Secure Remote-Accessible Home Assistant Webhooks With Tailscale

Daniel Rosehill
Daniel’s Tech World
Mar 27, 2024
Creating a Tailscale to Home Assistant config for webhooks

Webhooks are extremely useful tools for creating all manner of automations.

But from a security standpoint, when used in the context of home automation, they cause justifiable concern.

Nobody wants to accidentally have their webhook scraped and have their smart lock / HVAC / lighting controlled by a random hacker.

After some trial and error, I discovered a way to create webhooks that resolve from the WAN using Tailscale.

Here’s a quick rundown of the steps needed.

Configure A Static Local IP For Your HA Instance

My Home Assistant OS runs off a mini PC.

First, you’ll want to give your Home Assistant instance a static IP on the local area network.

I can’t think of a situation in which this _wouldn’t_ be a good idea, but if we’re creating webhooks, we’re going to need to do this (I’m sure there’s a way to get homeassistant.local URLs to resolve from the WAN but ... it isn’t easy).

Next, you’re going to want to add this integration:

Deploy Tailscale On Your Home Assistant And Advertise A Subnet Route

Next, we’re going to want to install Tailscale on our Home Assistant OS and advertise a subnet route, so that the local IPs can be reached remotely over Tailscale.

To do this refer to the latest tutorials/instructions on configuring Tailscale on your Home Assistant:

Here’s the integration:

Make sure not to skip the subnet route as it’s essential to getting this working.

Create Webhooks To Drive Automations

Home Assistant (out of the box) has the ability to create locally-hosted webhook endpoints which is amazing for creating automation triggers.

Create a webhook (When -> Automation -> Webhook).

Make sure that the webhook URL is built on your static local IP address and not on homeassistant.local.

Also make sure that you enable GET. You can (and should) keep the local-only option on because, when authenticated with Tailscale, the connection “looks” local to Home Assistant.

Write A Webhook To An NFC Tag For Testing

To test this out, let’s create an NFC tag (or QR code) with the webhook.

Then to validate, let’s do the following:

  • Connect to Tailscale.
  • Turn off WiFi if we’re on a mobile device to move ourselves outside of the LAN.
  • Scan your NFC tag to trigger your webhook (or simply visit the URL in your browser). The automation should work even when you’re not physically at home!
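Before writing the URL to a tag, it is worth checking that it actually matches the setup described above. The following is an added example, not code from the original post: a small Python check that the webhook URL uses an IP literal on the LAN, that the IP sits inside the subnet route you advertised, and that the path has Home Assistant's `/api/webhook/<webhook_id>` shape. The address `192.168.1.50`, the route `192.168.1.0/24` and the webhook ID are constructed sample values, and `check_webhook_url` is a hypothetical helper name.

```python
import ipaddress
from urllib.parse import urlsplit

WEBHOOK_PREFIX = "/api/webhook/"


def check_webhook_url(url: str, advertised_route: str) -> list[str]:
    """Return a list of problems; an empty list means the URL fits the setup."""
    problems = []
    parts = urlsplit(url)
    route = ipaddress.ip_network(advertised_route, strict=False)
    host = parts.hostname or ""

    if parts.scheme not in ("http", "https"):
        problems.append(f"unexpected scheme {parts.scheme!r}")

    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        # e.g. homeassistant.local, which will not resolve from outside the LAN
        problems.append(f"host {host!r} is a name, not the static LAN IP")
        addr = None

    if addr is not None:
        if not addr.is_private:
            problems.append(f"{addr} is not a private (LAN) address")
        if addr not in route:
            problems.append(f"{addr} is outside the advertised route {route}")

    # The webhook ID is the last path segment and must not be empty.
    if not parts.path.startswith(WEBHOOK_PREFIX) or parts.path == WEBHOOK_PREFIX:
        problems.append("path is not /api/webhook/<webhook_id>")

    return problems


if __name__ == "__main__":
    # Constructed sample values; replace with your own static IP and route.
    samples = [
        "http://192.168.1.50:8123/api/webhook/constructed-webhook-id",
        "http://homeassistant.local:8123/api/webhook/constructed-webhook-id",
        "http://192.168.2.50:8123/api/webhook/constructed-webhook-id",
    ]
    for url in samples:
        issues = check_webhook_url(url, "192.168.1.0/24")
        print(url, "->", "OK" if not issues else "; ".join(issues))
```

An empty result only says the URL is consistent with the subnet route; the remote test in the list above is still what confirms the route is accepted and working.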
