I’m running my own HA locally, in my house, but I would like to be able to access it also when I’m not home. So I’ve put it on my Zerotier One VPN, which works fine. Except for two things:

  1. HA no longer knows when I’m home - it thinks I’m always home;

  2. Other people in my household would also like to have remote access, but it’s unrealistic to have them install and use the VPN.

So - can I just open it up, and rely on long, complex passwords? Or is that a complete no-go?

  • dislabled@lemmy.ml · 6 points · 16 days ago

    I don’t really see why you shouldn’t… I have mine behind a reverse proxy, which puts SSL on the public endpoint. The biggest “issue” today is the ISP rotating my IPv4 address too often.

      • dislabled@lemmy.ml · 2 points · 15 days ago

        My ISP only has static IPv4 available for businesses. The price increase is quite a lot. I have been experimenting with IPv6, though I will lose connection when I am at someone else’s WiFi with no IPv6… It’s there as a fallback for now.

        • batshit@lemmy.world · 2 points · 15 days ago

          That kind of blows, I’m blessed with an ISP who doesn’t discriminate against power users and I get it for relatively cheap (~$15 per month)

  • Decq@lemmy.world · 6 points · 15 days ago

    I’ve got it accessible from the internet through a reverse proxy… My default HTTPS server drops all connections, so you need to access the right subdomain, which is not advertised in DNS or certificates (I use a wildcard). Probably not perfect though, but it helps a bit. I also have geo-blocking enabled on my pfSense router, so basically everything outside my country gets blocked by the firewall anyway.

    It will always be a risk vs benefit consideration.

  • Archer@lemmy.world · 4 points · 16 days ago

    What I personally do is have it accessible over WireGuard. Open TCP ports to the Internet are a bad idea. This does mean you have to launch WireGuard every time, but it’s way more secure.

  • CameronDev@programming.dev · 3 points · 16 days ago

    Mine is on the internet. The real risk is a zero day auth bypass, password cracking won’t really work when the HA interface sends notifications on authentication failures.

  • SkunkWorkz@lemmy.world · 4 up, 1 down · 16 days ago

    I just use a Cloudflare tunnel using the Cloudflared plugin and a custom domain name. So no need to open ports. I use long passwords for the users. Not sure how unsafe it is but in HA you get a notification when a failed login happened.

  • bob_lemon@feddit.org · 2 points · 16 days ago

    I solved Problem 1 by adding ICMP to HA. It’s constantly checking if my phone is present on the WiFi*.

    I’m using Tailscale instead of ZeroTier, but that should not matter.

    *I could also use my router’s integration, but this logic worked with my shitty old router that had no integration
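The ping-based presence check bob_lemon describes has one edge case worth handling: a phone in Wi-Fi power-save mode can miss a few ICMP replies while still being on the network, so a single failed ping must not flip the tracker to "not home". The script below is an added example, not code from the post or from Home Assistant's `ping` integration; it replays a constructed sequence of ping results through a debounced state machine with a grace period (the role that the `consider_home` option plays in Home Assistant's device trackers). The timestamps, the 30-second polling interval and the 180-second grace period are assumptions for the example.

```python
from datetime import datetime, timedelta

BASE = datetime(2024, 5, 1, 8, 0, 0)  # constructed start time for the sample run


def _at(seconds: int) -> datetime:
    return BASE + timedelta(seconds=seconds)


# Constructed ping results, one every 30 s, as (timestamp, reachable):
#   08:00:00-08:01:00  phone answers
#   08:01:30-08:02:00  two missed replies while the phone dozes on Wi-Fi
#   08:02:30           phone answers again
#   08:03:00-08:08:00  phone has left the house, no replies
#   08:09:00           phone is back
SAMPLE_PINGS = (
    [(_at(0), True), (_at(30), True), (_at(60), True)]
    + [(_at(90), False), (_at(120), False)]
    + [(_at(150), True)]
    + [(_at(s), False) for s in range(180, 481, 30)]
    + [(_at(540), True)]
)


def presence_states(samples, consider_home_s: int = 180):
    """Replay (timestamp, reachable) ping results and return the list of
    (timestamp, state) transitions, with state "home" or "not_home".

    A missed ping only flips the state to "not_home" once the device has
    been unreachable for more than consider_home_s seconds; this is the
    debounce that keeps a dozing phone from marking the house empty.
    """
    grace = timedelta(seconds=consider_home_s)
    state = None
    last_seen = None
    transitions = []
    for ts, reachable in sorted(samples, key=lambda e: e[0]):
        if reachable:
            last_seen = ts
            new_state = "home"
        elif last_seen is not None and ts - last_seen <= grace:
            new_state = "home"  # inside the grace window, assume still present
        else:
            new_state = "not_home"
        if new_state != state:
            transitions.append((ts, new_state))
            state = new_state
    return transitions


if __name__ == "__main__":
    for ts, state in presence_states(SAMPLE_PINGS):
        print(ts.strftime("%H:%M:%S"), state)
    print("flapping without a grace period:",
          [s for _, s in presence_states(SAMPLE_PINGS, consider_home_s=0)])
```

With the grace period the run yields three transitions (home, not_home at 08:06:00, home at 08:09:00); with `consider_home_s=0` the two dozing pings produce an extra not_home/home pair, which is exactly the kind of flapping that makes a "turn everything off when nobody is home" automation misfire.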

  • undefinedTruth@lemmy.zip · 2 points · 16 days ago

    If you don’t want to use a VPN like Tailscale (or ZeroTier) then this is exactly what the Home Assistant Cloud is for. And it even has a 1-month trial.

  • spaghettiwestern@sh.itjust.works · 2 points · edited · 16 days ago

    So - can I just open it up, and rely on long, complex passwords? Or is that a complete no-go?

    Install Fail2Ban on a free cloud VM and watch it for a couple of days. Seeing the never-ending intrusion attempts from around the world was a real eye-opener. There is no way I’d expose HA (or anything else except Wireguard) to the Internet. (Open WG ports appear closed unless they receive the correct key.)

    In your situation I’d just pay for Home Assistant Cloud. It’s not expensive and will do exactly what you want to do.

    For a zero cost solution I use Tasker to automatically enable a Wireguard tunnel whenever we’re not on home wifi. It allows direct access to everything on our local lan, and as a bonus prevents our wireless carrier from monitoring our Internet activities. A combination of the OpenWRT Ubus integration and a BLE integration (using inexpensive Shelly switch modules) detect when we’re home with 100% accuracy.
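CameronDev and SkunkWorkz lean on Home Assistant's failed-login notification, and spaghettiwestern on Fail2Ban; the two ideas meet in the script below, an added example that is not code from the thread or from the Home Assistant project. It does what a Fail2Ban filter plus jail does for `home-assistant.log`: it parses the warning Home Assistant emits for a rejected login, counts failures per source address inside a sliding window, and reports addresses that cross a threshold, while exempting allow-listed ranges (the home LAN or a VPN subnet, as thr0w4w4y2 suggests for the firewall). The log lines are constructed for the example, and the threshold, window and allow-list CIDR are assumptions.

```python
import ipaddress
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta


def _ban_line(ts: str, ip: str) -> str:
    # Shape of the warning Home Assistant's http.ban logger writes for a
    # rejected login (constructed sample line, not a capture from a real instance).
    return (f"{ts} WARNING (MainThread) [homeassistant.components.http.ban] "
            f"Login attempt or request with invalid authentication from {ip} ({ip}). "
            f"Requested URL: '/auth/login_flow/x'. (Mozilla/5.0)")


# Constructed home-assistant.log excerpt for this example.
SAMPLE_LOG = "\n".join(
    ["2024-05-01 10:00:00.001 INFO (MainThread) [homeassistant.bootstrap] Home Assistant initialized"]
    # five failures in 44 s from one address: a brute-force attempt
    + [_ban_line(f"2024-05-01 10:00:{s:02d}.000", "203.0.113.5") for s in (1, 12, 23, 34, 45)]
    # two failures: someone mistyping a password, not an attack
    + [_ban_line(f"2024-05-01 10:01:{s:02d}.000", "198.51.100.7") for s in (0, 30)]
    # six failures from the LAN (a misconfigured local client); covered by the allow-list
    + [_ban_line(f"2024-05-01 10:02:{s:02d}.000", "192.168.1.20") for s in range(0, 60, 10)]
    # five failures 8 min apart: never five inside one 10-minute window
    + [_ban_line(f"2024-05-01 10:{m:02d}:00.000", "203.0.113.9") for m in (10, 18, 26, 34, 42)]
)

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\.\d+ WARNING .*?"
    r"\[homeassistant\.components\.http\.ban\] "
    r"Login attempt or request with invalid authentication from (?P<ip>[0-9A-Fa-f.:]+)"
)


def parse_failures(log_text: str):
    """Yield (timestamp, ip_address) for every failed-auth line; other lines are skipped."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"), ipaddress.ip_address(m["ip"])


def find_offenders(log_text: str, threshold: int = 5, window_s: int = 600, allow_list=()):
    """Return {ip: time_of_threshold_hit} for addresses with at least `threshold`
    failures inside any `window_s`-second window, ignoring addresses that fall in
    the allow_list networks. Mirrors a Fail2Ban maxretry/findtime jail with ignoreip."""
    window = timedelta(seconds=window_s)
    nets = [ipaddress.ip_network(n) for n in allow_list]
    recent = defaultdict(deque)  # ip -> timestamps of failures still inside the window
    banned = {}
    for ts, ip in sorted(parse_failures(log_text), key=lambda e: e[0]):
        key = str(ip)
        if key in banned or any(ip in net for net in nets):
            continue
        q = recent[ip]
        q.append(ts)
        while q and ts - q[0] > window:
            q.popleft()  # expire failures older than the window
        if len(q) >= threshold:
            banned[key] = ts
    return banned


if __name__ == "__main__":
    for ip, when in find_offenders(SAMPLE_LOG, allow_list=["192.168.1.0/24"]).items():
        print(f"ban {ip} (threshold reached at {when.isoformat()})")
```

Home Assistant has the same logic built in: `ip_ban_enabled: true` with `login_attempts_threshold` under `http:` in `configuration.yaml` writes offenders to `ip_bans.yaml`. Either way, behind a reverse proxy the client address only reaches Home Assistant if `use_x_forwarded_for` is enabled with the proxy listed in `trusted_proxies`; otherwise every failure appears to come from the proxy, and the ban locks out the proxy itself rather than the attacker.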

  • patruelis@lemmy.world · 1 point · 7 days ago

    A good, simple solution is Cloudflare.

    Why? Because you can lock it down to specific people, for example only to those who have these 4 email addresses.

    They need to enter the code received via email every month or so. Everyone else, no code no access.

  • thr0w4w4y2@sh.itjust.works · 1 point · 16 days ago

    If you have to open it up, then you can at least allow-list IP addresses through your firewall so it’s not everyone who gets full access.

  • QueenMidna@lemmy.ca · 1 point · 15 days ago

    Why not a presence sensor of any kind? Check your router’s WiFi client list for your phone MAC or something