Smart home devices spy on you by default. Alexa records audio, Google Home listens for wake words, Ring cameras send footage to cloud servers. A privacy-friendly smart home keeps all data local, uses open protocols, and requires no cloud subscriptions.
This guide shows how to build a fully local smart home using Home Assistant, local wireless protocols, and network isolation.
Quick Overview
The Privacy Problem:
- Amazon Alexa: Records audio 24/7, stored in AWS
- Google Home: “Just listening” for wake word, but captures everything
- SmartThings: Samsung can see all your device status
- Philips Hue: Requires cloud connection, phoned home
- Ring doorbell: All video goes to Amazon’s servers
The Solution:
- Home Assistant (local automation hub)
- Zigbee/Z-Wave (wireless without Wi-Fi)
- Pi-hole (DNS blocking)
- VLAN isolation (network segregation)
- Local-only communication (no cloud required)
Hardware Shopping List
Total Cost: ~$400-700 for complete setup
Core System
Raspberry Pi Setup:
├── Raspberry Pi 5 (8GB RAM) - $65
├── 256GB SSD (A2 rated) - $35
├── USB 3.0 SSD adapter - $10
├── Gigabit Ethernet adapter - $10
└── 27W USB-C power supply - $15
SUBTOTAL: $135
Wireless Protocols:
├── Zigbee coordinator (Sonoff ZBDongle-P) - $35
├── Z-Wave+ stick (Aeotec Z-Stick) - $45
└── USB hub (7-port, powered) - $25
SUBTOTAL: $105
Network Infrastructure:
├── Managed switch (TP-Link SG108PE, PoE) - $45
├── Ethernet cables (CAT6, 3-pack) - $12
└── WiFi 6 router (Unifi 6E, optional) - $250
SUBTOTAL: $307 (or $57 without WiFi router)
Starter Devices:
├── Smart plugs (Sonoff, Zigbee x4) - $40
├── Motion sensor (Aqara, Zigbee) - $15
├── Temperature sensor (Aqara, Zigbee x2) - $20
├── Door sensor (Aqara, Zigbee x2) - $20
└── Smart bulbs (IKEA Tradfri, Zigbee x4) - $40
SUBTOTAL: $135
GRAND TOTAL: ~$580-700 (without UniFi router: ~$330-450)
Individual Device Recommendations
Zigbee Coordinator (Required):
| Device | Price | Advantage | Drawback |
|---|---|---|---|
| Sonoff ZBDongle-P | $35 | Cheap, reliable | Limited range |
| TuYa Zigbee hub | $20 | Cheapest | Proprietary firmware |
| Zig-a-zig-ah! (DIY) | $60 | Open source | Requires soldering |
| ConBee III | $50 | Well-supported | Expensive |
Best Choice: Sonoff ZBDongle-P ($35) + external antenna extension ($5).
Z-Wave Stick (Optional, if Z-Wave devices):
| Device | Price | Range | Notes |
|---|---|---|---|
| Aeotec Z-Stick Gen7 | $55 | Good | Stable, USB 3.0 |
| Zooz Z-Stick | $40 | Adequate | Budget option |
| Zig-a-zig-ah Z-Wave | $80 | Excellent | Open source, DIY |
Budget Approach: Skip Z-Wave, use Zigbee only (better device selection).
Smart Home Devices (Zigbee-compatible, no cloud required):
| Category | Recommended | Price | Privacy | Range |
|---|---|---|---|---|
| Bulbs | IKEA Tradfri | $12 | Perfect | 50m |
| Plugs | Sonoff ZBMINI | $10 | Perfect | 40m |
| Motion | Aqara RTCGQ11LM | $15 | Perfect | 30m |
| Temp/Humidity | Aqara WSDCGQ11LM | $10 | Perfect | 30m |
| Door/Window | Aqara MCCGQ11LM | $8 | Perfect | 30m |
| Lock | Nuki Smart Lock | $200 | Good | 100m |
| Camera | Reolink RLC-810A (local) | $80 | Good | WiFi only |
| Thermostat | Eve Thermo | $40 | Good | Zigbee |
Pro Tip: Avoid anything with “Works with Alexa” or “Google Home compatible.” Those are cloud-dependent.
Step 1: Home Assistant Installation
Home Assistant is the open-source hub that controls everything locally.
Option A: HAOS (Recommended)
HAOS = Home Assistant Operating System (purpose-built)
# Download HAOS image
# From: https://www.home-assistant.io/installation/
# For Raspberry Pi 5 with SSD:
# 1. Download haos_rpi5-64-arm64.wic.gz
# Write to SSD (on Mac)
unzip haos_rpi5-64.wic.xz
# Download Balena Etcher
# Select downloaded .wic file
# Select USB SSD adapter
# Click Flash (takes 5-10 minutes)
# Insert SSD into Pi
# Power on (wait 3-5 minutes for first boot)
# Access at: http://homeassistant.local:8123
# Initial setup: Create admin account
HAOS Features:
- Built-in backup & restore
- Add-ons (Pi-hole, Zigbee integration, etc)
- Automatic updates
- Web UI + mobile app
Option B: Docker (For existing Linux server)
# Install Docker
sudo apt install docker.io docker-compose
# Create Home Assistant container
cat > docker-compose.yml << 'EOF'
version: '3'
services:
homeassistant:
image: ghcr.io/home-assistant/home-assistant:latest
container_name: homeassistant
privileged: true
network_mode: host
environment:
- TZ=America/New_York
volumes:
- /home/ha/config:/config
- /run/dbus:/run/dbus:ro
- /etc/localtime:/etc/localtime:ro
restart: unless-stopped
EOF
docker-compose up -d
Access: http://localhost:8123
Step 2: Add Zigbee Coordinator
Connect Hardware
# Plug Sonoff ZBDongle-P into USB hub
# Verify it shows up:
ls -la /dev/ttyUSB*
# Should show: /dev/ttyUSB0
# If not found:
lsusb | grep -i zigbee
Configure in Home Assistant
Via UI:
Home Assistant Web UI
├── Settings (gear icon)
├── Devices & Services
├── Create Integration
├── Search for "Zigbee Home Automation"
├── Select "ZHA"
├── Device: /dev/ttyUSB0
├── Radio Type: "EZSP (Silicon Labs)"
├── Port Speed: 115200
├── Create
└── Wait for "Zigbee Home Automation hub initialized"
Via YAML (alternative):
# configuration.yaml
homeassistant:
name: Home
zha:
device_path: /dev/ttyUSB0
database_path: /config/zigbee.db
radio_type: ezsp
Verify Zigbee Working
ZHA Dashboard in Home Assistant:
├── Should show "Coordinator" device
├── Status: "Connected"
└── Network: Shows hex ID
When working:
- Coordinator light blinks (active)
- Dashboard shows: "1 device connected"
Step 3: Pair Zigbee Devices
Pairing Process
General Steps:
1. In Home Assistant
Settings → Devices & Services → Zigbee Home Automation
Click "ZHA" integration
Button: "Permit joining"
Duration: 240 seconds (4 minutes)
2. Reset the Zigbee device (varies by device)
- Most: Hold button 3 seconds
- Aqara: Hold button 5 seconds
- IKEA: Hold button 5 seconds
3. Device blinks/LED cycles through colors
4. Home Assistant announces: "Aqara RTCGQ11LM joined the network"
5. Device appears in ZHA Devices list
Example: Pair Aqara Motion Sensor
Device: Aqara RTCGQ11LM (Motion Sensor)
Price: $15
Steps:
1. In Home Assistant:
Settings → Devices & Services → ZHA
Click the ZHA integration card
Click "Permit joining"
Set timer to 240 seconds
2. Hold button on back of Aqara motion sensor
(Small button under battery compartment)
Hold for 5 seconds until LED blinks white
3. Watch Home Assistant dashboard
Should announce: "Aqara RTCGQ11LM joined the network"
4. Device now shows in ZHA Devices:
Name: "Aqara Motion Sensor"
Battery: 98%
Temperature: 72°F
Occupancy: Off
Done. No app, no cloud, no account.
Example: Pair IKEA Tradfri Bulb
Device: IKEA Tradfri E27 (Color bulb)
Price: $12
Steps:
1. Screw bulb into lamp
2. Power on lamp
3. In Home Assistant:
Settings → Devices & Services → ZHA
Permit joining for 60 seconds
4. Hold Tradfri dimmer or button 6+ inches from bulb
Press anywhere on button while bulb is on
Bulb should blink (indicating pairing mode)
5. Home Assistant announces: "TRADFRI bulb E27 joined"
6. Bulb appears as:
- "Light: Tradfri bulb"
- Brightness: 254 (full)
- Color temperature: Daylight
Done. Bulb now locally controllable.
Step 4: Network Isolation (VLAN)
Isolate smart home devices from your main network so they can’t access personal data.
Network Architecture
Your Network Structure:
Router (Main Gateway)
├── LAN (192.168.1.0/24)
│ ├── Main devices (PC, phone, NAS)
│ ├── Home Assistant (192.168.1.100)
│ └── Rule: Can see everything
│
└── IoT VLAN (192.168.50.0/24)
├── Zigbee devices via WiFi gateway
├── Smart plugs
├── Smart bulbs
└── Rule: Cannot see LAN (isolated)
Setup (Managed Switch Required)
Hardware Needed:
- Managed switch (TP-Link SG108PE, $45)
- Separate WiFi SSID for IoT devices (or WiFi 6 router with VLAN support)
Switch Configuration:
TP-Link SG108PE Configuration:
1. Access switch web UI: http://switch-ip:80
Default: 192.168.0.1
Default credentials: admin/admin
2. Create VLAN:
VLAN Management → Add VLAN
├── VLAN ID: 50
├── VLAN Name: "IoT"
└── Create
3. Assign ports:
VLAN Configuration
├── Port 1 (to router): Tagged (allows all VLANs)
├── Port 2-5: Untagged VLAN 1 (Main LAN)
├── Port 6-8: Untagged VLAN 50 (IoT VLAN)
└── Apply
4. Enable VLAN function:
VLAN Settings → VLAN Status: Enable
5. Save config:
System Tools → Save
Firewall Rules (on Router):
Assume router is UniFi Dream Machine or similar:
Settings → Firewall & Security → Firewall Rules
Outbound:
├── From: IoT VLAN (192.168.50.0/24)
├── To: Any
├── Action: Allow (to internet)
└── Create
Inbound (FROM LAN to IoT):
├── From: Main LAN (192.168.1.0/24)
├── To: IoT VLAN (192.168.50.0/24)
├── Action: Deny
└── Create
Result:
- IoT devices can access internet (for updates)
- IoT devices cannot see/access your PC, NAS, phones
- Home Assistant (on LAN) cannot access IoT devices
(But can control via Zigbee coordinator, which bridges)
WiFi for IoT Devices (Guest Network):
Create separate SSID for IoT:
Router Settings:
├── WiFi 1: "HomeNetwork" (Main LAN)
│ └── VLAN: LAN (1)
│
└── WiFi 2: "SmartHome" (IoT)
├── VLAN: IoT (50)
├── Password: Different from main
├── Hide SSID: Optional
└── Disable WPS: Yes (security)
When pairing Zigbee WiFi devices (some, like certain gateways):
- Connect to "SmartHome" SSID
- Device isolated on VLAN 50
- Cannot see main network
Step 5: Pi-hole (DNS Blocking)
Pi-hole blocks tracking domains at the DNS level, protecting all devices on your network.
Installation
Option A: HAOS Add-on (Easiest)
Home Assistant Interface:
├── Settings (gear)
├── Add-ons
├── Add-on Store
├── Search for "Pi-hole"
├── Install
├── Start
└── Open web UI
Option B: Standalone on Raspberry Pi
# Install on separate Pi (or same Pi, different port)
curl -sSL https://install.pi-hole.net | bash
# Follow prompts:
# - Choose upstream DNS (Cloudflare 1.1.1.1 recommended)
# - Enable blocking
# - Web interface password: Set strong password
# Access at: http://raspberrypi.local/admin
Configuration
Upstream DNS (Private):
Home Assistant Pi-hole Add-on Config:
Upstream DNS:
├── Primary: 1.1.1.1 (Cloudflare - privacy-focused)
├── Secondary: 1.0.0.1 (Cloudflare backup)
└── Disable: Google (8.8.8.8), Quad9, others unless needed
Blocklists:
Default blocklists included:
├── StevenBlack's hosts (malware, ads)
├── Firebog's aggressive list (extensive tracking)
└── Many more
Additional recommended blocklists:
├── https://blocklistproject.github.io/lists/ (ads & trackers)
├── https://www.youtube.com/watch?v=SmLjWGxv8QA (blocklist guide)
└── https://reddit.com/r/pihole (community recommendations)
Add via Settings → Adlists
(Paste URL of blocklist)
Router Integration
Tell all devices to use Pi-hole for DNS:
Router DHCP Settings:
Change DNS Servers:
├── Primary DNS: 192.168.1.100 (Home Assistant IP)
├── Secondary DNS: 1.1.1.1 (Cloudflare backup)
└── Save
Now all devices automatically:
- Use Pi-hole for DNS
- Block tracking domains
- No app installation needed
Verify Working:
On any device connected to WiFi:
nslookup doubleclick.net
# Should return: NXDOMAIN (blocked)
# Not blocked before = Pi-hole working
curl https://ipinfo.io/json
# Should see your home IP (not tracked by ISP)
Step 6: Automation Examples
Example 1: Motion-Activated Lights
# configuration.yaml
automation:
- alias: "Hallway lights on motion"
trigger:
platform: state
entity_id: binary_sensor.aqara_motion_sensor
to: 'on'
action:
service: light.turn_on
target:
entity_id: light.tradfri_bulb_hallway
data:
brightness: 200
- alias: "Hallway lights off after 5 minutes"
trigger:
platform: state
entity_id: binary_sensor.aqara_motion_sensor
to: 'off'
for:
minutes: 5
action:
service: light.turn_off
target:
entity_id: light.tradfri_bulb_hallway
Example 2: Temperature-Based Alerts
automation:
- alias: "Alert if temperature drops below 60°F"
trigger:
platform: numeric_state
entity_id: sensor.aqara_temperature_sensor_living_room
below: 60
action:
service: notify.persistent_notification
data:
title: "Temperature Alert"
message: "Living room temperature is {{ states('sensor.aqara_temperature_sensor_living_room') }}°F"
Example 3: Scene Control
scene:
- name: "Movie Time"
entities:
light.living_room:
state: on
brightness: 50
color_temp: 500K
light.bedroom:
state: off
switch.av_receiver:
state: on
automation:
- alias: "Start movie scene"
trigger:
platform: state
entity_id: switch.tradfri_remote_movie_button
to: 'on'
action:
service: scene.turn_on
target:
entity_id: scene.movie_time
Step 7: Mobile Access (Secure)
Home Assistant provides secure external access via their cloud, but that’s optional. For maximum privacy, use:
Option A: Tailscale (Recommended)
Tailscale = Private VPN to your home network
# Install on Home Assistant
# Settings → Add-ons → Install Tailscale
# Or standalone:
curl -fsSL https://tailscale.com/install.sh | sh
# Authenticate:
sudo tailscale up
# Open browser link to authenticate
# Click "Connect"
# Get IP:
tailscale ip
# Returns: 100.x.x.x (Tailscale IP)
# Access Home Assistant remotely:
# On phone: http://100.x.x.x:8123
# (Only works when connected to Tailscale VPN)
Cost: Free (personal use).
Option B: WireGuard (Manual)
# Install WireGuard on Home Assistant
# Settings → Add-ons → WireGuard
# Generate config:
# Click "Show interface" → Shows QR code
# On phone:
# Install WireGuard app
# Scan QR code
# Connect to VPN
# Access Home Assistant:
# Open browser: http://homeassistant.local:8123
# (While connected to WireGuard)
Cost: Free.
Privacy Comparison: Cloud vs Local
| Feature | Cloud (Alexa/Google) | Local (Home Assistant) |
|---|---|---|
| Audio Recording | Always | Never |
| Cloud Storage | All data | None |
| ISP Visibility | No | No |
| Subscription Cost | $0-15/month | $0 |
| Setup Time | 5 minutes | 2 hours |
| Mobile Access | Everywhere | VPN only |
| Reliability | Depends on internet | Works offline |
| Privacy | Weak (corporate) | Excellent |
Total Cost Breakdown
Complete Privacy-Friendly Smart Home:
Hardware (One-time):
├── Raspberry Pi 5 + SSD: $135
├── Zigbee coordinator: $40
├── Z-Wave stick (optional): $45
├── Managed switch: $45
├── Smart bulbs (4×IKEA): $40
├── Smart plugs (4×Sonoff): $40
├── Motion sensor: $15
├── Temperature sensors (2×): $20
├── Door sensors (2×): $20
└── SUBTOTAL: $400-450
Network (One-time):
├── WiFi 6 router (optional): $250
└── Ethernet cables: $20
Annual Costs:
├── Electricity: ~$15/year
├── Internet: Already have it
└── Subscriptions: $0
Total Year 1: ~$650-720
Total Year 2+: ~$15/year
vs Cloud:
Alexa/Google Setup:
├── Initial: $50-100
├── Annual: $120+ (Prime, subscriptions)
└── Hidden cost: Your privacy
Backup & Restore
Automated Backups (Critical):
automation:
- alias: "Backup daily at 2 AM"
trigger:
platform: time
at: "02:00:00"
action:
service: homeassistant.backup
Manual Backup:
Home Assistant:
Settings → System → Backups
Click "Create backup"
Saves to: /config/backups/
Includes: All automations, scenes, device configs
Size: ~500 MB - 1 GB
Restore (if Pi fails):
# Install Home Assistant on new Pi (same steps as before)
# Copy backup file:
scp homeassistant.tar ~/.../backups/
# Home Assistant Auto-detects:
# On first boot, shows: "Restore from backup?"
# Click "Yes"
# All configs restored within 5 minutes
# Devices reconnect automatically
Troubleshooting
Devices Not Pairing:
1. Check range
- Coordinator should be within 30m of devices
- Walls/floors reduce range to ~10m
- Solution: Move coordinator closer OR add repeater
2. Check batteries
- Battery devices < 20% can fail to pair
- Replace battery, try again
3. Check coordinator
- Verify USB port: ls /dev/ttyUSB*
- Try different USB port
- Try USB hub (some ports are USB 2.0)
4. Reset and retry
- Remove device from Home Assistant
- Reset device (hold button 10 seconds)
- Permit joining again
Home Assistant Slow:
Causes:
├── Too many entities (>500)
├── Database corrupted (zigbee.db)
├── Insufficient RAM (<2GB)
└── Slow disk (SD card instead of SSD)
Solutions:
├── Archive old automations
├── Switch to SSD (if using SD)
├── Restart Home Assistant
├── Check system resources:
Settings → System → About
Shows CPU, RAM, disk usage
Zigbee Devices Unresponsive:
Intermittent unresponsiveness:
1. Check WiFi interference
- Move devices away from WiFi router
- Use different 2.4GHz channel (if router is 5GHz)
2. Add repeater
- Plug Sonoff ZBMINI into outlet
- It repeats Zigbee signal to distant devices
3. Increase transmit power
- Some coordinators support this:
Settings → ZHA → Configure
└── TX Power: 19 dBm (max)
Expansion: What’s Next
After basic setup:
- Add more rooms
- Bulbs, motion sensors, temperature sensors in each room
- Cost: $15-30/room
- Advanced automation
- Sunrise/sunset lighting
- Occupancy-based climate control
- Voice commands (Rhasspy, wake word detection)
- Energy monitoring
- Add smart plugs to measure consumption
- Track which devices use most power
- Home security
- Local cameras (Reolink, not cloud-based)
- Door locks (Nuki, Aqara)
- Glass break sensors
- Media server
- Plex for local movies/TV
- Runs on same Raspberry Pi
Related Reading
- How to Check if Your Smart Home Devices Are Compromised
- Create Separate Network Segment for Smart Home Isolating
- Detect If Smart Home Devices Have Hidden Microphones or
- How To Run Zigbee2mqtt Locally For Smart Home Without Vendor
- Home Network Privacy Pihole Dns Filtering Guide 2026
Built by theluckystrike — More at zovo.one