Documentation
Remote access to Jeedom without opening a port
Jeedom runs your home from a box installed at your place — a Raspberry Pi, an Atlas box, a small local server. That is its strength: your scenarios run on site, your data stays home. It is also its eternal question: how do you reach Jeedom from outside? The usual answers — the vendor's DNS service, port forwarding with a reverse proxy, a homemade VPN — each come with trade-offs. This page reviews them honestly, then details a fourth way: the private mesh network, where your phone and your box become members of the same encrypted network, without opening a single port and without exposing anything to the Internet.
Why remote access is THE Jeedom question
Jeedom is a French self-hosted home automation solution: the core of the system runs at your place, on your hardware, and the web interface is used from a browser on the local network. Unlike cloud home automation platforms, nothing is reachable from the Internet by default. That is a deliberate design choice — and excellent news: your home keeps working if your Internet connection drops, and your presence, heating or alarm data never transits through a third-party server.
But that same choice creates the question every user ends up asking: what happens when I am no longer on my local network? The box stays home. The moment you walk out the door, the interface, the scenarios and the mobile app are out of reach — unless you set up external access. That is why remote access is, by far, one of the most discussed topics in the Jeedom community.
- Checking from the office that the heating is really off, or that the garage door is closed.
- Using the mobile app over 4G/5G, on the train or on holiday, as if you were in the living room.
- Keeping an eye on a second home — and on the Jeedom box that lives there.
- Troubleshooting, from a distance, the installation of a relative you equipped, without driving over.
An honest tour of the classic options
Three families of answers dominate the discussions. None of them is absurd: each one solves the problem, with different trade-offs. Knowing them lets you choose with open eyes — and understand what the mesh approach actually changes.
The vendor's DNS service (Jeedom DNS)
Jeedom offers its users a remote access service: the box establishes an outbound tunnel to the vendor's infrastructure, which then relays your connections to the interface over HTTPS, through a URL assigned to you. No port to open on your router — that is its great merit. In return, the service is offered as part of the vendor's service plans, the interface remains reachable from the Internet through a public URL (protected by your login), and the access path depends on third-party infrastructure.
Port forwarding and a reverse proxy
The historic self-hosting route: forward a port on your router to the Jeedom machine, often behind a reverse proxy with a TLS certificate, and track your public IP address with dynamic DNS. You keep end-to-end control — but your interface becomes a service exposed to the Internet: scanned around the clock, only as strong as the software listening behind it, with a certificate and a forwarding rule to maintain. And on a CGNAT connection (4G/5G, some fiber plans), there is simply no port to open.
The homemade VPN (OpenVPN, WireGuard)
Running your own VPN server at home shrinks the exposure to a single service: the VPN itself. That is real progress — but the VPN server must listen on an inbound port, which brings back router configuration, public IP tracking, and the CGNAT dead end. You also have to maintain the server, distribute the profiles, and remember to bring the tunnel up before each access.
| Vendor's DNS service | Open port + proxy | Homemade VPN | Private mesh network | |
|---|---|---|---|---|
| Inbound port on the router | No | Yes | Yes (the VPN port) | No |
| Interface reachable from the Internet | Yes, through a public URL | Yes | No | No — network members only |
| Works behind CGNAT (4G/5G) | Yes | No | No | Yes |
| Public certificate / dynamic DNS to manage | No | Yes | Often | No |
| Access path | The vendor's infrastructure | Direct | Direct | Direct as soon as possible, blind relay otherwise |
The private mesh network approach, applied to Jeedom
The principle turns the question around: instead of making Jeedom reachable from the Internet, you make your phone and your computers members of the same private network as the box. VIGIL-MESH is a mesh VPN over QUIC: every machine only establishes outbound connections — a single flow on 443 UDP, the same port as the modern web. A relay puts the machines in touch immediately, then the session migrates seamlessly to the direct path as soon as NAT traversal finds one. Nothing to open on the router, nothing to forward, and it works behind a 4G/5G connection on CGNAT.
There are two ways to hook Jeedom up. The simplest and safest: install the client directly on the Jeedom machine. The Linux client ships as a .deb package (amd64 and arm64), runs as a systemd service with no screen or graphical session, and recovers on its own after a reboot — a headless server can even enroll without any interaction, using a pre-authorized key. Failing that, any other machine on the local network can serve as the entry point: a single node joining the mesh is enough to make the site reachable through it.
- A stable address — the Jeedom machine gets an address in the 100.64.0.0/10 space that never changes, whatever physical network it sits on.
- A name instead of an address — with MagicDNS, every machine carries a short name: you open the interface by the box’s name, just like at home. Resolution happens entirely locally, from the signed network map — no DNS query ever leaves your machines.
- The mobile app through the internal URL — once your phone is enrolled (Android client), the Jeedom interface is reachable at its mesh name or address exactly as from the local network. If your app accepts an internal access URL, that URL therefore keeps working on the move: from the network’s point of view, the phone never left home.
- Troubleshooting thrown in — the Jeedom machine also becomes reachable over SSH by its name, including from a terminal opened in a browser tab through the console (WASM client). Handy for fixing a relative’s box without installing anything on site.
Bonus: device discovery and multi-site setups
Home automation leans heavily on local discovery protocols: devices announce themselves on the network, and software finds them on its own. Those protocols rely on IP broadcast and multicast — precisely what classic VPNs and purely L3 mesh VPNs drop. VIGIL-MESH treats each network as a broadcast domain: broadcast, multicast and link-local IP reach every member as on a switch, and that diffusion is encrypted end to end.
- mDNS/Bonjour — devices announcing themselves over mDNS are discovered across the mesh as on a single local segment.
- SSDP/UPnP — home automation gateways, media boxes and TVs announced over SSDP stay visible from one site to the other.
- WS-Discovery — ONVIF cameras and devices are discovered remotely just as they are locally.
- Business UDP multicast — sensors and proprietary services announcing themselves over multicast cross the network the same way.
Multi-site follows naturally. Main home and second home join the same private network: one Jeedom box per site, each reachable by name from anywhere — or a single box, and a node installed at the second site that makes that site reachable through it. The two houses behave as one private network, with no site-to-site VPN to build and no router to configure on either end.
Security: zero exposure, and access you can govern
The fundamental security gain fits in one sentence: your Jeedom interface is only reachable by the members of your network. No inbound port is open, no service listens from the Internet — a scan of your public IP address reveals nothing. Where a port forward turns the home automation box into a permanent target, the mesh approach simply makes it invisible from the outside.
- End-to-end encryption — sessions are QUIC/TLS 1.3 connections between the nodes, with per-machine Ed25519 identities and a hybrid post-quantum key establishment, X25519 + ML-KEM.
- A structurally blind relay — when the direct path is not available, traffic transits through a relay that holds no keys and never sees the content. You can even host your own private relay.
- ACLs, deny by default — access policies decide who reaches whom: your phone can reach the Jeedom box without the box gaining access to your workstation or the family NAS.
- Immediate revocation — a lost or stolen phone is revoked from the console: it instantly loses all access to the network, hence to the box.
Setting up remote access, step by step
The setup follows the same sequence as for any machines on the mesh: one account, one client per machine, one enrollment with a single-use key, one check — then access, by name, as if local.
- 1Create an account and a workspaceThe workspace gathers your machines and your access rules. It is free for personal use.
- 2Install the client on the machines involvedOn the Jeedom machine (Linux .deb package, amd64 or arm64, systemd service) and on the devices that need to reach it: your Android phone, your Windows or Linux laptop.
- 3Enroll each machineIn the console, Networks page → Machines panel → "Add a machine": the wizard hands you a single-use enrollment key, to pass to the client on the command line — or to scan as a QR code from the Android app.
- 4Check connectivityThe Jeedom machine shows up with its stable address (100.64.x.x) and its MagicDNS name. A ping from the phone or the laptop confirms the path is open.
- 5Access the interface as if localOpen the Jeedom interface by the box's mesh name or address, from anywhere. Configure the mobile app with that same internal URL: it is now valid everywhere.
Troubleshooting and trick questions
First steps almost always raise the same questions. Here they are, with the answers that keep you from looking in the wrong place.
"http://jeedom does not answer"
The MagicDNS name is the machine's name in your workspace — not a name derived from the software it hosts. Check the exact name in the console inventory, and rename the machine if you prefer a telling name: the rename propagates on its own and the address does not change.
"My browser shows a certificate warning"
Over the mesh, the interface is served just as it is locally — often plain HTTP or a self-signed certificate. That is expected: strong encryption is provided by the QUIC/TLS 1.3 tunnel, and a public certificate has no reason to exist since nothing is published on the Internet.
"It works at home, not on 4G"
First check that the VIGIL-MESH client is actually active on the phone: it is what makes the box reachable outside the LAN. Behind two symmetric NATs (two mobile connections, say), the direct path is impossible and traffic stays relayed — access works, over a longer path.
"Which URL goes into the mobile app?"
The internal one — the box's mesh name or address. Once the phone is a member of the network, that URL is valid everywhere, and external access URLs become superfluous.
"I already use Jeedom DNS or a port forward"
Both can coexist: VIGIL-MESH intercepts neither your regular DNS nor your existing access paths. Many keep the old access while validating the new one — then close the now-useless port forward, shrinking the exposed surface accordingly.
"Ping works, the interface does not"
Resolvable does not mean authorized: access policies (ACLs) decide service by service. Check in the console that the accessing machine is indeed allowed to reach the Jeedom box.