Short Answer: Use Cloud or a VPN Before You Expose a Public URL
If you want to control Home Assistant away from home in 2026, the lowest-friction answer is Home Assistant Cloud. If you want a more private DIY path and do not mind putting a VPN client on your own devices, Tailscale is the cleanest current option for most people. A public reverse proxy can still be right, but it is an advanced operating choice, not the default answer for a family home.
The path to avoid as a first instinct is raw port forwarding to 8123. You can make public exposure safer with proper HTTPS, proxying, MFA, and upkeep, but "I opened a port so the app works" is how hobby infrastructure turns into permanent risk.
Tara's practical rule: local does not need to mean trapped at home. It means the remote path should be narrow, deliberate, and easy to support when the person who set it up is not standing in front of the router.
Why This Question Keeps Coming Up
Remote access is one of the most repeated Home Assistant questions because the goals pull in different directions at once. People want phone control, notifications, geofencing, and guest or spouse access, but they also want privacy, no cloud dependence, and no public attack surface. Reddit threads keep asking for the "best" or "free" remote method, while Home Assistant Community posts circle through the same tradeoff: Cloud, VPN, reverse proxy, or some mix of them.
The confusion is not only about networking. Companion-app GitHub issues also show that internal URLs, external URLs, connection security levels, and location permissions can turn a theoretically good design into a frustrating mobile experience. That makes remote access a real homeowner question, not just a homelab question.
The 2026 Remote Access Decision Table
Use this table before spending a weekend rebuilding your network stack.
| Path | Best for | Watch-outs |
|---|---|---|
| Home Assistant Cloud | Most homeowners, shared family access, quick setup, fewer moving parts, no router changes. | Paid subscription and a remote path that depends on the cloud service. |
| Tailscale or another VPN | Privacy-first DIY users who want no public Home Assistant endpoint and can manage their own devices. | Each device needs the VPN path, and the companion app may need careful internal and external URL settings. |
| Public reverse proxy with your own domain | Advanced operators who already manage DNS, TLS, reverse proxies, and ongoing security maintenance. | More attack surface, more config, more breakage points, and a stricter need for MFA and trusted proxy settings. |
Direct port forward to 8123 |
Almost nobody. | Easy to misconfigure, easy to forget, and a poor default when better remote paths already exist. |
Home Assistant Cloud: Best Default for Most Homes
Home Assistant's own remote-access docs and companion-app docs push beginners toward Home Assistant Cloud for the simplest secure setup. The basic appeal is obvious: no port forwarding, no certificate wrangling, and no "why did the app stop switching URLs?" debugging. Nabu Casa's support docs describe the remote URL as encrypted and reachable from anywhere while pointing back to your own Home Assistant instance.
This is the best fit when the household wants remote control to feel boring. If a partner, guest, property manager, or relative needs the app, Cloud keeps the onboarding story cleaner than "install this VPN, sign in here, approve that device, and tell me when the route breaks."
The tradeoff is operational philosophy. You are paying for convenience, and the remote connection path relies on Nabu Casa. That does not mean your local automations suddenly run in the cloud. It means the remote doorway is managed for you.
Tailscale: Best DIY Private Path
Home Assistant's remote-access docs list VPNs such as Tailscale, WireGuard, and ZeroTier as secure options. For today's average DIY homeowner, Tailscale is usually the easiest one to recommend because it removes most of the classic VPN pain: static IP assumptions, manual tunnel files, and edge-router gymnastics.
The important nuance is that Home Assistant's official Tailscale integration does not make Home Assistant remotely reachable. It monitors your tailnet inside Home Assistant. The actual remote-access job is done by running Tailscale on the Home Assistant host, on another always-on device in the same network, or through a properly designed subnet-router path, plus Tailscale on the phone or laptop that will connect.
Tailscale is strongest when the remote users are a small set of trusted people and you want no public Home Assistant URL at all. It is also a good answer when you do not want to depend on a cloud relay for app access.
What Trips People Up with Tailscale
Tailscale solves the transport problem, but it does not remove every app-level decision. The companion docs still matter. Home Assistant's mobile docs explain internal URL, external URL, connection-security level, and location-based URL switching. That is why remote-access threads and GitHub issues keep surfacing even when the underlying VPN is sound.
- Set the URLs intentionally: a normal local URL for home Wi-Fi and a Tailscale URL for away-from-home access is often the cleanest split.
- Test on cellular and Wi-Fi: a design that works from your couch but fails on LTE is not a remote-access design yet.
- Check location permissions: automatic switching is better when the companion app has the permissions it expects.
- Remember the human factor: if three other household members need access, VPN client management may cost more time than a Cloud subscription.
If your goal is simply "my own phone and laptop should reach Home Assistant privately," Tailscale is excellent. If your goal is "remote access should be effortless for anyone in the household," Home Assistant Cloud often wins on support burden alone.
Public Reverse Proxy: Viable, but Advanced
A public URL can still be the right answer when you already operate internet-facing services and want full control over the stack. In that world, Home Assistant is just another application behind a domain, TLS certificates, access controls, and a reverse proxy.
But this route has real sharp edges. Home Assistant's HTTP integration docs make it clear that proxy-related settings such as use_x_forwarded_for and trusted_proxies exist for traditional reverse-proxy setups and must be configured correctly. Get them wrong and you can break request handling, logging, client IP visibility, or worse. If you take the public path, pair it with Home Assistant's multi-factor authentication support and treat the service like permanent public infrastructure.
This is why "public reverse proxy" and "raw port forwarding" are not the same category. A proper reverse proxy can be defensible. Directly opening Home Assistant to the internet because it seemed easy is usually just unfinished engineering.
What Not to Do
If you remember only one rule from this guide, make it this: do not start by forwarding 8123 from the router to Home Assistant and calling the job done.
That pattern keeps showing up because it works quickly, not because it is the best design. The safer sequence is:
- Try Home Assistant Cloud if you want the simplest and most supportable answer.
- Try Tailscale if you want a private DIY path and the remote users are manageable.
- Use a public reverse proxy only if you already know why you want one and are willing to maintain it.
Do You Need Tailscale Funnel?
Usually no. Tailscale's Funnel feature is about exposing a service to the broader internet. If your only goal is that your devices reach Home Assistant while away from home, a private tailnet path is narrower and safer. Bringing Funnel into the picture makes sense only when you have a reason to publish something publicly, and that is exactly the situation many Home Assistant users are trying to avoid.
Companion-App Settings That Prevent Most Headaches
Remote access is not complete when the browser works once. It is complete when the phone app behaves correctly under normal life: home Wi-Fi, away from home, geofencing, and notifications.
- Keep an internal URL: use the local address you actually want on your home network, not just whatever happened to work once.
- Keep an external URL: use your Cloud URL, reverse-proxy URL, or Tailscale URL deliberately instead of leaving the app in a half-detected state.
- Respect connection security: the companion docs explain why some URLs are treated differently based on HTTPS and network trust.
- Test the real workflows: can the app load on cellular, can geofencing update, and can a second person in the house use it without calling you?
Those are not abstract UX details. They decide whether remote access becomes infrastructure or a recurring support ticket.
Tara's Recommendation
For a Tara-style installed home, the ranking is simple. Home Assistant Cloud is the safest default when the house needs low-friction support and multiple people may use the app. Tailscale is the strongest private path when one technically confident owner wants direct access without a public endpoint. A public reverse proxy is for people who already run public services and accept the extra maintenance as a conscious trade.
The decision is not only about security. It is about supportability. A local smart home is better when remote access works after a phone upgrade, a router replacement, or a weekend away, not only when the original installer is available to remember which port and certificate combination they picked months ago.
If your larger goal is a local, private smart home rather than a networking project, these Tara guides help connect remote access to hardware, local control, and long-term support.
Related Tara Reading
- How to Run Your Smart Home Without the Cloud
- Smart Home Security: Protect Your Connected Home
- Best Home Assistant Hardware in 2026
- How to Set Up a Fully Local Voice Assistant in Home Assistant
- Home Assistant vs a Preconfigured Smart Home Kit
- What a Local Smart Home Hub Does
- No-Subscription Smart Home Camera Setup
- Matter vs Thread vs Zigbee vs Z-Wave for Homeowners
FAQ
What is the safest default way to access Home Assistant remotely?
For most homeowners, Home Assistant Cloud is the lowest-risk default because it avoids router changes and keeps the app setup simple. Tailscale is the strongest DIY alternative when you want a private VPN path instead of a public URL.
Can I use Tailscale and keep Home Assistant local?
Yes. Tailscale creates a private tailnet path to your Home Assistant machine or network, so you can reach the instance without opening a public inbound port. Home Assistant's Tailscale integration is for monitoring your tailnet, not for publishing Home Assistant itself.
Is port forwarding Home Assistant safe?
Direct port forwarding is not the best default. If you expose Home Assistant publicly, use HTTPS, a properly configured reverse proxy, trusted proxy settings, multi-factor authentication, and ongoing maintenance. Most people should use Cloud or VPN instead.
Do I need Tailscale Funnel to access Home Assistant away from home?
Usually no. Funnel is for exposing a service to the public internet. If only your own devices need access, a normal tailnet connection is the narrower and safer design.
Will Home Assistant Cloud make my automations run in the cloud?
No. Home Assistant Cloud gives you a remote path back to your Home Assistant instance. Your automations and local device control still run on the box in your home.