self-hosting

Accessing Home Assistant From Outside the House

I wanted to reach Home Assistant from my phone when I'm away from home. I looked at three options and ended up with Cloudflare Tunnel for the app and Tailscale for the server.

Running Home Assistant locally is easy enough. The harder part is making it useful when you are away from home. Automations running on your local network are fine, but notifications with no way to act on them, or a dashboard you can only see when you are on the WiFi, limits what the whole thing is actually worth.

I wanted to open the app on my phone from anywhere and have it just work. The question was how to do that without either paying for a subscription or opening my home network to the internet.

The three options I considered

The obvious starting point is Nabu Casa, the official cloud service offered by the Home Assistant project. It handles remote access and cloud backups for a monthly subscription fee. At the time of writing that fee is around $6.50 per month. For most people it is probably the right answer. It works, it is supported by the project, and the subscription directly funds Home Assistant's development. I seriously considered it.

The second option was Cloudflare Tunnel. This creates an outbound encrypted connection from the Pi to Cloudflare's network, so public traffic reaches Home Assistant without opening any ports. It is free for personal use if you have a domain managed through Cloudflare. Traffic passes through Cloudflare's infrastructure, which is worth knowing.

The third option was Tailscale, a mesh VPN built on WireGuard. Devices enrolled in a Tailscale network communicate directly with each other over encrypted tunnels, with no traffic routed through a third party. From the phone, Home Assistant would look the same as it does on the local network, but it requires connecting to the tailnet first and disconnecting afterwards.

Why I chose Cloudflare Tunnel

In practice, I settled on Cloudflare Tunnel for Home Assistant. The reason is straightforward: it requires no action on my phone before I can use the app. I open Home Assistant and it loads. There is no VPN to connect first and disconnect afterwards.

It has been the most reliable free solution I have found. Home Assistant has been consistently accessible with no configuration to maintain and no certificates to manage manually. The trade off of traffic routing through Cloudflare's infrastructure is real, but in practice it has not been a reason not to use it.

Where Tailscale fits instead

I do use Tailscale on the same setup, but for a different purpose: accessing the Pi itself. SSH into the server, checking logs, running commands remotely. For that kind of deliberate server access, connecting to the tailnet first is a natural workflow. For a home automation dashboard you want to open instantly on your phone, it is not.

The two tools solve different problems. Cloudflare Tunnel for the always-on apps that should just open. Tailscale for deliberate server access where a VPN connection makes sense.

Keeping access minimal

Applying least privilege to the Cloudflare Tunnel setup means only exposing the specific services that genuinely need to be publicly reachable. Not every service on the home lab needs a tunnel. Home Assistant does. Most others do not. Cloudflare Access rules can restrict who can reach an exposed service if needed, adding an additional layer of control.

What surprised me

The thing I had not anticipated was how much more useful Home Assistant became the moment remote access worked. Automations that had been curiosities became genuinely useful. Notifications that had been information became prompts you could actually act on.

For setup detail, the Cloudflare Tunnel documentation at developers.cloudflare.com and the Home Assistant community documentation are the right places to look. Both are well maintained.