Port Forwarding and Security

The blogpost is incorrect, as confirmed by Athom themselves on Slack (WeeJeWel is from Athom):

Because it’s stored on Athom’s cloud servers.

So, if I understand correctly, the app needs Homey servers for IP and authentication.

I fail to see the benefit for using port-forwarding…

According to Athom, it was a “long-awaited” feature (at some point I’ll just stop believing anything they say… :thinking:).

1 Like

Maybe , using jwt token , where you allow who can access ( scope, claims, .validity) and generate one for homey cloud to personal homey device and other devices for direct contact ( port forwarding) you will increase security

And a simple page to list, maintain, renew token is required

A variation of this feature that allows you to specify the local internal IP and Port (but no need to enable port forwarding on your router) allowing the client mobile app to detect and use the fast local wifi network would be ideal.

I’m happy for Homey to be slow when I’m on the move and outside the home network. But when at home, connected to the home wifi, it would be cool if the app could detect this and switch to local network mode.

That would be best of both worlds - secure and fast.

1 Like

It already does:

2 Likes

I had the exact same questions when reading the blog, so I was really excited to read through this thread.

I also agree with the assumption that the claims from Homey in regards to the cloud are false. The user identification must run via the cloud, and there must also be a mechanism linking the public IP of a user to the Homey Accounts or Homey Devices, otherwise the Homey App would have no clue where to find the open port.

I did enable the port forwarding, but I was completely unable to find any differences in speed compared to using the normal cloud connection. For that reason I am now trying to figure out the actual benefit for the user. Feels to me like the main benefit is on Homey by avoiding traffic over the cloud.

With all of that, I have disabled port forwarding again in my network and in the Homey App. I am really interested in learning more about all of this and will continue to read here.

I fully agree with this. I never open ports or use router forwarding.

A good alternative working for me is Twingate.

All it requires is an installation of controller software (small footprint) in your network and from there it offers Zero Trust Network Access. I run this controller in a docker container on a Synology NAS.

Maybe downsides are:

  • The controller must be up if to use remote access;
  • More advanced features are ofcourse paid. I’m not using those and none paid base functionality suits my needs;

Anyways, pros and cons for everything but it is way safer than portfwd / opening ports so hoping this to be a helpful tip :metal:.

So why not for the 2019 model?

There is an easy solution to this, and that is called Tailscale. Tailscale · Best VPN Service for Secure Networks

Its an VPN solution without having to open ports on you router.
I have diskussed it before but mr Klep is unwilling to see the benefit. however I solved my problem, I installed another Raspberry Pi with Tailscale on my other network. and by doing that I have full access to that network. I can even route traffic to it. Tailscale can run in a docker container, so if someone could set this up. Homey lacks support of systemd as the startup process, and tailscale depends on that. maybe someone have an idea to get a contaner that does support this?

And mr Klep, please avoid from answering this reply.

/Ulf

You want to give a VPN provider full access to your network instead of using the VPN solution built in in the router :thinking:

Please point to a post where I’m unwilling to see the benefit, because all I can remember is you stating that it shouldn’t be difficult to create a Tailscale app for Homey and me explaining why that is difficult. We never discussed the merits of Tailscale itself.

That’s not how the world works.

4 Likes

I use Headscale (selfhosted Tailscale) for all my things, so I’ve setup one of my devices to advertise a route to my homey device, so when my phone is connected to my VPN and I’m outside my house, it appears as if I’m connected locally, as all traffic is routed via Headscale.


If you’re an advanced user, you could instead run a reverse TCP proxy in front of your Homey so that you don’t port forward directly to the Homey, but rather expose the TCP proxy and have it forward it on your internal network. That way you can get more control of the traffic.

Internet->|Firewall|->TCP Proxy->Homey

Thanks for the hint!

Hi Ole-Martin

Yes i used Hadscale before the way you mentoned.
But the control you have on my Tailscale admin page, is much easier to maintain my Tailscale network. I have full control of the nodes, and what have access to it. And this on a simple webpage. I did have one headscale node in the Oracle cloud, but i had over 200 breakin attempts per day, so thats why i gave up.

Hi,

Had 3 intrusions from Bulgaria and Romania (last 2 days) to my Homey pro, Port forwarding is off now

intrusions or just connection attempts? (fe Port Scan’s , probing, etc. )

I guess the latest,
else you should say your system is compromised,
in that case they found a vulnerability or for example reused credentials.

But I guess (hope) it didn’t come that far and didn’t have acces to your Homey / automations and you could just choose too blacklist or block those ranges from Bulgaria and Romania.

The reality is that if you expose something to the Internet, you’re going to get scanned/probed. You can keep on blocking ranges but it’s a bit pointless.

1 Like

If you had an intrusion (meaning unauthorized access to your Homey) you should also report this to Athom.

Also like Dijker already asked; can you specify?