Why remote access to Home Assistant is harder than it should be

Home Assistant runs on your local network. By default, it is only reachable from devices connected to the same Wi-Fi or Ethernet network. To access it from outside — from your phone on mobile data, from a hotel, from another country — traffic from the internet needs to reach your home network.

The traditional approach involves port forwarding: you configure your router to forward a specific port to your Home Assistant device, set up dynamic DNS so you have a stable address, and configure SSL certificates so the connection is encrypted. Each of these steps has its own complexity and failure modes.

And increasingly, port forwarding is not even possible. If your ISP uses CGNAT, all inbound connections to your home are blocked at the ISP level, and no amount of router configuration will fix it.

✗ Traditional approach

Port forwarding + DDNS + SSL

  • Configure router port forwarding
  • Set up dynamic DNS service
  • Obtain and renew SSL certificates
  • Manage firewall rules
  • Broken by CGNAT, double NAT
  • Exposes your home IP address
  • Ongoing maintenance required

✓ Tunnel approach (Pluggie)

Install app → done

  • No router configuration
  • No DNS setup
  • SSL certificates generated automatically
  • No firewall changes
  • Works behind CGNAT, any network
  • Your home IP stays private
  • Zero maintenance

What you need

Setup: Home Assistant App (recommended)

If you are running Home Assistant OS, the easiest method is the Pluggie app. This runs alongside Home Assistant and manages the tunnel automatically.

1. Add the Pluggie repository

The quickest way is to click the button below to add the Pluggie repository directly to your Home Assistant:

Add Pluggie repository to Home Assistant

Alternatively, add the repository manually: go to Settings → Add-ons → Add-on Store, click the three dots in the top right corner, select Repositories, and add:

https://github.com/tiborgres/ha-pluggie

2. Install the Pluggie app

After adding the repository, run "Check for updates" and refresh the Add-on Store. You should see Pluggie listed. Click it and click Install.

3. Configure your access key

Go to my.pluggie.net, log in (or sign up), and create a connection. Copy the access key. In the Pluggie app configuration tab, paste the access key. Then follow the One-Time Setup instructions.

4. Configure trusted_proxies

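Home Assistant needs to know that requests arriving through the Pluggie app are legitimate. With use_x_forwarded_for enabled, Home Assistant accepts the X-Forwarded-For header only from proxies whose address falls inside trusted_proxies, so the list should contain the Pluggie app's network and nothing broader. Edit your configuration.yaml and add: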

http:
  use_x_forwarded_for: true
  trusted_proxies:
    - 172.30.32.0/23  # Pluggie App

Restart Home Assistant after saving the file.

5. Start the app

Click Start. The app will establish an outbound tunnel to Pluggie's relay infrastructure, generate a TLS certificate on your device, and make your Home Assistant available at your assigned Pluggie subdomain.

On the free tier, you will receive a randomly generated pluggie.net subdomain to choose from. Open it in any browser, from any network, and you will see your Home Assistant login page.

✓ Encryption note

The TLS certificate is generated and stored on your Home Assistant device. Pluggie's relay servers forward your encrypted traffic without being able to read it. For a detailed explanation of how this works and what its limits are, see our transparency post on Pluggie's encryption model.

Setup: Docker

If you prefer Docker, you can run the Pluggie Docker container alongside any web-enabled service, including Home Assistant.

1. Create a data directory

Create a directory where Pluggie will store its configuration and certificates:

mkdir -p /YOUR_HOMEDIR/.pluggie

2. Run the Pluggie container

Run the Pluggie Docker container. By default it exposes a local web interface on port 8678 where you complete the setup:

docker run -d \
  --name docker-pluggie \
  --restart unless-stopped \
  --cap-add=NET_ADMIN \
  -p 127.0.0.1:8678:8099 \
  -v /etc/localtime:/etc/localtime:ro \
  -v /YOUR_HOMEDIR/.pluggie:/data \
  ghcr.io/tiborgres/docker-pluggie:latest

Replace /YOUR_HOMEDIR/.pluggie with the actual path to the data directory you created. Adjust the host port (8678) and listen address (127.0.0.1) if needed.

3. Complete setup via the web interface

Open http://127.0.0.1:8678 in your browser. The Pluggie web interface will guide you through entering your access key (from my.pluggie.net) and configuring the target service.

4. Configure trusted_proxies (for Home Assistant)

If you are tunnelling Home Assistant, you need to edit configuration.yaml to add trusted_proxies so that Home Assistant accepts requests from the Pluggie container. The Pluggie web interface will show you the exact configuration to use.

5. Access remotely

Once the tunnel connects, your service is live at your assigned pluggie.net subdomain. Open it from any browser, anywhere.

Using the Home Assistant Companion app

The Home Assistant Companion app for iOS and Android works perfectly with Pluggie. In the app, set your External URL to your Pluggie subdomain:

  1. Open the Companion app
  2. Go to Settings → Companion App → Server
  3. Under External URL, enter your Pluggie subdomain URL (e.g. https://abc123.pluggie.net)
  4. Leave the Internal URL as your local IP (e.g. http://192.168.1.50:8123) so the app uses a direct connection when you are home

The app will automatically use the local connection when on your home Wi-Fi and switch to the Pluggie tunnel when you are away. Notifications, location tracking, and all other companion app features work normally.

Optional: your own domain

On Pluggie's paid plans, you can use your own domain instead of a pluggie.net subdomain. Point a CNAME record to zeus.pluggie.net at your domain registrar, and access Home Assistant at something like home.yourdomain.com. Pluggie handles the SSL certificate automatically.

💡 Tip

Using your own domain is useful if you want a memorable URL, or if you plan to share access with family members. home.smith.family is a lot easier to remember than a randomly generated subdomain.

What about Nabu Casa?

Nabu Casa is the official remote access service from the Home Assistant team. It works well and directly funds Home Assistant development — which is a meaningful benefit if you want to support the project.

Pluggie and Nabu Casa have very similar architectures: both generate TLS certificates on your device and relay encrypted traffic through a proxy server. The main differences are:

Both are good options. If you use only Home Assistant and want voice assistant integration, Nabu Casa is worth considering. If you want to tunnel multiple services, prefer a free tier, or value automated security verification, Pluggie may be a better fit.

Troubleshooting

Home Assistant shows "400 Bad Request" or blocks the connection

This means the trusted_proxies configuration is missing or incorrect. Make sure you have added the http section to your configuration.yaml as described in the setup steps above, and that you have restarted Home Assistant after saving the file.
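
The 400 response follows from how Home Assistant validates the X-Forwarded-For header against trusted_proxies. The sketch below is an added example, a simplified model of that check and not Home Assistant or Pluggie code; resolve_client and demo are hypothetical names, and the sample requests are constructed (only 172.30.32.0/23 comes from this page).

```python
# Added illustration: a simplified model of the proxy check, not Home Assistant source.
from ipaddress import ip_address, ip_network

PLUGGIE_APP_NET = "172.30.32.0/23"  # from the configuration.yaml snippet on this page


def resolve_client(peer, xff, use_x_forwarded_for, trusted_proxies):
    """Return (http_status, client_ip) for one request.

    peer: IP of the TCP peer; xff: list of X-Forwarded-For header values.
    """
    nets = [ip_network(n) for n in trusted_proxies]
    peer_ip = ip_address(peer)
    if not xff:
        return 200, str(peer_ip)           # direct request, nothing to validate
    if not use_x_forwarded_for:
        return 400, None                   # header present but proxy mode is off
    if not any(peer_ip in n for n in nets):
        return 400, None                   # header sent by an untrusted peer
    if len(xff) > 1:
        return 400, None                   # more than one header is ambiguous
    try:
        hops = [ip_address(h.strip()) for h in xff[0].split(",")]
    except ValueError:
        return 400, None                   # malformed address in the header
    # Walk from the right: the first hop that is not a trusted proxy is the client.
    for hop in reversed(hops):
        if not any(hop in n for n in nets):
            return 200, str(hop)
    return 200, str(hops[0])               # every hop trusted: take the left-most


def demo():
    """Constructed sample requests; 203.0.113.7 is a documentation address."""
    via_tunnel = ("172.30.33.2", ["203.0.113.7"])   # peer inside the app network
    lan_forged = ("192.168.1.77", ["203.0.113.7"])  # LAN device sending the header itself
    return {
        "no http section": resolve_client(*via_tunnel, False, []),
        "page config, tunnel": resolve_client(*via_tunnel, True, [PLUGGIE_APP_NET]),
        "page config, LAN header": resolve_client(*lan_forged, True, [PLUGGIE_APP_NET]),
        "over-broad 0.0.0.0/0": resolve_client(*lan_forged, True, ["0.0.0.0/0"]),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:26} -> {result}")
```

The last case is the reason to keep trusted_proxies as narrow as the snippet in the setup steps: with 0.0.0.0/0 the address Home Assistant records as the client is whatever the sender puts in the header.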

I am behind CGNAT — will this work?

Yes. Pluggie establishes an outbound connection from your device, which is never blocked by CGNAT. See our deep dive on CGNAT for more details on why this works.

I am on a restrictive network (hotel, corporate, healthcare)

Pluggie requires outbound HTTPS access on port 443. If your network blocks port 443, performs SNI-based filtering, or categorises and restricts traffic to Pluggie's servers, the tunnel will not connect. This can happen on some hotel Wi-Fi, corporate, healthcare, and government networks. We are working on improving connectivity through restrictive firewalls in a future update.

📬 Need help?

If you run into issues not covered here, email us at support@pluggie.net with your setup details (Home Assistant installation type, Pluggie app or Docker, and any error messages). We usually respond within a few hours.