Access Home Assistant without public IP

Oct 12, 2018, by Karolis Rusenas

Webhook Relay Add-on

Goal of this tutorial

Secure, end-to-end TLS-encrypted access to your Home Assistant without configuring your router or having a static IP. Instead of HTTPS tunnels, which are terminated on Webhook Relay servers, we will use TLS tunnels that are terminated only at your end, so even if we were forced to, we couldn’t intercept traffic without your browser notifying you.

What I assume about you

Before we begin

This tutorial will expect you to have:

To have a basic experience with fully encrypted end-to-end tunnels, choose the Basic plan ($4.5/month), although you will not be able to set your own custom domain for it.

Quick Start

Installing this add-on is straightforward and no different from installing any other add-on:

  1. Add our add-ons repository URL to your instance: (If you are seeing this through your Home Assistant add-ons page, skip it)
  2. Install the “Webhook Relay” add-on.
  3. Generate a token key & secret pair and add it to the add-on’s configuration.
  4. Get a DuckDNS token and create your domain. Add those details to the “tunnels” config section and the “duck_dns” section. Set “accept_terms” to true if you accept the Let’s Encrypt ToS.
  5. Start the “Webhook Relay” add-on.
  6. Check the logs of the “Webhook Relay” add-on to see if everything went well. It should print out your public URL.

TLS pass-through add-on configuration

Once you have:

Use those details to populate add-on configuration:

{
  "key": "your-webhookrelay-key",
  "secret": "your-webhookrelay-secret",
  "forwarding": [
    {
      "bucket": "ha",
      "destination": ""
    }
  ],
  "tunnels": [
    {
      "name": "ha",
      "destination": "",
      "protocol": "tls",
      "domain": ""
    }
  ],
  "duck_dns": {
    "token": "your-duckdns-token",
    "accept_terms": true
  },
  "tunnels_enabled": true,
  "forwarding_enabled": false
}

Make sure that “protocol” is set to tls and that tunnels_enabled is set to true.

The add-on will automatically:

  1. Configure DuckDNS to point to the correct address (public tunnel endpoint IP)
  2. Configure and retrieve a certificate and private key from Let’s Encrypt
  3. Store the certificate & key in the /data/ directory
  4. Configure the Webhook Relay tunnel
  5. Start serving traffic


That’s it, you should be able to access your Home Assistant through your domain that you have configured, in my case it’s We have got full, end-to-end encryption without configuring your router or getting a static IP:

[Image: Remote Access]

Also, instead of using DuckDNS & Let’s Encrypt, you can use any certificate you want, or supply no certs to the add-on at all and terminate TLS on the Home Assistant server. For that you just have to specify HTTPS in the destination: "destination": ""
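To check from outside that TLS really is terminated at your end, compare the certificate served on your domain with the one you hold locally. This is an added example, not part of the add-on or the original post; the script name and the certificate path argument are assumptions, since the page does not name the file stored under /data/.

```python
"""Check that the certificate served on the tunnel domain is the one you hold."""
import hashlib
import re
import socket
import ssl
import sys

PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----.+?-----END CERTIFICATE-----", re.S)


def leaf_fingerprint_from_pem(pem_text):
    """SHA-256 of the first certificate in a PEM file (the leaf in a chain)."""
    match = PEM_BLOCK.search(pem_text)
    if match is None:
        raise ValueError("no certificate found in PEM text")
    der = ssl.PEM_cert_to_DER_cert(match.group(0))
    return hashlib.sha256(der).hexdigest()


def served_fingerprint(host, port=443, timeout=10):
    """SHA-256 of the leaf certificate presented for `host`, after the usual
    chain and hostname validation a browser would also perform."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            der = tls.getpeercert(binary_form=True)
    return hashlib.sha256(der).hexdigest()


def terminates_at_my_end(local_pem_text, served_fp):
    """True only if the certificate seen from outside is the locally stored one."""
    return leaf_fingerprint_from_pem(local_pem_text) == served_fp.lower()


if __name__ == "__main__":
    # Assumed usage: check_tunnel_cert.py DOMAIN CERT_PEM_PATH
    # The file name under /data/ is not given on the page; pass the real path.
    if len(sys.argv) != 3:
        sys.exit("usage: check_tunnel_cert.py DOMAIN CERT_PEM_PATH")
    domain, pem_path = sys.argv[1], sys.argv[2]
    with open(pem_path, encoding="ascii") as fh:
        local_pem = fh.read()
    seen = served_fingerprint(domain)
    ok = terminates_at_my_end(local_pem, seen)
    print(f"served leaf sha256: {seen}")
    print("match: TLS terminates on your certificate" if ok
          else "MISMATCH: another certificate is being served for this domain")
    sys.exit(0 if ok else 1)
```

Run it from a network outside your home so the connection goes through the tunnel. The fingerprint changes whenever the certificate is renewed, so compare against the current file.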


If you just want to receive webhooks, feel free to use our free tier! Or if you feel broke, email us at [email protected] and we might think of something :)

Not using Check out my previous blog post that details a simple setup with Docker here.