I’m running my own HA locally, in my house, but I would like to be able to access it also when I’m not home. So I’ve put it on my Zerotier One VPN, which works fine. Except for two things:
- HA no longer knows when I’m home - it thinks I’m always home;
- Other people in my household would also like to have remote access, but it’s unrealistic to have them install and use the VPN.
So - can I just open it up, and rely on long, complex passwords? Or is that a complete no-go?
It’s generally fine to open it up, if you somewhat know what you’re doing. I wouldn’t do it without some protection measures like fail2ban and making sure HA is always up to date.
Nabu Casa, the manufacturer of HA, has a paid option where they take care of publicly accessing your local HA instance. I think that’s a good solution as well. It includes backups on their servers.
Nabu Casa is the way. Built by Home Assistant for Home Assistant, and utterly seamless and reliable (in my experience).
Most importantly it supports the developers who have created this amazing piece of software! Do it! 👍🏼🙏🏼
Absolutely, cost-wise it’s almost the same as any other alternative, plus you support the devs. No-brainer choice. I’m 100% in.
Not cheaper than free, Tailscale is free
@ropatrick
Plus offsite encrypted backup included.
Tailscale is possibly a solution for you.
Mine is open to the internet, via a nginx reverse proxy. I made it ban people who try to brute-force my password. It’s been fine like that for years now:
```yaml
http:
  trusted_proxies:
    - w.x.y.z
  use_x_forwarded_for: true
  ip_ban_enabled: true
  login_attempts_threshold: 10
```
Thanks, TIL about the built in ip ban
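The ban only works if Home Assistant is keying it on the real client address, which depends on `trusted_proxies`. Below is an added example (not the poster's configuration) showing the setting that quietly defeats the ban next to the correct one; `203.0.113.10` is a placeholder for the reverse proxy's own address, and the two `http:` blocks are separate YAML documents so they can sit in one file.

```yaml
# Added example, not the poster's configuration above. 203.0.113.10 is a
# placeholder for the reverse proxy's address.

# WEAK: trusting every address makes Home Assistant accept X-Forwarded-For
# from anyone who can reach the port. Whoever controls that header picks the
# IP the ban counter is keyed on and can rotate it on every attempt, so the
# ip_ban feature never triggers against them.
http:
  trusted_proxies:
    - 0.0.0.0/0
  use_x_forwarded_for: true
  ip_ban_enabled: true
  login_attempts_threshold: 10

---
# HARDENED: only the proxy may set X-Forwarded-For. Requests from any other
# source that carry the header are refused, and the counter is keyed on the
# client address the proxy reports. A lower threshold is fine once only real
# attackers can trip it.
http:
  # Core/Container installs only (not Home Assistant OS): bind to loopback so
  # the proxy is the only path in. Assumes the proxy runs on the same host.
  server_host: 127.0.0.1
  trusted_proxies:
    - 203.0.113.10
  use_x_forwarded_for: true
  ip_ban_enabled: true
  login_attempts_threshold: 5
```

Two things to check after enabling this: the proxy must actually forward the client address (in nginx, `proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;` inside the `location` that proxies to HA), otherwise every failed login is attributed to the proxy and the tenth one bans the proxy, locking everybody out; and bans land in `ip_bans.yaml` next to `configuration.yaml`, so if you do lock yourself out, remove the entry there and restart.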
I have mine available as a tor hidden service.
I just use a Cloudflare tunnel using the Cloudflared plugin and a custom domain name. So no need to open ports. I use long passwords for the users. Not sure how unsafe it is but in HA you get a notification when a failed login happened.
I’m doing that + 2FA
What I personally do is have it accessible over WireGuard. Open TCP ports to the Internet are a bad idea. This does mean you have to launch WireGuard every time, but it’s way more secure
If I understood correctly, you may find https://wgtunnel.com/ useful. No need to launch wireguard manually anymore.
Wish they had it for iOS
deleted by creator
@Archer indeed. A small effort for a good result
If you don’t want to use a VPN like Tailscale (or ZeroTier) then this is exactly what the Home Assistant Cloud is for. And it even has an 1-month trial.
I’m using cloudflared to give it a bit more protection over a plain reverse proxy
I work in IT at a major university, and watch the logs. My Home Assistant instance is open to the Internet behind an nginx reverse proxy with SSL. (The official add-on makes it easy.) Brute-forcing passwords on HTTPS is not really a thing anymore. I get a connection attempt or two per month at home. At work, they go for known vulnerabilities in web apps; WordPress, mostly.
Mine is on the internet behind nginx. I block connections not originating in countries that are reasonable for my family. I don’t like geoip blocking but it straight up eliminated almost all the IDS alerts. I needed to migrate to DNS based validation for certbot.
If I or my family leave the geo region, I’m “away” anyways until I return to the area and my device gets a new IP. Or I can allow the country temporarily.
With the price of oil and therefore plane tickets what it is, I won’t be leaving my geo region.
If you are hosting other things with it, then a reverse proxy like Caddy or Traefik + crowdsec is pretty much as good as you are going to get and you can add region blocking on your router (if that feature is available) or if you use cloudflare as a proxy.
If you want to go really crazy, you can put authelia/Authentik in front of it, depending on what else you host.
My HA instance is publicly accessible (with 2FA) through Nabu Casa’s cloud service. Happily paying the subscription price of a whole $7/mo for that feature and to support them.
I can quickly switch it to my own reverse proxy if necessary.
A good, simple solution is Cloudflare.
Why? Because you can lock it down to specific people, for example only to those who have these 4 email addresses.
They need to enter the code received via email every month or so. Everyone else, no code no access.
I use nginx proxy manager and then a cloudflare to protect my actual IP
I solved Problem 1 by adding ICMP to HA. It’s constantly checking if my phone is present on the WiFi*.
I’m using Tailscale instead of ZeroTier, but that should not matter.
*I could also use my router’s integration, but this logic worked with my shitty old router that had no integration
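For anyone wanting to reproduce the ICMP approach from the comment above, here is an added example (not the poster's configuration) of the Ping device tracker feeding a `person` entity, which is what drives the home/not_home state. `192.168.1.23` is a placeholder for the phone's LAN address; give the phone a fixed DHCP lease or this breaks the first time it gets a new address.

```yaml
# Added example, not the poster's configuration. 192.168.1.23 is a placeholder
# for the phone's address on the home network.
device_tracker:
  - platform: ping
    hosts:
      my_phone: 192.168.1.23
    count: 3              # packets per check; one dropped reply does not mean "away"
    scan_interval: 30     # seconds between checks
    consider_home: 300    # seconds without a reply before the state flips to not_home

# The person entity is what automations and the map use; the ping tracker can
# be combined here with the companion app's GPS tracker if you run that too.
person:
  - name: Me
    id: me
    device_trackers:
      - device_tracker.my_phone
```

Keep `consider_home` generous: phones on Wi-Fi stop answering ICMP while the screen is off, so a short timeout will flip you to "away" while you are asleep on the couch. Since this watches the phone's LAN address rather than where the HA client connects from, it keeps working whether you reach HA over the VPN or not.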