I’m thinking about buying a Homey and I also want to access it over the internet.
I was wondering if accessing Homey over the internet can be done by opening a port on my router and forwarding the traffic to my Homey.
- Or -
Is this done by using an Athom server as proxy (i.e., Homey and my mobile app connect to the Athom server)?
If I can access Homey by opening a port, then it is also useful to know if I can install an x509 certificate (https) on my Homey.
Thank you for your answers.
Hi, it is all done via the Athom server, no need to touch your router.
And my experience is that it works fast.
But is it possible without the interference of an Athom server?
I just don’t like the idea that an Athom server has control over who is granted access to my Homey.
If Homey can connect with the Athom cloud servers, it will.
And, from what I know, it will always be accessible through the “external” address (https://CLOUDID.connect.athom.com/, if I remember correctly), no way of turning that off (which is, of course, a bit silly if one of the big selling points of firmware v2 was “security”).
To connect to cloud server from Homey upward, that is OK. This is for all the services like external API connect and similar. Relay service over CLOUDID.connect.athom.com is a server-side service which should be circumvented only by VPN. From a security point of view OK, one attack surface less, but generally I wouldn’t disable it as I lose so much without it. Generally, if someone wants to do it, I think Athom could really simply implement it. That is a matter of should I allow relay to CLOUDID.connect.athom.com or not.
Forwarding ports directly to Homey itself is the worst someone can do…
P.S. If you are in the same LAN you can access the Homey without the Internet. https://support.athom.com/hc/en-us/articles/360015365994-Do-I-need-internet-for-Homey-to-work-
I wonder if you could bypass the cloud servers by using a VPN on your home network…
If you use VPN in bridging you would end up in the same broadcast domain. This is the same as being connected to the same WLAN or LAN as Homey.
In that sense you would connect the same as LAN clients. At least, that is how my logic would apply.
Exactly, really silly! In addition, Athom decided to use homey+cloudID as the hostname since firmware v2.1. Which means everyone who has access to your network and starts a network scan knows your cloudID. I don’t mean an attack, I just think of friends of mine, who sometimes get temporary access for different reasons.