Tag: VPN

  • How to Access Home Assistant Remotely with Tailscale on a NAS (No Port Forwarding Required)

    One of the biggest things I wanted after setting up Home Assistant was reliable remote access.

    At first, I assumed this would be simple. Install Home Assistant, install the mobile app, sign in remotely somehow, and that would be the end of it.

    The deeper I got into self hosting though, the more I realised remote access is one of those areas where things become complicated surprisingly quickly. Every guide seemed to recommend something different, from opening ports on the router to setting up reverse proxies, SSL certificates, Cloudflare tunnels and domain names.

    None of those things are inherently bad, but when you are still building your understanding it becomes difficult to know what is actually necessary and what is just adding complexity.

    There was another factor as well: subscriptions. I completely understand why Home Assistant Cloud exists and for many people it is probably the right solution. But like a lot of people these days, it feels as though everything wants a monthly fee.

    I was not trying to avoid spending money entirely. I just wanted to see if I could achieve reliable and secure remote access using the hardware and software I already had, without exposing Home Assistant directly to the internet while I was still figuring things out.

    That is what led me to Tailscale. It gave me a way to get remote access working without turning it into a much bigger networking project.

    My setup

    For reference, this is the setup I am currently running.

    The NAS itself is a UGREEN NASync DXP2800 running Docker containers for both Home Assistant and Tailscale. If you’re interested in the hardware itself, I covered my experience in my UGREEN NASync DXP2800 Review After 2 Months.

    There is no port forwarding, no reverse proxy, no public Home Assistant exposure, and no Home Assistant Cloud subscription.

    That probably sounds restrictive at first, especially if you spend enough time reading forums where people are building very advanced setups. But honestly, that was exactly the point.

    Despite working in IT, I did not want this to become a project that required constant maintenance. I wanted something that was secure, made sense, and just worked day to day without needing to be constantly revisited.

    Just because a solution is more advanced does not automatically make it better for your situation. For me, the goal was not to build the most complex setup possible. It was to build one that was secure, reliable, and easy to live with long term.

    That is what pushed me towards Tailscale.

    Why I chose Tailscale

    The biggest reason was simplicity, not because the alternatives were beyond me, but because I was trying to solve a specific problem rather than build a networking project.

    There are plenty of ways to provide remote access to Home Assistant. You can use reverse proxies, SSL certificates, Cloudflare tunnels, domain names, port forwarding and various other combinations depending on how much control you want.

    The problem is that every additional layer becomes something else to configure, secure and maintain.

    For some people that is part of the hobby, and there is nothing wrong with that. For me, the goal was simply to access Home Assistant securely when I was away from home.

    Tailscale felt like a very clean solution to that problem. Instead of exposing Home Assistant publicly and then protecting it afterwards, it creates a private encrypted network between devices you already trust.

    In practice, that meant my phone could communicate directly with my NAS without Home Assistant ever being exposed to the public internet.

    That shift in approach made everything much easier to reason about. I was not publishing a service and securing it, I was extending a private network.

    For a home setup, that balance between simplicity, security and reliability was hard to ignore.

    The benefit I was not expecting

    When I first started looking at remote access, I was focused almost entirely on Home Assistant. The goal was simply to be able to open dashboards and make sure automations worked when I was away from home.

    What I did not really think about at the time was that I was solving a much bigger problem.

    Once Tailscale was working, Home Assistant was only one of the things I could access remotely. I also had other services running on my NAS, including my Recipe App and Home Dashboard. Several of these are applications I discussed in my Docker Containers I Still Use One Year Later article, and Tailscale effectively gave me secure remote access to all of them at the same time.

    That was the point where it clicked. Tailscale stopped feeling like a Home Assistant tool and started feeling like part of the underlying infrastructure of my home network. The more services I added locally, the more useful it became.

    The Home Assistant benefits were still significant. Presence detection became more reliable, location updates worked more consistently, and geofenced automations behaved the way I expected them to.

    But the bigger takeaway was that I only needed to solve remote access once. Every service I run now, and anything I add in the future, can use the same setup.

    Before you start

    This guide assumes you already have Home Assistant running and accessible on your local network.

    If you are starting from scratch, make sure you can access Home Assistant locally first, for example:

    http://192.168.x.x:8123

    Do not move on until this works reliably. Otherwise you end up troubleshooting multiple things at once.

    Checking Home Assistant locally

    Before adding Tailscale, confirm Home Assistant is actually listening on port 8123.

    sudo ss -tulpn | grep 8123

    You should see Home Assistant (usually as python3) listening on that port. If not, fix that first.

    Installing Tailscale in Docker

    Tailscale running as a Docker container on my UGREEN NAS.

    Install Tailscale as a Docker container on your NAS.

    # Pull the image and start it on the host network, so the container shares the
    # NAS's network stack and remote devices reach Home Assistant via the NAS's
    # Tailscale IP. NET_ADMIN and NET_RAW let tailscaled create its tunnel interface;
    # --hostname sets the node name you will see in the admin console, and the
    # tailscale-data volume keeps the node identity across container restarts.
    docker pull tailscale/tailscale:latest
    docker run -d \
      --name=tailscale \
      --hostname=nas \
      --network=host \
      --cap-add=NET_ADMIN \
      --cap-add=NET_RAW \
      -v tailscale-data:/var/lib \
      tailscale/tailscale:latest

    Check the logs to get the authentication link:

    docker logs tailscale

    Open the URL shown, sign in, and approve the device.

    Make sure to click this link right away, as Tailscale login URLs expire after a few minutes. If it has expired, simply restart the container or re-check the logs to generate a new one.

    Note: In this example, Tailscale stores its configuration in a Docker named volume called tailscale-data. If you prefer to keep your container data in a specific folder for easier backups or management, you can replace the named volume with a local path that suits your environment.

    For example:

    -v /path/to/tailscale-data:/var/lib

    The exact location will depend on your operating system, NAS, or Docker setup.

    Verify the connection:

    docker exec -it tailscale tailscale status

    Setting up Tailscale on your phone

    The Tailscale app lets you confirm your devices are connected and quickly find your NAS Tailscale IP address.

    Installing Tailscale on the NAS is only half of the setup. You also need it running on the device you actually want to connect from, which in my case is my iPhone.

    Download the Tailscale app from the App Store and sign in using the same account you used to authenticate the NAS. Once signed in, your phone will appear in your Tailscale admin console alongside your NAS.

    At that point, your phone is part of the same private network. Your phone is no longer “connecting into” your home network, it is effectively part of it.

    One useful thing is that the Tailscale app shows all connected devices and their assigned IP addresses. That means you can quickly check your NAS Tailscale IP directly from your phone without needing to SSH in.

    This is useful when setting things up or troubleshooting because you can confirm:

    • your NAS is online
    • your phone is connected to the tailnet
    • the correct Tailscale IP is being used

    Finding the Tailscale IP

    Get the Tailscale IP:

    docker exec -it tailscale tailscale ip -4

    You will get something like:

    100.x.x.x

    Use that to access Home Assistant remotely:

    http://100.x.x.x:8123

    This uses HTTP, not HTTPS. Tailscale already encrypts the traffic between your phone and the NAS, and Home Assistant is only listening for plain HTTP on port 8123, so forcing HTTPS here will break the connection.

    Configuring the Home Assistant Companion App

    Home Assistant Companion App server settings showing internal and external URL configuration.

    In the Home Assistant Companion App, you need to set the Internal URL and External URL.

    On iPhone, open the app and go to:

    Settings → Companion App → Server Settings

    (If you have multiple servers configured, tap your server first, then open Server Settings.)

    Use your local IP for Internal URL:

    http://192.168.x.x:8123

    Use your Tailscale IP for External URL:

    http://100.x.x.x:8123

    Both should use HTTP. Tailscale already encrypts the connection, so you do not need HTTPS here.

    Once set, back out of the menu and give the app a few seconds to reconnect. If everything is correct, it should connect both on WiFi and over Tailscale without any errors.

    VPN On Demand on iPhone

    One thing I highly recommend enabling is VPN On Demand inside the Tailscale app.

    Enable it for both WiFi and cellular so the connection is automatic. That way you do not need to remember to manually connect before opening Home Assistant.

    This makes the whole setup feel much more seamless day to day and also improves reliability for things like presence detection and geofenced automations because your phone maintains a consistent connection back to Home Assistant.

    The issue that caused the most confusion

    The biggest problem I hit was not Home Assistant. It was Tailscale Serve taking over port 8123.

    sudo ss -tulpn | grep 8123

    If you do not see Home Assistant (python3) on that port, something else has taken it. If the process column shows tailscaled instead, Tailscale Serve has bound port 8123.

    Fix it by resetting Serve inside the container (the tailscale CLI lives there, as with the earlier commands):

    docker exec -it tailscale tailscale serve reset

    Then re-run the ss check and confirm python3 is back on port 8123.
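As an added example (not code from the original post), here is a small POSIX shell helper that automates the two checks this guide relies on: it reads `ss -tulpn` output to tell whether python3 (Home Assistant) or tailscaled (Tailscale Serve) owns port 8123, and it sanity-checks the Companion App External URL for the plain-http, 100.x.x.x form used above. The `ss` output it runs against is constructed sample text; on the NAS you would feed it the real `sudo ss -tulpn` instead.

```shell
#!/bin/sh
# Added diagnostic helper, not code from the original post. It checks the two things
# this guide tells you to verify: which process owns Home Assistant's port, and that
# the Companion App External URL has the plain-http, Tailscale-IP form used above.

HA_PORT=8123

# Constructed sample of `sudo ss -tulpn` on a healthy NAS: Home Assistant (python3) owns 8123.
SS_HEALTHY='Netid State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
tcp   LISTEN 0      128    0.0.0.0:8123       0.0.0.0:*         users:(("python3",pid=2210,fd=7))
tcp   LISTEN 0      128    0.0.0.0:22         0.0.0.0:*         users:(("sshd",pid=911,fd=3))'

# Constructed sample after Tailscale Serve has been pointed at 8123: tailscaled owns it instead.
SS_TAKEN='Netid State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
tcp   LISTEN 0      4096   *:8123             *:*               users:(("tailscaled",pid=3180,fd=21))
tcp   LISTEN 0      128    0.0.0.0:22         0.0.0.0:*         users:(("sshd",pid=911,fd=3))'

# listener_on PORT SS_OUTPUT -> process name of the first TCP listener on PORT, or "none".
listener_on() {
  printf '%s\n' "$2" | awk -v port="$1" '
    $1 == "tcp" && $2 == "LISTEN" && $5 ~ (":" port "$") {
      # Process column looks like users:(("python3",pid=2210,fd=7)); pull out the name.
      if (match($0, /users:\(\("[^"]+"/)) {
        print substr($0, RSTART + 9, RLENGTH - 10); found = 1; exit
      }
    }
    END { if (!found) print "none" }'
}

# diagnose_port SS_OUTPUT -> "ok" | "tailscale-serve" | "free" | "other:<process>"
diagnose_port() {
  owner=$(listener_on "$HA_PORT" "$1")
  case "$owner" in
    python3)    echo ok ;;               # Home Assistant is listening, as expected
    tailscaled) echo tailscale-serve ;;  # clear it with: docker exec -it tailscale tailscale serve reset
    none)       echo free ;;             # nothing bound: Home Assistant itself is not running
    *)          echo "other:$owner" ;;   # some other container or service grabbed the port
  esac
}

# check_external_url URL -> "ok", or the first problem found:
#   "scheme"           not plain http:// (Tailscale already encrypts the link)
#   "not-tailscale-ip" host is not an IPv4 address in Tailscale's 100.64.0.0/10 range
#   "port"             port is not Home Assistant's
check_external_url() {
  case "$1" in
    http://*) ;;
    *) echo scheme; return 0 ;;
  esac
  hostport=${1#http://}; hostport=${hostport%%/*}
  host=${hostport%%:*}; port=${hostport#*:}
  [ "$port" = "$hostport" ] && port=80        # no explicit port in the URL
  first=${host%%.*}; rest=${host#*.}; second=${rest%%.*}
  case "$second" in ''|*[!0-9]*) echo not-tailscale-ip; return 0 ;; esac
  if [ "$first" != 100 ] || [ "$second" -lt 64 ] || [ "$second" -gt 127 ]; then
    echo not-tailscale-ip; return 0
  fi
  [ "$port" = "$HA_PORT" ] || { echo port; return 0; }
  echo ok
}

# Stand-alone run against the constructed samples.
diagnose_port "$SS_HEALTHY"                            # ok
diagnose_port "$SS_TAKEN"                              # tailscale-serve
check_external_url "http://100.101.102.103:$HA_PORT"   # ok
check_external_url "https://100.101.102.103:$HA_PORT"  # scheme
```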

    Hardware I Use

    Before I wrap up, a quick note: some of the links below are Amazon affiliate links. If you choose to purchase through them, I may earn a small commission at no additional cost to you. I only recommend products I personally use or have hands-on experience with.

    The software in this guide is free, but if you’re curious about the hardware behind my setup, this is what I currently use:

    I’ve been using this setup for Home Assistant, Docker containers, remote access through Tailscale, and various self-hosted projects. If you’re building something similar, these are the components I have the most hands-on experience with.

    Final thoughts

    Tailscale ended up being one of the most useful additions to my setup, not because it was flashy, but because it removed friction.

    Once it was configured, I stopped thinking about remote access entirely. Combined with a stable home network, which I discussed in What Actually Happens on Your Network (Why WiFi Feels Inconsistent), it became one of those rare pieces of infrastructure that simply fades into the background and does its job.

    There are more advanced ways to achieve the same result, and for some setups they will make sense. But for me, this struck the right balance. It solved the problem I actually had without introducing more moving parts to maintain.

    Looking back, that was the biggest win. Not just remote access, but a simple foundation I can keep building on without having to rethink it every time I add something new.

  • NAS Security Best Practices: How to Protect Your Smart Home Storage in 2025

    Smart homes are only as strong as their weakest link — and for many people, that link is their NAS. Whether you’re backing up family photos, streaming media, or running Docker apps like Home Assistant, your NAS is central to daily use. But with that convenience comes risk: if left unsecured, it can be a prime target.

    In this post, we’ll look at practical security measures anyone can take, along with real-world examples of how they’re applied.


    Why NAS Security Matters

    Your NAS is more than just storage. It can hold personal documents, sensitive media, or even act as a server for automation. If compromised, you risk data loss, identity theft, or someone using your device as part of a botnet. NAS attacks often involve ransomware, where hackers encrypt your files and demand payment for the key. Others exploit weak passwords or outdated firmware.

    Securing your NAS doesn’t just protect your files. It safeguards your privacy, prevents downtime for your smart home, and ensures your backups are truly reliable.


    Step 1: Enable Two-Factor Authentication (2FA)

    Passwords alone are no longer enough. Attackers often use brute-force attacks or leaked credentials to get into devices. Two-factor authentication (2FA) adds a crucial extra step, requiring both your password and a second code (usually sent to your phone or generated by an authenticator app).

    Why it matters:

    • Protects you if your password is leaked in a data breach.
    • Makes brute-force attacks nearly impossible.
    • Adds security for admin accounts that have full system access.

    On modern NAS platforms like Synology, QNAP, UGREEN, Asustor, and TerraMaster, enabling 2FA takes only a few minutes. It’s one of the simplest but most effective steps you can take.


    Step 2: Secure Remote Access

    One of the biggest mistakes NAS owners make is exposing their system directly to the internet with port forwarding. Hackers constantly scan for open NAS ports, making this extremely risky.

    Safer alternatives:

    • Vendor Remote Access Services: Systems like Synology QuickConnect, QNAP myQNAPcloud, and UGREEN Link let you connect remotely without opening ports. These encrypt your traffic and relay it through secure servers.
    • VPN Access: A VPN connection to your home network gives you direct access to your NAS while keeping it hidden from the wider internet.

    Why it matters:

    • Prevents unauthorised scanning and login attempts.
    • Keeps your NAS invisible to opportunistic attacks.
    • Ensures encrypted communication when you’re away from home.

    If you value convenience, stick with the vendor’s remote access app. If you want maximum control, set up a VPN on your router.


    Step 3: Keep Firmware and Apps Updated

    Outdated firmware and apps are one of the most common ways attackers break into devices. Security patches fix vulnerabilities, but only if you install them.

    Why it matters:

    • New exploits are constantly discovered and shared online.
    • Running old firmware is like leaving your front door unlocked.
    • Updates also improve stability and sometimes add new features.

    Best practice:

    • Enable auto-updates where possible.
    • Manually check for firmware or Docker container updates once a month.
    • Subscribe to vendor newsletters or RSS feeds to stay aware of security advisories.

    Step 4: Backups Beyond RAID

    A common misconception is that RAID = backup. It doesn’t. RAID only protects against drive failure, not against ransomware, accidental deletions, or theft. To keep data truly safe, you need a separate copy stored elsewhere.

    Backing up NAS data to Azure Blob storage ensures off-site redundancy and protection against disasters.

    There are several approaches:

    • External HDDs: Rotate them regularly and keep one off-site.
    • Cloud storage: Services like Backblaze B2, Google Drive, or Dropbox can work well with NAS sync tools.
    • Hybrid setups: Use both local and cloud storage for maximum redundancy.

    In my case, I use Azure Blob Storage as my off-site backup. It integrates with my NAS through rclone, a powerful command-line tool for syncing files to cloud storage providers. Once configured, it allows my NAS to automatically copy critical folders to Azure, giving me a secure, off-site backup that isn’t affected by local issues like drive failure, ransomware, or even physical damage.

    🔗 For a full walkthrough, check out my dedicated post on Automating NAS Backups to Azure with rclone.

    Why this matters:

    • Protects against ransomware wiping out your NAS data.
    • Provides recovery if your house suffers fire, flood, or theft.
    • Gives peace of mind knowing you have a copy far away from your home setup.

    Step 5: Strengthen Your Network

    Your NAS security depends heavily on your network. Weak Wi-Fi or outdated routers leave doors open for attackers, and insecure IoT devices can be an easy way in.

    What to do:

    • Use WPA3 or WPA2 encryption with a long, unique passphrase to secure your Wi-Fi.
    • Segment IoT devices (cameras, bulbs, sensors) onto a separate VLAN or guest Wi-Fi so they can’t directly reach your NAS. This prevents a compromised smart bulb or camera from giving access to your storage.
    • Update router firmware and disable unused services like UPnP, which can automatically open ports without your knowledge.
    • Enable firewall rules on your router if available, restricting which devices can talk to your NAS.

    In my own home, I’ve segmented IoT devices onto a separate network, keeping them isolated from my NAS and main devices. This way, even if a low-cost smart plug is compromised, it can’t talk directly to my storage or other critical systems.

    Why it matters:

    • Prevents weaker IoT devices from being exploited as entry points.
    • Stops attackers from using compromised devices to pivot to your NAS.
    • Improves overall network hygiene and peace of mind.

    For more detail and a step-by-step breakdown, check out my guide on How to Set Up a Secure Home Network the Right Way.


    Step 6: Control User Access

    Not every account needs admin rights. Many breaches cause maximum damage because compromised accounts had unnecessary privileges.

    Best practice:

    • Create a separate admin account you rarely use.
    • Use standard accounts for day-to-day access.
    • Restrict shared folder permissions so each user only sees what they need.

    Why it matters:

    • Limits the scope of damage if one account is compromised.
    • Prevents malware from spreading across all shares.
    • Keeps sensitive data private even within households or teams.

    Step 7: Monitor Logs and Alerts

    Most NAS systems include logs and alert systems — but many users ignore them. Checking them regularly gives early warning of issues, but you can go further by enabling real-time notifications.

    What to watch:

    • Repeated failed login attempts
    • Unknown IP addresses trying to connect
    • Unexpected spikes in CPU or network activity

    How to stay on top of it:

    • Enable email or mobile app notifications for login failures, drive health problems, or service errors.
    • Configure thresholds for CPU, memory, and storage so you’re warned before problems escalate.
    • Use push notifications from your NAS app for immediate alerts.

    Why it matters:

    • Lets you respond before an attack succeeds.
    • Helps identify misconfigured devices or apps.
    • Reduces the need for constant manual log checks.

    Challenges and Trade-Offs

    Securing your NAS brings major benefits, but it isn’t without compromises. Understanding these trade-offs helps set realistic expectations:

    Convenience vs Security
    Extra steps like VPN logins or 2FA make systems safer but can feel less convenient. Vendor apps are easier but require trusting their infrastructure.

    Performance Costs
    Features such as drive encryption or real-time virus scanning can reduce speeds, especially on lower-powered NAS units.

    Compatibility Issues
    Older devices may not support WPA3 Wi-Fi, 2FA, or stricter firewall rules, which could limit some security options.

    Financial Costs
    VPN subscriptions, higher-end routers, and cloud backups like Azure or Backblaze all add to running expenses. External drives or UPS units also add to the budget.

    Learning Curve
    Configuring VLANs, VPNs, or tools like rclone takes technical know-how. Beginners may want to start with basics such as updates, strong passwords, and vendor apps before moving to advanced setups.


    Final Thoughts

    Securing your NAS isn’t about making it complicated. It’s about layering simple, practical defences that drastically reduce risk. With 2FA, safe remote access, regular updates, strong backups, and basic network hygiene, you can protect your files and your smart home from the most common threats.

    I’ve applied these measures to my own NAS setup, and the peace of mind is well worth the effort. Whether you’re using a Synology, QNAP, UGREEN, or another brand such as Asustor or TerraMaster, the principles remain the same — a little preparation now avoids much bigger problems later.


    💡 If you’re just getting started with NAS, check out my post on Setting Up the UGREEN NASync DXP2800: A Beginner-Friendly Guide. For a longer-term perspective, I also reviewed it after 2 months of daily use here.