android VS dohot

> Can you expand on this further? Wouldn’t this just be exposing myself to the same vulnerabilities as OP?

Yeah I wouldn't do this personally, I just mentioned it as the simplest option.

> If I use nginx as a reverse proxy, would I be mitigating the risk?

If the reverse proxy performs additional authentication before allowing traffic to pass onto the service it's protecting, then yes, it would.

One of my more elegant solutions has been to forward a port to nginx and configure it to require TLS client certificate verification. I generated and installed a certificate on each of my devices. It's seamless for me in day to day usage, but any uninvited visitors would be denied entry with a message saying that they didn't provide a valid certificate.

However support for client certificates is spotty outside of browsers, across platforms, which is unfortunate. For example HomeAssistant on Android supports it [1] (after years of pleading), but the iOS version doesn't. [2] NextCloud for iOS however supports it [3].

In summary, I think any kind of authentication added at the proxy would be great for both usability and security, but it has very spotty support.

> Based on other advice, it seems like the self hosted VPN (wireguard) is the safest option, but slower.

I think so. It shouldn't be slow per se, but it's probably going to affect battery life somewhat and it's annoying to find it disconnected when you try to access Immich or other services.

[1] https://github.com/home-assistant/android/pull/2526

[2] https://community.home-assistant.io/t/secure-communication-c...

[3] https://github.com/nextcloud/ios/pull/2908

> What I'm missing out on is an (Android) app, and I think that this would be a good reason to think about moving over to HA.

There is! The Home assistant companion - it brings you a lot of functionality in terms of location, notifications, sensors and what not into the HA world.

https://companion.home-assistant.io/

Otherwise, I am thinking of just polling the release page (for example https://github.com/home-assistant/android/releases/latest) with some API and checking for changes in the new URL that it redirects to. But this seems quite "dirty" really.

If You have Home Assistant's companion app installed on the phone You can broadcast intent from HA to other apps.

I found this Link on Github which states the same thing for android 12

I recently bough a Wear OS smartwatch. Installed Home Assistant app on it and connected to my HA server using my domain name. Now the problem is the smartwatch cannot reach HA server when it is connected to my phone over bluetooth and my phone is connected to my LAN. If my phone is not connected to my LAN it works. Also If I disconnect bluetooth and force the watch to use wifi then it works. This issue is well explained in a bug on github.

here where most of that code lives: https://github.com/home-assistant/android/tree/master/wear/src/main/java/io/homeassistant/companion/android/complications

Home Assistant https://github.com/home-assistant/android

I opened up the Home Assistant app on my phone and pulled up the sensor. It had, indeed, worked as designed and clearly showed that the leak started at about 11:30pm the night before… it was currently about 7:30am.

most ISPs override dns requests done over http, even if they're going directly to root servers. to be sure your ISP isn't logging, you need a DoH server. to be sure the DoH server isn't logging, you need to connect to it through Tor. this known as DoHoT, or DNS over HTTPS over Tor. if you're interested in setting it up, take a look at this: https://github.com/alecmuffett/dohot. bone thing to be aware of when setting this up with pihole is that dnscrypt-proxy listens on the same port 53 as pihole by default, so be sure to change that in the dnscrypt config.

dnns over https over tor is the answer https://github.com/alecmuffett/dohot www.anonymousplanet.org

DoHoT: making practical use of DNS over HTTPS over Tor https://github.com/alecmuffett/dohot

DNSCrypt-proxy (to achieve DoHoT)

Added reference to the DoHoT project in the DNS section https://github.com/alecmuffett/dohot and updated the DNS illustration with this possibility