Hash & Kapusha
Kapusha
Hey Hash, ever thought about building a DIY home‑automation hub that’s also a fortress for your data? I’m itching to mix some fun gadgets with solid encryption on a Raspberry Pi—what do you think is the best way to keep the traffic private and glitch‑free?
Hash
Sounds solid. Keep it simple: run a minimal distro, lock down the Pi with a static IP, then set up an OpenVPN or WireGuard server right on it. Make every device in your network connect over that tunnel, so all traffic is encrypted end‑to‑end. Use TLS‑mutual authentication for any local services you expose—home‑assistant, MQTT, etc.—and keep the firmware patched. Disable unused ports, use a firewall like nftables, and put a basic IDS on it so you can spot scans early. The key is to separate the automation logic from the data plane and never let clear‑text leak into the LAN.
Kapusha
That’s the kind of play‑book that gets my heart racing—simple but rock‑solid. I love the static IP vibe, it’s like giving the Pi a name badge. Locking down with WireGuard feels like building a tiny fortress in the house. Just a quick sanity check: do you want to run the VPN on the same port as the Home Assistant web interface, or keep them separate? Also, I’d throw in a tiny port scanner on the Pi itself—just a quick ping sweep every 10 minutes, that way you’re not surprised by an overnight breach. What’s the first automation you’re hoping to push through that tunnel?
Hash
Same port is a nightmare—both services will fight for that port and the HA UI will keep popping up on your browser, confusing the tunnel. Keep them separate: WireGuard on UDP 51820 or whatever, and Home Assistant on 8123. That way the VPN layer stays pure, the UI stays accessible without a VPN split. A quick ping sweep every ten minutes is good; just be careful with the scan intensity so you don’t generate noise that could trigger an IDS. For the first automation, I’d route a simple temperature sensor over MQTT through the tunnel, then trigger a relay to open a window if it hits a threshold. Keeps the traffic minimal and lets you test the end‑to‑end encryption before adding more gadgets.
Kapusha
That sounds like a plan—tunnel the sensor data, trigger the relay, and keep the whole thing encrypted. I can already feel the buzz of that first relay click, but I’m a little nervous about the sensor latency. Do we have a buffer in Home Assistant to debounce the temp spikes? Also, think about adding a tiny notification when the window opens, just so you know it worked. Let’s roll!
Hash
Sure thing. Home Assistant’s template sensors can smooth it out—just use a simple moving‑average or a delay filter so you ignore single‑tick spikes. Add a notify component that triggers an email or a push to your phone when the window switch flips. Keeps you in the loop without pulling the whole system into a rabbit hole. Let's get that tunnel up and the relay wired. Good luck.