Why a VPS instead of a direct port-forward?
Opening port 8123 on your home router sounds simple, but it puts your smart home dashboard directly on the internet. One misconfigured account or unpatched HA release and someone else controls your lights — and potentially your locks. A VPS in the middle gives you a hardened chokepoint: you control TLS termination, rate limiting, and auth in one place, and your home IP stays private.
I run this setup myself — the VPS is small and cheap, and nothing else has to change on your home network. Check out the best VPS options for self-hosting if you haven’t picked one yet.
Option A: WireGuard tunnel (recommended for full local access)
This approach creates an encrypted tunnel between your VPS and your home network. Once connected, your VPS can reach Home Assistant as if it were on the same LAN. It’s the cleanest option if you want to access other home services too.
On your home server, install WireGuard and generate keys:
sudo apt install wireguard
# Restrict file permissions so the private key is not world-readable
umask 077
wg genkey | tee home-private.key | wg pubkey > home-public.key
On your VPS, install WireGuard and generate its own keypair:
sudo apt install wireguard
# Restrict file permissions so the private key is not world-readable
umask 077
wg genkey | tee vps-private.key | wg pubkey > vps-public.key
VPS WireGuard config (/etc/wireguard/wg0.conf):
[Interface]
Address = 10.10.0.1/24
ListenPort = 51820
PrivateKey = <vps-private-key>
[Peer]
# Home server
PublicKey = <home-public-key>
AllowedIPs = 10.10.0.2/32
Home server WireGuard config (/etc/wireguard/wg0.conf):
[Interface]
Address = 10.10.0.2/24
PrivateKey = <home-private-key>
[Peer]
# VPS
PublicKey = <vps-public-key>
Endpoint = <your-vps-ip>:51820
AllowedIPs = 10.10.0.1/32
PersistentKeepalive = 25
Bring both up with sudo wg-quick up wg0 and enable on boot with sudo systemctl enable wg-quick@wg0. Once the tunnel is live, your VPS can reach Home Assistant at 10.10.0.2:8123.
With the tunnel in place, add Nginx or Nginx Proxy Manager on the VPS to serve HTTPS traffic. Point your domain at the VPS, get a Let’s Encrypt cert, and proxy requests to 10.10.0.2:8123. The Nginx Proxy Manager setup guide covers this step in detail.
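A minimal Nginx site for the proxy step described above, as an added example that is not part of the original post. It assumes the placeholder domain ha.example.com, certbot's default certificate paths, and an illustrative rate-limit zone named ha_auth.

```nginx
# Added example: site file on the VPS, included inside nginx's http {} block
# (for instance from /etc/nginx/conf.d/; the location is an assumption).
# ha.example.com is a placeholder; the limit_req values are illustrative.

limit_req_zone $binary_remote_addr zone=ha_auth:10m rate=30r/m;

# Home Assistant's frontend uses WebSockets, so pass the Upgrade handshake.
map $http_upgrade $connection_upgrade {
    default upgrade;
    ''      close;
}

server {
    listen 80;
    server_name ha.example.com;
    return 301 https://$host$request_uri;   # plain HTTP only redirects to HTTPS
}

server {
    listen 443 ssl;
    server_name ha.example.com;

    ssl_certificate     /etc/letsencrypt/live/ha.example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/ha.example.com/privkey.pem;
    ssl_protocols       TLSv1.2 TLSv1.3;

    # Set once at server level; both locations below inherit these.
    proxy_http_version 1.1;
    proxy_set_header Host $host;
    proxy_set_header Upgrade $http_upgrade;
    proxy_set_header Connection $connection_upgrade;
    # Overwrite rather than append, so a client cannot supply its own address.
    proxy_set_header X-Forwarded-For $remote_addr;
    proxy_set_header X-Forwarded-Proto $scheme;

    # Throttle Home Assistant's login and token endpoints per client IP.
    location /auth/ {
        limit_req zone=ha_auth burst=10 nodelay;
        proxy_pass http://10.10.0.2:8123;
    }

    location / {
        proxy_pass http://10.10.0.2:8123;   # Home Assistant over the WireGuard tunnel
    }
}
```

Home Assistant rejects requests carrying X-Forwarded-For unless configuration.yaml sets use_x_forwarded_for: true and lists 10.10.0.1 under trusted_proxies in its http: section. With both in place, Home Assistant sees the real client address instead of the VPS's tunnel IP.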
Make sure you’ve also locked down the VPS itself — UFW rules, fail2ban, and SSH key-only auth are the baseline.
Option B: Reverse proxy only (simpler, no VPN)
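If your home router supports port-forwarding and you’re comfortable forwarding one internal port, you can skip WireGuard. Forward port 8123 from your router to your Home Assistant box, but bind it only to localhost or a non-public interface. Then on the VPS, set up Nginx to proxy to your home IP. If your router lets you restrict a forward by source address, allow only the VPS’s IP; an unrestricted forward leaves port 8123 reachable by anyone who finds your home IP, which is the direct exposure this setup is meant to avoid.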
This works, but it does expose your home IP to the VPS. For most home users that’s acceptable; if you want full privacy, stick with Option A.
Running Home Assistant Container on a VPS directly
If your use case is cloud-only integrations (weather, calendars, remote sensors that report over the internet) and you don’t need local device discovery, you can run Home Assistant Container on the VPS itself.
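# docker-compose.yml
services:
  homeassistant:
    image: ghcr.io/home-assistant/home-assistant:stable
    container_name: homeassistant
    restart: unless-stopped
    privileged: true
    # Host networking: Home Assistant listens on port 8123 of the VPS itself,
    # so the VPS firewall must keep that port closed to the internet
    network_mode: host
    volumes:
      - ./config:/config
    environment:
      - TZ=Europe/Berlin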
docker compose up -d
Home Assistant will be available on port 8123. Put Nginx in front of it for TLS — see the proxy manager guide linked above. Keep in mind: without a bridge back to your home LAN, Zigbee, Z-Wave, and most local integrations won’t work. This mode suits a secondary HA instance or a pure-cloud dashboard.
Before you go live, point your domain to the VPS and confirm DNS propagation.
Keeping it secure
A few things I always do before exposing any HA instance:
- Enable multi-factor authentication in HA (Settings → People → your account)
- Set trusted_networks in configuration.yaml so MFA prompts are skipped only for connections from the WireGuard tunnel IP range
- Keep Home Assistant updated — subscribe to release notes, since security patches ship regularly
- Review your VPS firewall rules so only ports 80, 443, and 51820 (WireGuard) are open
Which option should you choose?
For most people with a local smart home setup, Option A (WireGuard + reverse proxy) is the right call. It keeps your home IP private, gives you full access to local integrations, and the VPS stays thin — it’s just routing encrypted packets. Option B works if you can’t run a VPN on your home router and are okay with your home IP being known to the VPS. Pure VPS hosting only makes sense for cloud-centric setups.
A 1 vCPU / 1 GB RAM instance from Hetzner or Vultr handles this gateway role without breaking a sweat — check current pricing on their sites, but entry-level plans are inexpensive.
Once the gateway is up, your Home Assistant dashboard loads over HTTPS from anywhere in the world, your home devices stay on the local network where they belong, and you haven’t exposed anything unnecessary to the internet.