Advanced threat protection breaking Home Assistant functionality with nothing in the logs

I run a "smart home" platform called Home Assistant which has a feature that allows for remote connectivity through their web service called Nabu Casa. Home Assistant runs on a Raspberry Pi 3. When remote control is enabled, this is what occurs during their authentication process:

The SniTun server creates a SHA256 from a random 40bit value. It is encrypted and sent to the client. The client decrypts the value, performs a SHA256 of it again, and sends it encrypted back to SniTun. If it is valid, the client goes into Multiplexer mode.

With Advanced threat protection enabled, the remote control functionality is broken and the logs in Home Assistant show there is a "challenge/response error with SniTun server". When I disable ATP, everything works fine. Unfortunately, with ATP enabled, there is nothing in the logs that shows ATP is actually blocking anything, but I have tested this multiple times and I'm positive it's ATP causing the remote control functionality not to work.

When remote control is enabled, I can see in the Home Assistant logs exactly what it's doing, and the first step is:

2019-12-09 18:44:36 DEBUG (MainThread) [hass_nabucasa.cloud_api] Fetched remote-sni-api.nabucasa.com/snitun_token (200)

I've tried adding both nabucasa.com and remote-sni-api.nabucasa.com to the Network/Host Exceptions in ATP, but it still doesn't work. It only works when ATP is completely disabled.

Any suggestions? It's a bit frustrating the Sophos XG logs don't show anything.

Edit: I also tried changing ATP to "Log" only, and it doesn't work. ATP must be completely disabled.

Edit: It's not just ATP; it appears using any Web Policy causes the same issue. However, if I select "Use web proxy instead of DPI engine", it works fine. Nothing in the logs either. So it appears it's being caused by the DPI engine, which I'm assuming ATP is using?
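To make the handshake the post quotes concrete, here is an added Python model of both sides of that challenge/response (this is illustration code written for this thread, not SniTun's or Home Assistant's own code). The SniTun cipher is not described in the thread, so the example stands in an HMAC-derived keystream XOR as a toy cipher, clearly labelled as an assumption; the 40-bit random value is taken from the quoted description. The `run_handshake` helper also shows why any in-path modification of the opaque bytes surfaces only as a "challenge/response error" on the endpoint, with nothing for the firewall to log: the server simply sees a response hash that does not match.

```python
import hashlib
import hmac
import os
import secrets


# ASSUMPTION: toy stand-in for SniTun's encryption (an HMAC-derived keystream
# XORed with the message). This is NOT SniTun's real cipher; it only lets the
# exchange run end to end offline.
def toy_encrypt(key: bytes, nonce: bytes, data: bytes) -> bytes:
    stream = b""
    counter = 0
    while len(stream) < len(data):
        block = nonce + counter.to_bytes(4, "big")
        stream += hmac.new(key, block, hashlib.sha256).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))


toy_decrypt = toy_encrypt  # XOR keystream: the same operation decrypts


class SniTunServer:
    """Server side of the handshake as the thread describes it."""

    def __init__(self, key: bytes):
        self.key = key
        self.expected = None

    def challenge(self):
        random_value = secrets.token_bytes(5)          # 40 random bits
        challenge = hashlib.sha256(random_value).digest()
        # The valid answer is SHA256 over the challenge we just sent.
        self.expected = hashlib.sha256(challenge).digest()
        nonce = os.urandom(8)
        return nonce, toy_encrypt(self.key, nonce, challenge)

    def verify(self, nonce: bytes, encrypted_response: bytes) -> bool:
        response = toy_decrypt(self.key, nonce, encrypted_response)
        # Constant-time compare; a mismatch is the "challenge/response error".
        return hmac.compare_digest(response, self.expected)


class HomeAssistantClient:
    """Client side: decrypt, hash again, send the hash back encrypted."""

    def __init__(self, key: bytes):
        self.key = key

    def answer(self, nonce: bytes, encrypted_challenge: bytes):
        challenge = toy_decrypt(self.key, nonce, encrypted_challenge)
        response = hashlib.sha256(challenge).digest()
        reply_nonce = os.urandom(8)
        return reply_nonce, toy_encrypt(self.key, reply_nonce, response)


def run_handshake(tamper: bool = False) -> bool:
    """Run one handshake; optionally model an in-path device altering the
    opaque challenge bytes. Returns True only when the server accepts."""
    key = secrets.token_bytes(32)  # constructed shared key for the demo
    server = SniTunServer(key)
    client = HomeAssistantClient(key)

    nonce, enc_challenge = server.challenge()
    if tamper:
        # Flip one bit in transit: a generic model of any middlebox that
        # rewrites the stream. The client cannot detect this; it just
        # hashes the wrong value and the server rejects the reply.
        enc_challenge = bytes([enc_challenge[0] ^ 0x01]) + enc_challenge[1:]

    reply_nonce, enc_response = client.answer(nonce, enc_challenge)
    return server.verify(reply_nonce, enc_response)


if __name__ == "__main__":
    print("clean path accepted:", run_handshake())
    print("tampered path accepted:", run_handshake(tamper=True))
```

The point for the defender: the endpoint log entry ("challenge/response error with SniTun server") is the only place this failure is visible, because the firewall never made an allow/deny decision on the payload; it only changed what arrived. When a tunnel like this breaks under a DPI path, compare the flow against a rule that bypasses the engine, as the thread does, rather than waiting for a log line that will not appear.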

  • Hey all,

    My connection between hassio and nabucasa.com started working after installing the latest firmware that just got released. Just restarted hassio after the XG firmware update and the errors were gone and remote control worked like it should. I hope it works for you too :)

    https://community.sophos.com/products/xg-firewall/sfos-eap/sfos-v18-early-access-program/b/blog/posts/sophos-xg-firewall-v18-eap-3-refresh_2d00_1-firmware-has-been-released

  • After updating to Refresh1, I tried disabling my firewall rule for Home Assistant that uses the web proxy instead of the DPI engine, and I started receiving the errors again and remote control doesn't work. I've found that if I have Sophos XG configured in such a way that works with Home Assistant (i.e. using the web proxy instead of the DPI engine) and the connection between Home Assistant and Nabu Casa is established, it will continue to work even after changing back to a configuration that shouldn't work. I'm assuming it's because the issue is with Home Assistant establishing the initial connection, which performs a challenge/response function (using SniTun) that doesn't pass when running through the DPI engine. So when you restarted Sophos XG, I bet the connection was somehow established before the DPI engine was fully initialized.

    Just to confirm, is Home Assistant running on a firewall rule that is using the DPI engine? If so, what happens when you go into the Home Assistant UI and disable remote UI then re-enable it? 

    ---

    Sophos XG guides for home users: https://shred086.wordpress.com/

  • shred said:

    Just to confirm, is Home Assistant running on a firewall rule that is using the DPI engine?

    Oh yeah, silly me, forgot to mention my FW rule I tried last week and left it on.

    No, I'm using web proxy instead of DPI engine. This is the firewall rule I have:

    Source zones: LAN
    Source networks and devices: Hassio (local IP of Home Assistant host)
    Destination zone: WAN
    Destination networks: NabuCasa (this is a FQDN host for *.nabu.casa)
    Web policy: Allow All
    Check "Use web proxy instead of DPI engine".

    Remember to put it above your default LAN to WAN rule.

    shred said:

    If so, what happens when you go into the Home Assistant UI and disable remote UI then re-enable it? 

    Well, not using DPI engine, but now it goes instantly from "Your instance will be available at" to "Your instance is available at".

    I'm not really sure I understood your post correctly and whether this even helps you, but I hope this helps someone struggling with this anyway :)


  • Othou, do you have ATP enabled?

    Edit: I just enabled ATP and Home Assistant remote control still seems to work. I do have my Home Assistant device setup on a separate firewall rule that uses the web proxy as well.

    Edit 2: One of the devs who was looking into the issue explained why it's still working with ATP enabled:

    “As for the Home assistant traffic, when you select “Use web proxy instead of DPI engine” in the firewall rule and have ATP enabled, the web proxy will be used to enforce ATP for traffic that matches this particular firewall rule.”

    ---

    Sophos XG guides for home users: https://shred086.wordpress.com/