Remote Access for Home Assistant

Home Assistant is an incredibly powerful tool for automating and managing your smart home devices. To get more out of it, you may want to access your Home Assistant instance remotely, and this is where Localtonet comes in.

How to Access Home Assistant Remotely (Complete 2026 Guide)

Localtonet gives your Home Assistant instance a secure public HTTPS URL so you can control your smart home from anywhere, without port forwarding, a static IP, or router changes. This guide covers the required configuration.yaml changes that most tutorials skip, full setup instructions for every platform, how to keep the tunnel running after a reboot, and answers to the most common Home Assistant remote access questions.

Why Use a Tunnel for Home Assistant Remote Access?

Home Assistant can be made accessible remotely through port forwarding, but this approach has serious limitations. It requires your router to support UPnP or manual port forwarding configuration, a static or dynamic DNS-tracked IP address, and a direct inbound connection to your home network. Many ISPs now use CGNAT (carrier-grade NAT), which makes inbound connections impossible without paying extra for a dedicated IP. Even when port forwarding works, it leaves port 8123 directly exposed on your public IP address.

A Localtonet tunnel solves all of this. It creates an outbound encrypted connection from your Home Assistant machine to Localtonet's servers. No inbound ports need to be open. The result is a stable, secure public HTTPS URL that works on any network including mobile data with CGNAT.

With Localtonet Tunnel
  • Works behind NAT, double NAT, and CGNAT
  • No router or firewall changes needed
  • Port 8123 never exposed on your public IP
  • Automatic HTTPS with no certificate setup
  • Stable URL even when your home IP changes
  • Works on Windows, Linux, macOS, Docker, and HAOS

Port Forwarding Limitations
  • Fails behind CGNAT (common on mobile and some residential ISPs)
  • Requires router access and UPnP or manual config
  • Exposes port 8123 directly on your public IP
  • Dynamic IP changes break the connection without DDNS
  • SSL certificate setup required separately

  • 8123: default Home Assistant port
  • 0: router changes needed
  • HTTPS: automatic TLS on all tunnels
  • 5 min: typical setup time

Critical: Configure Trusted Proxies in Home Assistant

This step is required and most tutorials skip it

When Home Assistant receives requests through a tunnel or reverse proxy, all traffic appears to come from a single local IP address (the tunnel process) rather than from the real remote client. Home Assistant treats unrecognized proxy traffic as a potential IP spoofing attack and rejects it. You must add the tunnel's IP to trusted_proxies in configuration.yaml, otherwise the connection will fail or Home Assistant will log errors about an unrecognized reverse proxy.

Add the following to your configuration.yaml file:

http:
  use_x_forwarded_for: true
  trusted_proxies:
    - 127.0.0.1
    - ::1

127.0.0.1 covers connections from localhost (where Localtonet runs on the same machine). ::1 is the IPv6 equivalent. If Localtonet runs on a different machine or Docker container, also add that machine's local IP address (e.g., 192.168.1.50).

1. Open configuration.yaml

On Home Assistant OS (HAOS): go to Settings → System → Storage → Open File Editor (or install the File Editor add-on). On other installations: edit the configuration.yaml file directly in your config directory.

2. Add the http block

If an http: section already exists, add the two lines under it. Do not create a second http: block. If there is no http: section, add the entire block:

http:
  use_x_forwarded_for: true
  trusted_proxies:
    - 127.0.0.1
    - ::1

3. Restart Home Assistant

Go to Settings → System → Restart. Home Assistant must restart for the configuration change to take effect.

Optional: Add brute-force protection while you are in configuration.yaml

Also add ip_ban_enabled: true and login_attempts_threshold: 5 to your http block. This bans IP addresses after 5 failed login attempts, which is important for any publicly accessible Home Assistant instance:

http:
  use_x_forwarded_for: true
  trusted_proxies:
    - 127.0.0.1
    - ::1
  ip_ban_enabled: true
  login_attempts_threshold: 5
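
Added example (not Localtonet or Home Assistant code): a simplified Python model of how the http: block above decides which address a failed login is counted against, and which requests are rejected outright. The function names, the resolution rules as modelled here, and the sample requests are assumptions constructed for illustration.

```python
import ipaddress
from collections import Counter

# The http: block from this guide as Python values (constructed for the example).
GUIDE_HTTP = {
    "use_x_forwarded_for": True,
    "trusted_proxies": ["127.0.0.1", "::1"],
    "ip_ban_enabled": True,
    "login_attempts_threshold": 5,
}


def _trusted(ip, http):
    """True if ip falls inside any trusted_proxies entry (address or CIDR)."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(p) for p in http.get("trusted_proxies", []))


def resolve_client_ip(peer, xff, http):
    """Address a request is attributed to; ValueError if it would be rejected.

    peer is the TCP source address, xff the X-Forwarded-For value or None.
    """
    if xff is None:
        return peer  # direct connection, nothing forwarded
    if not http.get("use_x_forwarded_for"):
        raise ValueError("proxy header received but use_x_forwarded_for is off")
    if not _trusted(peer, http):
        raise ValueError(f"proxy header from untrusted peer {peer}")
    hops = [h.strip() for h in xff.split(",")]
    for hop in reversed(hops):  # walk from the hop nearest to us
        if not _trusted(hop, http):
            return hop
    return hops[0]  # every hop is a trusted proxy


def banned_ips(failed_logins, http):
    """Addresses that reach the threshold; failed_logins is a list of (peer, xff)."""
    if not http.get("ip_ban_enabled"):
        return set()
    counts = Counter(resolve_client_ip(p, x, http) for p, x in failed_logins)
    return {ip for ip, n in counts.items() if n >= http["login_attempts_threshold"]}


# Constructed sample: five failed logins from one remote client arriving through
# the local tunnel process, plus one failed login typed on a LAN browser.
SAMPLE = [("127.0.0.1", "203.0.113.7")] * 5 + [("192.168.1.20", None)]

if __name__ == "__main__":
    print("banned:", banned_ips(SAMPLE, GUIDE_HTTP))
    try:  # tunnel in a separate container: peer is the Docker bridge, not listed
        resolve_client_ip("172.17.0.1", "203.0.113.7", GUIDE_HTTP)
    except ValueError as err:
        print("rejected:", err)
```

In this model the ban lands on the remote client address rather than on 127.0.0.1, so the tunnel itself stays usable. That only holds while trusted_proxies lists just the address the tunnel really connects from.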

How Localtonet Works with Home Assistant

Home Assistant runs locally on your device on port 8123. Localtonet creates an encrypted HTTP tunnel from that port to a public HTTPS URL. When you visit that URL from anywhere, the request travels through the tunnel to your Home Assistant instance. Your device never needs an open inbound port.

1. Configure trusted proxies in configuration.yaml (see above)

Do this before creating the tunnel to avoid connection errors.

2. Install and authenticate Localtonet

Install Localtonet on the same machine running Home Assistant. Authenticate with your AuthToken from Dashboard → My Tokens.

3. Create an HTTP tunnel for port 8123

Go to localtonet.com/tunnel/http. Select your Process Type (Random Subdomain, Custom Subdomain, or Custom Domain), select your AuthToken, choose a server, enter IP 127.0.0.1 and port 8123. Click Create.

4. Start the tunnel

Press Start in the tunnel list. Your public HTTPS URL appears immediately (e.g., https://myhome.localto.net).

5. Open Home Assistant via the tunnel URL

Open the URL in any browser or enter it in the Home Assistant Companion App as your external URL. Log in with your Home Assistant credentials.

Use a Custom Subdomain for a permanent Home Assistant URL

When creating the tunnel, select Custom Subdomain and enter a name like myhome. Your URL will always be https://myhome.localto.net across restarts and IP changes. You can also connect your own domain via the Localtonet DNS Manager by updating your nameservers to ns1.localtonet.com and ns2.localtonet.com.

Setup Guide: Windows

Home Assistant + Localtonet on Windows

1. Confirm Home Assistant is running

Open http://localhost:8123 in your browser to confirm the interface loads.

2. Install Localtonet

Option A (Microsoft Store): Search for Localtonet in the Microsoft Store and install it. Option B (Binary): Download the correct ZIP for your architecture (64-bit, 32-bit, or ARM64) from localtonet.com/download and extract it.

3. Authenticate

localtonet --authtoken YOUR_TOKEN_HERE

4. Create the HTTP tunnel in the dashboard

Go to localtonet.com/tunnel/http. Select your AuthToken, enter IP 127.0.0.1 and port 8123. Click Create, then Start.

5. Optional: Install as a Windows Service

localtonet --install-service --authtoken YOUR_TOKEN_HERE
localtonet --start-service --authtoken YOUR_TOKEN_HERE

Verify in services.msc: Localtonet should show Status = Running.

Setup Guide: Linux

Home Assistant + Localtonet on Linux

1. Install Localtonet (one-line script)

curl -fsSL https://localtonet.com/install.sh | sh

The script auto-detects your CPU architecture (x64, ARM, ARM64, MUSL). Verify: localtonet --version

2. Authenticate

localtonet --authtoken YOUR_TOKEN_HERE

3. Create the HTTP tunnel in the dashboard

Go to localtonet.com/tunnel/http. Select your AuthToken, enter IP 127.0.0.1 and port 8123. Click Create, then Start.

4. Install as a systemd service

sudo localtonet --install-service --authtoken YOUR_TOKEN_HERE
sudo localtonet --start-service --authtoken YOUR_TOKEN_HERE

Verify: systemctl status localtonet

Setup Guide: macOS

Home Assistant + Localtonet on macOS

1. Install Localtonet via Homebrew (recommended)

brew tap localtonet/tap
brew install localtonet

Works on both Intel and Apple Silicon (M1/M2/M3). No Gatekeeper issues. If you do not have Homebrew, install it from brew.sh first.

2. Authenticate

localtonet --authtoken YOUR_TOKEN_HERE

3. Create the HTTP tunnel in the dashboard

Go to localtonet.com/tunnel/http. Select your AuthToken, enter IP 127.0.0.1 and port 8123. Click Create, then Start.

4. Install as a launchd service

sudo localtonet --install-service --authtoken YOUR_TOKEN_HERE
sudo localtonet --start-service --authtoken YOUR_TOKEN_HERE

Verify: launchctl list | grep localtonet

Setup Guide: Docker

Home Assistant + Localtonet on Docker

1. Confirm your Home Assistant container is running

docker ps | grep homeassistant

2. Pull and run the Localtonet image

docker pull localtonet/localtonet
docker run localtonet/localtonet --authtoken YOUR_TOKEN_HERE

3. Create the HTTP tunnel in the dashboard

Go to localtonet.com/tunnel/http. Enter the correct IP and port 8123. Click Create, then Start.

Docker networking and trusted_proxies

If Localtonet and Home Assistant run in separate containers, the tunnel traffic will arrive from the Docker bridge IP, not from 127.0.0.1. Add the Docker bridge IP to your trusted_proxies list. The typical Docker bridge IP on Linux is 172.17.0.1. On Docker Desktop for Windows and macOS, use host.docker.internal as the tunnel IP and add the resolved IP to trusted_proxies. Also use --network=host or configure both containers on the same Docker network.

Setup Guide: Home Assistant OS (HAOS)

Home Assistant OS + Localtonet

Home Assistant OS is a full operating system image designed for dedicated hardware like Raspberry Pi and the official HA Green and Yellow devices. It does not allow direct terminal access to install binaries, but you can run Localtonet in a Docker container via the Advanced SSH & Web Terminal add-on or by using the zero-install SSH tunnel method.

1. Install the Advanced SSH & Web Terminal add-on

Go to Settings → Add-ons → Add-on Store. Search for Advanced SSH & Web Terminal and install it. Enable Show in sidebar and set a password. Start the add-on.

2. Run Localtonet via Docker in the SSH terminal

Open the SSH terminal from the sidebar and run:

docker pull localtonet/localtonet
docker run --network=host localtonet/localtonet --authtoken YOUR_TOKEN_HERE

Using --network=host ensures the container can reach Home Assistant on 127.0.0.1:8123.

3. Create the HTTP tunnel in the dashboard

Go to localtonet.com/tunnel/http. Enter IP 127.0.0.1 and port 8123. Click Create, then Start.

Alternative: Zero-Install SSH Tunnel

If your Home Assistant is already accessible locally, you can create the tunnel from any other machine on your network using the zero-install SSH method. Go to the Localtonet dashboard, create an HTTP tunnel, open its settings, and copy the SSH command. Run it from any terminal on any machine. No binary installation needed anywhere.

Configuring the Home Assistant Companion App

The Home Assistant Companion App for iOS and Android uses separate internal and external URLs. After setting up the tunnel, configure the app to use the tunnel URL when outside your home network.

1. Open the Companion App settings

In the app, go to Settings → Companion App → Home Assistant URL (on some versions: tap the three-dot menu → App Configuration).

2. Set the External URL

Enter your Localtonet tunnel URL as the External URL, for example https://myhome.localto.net. Keep the Internal URL as your local address (e.g., http://192.168.1.x:8123).

3. Test outside your home network

Disable Wi-Fi on your phone to use mobile data, then open the Companion App. It should connect using the external tunnel URL. Location sensors and automations will continue to work.

Keeping the Tunnel Running After a Reboot

A Home Assistant tunnel is only useful if it stays active after restarts. Localtonet has a built-in service mode that registers it as a system service on Windows, Linux, and macOS using the same commands across all platforms.

Service Commands (All Platforms)

1. Install the service

sudo localtonet --install-service --authtoken YOUR_TOKEN_HERE

2. Start the service

sudo localtonet --start-service --authtoken YOUR_TOKEN_HERE

3. Verify

# Linux:
systemctl status localtonet

# macOS:
launchctl list | grep localtonet

# Windows: open services.msc, find Localtonet

4. Stop or remove if needed

sudo localtonet --stop-service --authtoken YOUR_TOKEN_HERE
sudo localtonet --remove-service --authtoken YOUR_TOKEN_HERE

Security Best Practices

🔒 Enable MFA on your Home Assistant account

Go to your User Profile → Multi-factor Authentication and enable TOTP (an authenticator app like Google Authenticator or Authy). This protects your Home Assistant login even if someone discovers your tunnel URL. MFA is strongly recommended for any publicly reachable Home Assistant instance.

🛡 Enable Localtonet SSO or HTTP authentication on the tunnel

Add an extra authentication layer in front of Home Assistant by enabling SSO (Google, GitHub, Microsoft, GitLab) or username/password authentication on the Localtonet tunnel. This means anyone reaching the tunnel URL must authenticate with Localtonet before they even see the Home Assistant login screen.

🚫 Enable login attempt rate limiting

Add ip_ban_enabled: true and login_attempts_threshold: 5 to your http: block in configuration.yaml. This bans the source IP after 5 failed login attempts and is important for any internet-facing Home Assistant instance.

🔄 Keep Home Assistant and Localtonet updated

Run Home Assistant updates regularly from Settings → System → Updates. Update Localtonet by stopping the service, replacing the binary, and restarting the service. Security patches in both are important for a publicly accessible setup.

🌐 Use a Custom Subdomain or Custom Domain

A random tunnel URL like abc123.localto.net changes if the tunnel is recreated. Use a Custom Subdomain or your own domain for a stable URL that you can also add to your Home Assistant's external_url setting for proper URL resolution in notifications and integrations.

Home Assistant Remote Access Methods Compared

Method Port Forwarding Works Behind CGNAT HTTPS Auto Cost Difficulty
Localtonet Tunnel Not needed From $2/tunnel/mo ⭐ Easy
Nabu Casa (Home Assistant Cloud) Not needed $6.99/mo ⭐ Easiest
Cloudflare Tunnel Not needed Free (HTTP only) ⭐⭐ Medium
Port Forwarding Required Manual Free ⭐⭐ Medium
Tailscale VPN Not needed App-level Free (personal) ⭐⭐ Medium

Troubleshooting

Problem: HA logs show "HTTP integration not set up for reverse proxies"
Cause: trusted_proxies not configured
Fix: Add use_x_forwarded_for: true and trusted_proxies: - 127.0.0.1 to configuration.yaml, then restart HA

Problem: Tunnel URL loads but HA shows blank screen or "Unable to connect"
Cause: WebSocket connection blocked or trusted_proxies missing
Fix: Ensure trusted_proxies is set. HTTP tunnels pass WebSocket connections through automatically.

Problem: Companion App works on Wi-Fi but not on mobile data
Cause: External URL not set in the app
Fix: Set the tunnel URL as External URL in Companion App settings

Problem: Tunnel disconnects after reboot
Cause: Localtonet not running as a service
Fix: Run --install-service and --start-service

Problem: Docker: Localtonet cannot reach HA at 127.0.0.1
Cause: Separate container network namespaces
Fix: Run Localtonet container with --network=host, or use the host bridge IP in the tunnel config

Problem: macOS Gatekeeper blocks Localtonet binary
Cause: Unsigned binary warning
Fix: Use Homebrew install instead: brew install localtonet

Problem: Notifications and integrations use wrong URL
Cause: external_url not set in HA
Fix: Go to Settings → System → Network and set your tunnel URL as the External URL

Frequently Asked Questions

What is the easiest way to access Home Assistant remotely?

The easiest no-configuration option is Nabu Casa (Home Assistant Cloud), which is built directly into the Home Assistant UI and requires no technical setup. For a more flexible and lower-cost option, a Localtonet HTTP tunnel works on all platforms, requires no port forwarding, and provides a stable HTTPS URL. Both options work behind CGNAT. Localtonet requires one additional step: adding trusted_proxies to configuration.yaml.

Why can't I access Home Assistant remotely?

The most common reasons are: your ISP uses CGNAT so port forwarding does not work; the tunnel or proxy is not listed in trusted_proxies in configuration.yaml so Home Assistant rejects the connection; the tunnel is not running or has disconnected; or the Companion App External URL is not configured. Check the Home Assistant logs under Settings → System → Logs for specific error messages.

What is CGNAT and why does it prevent Home Assistant remote access?

CGNAT (carrier-grade NAT) is a technique ISPs use to share a single public IP address among multiple customers. When you are behind CGNAT, your home network does not have a unique public IP address, so inbound connections (including port forwarding for Home Assistant) are not possible. This is increasingly common on mobile networks and some residential broadband providers. A Localtonet tunnel solves this because it uses an outbound connection from your device, bypassing the CGNAT barrier entirely.

What port does Home Assistant use?

Home Assistant uses port 8123 by default for its web interface. This is the port you enter when creating a Localtonet HTTP tunnel. You can change it in configuration.yaml under the http: section using server_port: YOUR_PORT, but 8123 is the default for all installations.

Why do I need to configure trusted_proxies for a tunnel?

When Home Assistant sits behind a tunnel or reverse proxy, all incoming requests appear to come from the proxy's local IP rather than from the real remote client. Home Assistant treats unrecognized proxy traffic as a potential IP spoofing attack and rejects it. Adding use_x_forwarded_for: true and the proxy IP to trusted_proxies in configuration.yaml tells Home Assistant to trust the forwarded IP headers from that proxy and accept the connections.

Can I use a custom domain for Home Assistant with Localtonet?

Yes. Add your domain to the Localtonet DNS Manager, then update your domain's nameservers to ns1.localtonet.com and ns2.localtonet.com at your registrar. After DNS propagation, select Custom Domain when creating the HTTP tunnel. Your Home Assistant will be accessible at a URL like https://home.yourdomain.com with automatic HTTPS. Then set this URL as the External URL in Home Assistant settings for correct notification and integration behavior.

How do I keep the Home Assistant tunnel running after a reboot?

Install Localtonet as a system service by running sudo localtonet --install-service --authtoken YOUR_TOKEN followed by sudo localtonet --start-service --authtoken YOUR_TOKEN (on Windows, run the same commands without sudo, as in the Windows setup guide). This works on Windows (registers a Windows Service), Linux (creates a systemd unit), and macOS (sets up a launchd job). Localtonet will start automatically on every boot and restart itself if it crashes.
