My smart home had a problem. No, it wasn't the myriad of devices from different manufacturers, although that was making it worse. It was that every device on my home network was implicitly trusted once I took the steps to connect it, leaving my home with any number of unpatched or unreported security holes. The more I learned about cybersecurity, the less I liked the idea, and that got me thinking about solutions.
I'd thought that remotely accessing my smart home would be the tricky part, but it turned out to be the easiest. What did take time was blocking every IoT device from accessing the WAN, adjusting firewall and device settings, and integrating everything into Home Assistant for local control. Smart home devices often trade security for convenience, but I wanted to push the pendulum the other way and take control of my smart home, on my terms, and after some hard work, I'm close.
I didn't like the thought of devices I didn't trust being able to access the WAN
The Internet is a scary place
The Internet has always been a scary place, but automated scanning, scripting, and now AI have made it even more so in recent years. Add the proliferation of barely-secured IoT devices, and you end up with thousands of zombie devices waiting to be called into action in botnets like Mirai.
I knew enough to put the IoT devices on their own VLAN and block them from connecting to the Internet, and I managed to bring more devices under local control, so that they didn't need cloud services. But I liked being able to change my thermostat settings on the way home, or check in on the security cameras, and I couldn't do that when those devices were blocked from the outside world.
To fix the situation, I either had to allow my local control system through to the outside world, or use a remote access tool to make it seem like my smartphone was on the local network. Either would have worked, and the Nabu Casa cloud subscription for Home Assistant is one option, but I decided to use Tailscale instead.
Time to take control back from the cloud
The first step is always the hardest
The first step was to get all my smart home devices under the control of a single controller. Home Assistant is my smart home management tool of choice, but you could use Hubitat or any other option as long as it allows local control. Every Wi-Fi-connected smart home device has been put on its own access point, on a dedicated VLAN for IoT devices. And I fully leveraged the fact that many devices support Zigbee, an entirely local protocol, so I didn't have to worry about securing them in the same way.
I didn't find many smart devices that couldn't be integrated this way, but the few that I did were replaced with newer, compatible ones. And I spun up a local LLM and connected it to Home Assistant for voice control that didn't require cloud services.
Now to block communications I don't want (and enable those I do)
A combination of firewall rules and a simple-to-use VPN tool
Since all my smart home devices are now on a single VLAN, the number of firewall rules I needed in OPNsense was drastically reduced: Home Assistant is allowed to talk to the main LAN, and everything else on the IoT VLAN is blocked from initiating connections back to it. The mini PC I have Home Assistant on has two network ports, so I could have used it as the segregation method, with one port on the IoT VLAN and one on my main network, but I wanted active firewall rules just in case. The last piece of the puzzle was setting up mDNS reflection so that any local smart device services could still work even if they couldn't reach the internet, and a stateful rule so that IoT devices could return traffic to the main network when a device on the main network had opened the connection.
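To make the rule set above concrete, here is a small stateful-firewall model written for this article as an added example; it is not OPNsense code or anything from the author's setup. It uses the two subnets named in the text; the Home Assistant address 192.168.20.10 and all device addresses and ports are assumptions. It shows why the stateful rule matters: an IoT device's reply to a connection the main LAN opened passes, while the same device opening a connection on its own, to the LAN or to the WAN, is dropped.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Subnets from the article; the Home Assistant address is an assumption.
MAIN_LAN = ip_network("192.168.1.0/24")
IOT_VLAN = ip_network("192.168.20.0/24")
HOME_ASSISTANT = ip_address("192.168.20.10")  # assumed address of the HA mini PC on the IoT VLAN


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str  # "tcp" or "udp"
    sport: int
    dport: int


class StatefulFirewall:
    """Minimal model of the rule set described in the text:
    main LAN -> IoT VLAN passes and creates state, Home Assistant -> main LAN
    passes and creates state, any IoT host may only answer an existing flow,
    and everything else sourced from the IoT VLAN (including WAN) is blocked."""

    def __init__(self):
        # 5-tuples of flows the firewall has already permitted (a toy state table).
        self.states = set()

    @staticmethod
    def _key(p):
        return (p.src, p.dst, p.proto, p.sport, p.dport)

    @staticmethod
    def _reverse_key(p):
        return (p.dst, p.src, p.proto, p.dport, p.sport)

    def evaluate(self, p):
        src, dst = ip_address(p.src), ip_address(p.dst)
        # Stateful rule: a reply that matches a permitted flow is allowed back.
        if self._reverse_key(p) in self.states:
            return "pass:established"
        if src in MAIN_LAN and dst in IOT_VLAN:
            self.states.add(self._key(p))
            return "pass:lan-to-iot"
        if src == HOME_ASSISTANT and dst in MAIN_LAN:
            self.states.add(self._key(p))
            return "pass:ha-to-lan"
        if src in IOT_VLAN:
            # Covers unsolicited IoT -> LAN as well as IoT -> WAN.
            return "block:iot-default-deny"
        # Traffic not sourced from the IoT VLAN is outside this model's scope.
        return "pass:other"


def run_scenario():
    """Replay a constructed sequence of packets and return each verdict by label."""
    fw = StatefulFirewall()
    flows = [
        ("laptop opens bulb web UI", Packet("192.168.1.50", "192.168.20.31", "tcp", 51000, 80)),
        ("bulb replies to laptop", Packet("192.168.20.31", "192.168.1.50", "tcp", 80, 51000)),
        ("bulb probes NAS on its own", Packet("192.168.20.31", "192.168.1.20", "tcp", 44000, 445)),
        ("bulb phones home to WAN", Packet("192.168.20.31", "203.0.113.5", "tcp", 44001, 443)),
        ("Home Assistant reaches NAS", Packet("192.168.20.10", "192.168.1.20", "tcp", 40000, 445)),
        ("NAS replies to Home Assistant", Packet("192.168.1.20", "192.168.20.10", "tcp", 445, 40000)),
    ]
    return {label: fw.evaluate(p) for label, p in flows}


if __name__ == "__main__":
    for label, verdict in run_scenario().items():
        print(f"{label:32s} {verdict}")
```

The order of checks matters: the established-state lookup runs before the default deny, which is exactly what a stateful rule on the IoT interface buys you without opening the VLAN to unsolicited traffic.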
So, no more internet access for my smart devices, except for Home Assistant, which can talk to my LAN, and a couple of quality-of-life adjustments so IoT devices can talk to the main network in some circumstances. The last step was to set up Tailscale with the Home Assistant add-on, with subnet routing enabled so that my local subnets are advertised to my tailnet:
advertise_routes:
  - 192.168.1.0/24   # Main network
  - 192.168.20.0/24  # IoT VLAN
After approving those routes in the Tailscale admin console, any device on my tailnet can control Home Assistant as if it were on the LAN. With the Home Assistant and Tailscale apps on my smartphone, I now have remote access from anywhere, without worrying that my smart home can access the internet on its own.
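Once the rules and subnet routes are in place, the thing worth doing is proving they behave as intended. The script below is an added example, not part of the article or the Tailscale add-on: it runs a set of TCP connect probes from a multi-homed test box and compares what it observes with what the firewall policy says should happen. The addresses are assumptions: 192.168.20.2 and 192.168.1.2 as the test box's interface addresses on the IoT VLAN and main LAN, 192.168.20.10 as Home Assistant on its default port 8123, 192.168.1.20 as a NAS, and 203.0.113.5 as a stand-in WAN host. The `reachable` parameter exists so the logic can be exercised without a network.

```python
import socket
from dataclasses import dataclass
from typing import Callable, List, Optional


@dataclass(frozen=True)
class Probe:
    label: str
    host: str
    port: int
    source_ip: Optional[str]  # interface address to send from; None uses the default route
    expect_reachable: bool


def tcp_reachable(host: str, port: int, source_ip: Optional[str] = None, timeout: float = 2.0) -> bool:
    """Attempt a TCP connect; refused, unreachable or timed-out all count as blocked."""
    src = (source_ip, 0) if source_ip else None
    try:
        with socket.create_connection((host, port), timeout=timeout, source_address=src):
            return True
    except OSError:
        return False


def check_segmentation(probes: List[Probe], reachable: Callable = tcp_reachable) -> List[dict]:
    """Run each probe and record whether the observation matches the intended policy."""
    results = []
    for p in probes:
        observed = reachable(p.host, p.port, p.source_ip)
        results.append({
            "label": p.label,
            "observed": observed,
            "expected": p.expect_reachable,
            "ok": observed == p.expect_reachable,
        })
    return results


def failures(results: List[dict]) -> List[str]:
    """Labels of probes whose result contradicts the policy (empty list means all good)."""
    return [r["label"] for r in results if not r["ok"]]


# Constructed probe set reflecting the policy in the text (addresses are assumptions).
PROBES = [
    Probe("IoT VLAN -> WAN must be blocked", "203.0.113.5", 443, "192.168.20.2", False),
    Probe("IoT VLAN -> NAS must be blocked", "192.168.1.20", 445, "192.168.20.2", False),
    Probe("main LAN -> Home Assistant allowed", "192.168.20.10", 8123, "192.168.1.2", True),
    Probe("tailnet -> Home Assistant via subnet route", "192.168.20.10", 8123, None, True),
]


if __name__ == "__main__":
    bad = failures(check_segmentation(PROBES))
    print("policy violations:", bad if bad else "none")
```

Run it from a box with one leg on each VLAN (the `source_address` argument picks which interface the connect leaves from), and run it again from a tailnet client with only the last probe; a non-empty violation list means a rule is missing or a route is advertised more widely than intended.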
Your smart home is only as clever as you make it
I don't trust most devices on my home network and would much rather go to the trouble of implementing my own access tools. That meant local control as the default, but sometimes it's nice to be able to control things when I'm not at home, and Tailscale gives me the tools and peace of mind to do just that. I've also set up automations for when I leave the house, so that I don't have to remember to remote in, and the two systems work for my needs.
