When your ISP uses CG‑NAT or shared‑addressing, you cannot get a classic public IP and port‑forwarding stops working. Yet you still want to access your Home Assistant dashboard from the internet. This post walks through three solid options—Home Assistant Cloud, Tailscale, and Cloudflare Tunnel—with concrete examples you can drop into your config.
Why port‑forwarding fails
Most consumer ISPs now give you a private IP (e.g., 100… via Tailscale) instead of a public one, so router‑level port‑forwarding to :8123 exposes nothing to the wider internet. Security‑wise this is actually good; the risk is then how you reach Home Assistant without punching big holes in your firewall.
Option 1: Home Assistant Cloud (Nabu Casa)
Home Assistant’s own remote‑access service encrypts traffic and gives you a per‑instance URL without touching your router.
What you get
- Auto‑generated remote URL (e.g., https://xxxx.nabu.casa).
- End‑to‑end TLS, no need to open ports.
- Optional voice‑assistant and backup integrations.
High‑level steps
- In Home Assistant, go to Settings → System → Network.
- Under Home Assistant URL, enter a meaningful internal URL (e.g., https://ha.internal.lan:8123).
- In Settings → Home Assistant Cloud, sign up / log in.
- Confirm the remote URL and certificate in the Cloud dashboard.
This is the simplest “no‑public‑IP” path if you are okay with a managed service.
Option 2: Tailscale (VPN‑style access)
Home Assistant recommends VPNs such as Tailscale or ZeroTier for secure external access. With Tailscale Funnel you can even expose only Home Assistant without opening ports.
Install Tailscale on Home Assistant
From the Home Assistant Supervisor:
- Go to Supervisor → Add‑on Store.
- Install the Tailscale add‑on (community add‑on).
In the add‑on config, set at least:
ipv4_ip: true
ipv6_ip: false
Then start the add‑on and sign in from the Tailscale web UI.
Use Tailscale Funnel (optional)
If you want a public HTTPS URL without port‑forwarding:
- In the Tailscale app on Home Assistant, enable Funnel.
- In your configuration.yaml add:
http:
cors_allowed_origins:
– “https://xxxxha.tailscale.com”
- In the Tailscale dashboard, enable Funnel for port 8123 on your Home Assistant node.
Now you can reach Home Assistant at https://xxxxha.tailscale.com from anywhere, with traffic routed over the VPN and only port 8123 exposed.
Option 3: Cloudflare Tunnel (no ports, no public IP)
Cloudflare Tunnel lets you expose services through a secure overlay without opening any inbound ports, which is ideal when you lack a public IP.
Step‑by‑step: Cloudflare Tunnel on Home Assistant
- Set up a Cloudflare account and domain
- Add a domain (e.g., mydomain.com) to Cloudflare.
- Create a DNS record such as ha.mydomain.com pointing to a dummy IP (e.g., 192.0.2.1).
- Install the Cloudflare Tunnel add‑on
In Home Assistant → Supervisor:
- Go to Add‑on Store and add the repository URL for the “Cloudflare Tunnel Client” (or Cloudflared).[
- Install the Cloudflared add‑on.
- Create the tunnel in Cloudflare
See this page if you are stuck : https://github.com/homeassistant-apps/app-cloudflared
In the Cloudflare Zero Trust dashboard:
- Go to Access → Tunnels → Create a tunnel.
- Pick a name (e.g., home-assistant).
- Download the token and copy the command line snippet.
- Configure the add‑on
In the Cloudflared add‑on config, paste the token and set the hostname:
token: “your-cloudflare-tunnel-token”
hostname: “ha.mydomain.com”
url: “http://homeassistant:8123”
Then start the add‑on. The tunnel should show as Healthy in the Cloudflare dashboard.
- Update Home Assistant URLs
In Settings → System → Network, set:
- Home Assistant URL: https://ha.mydomain.com.
Your Home Assistant instance will now be reachable from the internet at https://ha.mydomain.com without any port‑forwarding or public‑IP requirement.
| Method | Need public IP? | Opens ports? | Cost (rough) | Notes |
| Home Assistant Cloud | No | No | Subscription | Easiest, managed, extra features |
| Tailscale (VPN) | No | No | Mostly free | Full‑network access if you want it |
| Cloudflare Tunnel | No | No | Domain + Tunnel free | You control the DNS and TLS |
Security reminders
- Prefer encapsulated or VPN‑based access (Tailscale, Cloudflare, Nabu Casa) over raw public port‑forwarding of 8123.
- Always use HTTPS and strong account passwords or 2FA, especially when exposing any public URL.
- If you later do get a public IP, you can use the same Cloudflare Tunnel or Tailscale Funnel patterns instead of exposing your router directly.