VIGIL MESH

Documentation

Remote access to Jeedom without opening a port

Jeedom runs your home from a box installed at your place — a Raspberry Pi, an Atlas box, a small local server. That is its strength: your scenarios run on site, your data stays home. It is also its eternal question: how do you reach Jeedom from outside? The usual answers — the vendor's DNS service, port forwarding with a reverse proxy, a homemade VPN — each come with trade-offs. This page reviews them honestly, then details a fourth way: the private mesh network, where your phone and your box become members of the same encrypted network, without opening a single port and without exposing anything to the Internet.

Why remote access is THE Jeedom question

Jeedom is a French self-hosted home automation solution: the core of the system runs at your place, on your hardware, and the web interface is used from a browser on the local network. Unlike cloud home automation platforms, nothing is reachable from the Internet by default. That is a deliberate design choice — and excellent news: your home keeps working if your Internet connection drops, and your presence, heating or alarm data never transits through a third-party server.

But that same choice creates the question every user ends up asking: what happens when I am no longer on my local network? The box stays home. The moment you walk out the door, the interface, the scenarios and the mobile app are out of reach — unless you set up external access. That is why remote access is, by far, one of the most discussed topics in the Jeedom community.

  • Checking from the office that the heating is really off, or that the garage door is closed.
  • Using the mobile app over 4G/5G, on the train or on holiday, as if you were in the living room.
  • Keeping an eye on a second home — and on the Jeedom box that lives there.
  • Troubleshooting, from a distance, the installation of a relative you equipped, without driving over.

An honest tour of the classic options

Three families of answers dominate the discussions. None of them is absurd: each one solves the problem, with different trade-offs. Knowing them lets you choose with open eyes — and understand what the mesh approach actually changes.

The vendor's DNS service (Jeedom DNS)

Jeedom offers its users a remote access service: the box establishes an outbound tunnel to the vendor's infrastructure, which then relays your connections to the interface over HTTPS, through a URL assigned to you. No port to open on your router — that is its great merit. In return, the service is offered as part of the vendor's service plans, the interface remains reachable from the Internet through a public URL (protected by your login), and the access path depends on third-party infrastructure.

Port forwarding and a reverse proxy

The historic self-hosting route: forward a port on your router to the Jeedom machine, often behind a reverse proxy with a TLS certificate, and track your public IP address with dynamic DNS. You keep end-to-end control — but your interface becomes a service exposed to the Internet: scanned around the clock, only as strong as the software listening behind it, with a certificate and a forwarding rule to maintain. And on a CGNAT connection (4G/5G, some fiber plans), there is simply no port to open.

The homemade VPN (OpenVPN, WireGuard)

Running your own VPN server at home shrinks the exposure to a single service: the VPN itself. That is real progress — but the VPN server must listen on an inbound port, which brings back router configuration, public IP tracking, and the CGNAT dead end. You also have to maintain the server, distribute the profiles, and remember to bring the tunnel up before each access.

Vendor's DNS serviceOpen port + proxyHomemade VPNPrivate mesh network
Inbound port on the routerNoYesYes (the VPN port)No
Interface reachable from the InternetYes, through a public URLYesNoNo — network members only
Works behind CGNAT (4G/5G)YesNoNoYes
Public certificate / dynamic DNS to manageNoYesOftenNo
Access pathThe vendor's infrastructureDirectDirectDirect as soon as possible, blind relay otherwise

The private mesh network approach, applied to Jeedom

The principle turns the question around: instead of making Jeedom reachable from the Internet, you make your phone and your computers members of the same private network as the box. VIGIL-MESH is a mesh VPN over QUIC: every machine only establishes outbound connections — a single flow on 443 UDP, the same port as the modern web. A relay puts the machines in touch immediately, then the session migrates seamlessly to the direct path as soon as NAT traversal finds one. Nothing to open on the router, nothing to forward, and it works behind a 4G/5G connection on CGNAT.

There are two ways to hook Jeedom up. The simplest and safest: install the client directly on the Jeedom machine. The Linux client ships as a .deb package (amd64 and arm64), runs as a systemd service with no screen or graphical session, and recovers on its own after a reboot — a headless server can even enroll without any interaction, using a pre-authorized key. Failing that, any other machine on the local network can serve as the entry point: a single node joining the mesh is enough to make the site reachable through it.

  • A stable address — the Jeedom machine gets an address in the 100.64.0.0/10 space that never changes, whatever physical network it sits on.
  • A name instead of an address — with MagicDNS, every machine carries a short name: you open the interface by the box’s name, just like at home. Resolution happens entirely locally, from the signed network map — no DNS query ever leaves your machines.
  • The mobile app through the internal URL — once your phone is enrolled (Android client), the Jeedom interface is reachable at its mesh name or address exactly as from the local network. If your app accepts an internal access URL, that URL therefore keeps working on the move: from the network’s point of view, the phone never left home.
  • Troubleshooting thrown in — the Jeedom machine also becomes reachable over SSH by its name, including from a terminal opened in a browser tab through the console (WASM client). Handy for fixing a relative’s box without installing anything on site.

Bonus: device discovery and multi-site setups

Home automation leans heavily on local discovery protocols: devices announce themselves on the network, and software finds them on its own. Those protocols rely on IP broadcast and multicast — precisely what classic VPNs and purely L3 mesh VPNs drop. VIGIL-MESH treats each network as a broadcast domain: broadcast, multicast and link-local IP reach every member as on a switch, and that diffusion is encrypted end to end.

  • mDNS/Bonjour — devices announcing themselves over mDNS are discovered across the mesh as on a single local segment.
  • SSDP/UPnP — home automation gateways, media boxes and TVs announced over SSDP stay visible from one site to the other.
  • WS-Discovery — ONVIF cameras and devices are discovered remotely just as they are locally.
  • Business UDP multicast — sensors and proprietary services announcing themselves over multicast cross the network the same way.

Multi-site follows naturally. Main home and second home join the same private network: one Jeedom box per site, each reachable by name from anywhere — or a single box, and a node installed at the second site that makes that site reachable through it. The two houses behave as one private network, with no site-to-site VPN to build and no router to configure on either end.

Security: zero exposure, and access you can govern

The fundamental security gain fits in one sentence: your Jeedom interface is only reachable by the members of your network. No inbound port is open, no service listens from the Internet — a scan of your public IP address reveals nothing. Where a port forward turns the home automation box into a permanent target, the mesh approach simply makes it invisible from the outside.

  • End-to-end encryption — sessions are QUIC/TLS 1.3 connections between the nodes, with per-machine Ed25519 identities and a hybrid post-quantum key establishment, X25519 + ML-KEM.
  • A structurally blind relay — when the direct path is not available, traffic transits through a relay that holds no keys and never sees the content. You can even host your own private relay.
  • ACLs, deny by default — access policies decide who reaches whom: your phone can reach the Jeedom box without the box gaining access to your workstation or the family NAS.
  • Immediate revocation — a lost or stolen phone is revoked from the console: it instantly loses all access to the network, hence to the box.

Setting up remote access, step by step

The setup follows the same sequence as for any machines on the mesh: one account, one client per machine, one enrollment with a single-use key, one check — then access, by name, as if local.

  1. 1
    Create an account and a workspaceThe workspace gathers your machines and your access rules. It is free for personal use.
  2. 2
    Install the client on the machines involvedOn the Jeedom machine (Linux .deb package, amd64 or arm64, systemd service) and on the devices that need to reach it: your Android phone, your Windows or Linux laptop.
  3. 3
    Enroll each machineIn the console, Networks page → Machines panel → "Add a machine": the wizard hands you a single-use enrollment key, to pass to the client on the command line — or to scan as a QR code from the Android app.
  4. 4
    Check connectivityThe Jeedom machine shows up with its stable address (100.64.x.x) and its MagicDNS name. A ping from the phone or the laptop confirms the path is open.
  5. 5
    Access the interface as if localOpen the Jeedom interface by the box's mesh name or address, from anywhere. Configure the mobile app with that same internal URL: it is now valid everywhere.

Troubleshooting and trick questions

First steps almost always raise the same questions. Here they are, with the answers that keep you from looking in the wrong place.

"http://jeedom does not answer"

The MagicDNS name is the machine's name in your workspace — not a name derived from the software it hosts. Check the exact name in the console inventory, and rename the machine if you prefer a telling name: the rename propagates on its own and the address does not change.

"My browser shows a certificate warning"

Over the mesh, the interface is served just as it is locally — often plain HTTP or a self-signed certificate. That is expected: strong encryption is provided by the QUIC/TLS 1.3 tunnel, and a public certificate has no reason to exist since nothing is published on the Internet.

"It works at home, not on 4G"

First check that the VIGIL-MESH client is actually active on the phone: it is what makes the box reachable outside the LAN. Behind two symmetric NATs (two mobile connections, say), the direct path is impossible and traffic stays relayed — access works, over a longer path.

"Which URL goes into the mobile app?"

The internal one — the box's mesh name or address. Once the phone is a member of the network, that URL is valid everywhere, and external access URLs become superfluous.

"I already use Jeedom DNS or a port forward"

Both can coexist: VIGIL-MESH intercepts neither your regular DNS nor your existing access paths. Many keep the old access while validating the new one — then close the now-useless port forward, shrinking the exposed surface accordingly.

"Ping works, the interface does not"

Resolvable does not mean authorized: access policies (ACLs) decide service by service. Check in the console that the accessing machine is indeed allowed to reach the Jeedom box.

Frequently asked questions

Do I need to open a port on my router to reach Jeedom remotely with VIGIL-MESH?
No. No inbound port, no forwarding rule: every machine only establishes outbound connections, a single flow on 443 UDP — the same port as the modern web. Your router keeps its original configuration, and a scan of your public address reveals nothing.
Do I have to install the client on the Jeedom machine itself?
It is the simplest route and the one that carries end-to-end encryption all the way to the box: the Linux client installs as a .deb package (amd64 and arm64) and runs as a service, with no screen. Failing that, another machine on the local network can serve as the entry point: a single node on the site is enough to make the site reachable through it.
Does the Jeedom mobile app work across the mesh?
Once the phone is enrolled with the Android client, the Jeedom interface is reachable at its mesh name or address exactly as from the local network. If your app accepts an internal access URL, that URL keeps working on the move: from the network's point of view, the phone never left home.
Does it work behind a 4G/5G connection or CGNAT?
Yes. CGNAT makes it impossible to open a port, but it lets connections out — and VIGIL-MESH only dials out. The connection is established immediately through the relay, then migrates seamlessly to the direct path when NAT traversal succeeds. If both ends sit behind symmetric NATs, traffic stays relayed — encrypted end to end, the relay never sees its content.
My Jeedom uses plain local HTTP: is that a problem for remote access?
No: traffic travels inside QUIC/TLS 1.3 sessions encrypted end to end between the nodes, and the interface is never published on the Internet — so no public certificate is needed. One nuance: if the client runs on a machine other than the box, the last segment on your LAN remains ordinary local traffic.
Can I link my main home and my second home?
Yes. The machines of both sites join the same private network and reach each other by name, wherever they are. You can run one Jeedom box per site, both reachable from anywhere — or a single box, plus a node at the second site that makes that site reachable through it. Discovery protocols (mDNS, SSDP, WS-Discovery) cross the mesh as on a single local network.
Is it compatible with Jeedom DNS or an existing port forward?
Yes. VIGIL-MESH intercepts neither your regular DNS nor the traffic of your existing access paths: it adds a private path that conflicts with nothing. You can keep your current access while validating the mesh one, then close the now-useless port forward.
How much does it cost for personal home automation use?
VIGIL-MESH is free for personal use: direct traffic between your machines is unlimited, and only relayed traffic is subject to a quota. A home automation usage — checking the interface, triggering scenarios, serving the mobile app — fits very naturally within that frame.
Read nextHome Assistant remote access, with no open ports