VIGIL MESH

Documentation

Home Assistant remote access, with no open ports

Home Assistant listens on port 8123 by default, and the whole remote-access dilemma comes down to this: how do you reach that port from outside without exposing it to the Internet? VIGIL-MESH answers with a private network: the client installs on the machine serving Home Assistant and on your devices, every machine only makes outbound connections, and you get http://name:8123 back from anywhere — just like at home, with no port forwarding, no reverse proxy, nothing exposed.

The classic Home Assistant remote access dilemma

The Home Assistant project documents several remote-access routes, and the community debates them at length: each one is a trade-off between simplicity, cost and exposure. The three families you see everywhere:

The official cloud, by subscription

The project offers an official cloud service: simple, well integrated, nothing to open — and paid, by subscription. It is a legitimate option that funds the project; its principle, though, remains routing your access through a third-party service.

Direct exposure or a reverse proxy

Forward port 8123 on the router, or run your own reverse proxy with a TLS certificate. It works, but your home-automation interface becomes a service exposed to the Internet: scanned around the clock, only as safe as your configuration and your updates.

A VPN back home

A classic VPN avoids exposure, but you have to host the VPN server, open its inbound port on the router, deal with a changing public IP address — and it is impossible behind the CGNAT of a 4G/5G connection or of many recent fiber plans.

The private network approach: your home follows you

VIGIL-MESH links your machines into a private encrypted network, with nothing exposed. The client installs on the machine serving Home Assistant — the Linux host running it, or the LAN machine that carries port 8123 when Home Assistant runs in a container — and on the devices that need to reach it (laptop, Android phone). Every machine only makes outbound connections, over 443 UDP: nothing to open on the router, nothing to forward, and it works behind 4G/5G CGNAT too.

  • Zero inbound ports — no machine listens from the Internet; port 8123 stays reachable only from the members of your network.
  • Immediate connection, direct as soon as possible — traffic first flows through a structurally blind relay (it holds no keys), then migrates without interruption to the direct path between your machines.
  • End-to-end encryption — QUIC/TLS 1.3 sessions between your machines, with a hybrid post-quantum key exchange.
  • Stable address and MagicDNS name — the Home Assistant machine keeps the same address and the same short name wherever you are: your bookmarks never break.

Concretely, you open http://machine-name:8123 from your laptop at the office or your phone on the road, exactly as you would from your couch. Name resolution happens locally, from the signed network map issued by the controller: no DNS query leaves the machine, and nobody learns that you are reaching your home automation.

The home-automation bonus: mDNS and SSDP cross the mesh

Home Assistant discovers a good share of its integrations on its own, through the local network’s announcement protocols — mDNS/Bonjour and SSDP/UPnP. That is exactly what purely L3 VPNs drop: discovery stops at the tunnel’s edge. VIGIL-MESH instead treats each network as a broadcast domain: broadcast, multicast and link-local IP reach every member as if on a switch, and that replication is encrypted end to end.

  • mDNS/Bonjour — announcements from member machines reach Home Assistant, and vice versa, as on a single segment.
  • SSDP/UPnP and WS-Discovery — media boxes, TVs and ONVIF cameras announced by one member are discovered by the others.
  • TTL intact — the mesh behaves as a single logical link: an mDNS packet sent with TTL 255 arrives with TTL 255, so strict stacks accept it.

The Home Assistant mobile app: one URL, everywhere

The official Home Assistant mobile app connects to your instance through the server’s URL. With the VIGIL-MESH client installed on the phone (Android), the internal URL http://name:8123 answers from anywhere: the phone is a permanent member of the private network, so the same address works at home and on the road, with no juggling between an internal URL and an exposed external one.

Setting up access, step by step

  1. 1
    Create an account and a workspaceFree for personal use: direct traffic between your machines is unlimited, only relayed traffic is subject to a quota.
  2. 2
    Install the client on the machines involvedThe machine serving Home Assistant on one side; your laptop and your Android phone on the other.
  3. 3
    Enroll each machineConsole → Networks → Machines → “Add a machine”: one single-use key per machine, as a command to copy or a QR code on Android.
  4. 4
    Verify connectivityThe machine receives its stable address and its MagicDNS name; pinging the name confirms everything is in place.
  5. 5
    Open http://name:8123From the browser or the mobile app, reach Home Assistant by its machine name, just as on the LAN. Nothing was opened on the router.

Frequently asked questions

How do I access Home Assistant remotely without opening a port on my router?
By reaching it through a private network instead of exposing it: install the VIGIL-MESH client on the machine serving Home Assistant and on your devices. Every machine only makes outbound connections over 443 UDP; no inbound port, no forwarding rule, no reverse proxy. You then open http://name:8123 just like at home.
Does it work behind a 4G/5G connection or CGNAT?
Yes. CGNAT prevents hosting a server or opening a port, but it lets connections out — and VIGIL-MESH only dials out. The connection is established immediately through a blind relay, then migrates without interruption to the direct path once NAT traversal succeeds.
Is it safer than a reverse proxy or port forwarding?
Port 8123 is no longer exposed to the Internet at all: it is reachable only from the enrolled, verified machines of your network, over end-to-end encrypted QUIC/TLS 1.3 sessions. There is no home-automation service left to discover or scan from outside, and no exposure configuration to maintain flawlessly.
Does the Home Assistant mobile app work across the mesh?
Yes, on Android: with the VIGIL-MESH client on the phone, the internal URL http://name:8123 answers from anywhere, the same at home and on the road. There is no VIGIL-MESH client for iOS yet.
Does automatic device discovery (mDNS, SSDP) survive remote access?
Yes, between network members: each VIGIL network is a broadcast domain where mDNS, SSDP and WS-Discovery flow as on a single segment, encrypted end to end. Devices that cannot run the client are still discovered by the Home Assistant on their own LAN, which is what you reach remotely.
Read nextSmart-home VPN for the whole connected home