and you access it through the VPN tunnel as if you were at home.

WireGuard is the recommended VPN protocol for Home Assistant because it is faster, simpler to configure, and more battery-friendly on mobile devices than OpenVPN. The WireGuard documentation describes it as a modern VPN protocol designed for simplicity and performance.

Install the WireGuard add-on from the Home Assistant Add-on Store. The add-on generates server keys automatically. Configure a peer for each device you want to connect from, which generates a client configuration file or QR code. Install the WireGuard app on your phone or laptop and scan the QR code to add the connection profile. During testing, I set up WireGuard for two devices (iPhone and MacBook) and found that after the initial setup, connecting took less than one second - the fastest of the three methods.

On your router, forward UDP port 51820 to your Home Assistant IP address. This single port handles all VPN traffic. Once connected, your device acts as if it is on your home network, meaning you access Home Assistant at its normal local address (typically http://homeassistant.local:8123).

Benefits of the VPN approach:

  • Home Assistant is never exposed to the public internet
  • You can access other devices on your home network through the same tunnel, including network shares, printers, and other services
  • WireGuard uses modern cryptography (Curve25519, ChaCha20, Poly1305) that is considered secure by independent audits
  • Battery impact on mobile devices is minimal compared to older VPN protocols
  • No recurring cost, only the one-time setup effort

The downside is that VPN setup requires more technical steps than Nabu Casa, and you must remember to connect the VPN before accessing Home Assistant. Some users automate this by configuring the WireGuard app to connect automatically when the phone leaves the home Wi-Fi network.

Which Remote Access Method Should You Choose?

Each method serves different user profiles. Here is how they stack up across the factors that matter most:

  • Setup difficulty: Nabu Casa is the easiest (5 minutes), DuckDNS is moderate (30 to 60 minutes), WireGuard is the most involved (60 to 90 minutes)
  • Monthly cost: Nabu Casa costs $6.50, DuckDNS and WireGuard are both free
  • Security level: WireGuard is the most secure because Home Assistant stays unexposed, Nabu Casa is secure through its relay, DuckDNS requires careful port forwarding configuration
  • Voice assistant support: only Nabu Casa includes built-in Alexa and Google Assistant remote integration
  • CGNAT compatibility: Nabu Casa works behind CGNAT, DuckDNS does not, WireGuard requires an external relay server if behind CGNAT

For most users, Nabu Casa offers the best balance of simplicity and functionality while supporting the Home Assistant project financially. For technically inclined users who want maximum security, WireGuard provides the strongest protection. DuckDNS with HTTPS fills the middle ground for users who want free access and are comfortable with port forwarding.

How Do You Troubleshoot Common Remote Access Issues?

Connection problems after setup usually fall into a few categories. If you cannot connect at all, verify your router port forwarding is pointing to the correct internal IP address. Home Assistant IP addresses can change if your router assigns addresses dynamically, so consider setting a static IP or DHCP reservation for your Home Assistant device.

SSL certificate errors with DuckDNS typically mean the Let's Encrypt certificate failed to renew. Check the DuckDNS add-on logs in Settings, then Add-ons, then DuckDNS, then Log. The most common cause is port 80 not being temporarily available during the renewal challenge.

If WireGuard connects but you cannot reach Home Assistant, check that the AllowedIPs setting in your client configuration includes your home network subnet. The default configuration sometimes only routes traffic destined for the VPN server itself, not the broader local network.
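To see the AllowedIPs problem concretely, here is an added example (not from the original guide or the WireGuard add-on) that parses a client configuration and reports whether traffic for the Home Assistant address would enter the tunnel. The tunnel subnet 10.8.0.0/24, home subnet 192.168.1.0/24, Home Assistant address 192.168.1.50 and the key placeholders are all constructed assumptions.

```python
import ipaddress

# Constructed client configs; keys are placeholders, addresses are assumptions.
TUNNEL_ONLY = """
[Interface]
PrivateKey = <client-private-key>
Address = 10.8.0.2/24

[Peer]
PublicKey = <server-public-key>
Endpoint = yourhome.duckdns.org:51820
AllowedIPs = 10.8.0.1/32
"""
WITH_HOME_LAN = TUNNEL_ONLY.replace(
    "AllowedIPs = 10.8.0.1/32", "AllowedIPs = 10.8.0.0/24, 192.168.1.0/24")


def allowed_networks(client_conf: str) -> list:
    """Collect every AllowedIPs network from the [Peer] sections of a config."""
    networks, in_peer = [], False
    for raw in client_conf.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and whitespace
        if line.startswith("["):
            in_peer = line.lower() == "[peer]"
            continue
        if not in_peer or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        if key.lower() == "allowedips":
            networks += [ipaddress.ip_network(item.strip(), strict=False)
                         for item in value.split(",") if item.strip()]
    return networks


def routes_to(client_conf: str, target_ip: str) -> bool:
    """True if traffic for target_ip would be sent into the tunnel."""
    target = ipaddress.ip_address(target_ip)
    return any(target.version == net.version and target in net
               for net in allowed_networks(client_conf))


if __name__ == "__main__":
    ha_ip = "192.168.1.50"  # assumed LAN address of Home Assistant
    for name, conf in (("tunnel only", TUNNEL_ONLY),
                       ("with home LAN", WITH_HOME_LAN)):
        print(f"{name}: reaches {ha_ip} -> {routes_to(conf, ha_ip)}")
```

The first config connects successfully but only routes the VPN server's own address, which is the symptom described above; the second adds the home subnet so the Home Assistant address is reachable.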

Slow connections through Nabu Casa can occur during peak usage. The relay servers handle traffic for all Nabu Casa subscribers, so performance depends partly on server load. If speed is critical, DuckDNS or WireGuard provide a direct connection that typically feels faster for dashboard interactions.

Always keep your Home Assistant installation updated, enable multi-factor authentication regardless of which remote access method you use, and review your access logs periodically through Settings, then System, then Logs to check for unauthorized access attempts.

What Are the Security Best Practices for Remote Home Assistant Access?

Regardless of which remote access method you choose, several security measures apply universally. These recommendations align with the NIST Cybersecurity Framework, which emphasizes identifying, protecting, detecting, responding to, and recovering from cybersecurity threats. Start by enabling multi-factor authentication in your Home Assistant user profile. This adds a time-based one-time password (TOTP) requirement through apps like Google Authenticator or Authy, preventing unauthorized access even if your password is compromised.

Use strong, unique passwords for your Home Assistant account. Password managers like Bitwarden or 1Password generate and store complex passwords so you do not need to remember them. Avoid reusing passwords from other services since a breach on one platform could expose your smart home controls.

Keep your Home Assistant installation updated to the latest version. Security patches ship with each monthly release, and running an outdated version leaves known vulnerabilities unpatched. Enable automatic update notifications in Settings, then System, then Updates to stay informed when new versions become available.

Review your trusted networks configuration. Home Assistant allows you to specify local IP ranges that skip authentication, which is convenient at home but dangerous if misconfigured. Verify that only your actual home network subnet appears in the trusted networks list and that no public IP ranges are accidentally included.
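One way to run that review mechanically, as an added example that is not Home Assistant's own code: pass in the CIDR entries copied from your trusted networks list and your actual home subnet, and the function flags anything that is broader than the home network or that covers public addresses. The sample entries and the home subnet 192.168.1.0/24 are constructed assumptions.

```python
import ipaddress

# Ranges never routed on the public internet: RFC 1918, loopback,
# IPv6 unique-local and link-local.
LOCAL_RANGES = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8",
    "::1/128", "fc00::/7", "fe80::/10")]
LOOPBACK = [ipaddress.ip_network("127.0.0.0/8"), ipaddress.ip_network("::1/128")]


def _within(net, candidates) -> bool:
    """True if net lies entirely inside one of the candidate networks."""
    return any(net.version == c.version and net.subnet_of(c) for c in candidates)


def audit_trusted_networks(entries, home_subnets) -> dict:
    """Map each trusted-network entry to a verdict string.

    "ok"                        inside a home subnet or loopback
    "private-but-not-home"      non-public, but wider than or outside the home subnet
    "includes-public-addresses" covers addresses reachable from the internet
    "invalid"                   not a parseable address or CIDR
    """
    home = [ipaddress.ip_network(h) for h in home_subnets]
    report = {}
    for entry in entries:
        try:
            net = ipaddress.ip_network(entry, strict=False)
        except ValueError:
            report[entry] = "invalid"
            continue
        if _within(net, home + LOOPBACK):
            report[entry] = "ok"
        elif _within(net, LOCAL_RANGES):
            report[entry] = "private-but-not-home"
        else:
            report[entry] = "includes-public-addresses"
    return report


if __name__ == "__main__":
    # Constructed list standing in for entries copied from a configuration.
    sample = ["192.168.1.0/24", "127.0.0.1", "192.168.0.0/16",
              "10.8.0.0/24", "0.0.0.0/0", "203.0.113.10"]
    for entry, verdict in audit_trusted_networks(sample, ["192.168.1.0/24"]).items():
        print(f"{entry:<16} {verdict}")
```

Any verdict other than "ok" is an entry to justify or remove, since every address it covers skips the login screen.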

For households with multiple users, create separate Home Assistant accounts for each person rather than sharing a single login. Individual accounts provide separate access logs, allow different permission levels, and make it easier to revoke access if a device is lost or stolen. The Home Assistant user management panel under Settings, then People handles account creation and permission assignment.