---
title: "Home Assistant remote access add-on | WebhookRelay"
meta:
  "og:description": "Reverse tunnels for testing and development environments"
  "og:title": "Home Assistant remote access add-on"
  description: "Reverse tunnels for testing and development environments"
---


# **Home Assistant remote access add-on**

Reverse tunnels for testing and development environments

The Webhook Relay [add-on](https://github.com/webhookrelay/home-assistant) allows remote access to Home Assistant without configuring your router or firewall and without a static public IP. It works by creating secure reverse tunnels back to the cloud service.

![Webhook Relay Add-on](https://webhookrelay.com/blog/hassio-tls-tunnels-duckdns/images/blog/hassio-addon/ha-duckdns.png)

## [Goal of this tutorial](#goal-of-this-tutorial)

The goal is secure, end-to-end TLS-encrypted access to your Home Assistant without configuring your router or having a static IP. Instead of HTTPS tunnels, which are terminated on Webhook Relay servers, we will use [TLS tunnels](https://docs.webhookrelay.com/products/tunnels/tls-tunnels#tls-pass-through), which are terminated only at your end. Even if we were forced to, we couldn't intercept the traffic without your browser notifying you.

## [Before we begin](#before-we-begin)

This tutorial expects you to have:

- A **Basic** plan subscription ($9.99/m), which enables whitelisted domains and TLS pass-through tunnels. Check plans and pricing [here](https://webhookrelay.com/pricing). We do offer a 7-day money back guarantee. Subscribe to it on your [accounts](https://my.webhookrelay.com/account/plan) page. If you don't want to commit, drop us an email at [info@webhookrelay.com](mailto:info@webhookrelay.com) and we will set up a trial for you.
- A [DuckDNS](https://www.duckdns.org/) account to get your own free domain and retrieve a TLS certificate through [Let's Encrypt](https://letsencrypt.org/).

## [Quick Start](#quick-start)

- Create a Webhook Relay account [here](https://my.webhookrelay.com)
- Create a [DuckDNS](https://www.duckdns.org/) account:

![DuckDNS configuration](https://webhookrelay.com/blog/hassio-tls-tunnels-duckdns/images/blog/hassio-addon/duckdnsconfig.png)

Installing this add-on is straightforward and no different from installing any other [Hass.io](https://hass.io) add-on:

1. Add our Hass.io add-ons repository URL to your Hass.io instance: [https://github.com/webhookrelay/home-assistant](https://github.com/webhookrelay/home-assistant).
2. Install the “Webhook Relay” add-on.
3. Generate a [token key & secret pair](https://my.webhookrelay.com/tokens) and add it to the add-on configuration.
4. Get a [DuckDNS](https://www.duckdns.org/) token and create your domain. Add those details to the "tunnels" and "duck_dns" config sections. Set "accept_terms" to true if you accept the [Let's Encrypt ToS](https://community.letsencrypt.org/tos).
5. Start the “Webhook Relay” add-on.
6. Check the logs of the “Webhook Relay” add-on to see if everything went well. It should print out your public URL.

### [TLS pass-through add-on configuration](#tls-pass-through-add-on-configuration)

Once you have:

- Webhook Relay key & secret
- DuckDNS domain
- DuckDNS token

Use those details to populate the add-on configuration:

```
{
    "key": "your-webhookrelay-key",
    "secret": "your-webhookrelay-secret",
    "forwarding": [
        {
            "bucket": "ha",
            "destination": "http://127.0.0.1:8123"
        }
    ],
    "tunnels": [
        {
            "name": "ha",
            "destination": "http://127.0.0.1:8123",
            "protocol": "tls",
            "domain": "your-domain.duckdns.org"
        }
    ],
    "duck_dns": {
        "token": "your-duckdns-token",
        "accept_terms": true
    },
    "tunnels_enabled": true,
    "forwarding_enabled": false
}
```

Make sure that `protocol` is set to `tls` and `tunnels_enabled` is set to **true**.

The add-on will automatically:

1. Configure DuckDNS to point to the correct address (the public tunnel endpoint IP)
2. Request and retrieve a certificate and private key from Let's Encrypt
3. Store the certificate & key in the `/data/` directory
4. Configure the Webhook Relay tunnel
5. Start serving traffic

### [Wrapping up](#wrapping-up)

That's it. You should now be able to access your Home Assistant through the domain that you have configured; in my case it's [https://auto-ha.duckdns.org](https://auto-ha.duckdns.org). We have got full, end-to-end encryption without configuring your router or getting a static IP:

[![Remote Access](https://webhookrelay.com/blog/hassio-tls-tunnels-duckdns/images/blog/hassio-addon/domain-ss.png)](/images/blog/hassio-addon/domain-ss.png)

Also, instead of using DuckDNS & Let's Encrypt, you can use any certificate you want, or supply no certs to the add-on at all and terminate TLS on the Home Assistant server. For that, you just have to specify HTTPS in the destination: `"destination": "https://127.0.0.1:8123"`
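A pre-flight check for the configuration shown earlier and the HTTPS-destination variant just described, as an added example that is not part of the add-on or the original post: it lints the JSON for the conditions this tutorial names before you start the add-on. The `lint` and `lint_text` names, the sample values, and the treatment of a missing DuckDNS token as "no certificate supplied to the add-on" are assumptions.

```python
import json
from urllib.parse import urlsplit

# Constructed sample: the tutorial's config with two mistakes left in on purpose
# (placeholder key, and a protocol value other than "tls").
SAMPLE = """{
  "key": "your-webhookrelay-key",
  "secret": "constructed-secret",
  "tunnels": [{"name": "ha", "destination": "http://127.0.0.1:8123",
               "protocol": "http", "domain": "example-ha.duckdns.org"}],
  "duck_dns": {"token": "constructed-token", "accept_terms": true},
  "tunnels_enabled": true,
  "forwarding_enabled": false
}"""

def lint(cfg):
    """Return findings for an add-on config dict; an empty list means it passed."""
    findings = []
    for field in ("key", "secret"):
        value = cfg.get(field) or ""
        if not value or value.startswith("your-"):
            findings.append(f"{field}: empty or still the tutorial placeholder")
    if cfg.get("tunnels_enabled") is not True:
        findings.append("tunnels_enabled: must be true for the tunnel to start")
    duck = cfg.get("duck_dns") or {}
    for tunnel in cfg.get("tunnels") or []:
        name = tunnel.get("name", "?")
        if tunnel.get("protocol") != "tls":
            # Only TLS tunnels are terminated at your end (pass-through).
            findings.append(f"tunnel {name}: protocol is not tls, no pass-through")
        elif duck.get("token"):
            # The add-on fetches the certificate itself via DuckDNS + Let's Encrypt.
            if duck.get("accept_terms") is not True:
                findings.append(f"tunnel {name}: duck_dns.accept_terms is not true")
        elif urlsplit(tunnel.get("destination", "")).scheme != "https":
            # Assumption: no token means no cert for the add-on, so Home Assistant
            # has to terminate TLS (unless you supply your own certificate).
            findings.append(f"tunnel {name}: no duck_dns token, use an https destination")
    return findings

def lint_text(text):
    """Parse the add-on configuration JSON and lint it."""
    return lint(json.loads(text))

if __name__ == "__main__":
    for finding in lint_text(SAMPLE):
        print("FINDING:", finding)
```
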

### [P.S.](#ps)

If you just want to receive webhooks, feel free to use our free tier! Or if you don't want to commit but would really like to try it, email us at [info@webhookrelay.com](mailto:info@webhookrelay.com) and we might think of something :)

Not using Hass.io? Check out my previous blog post that details a simple setup with Docker [here](https://webhookrelay.com/blog/hassio-tls-tunnels-duckdns/blog/2018/09/03/home-assistant-remote-access/).