What port forwarding actually does
Port forwarding is a rule on your router that says: "any traffic arriving on this public port, send it to this device on the local network." Set it up for Home Assistant on port 8123, and your instance becomes reachable at your-public-ip:8123 — to anyone on the internet.
[Diagram: any IP, anywhere → Port 8123 open on the router → 192.168.1.50:8123 on the local network]
"Exposed to the entire public internet" is not a metaphor. Anyone, anywhere, can attempt to connect to your service — and "anyone" mostly means automated scanners.
What happens when you open a port today
Services like Shodan, Censys, and ZoomEye scan the entire IPv4 address space — all 3.7 billion publicly routable addresses — multiple times per day. A freshly opened port on a residential IP typically receives its first probe within minutes, gets fingerprinted within hours, and lands in public scan databases the same day. When a new CVE drops, every exposed instance gets tested automatically.
Search Shodan right now for "Home Assistant", "Plex Media Server", or "Synology" and you will see tens of thousands of exposed instances with their software versions indexed and visible. The same database is queried by attackers the moment a CVE is published.
The real risks (and why "strong password" is not the answer)
An exposed port exposes you to more than just login attempts:
- Service vulnerabilities and zero-days. Plex has had multiple critical CVEs allowing remote code execution. Synology and QNAP NAS devices were ransomwared at scale by DeadBolt and Qlocker precisely because their admin panels were reachable from the internet.
- Credential stuffing. Modern tooling tests billions of leaked credentials per day across exposed services. 2FA helps — unless there is an auth-bypass bug that skips the login entirely.
- Lateral movement. If the exposed service is compromised, the attacker is inside your home network. Most home networks are flat: any device that gets in can talk to every other device.
The usual advice (strong password, 2FA, keep it patched) helps with brute-force and known CVEs. It does not help with zero-days, auth-bypass bugs, or the fact that you are giving every scanner on the planet a permanent record of your services. A locked door is good. Not building the door on a busy street is better.
What tunneling does differently
A tunnel inverts the connection model. Instead of opening a port and letting the world reach in, your device makes an outbound connection to a relay server and keeps it open. External clients connect to the relay using a public domain name; the relay forwards their traffic through the tunnel to your device.
[Diagram: client (from anywhere) → your-name.pluggie.net (relay) → outbound tunnel only → your device]
The attack surface shifts dramatically. Your router stays closed to inbound traffic. Scanners hitting your IP find nothing to fingerprint. The exposed surface is now the relay's public hostname, not your home IP — and hardening that hostname is the relay operator's full-time job, not yours.
A tunneling layer also opens up controls that are painful to retrofit onto port forwarding. In the Pluggie dashboard, every connection has built-in Geo Blocking: pick an "Allow All / Deny Specific" or "Deny All / Allow Specific" policy, then tick whole continents or individual countries. Explicitly Allowed and Denied IP Ranges (CIDR notation) let you whitelist your own static IPs or block abusive ranges — directly in the web UI, no router config. HTTP Basic Auth can sit in front of the underlying service as a second login layer, configured on the client side (Home Assistant or Docker app) so credentials never reach the relay. And every tunnel has an Active toggle: one click to kill the connection instantly if something looks wrong, from any browser. On a port-forwarded setup, the same capabilities require a reverse proxy, fail2ban or CrowdSec, and ongoing rule maintenance.
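As an added illustration of the allow/deny model described above (example code written for this article, not the Pluggie dashboard's own implementation), the following evaluates a connection attempt against a Geo Blocking policy combined with explicit CIDR allow and deny lists. The policy mode names, field names and sample addresses are this example's assumptions, and the client's country is assumed to come from a separate GeoIP lookup.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Set, Tuple


@dataclass
class AccessPolicy:
    # Assumed mode names, mirroring the two policies described in the text:
    #   "allow_all_deny_specific": everything passes except the ticked countries
    #   "deny_all_allow_specific": nothing passes except the ticked countries
    mode: str
    countries: Set[str] = field(default_factory=set)          # ISO codes ticked in the UI
    allowed_ranges: List[str] = field(default_factory=list)   # explicitly allowed CIDRs
    denied_ranges: List[str] = field(default_factory=list)    # explicitly denied CIDRs

    def __post_init__(self) -> None:
        # Parse the CIDR strings once; strict=False tolerates host bits set in a prefix.
        self._allowed = [ip_network(c, strict=False) for c in self.allowed_ranges]
        self._denied = [ip_network(c, strict=False) for c in self.denied_ranges]

    def decide(self, client_ip: str, country: Optional[str]) -> str:
        """Return "allow" or "deny" for one connection attempt.

        Precedence chosen here (an assumption, not Pluggie's documented order):
        an explicitly denied range always loses, an explicitly allowed range
        always wins, and only then does the country selection apply. That way
        a whitelisted static IP still gets in under "Deny All / Allow Specific",
        and a blocked abusive range stays out even from an allowed country.
        """
        addr = ip_address(client_ip)
        if any(addr in net for net in self._denied):
            return "deny"
        if any(addr in net for net in self._allowed):
            return "allow"
        in_list = country is not None and country in self.countries
        if self.mode == "allow_all_deny_specific":
            return "deny" if in_list else "allow"
        if self.mode == "deny_all_allow_specific":
            return "allow" if in_list else "deny"
        raise ValueError(f"unknown policy mode {self.mode!r}")


# Constructed connection attempts: (client IP, GeoIP country or None when unknown).
SAMPLE_ATTEMPTS: List[Tuple[str, Optional[str]]] = [
    ("203.0.113.10", "US"),   # inside the allowed range, non-listed country
    ("203.0.113.77", "DE"),   # inside the denied range, listed country
    ("198.51.100.5", "DE"),   # listed country, no explicit range
    ("198.51.100.5", None),   # GeoIP lookup failed
]


def summarize(policy: AccessPolicy, attempts: List[Tuple[str, Optional[str]]]) -> Dict[str, str]:
    """Map each attempt to the decision the policy makes for it."""
    return {f"{ip}/{country or '??'}": policy.decide(ip, country) for ip, country in attempts}


if __name__ == "__main__":
    home_only = AccessPolicy(
        mode="deny_all_allow_specific",
        countries={"DE", "NL"},
        allowed_ranges=["203.0.113.0/24"],   # constructed "my office" range
        denied_ranges=["203.0.113.77/32"],   # one abusive host inside that range
    )
    for key, verdict in summarize(home_only, SAMPLE_ATTEMPTS).items():
        print(f"{key:>22}: {verdict}")
```

Note the fail-closed detail: a connection whose country cannot be resolved is denied under "Deny All / Allow Specific" but still allowed under "Allow All / Deny Specific", because an unknown country cannot match a deny list. If you block specific countries and want unresolved addresses rejected too, treat a `None` country as a deny in that mode.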
Direct comparison
| | Port Forwarding | Tunneling |
|---|---|---|
| Home IP exposed to public internet | ✗ Yes | ✓ No |
| Found by automated scanners | ✗ Within minutes | ✓ Nothing to find |
| Works behind CGNAT / mobile / 5G | ✗ No | ✓ Yes |
| Router configuration required | ✗ Yes | ✓ None |
| Domain + TLS handled for you | ⚠ DIY | ✓ Yes |
| GeoIP / IP allow-list / basic auth / kill switch | ✗ Manual reverse proxy + fail2ban | ✓ Built into the tunnel layer |
| Depends on a third party | ✓ No | ✗ Yes — the relay operator |
The honest trade-offs
This article is published by a tunnel service, so it is worth being explicit about the other side.
Port forwarding still wins for bulk traffic. If you are streaming 4K video off your Plex server and your ISP gives you a public IP, port forwarding is more efficient — a tunnel adds a network hop and a bandwidth ceiling. The security cost above still applies; just be aware of the performance trade-off.
VPN is a complement, not a substitute. A VPN to your home network (WireGuard, Tailscale) is genuinely safer than port forwarding. It is the right answer when all your devices can install a client. A tunnel is the right answer when you need a publicly reachable hostname that works from any browser — family members, guests, webhook integrations.
Tunneling does not magically solve everything. Your service still needs a real password and current patches. You introduce a dependency on the relay operator — which is why end-to-end encryption with on-device key generation matters. And some restrictive networks (hotel, corporate, healthcare) block tunnels via SNI filtering on port 443.
For the standard "access my Home Assistant from my phone when I am not home" use case, opening a port on your router amounts to exposure-as-a-service: the entire internet, forever, in exchange for five minutes of saved setup. Tunneling has become the saner default for almost everyone.
How Pluggie fits
Pluggie establishes an outbound connection from your device (via the Home Assistant app or the Pluggie Docker container) to the Pluggie Relay. Your service becomes reachable at a pluggie.net subdomain — or your own custom domain on paid plans — without opening any inbound port. TLS certificates are generated on your device, so the relay forwards encrypted traffic without being able to decrypt it. We covered the precise limits of that model in "Can Pluggie See Your Traffic?".
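The claim that the relay forwards encrypted traffic without decrypting it rests on one detail of TLS: the hostname the client wants is sent in cleartext in the ClientHello's server_name (SNI) extension, so a relay can route by hostname without holding any key, and, as the note on restrictive networks above implies, a middlebox can read and block on the same field. The example below is added for this article and is not Pluggie's relay code: it builds a minimal ClientHello, extracts the SNI with a bounds check on every field so a truncated or hostile record yields None rather than an exception, and looks the name up in a constructed routing table. The route table, the fixed random bytes and the single cipher suite are assumptions.

```python
import struct
from typing import Dict, Optional, Tuple


def build_client_hello(hostname: str) -> bytes:
    """Constructed TLS ClientHello record carrying only a server_name extension.

    Just enough structure for a passthrough relay to parse; the random field is
    a fixed constant and is never used for anything here.
    """
    name = hostname.encode("ascii")
    server_name = b"\x00" + struct.pack("!H", len(name)) + name           # type host_name (0)
    sni_ext = (struct.pack("!HH", 0x0000, len(server_name) + 2)           # ext type, ext length
               + struct.pack("!H", len(server_name)) + server_name)       # server_name_list
    extensions = struct.pack("!H", len(sni_ext)) + sni_ext
    body = (b"\x03\x03" + b"\x11" * 32       # client_version, random (constructed constant)
            + b"\x00"                         # session_id length 0
            + struct.pack("!H", 2) + b"\x13\x01"   # one cipher suite: TLS_AES_128_GCM_SHA256
            + b"\x01\x00"                     # compression_methods: null only
            + extensions)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body             # ClientHello (1)
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake  # handshake record


def extract_sni(record: bytes) -> Optional[str]:
    """Return the SNI hostname from a TLS ClientHello record, or None.

    None covers non-TLS input, non-ClientHello handshakes, truncated records
    and a ClientHello without a server_name extension. Nothing is decrypted:
    every field read here is on the wire in cleartext.
    """
    if len(record) < 5 or record[0] != 0x16:                # not a handshake record
        return None
    rec_len = struct.unpack("!H", record[3:5])[0]
    data = record[5:5 + rec_len]
    if len(data) < 4 or data[0] != 0x01:                    # not a ClientHello
        return None
    hs_len = int.from_bytes(data[1:4], "big")
    hs = data[4:4 + hs_len]
    if len(hs) < hs_len:                                    # truncated record
        return None
    pos = 2 + 32                                            # skip client_version + random
    if len(hs) < pos + 1:
        return None
    pos += 1 + hs[pos]                                      # session_id
    if len(hs) < pos + 2:
        return None
    pos += 2 + struct.unpack("!H", hs[pos:pos + 2])[0]      # cipher_suites
    if len(hs) < pos + 1:
        return None
    pos += 1 + hs[pos]                                      # compression_methods
    if len(hs) < pos + 2:
        return None
    end = pos + 2 + struct.unpack("!H", hs[pos:pos + 2])[0]
    pos += 2
    if len(hs) < end:
        return None
    while pos + 4 <= end:                                   # walk the extension list
        ext_type, ext_len = struct.unpack("!HH", hs[pos:pos + 4])
        pos += 4
        ext = hs[pos:pos + ext_len]
        if len(ext) < ext_len:
            return None
        pos += ext_len
        if ext_type != 0x0000:                              # not server_name
            continue
        if len(ext) < 5:
            return None
        names = ext[2:2 + struct.unpack("!H", ext[0:2])[0]]
        p = 0
        while p + 3 <= len(names):
            name_type = names[p]
            name_len = struct.unpack("!H", names[p + 1:p + 3])[0]
            p += 3
            value = names[p:p + name_len]
            if len(value) < name_len:
                return None
            p += name_len
            if name_type == 0:                              # host_name
                try:
                    return value.decode("ascii")
                except UnicodeDecodeError:
                    return None
        return None
    return None


# Constructed relay-side routing table: public hostname -> tunnel endpoint on the LAN.
ROUTES: Dict[str, Tuple[str, int]] = {"your-name.pluggie.net": ("192.168.1.50", 8123)}


def route(record: bytes, table: Dict[str, Tuple[str, int]] = ROUTES) -> Optional[Tuple[str, int]]:
    """Pick the tunnel endpoint for a ClientHello by its SNI; None means drop it."""
    host = extract_sni(record)
    return None if host is None else table.get(host.lower())


if __name__ == "__main__":
    hello = build_client_hello("your-name.pluggie.net")
    print(extract_sni(hello), "->", route(hello))
```

Because the relay only ever sees the name, it can route or geo-block on the hostname and nothing else; the same property is what lets a hotel or corporate firewall decide on port 443 connections by SNI alone, which is the filtering the trade-offs section mentions.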
The free tier includes one tunnel with a randomly generated pluggie.net subdomain. No email signup, no credit card. If your goal is to stop port forwarding, you can test whether a tunnel works for your setup in less time than it takes to log in to your router admin panel.
Further reading
- CGNAT: What It Is and How to Solve It — when port forwarding does not even work in the first place.
- Cloudflare Tunnel and TLS — the privacy trade-off in the most popular tunneling option.
- How to Access Home Assistant Remotely Without Port Forwarding — the concrete how-to.