I have benn using Openhab for severall years now and never had take care of the security of my externall access.
For externall access I use a dyndns service that is also used by another applications like Owntracks. For the OpenHAB2 I have a forward rule in the router for the 8080 port and that´s it… everithing works but no security.
I see in the configurations of my openhab2 android app that I can use a user and password for external access, but how to configure it in my case that Im not using the Cloud service.
Unless you really know what you are doing I strongly recommend against doing this. Your machine will be constantly under attack and you need to have the skills and the time necessary to monitor and mitigate these attacks. Very few have both.
For those who are not technically adept, myopenhab.org is the general recommended approach.
For those who are and do not want to use on myopenhab.org, the general recommendation is to host your own instance of openHAB Cloud Server on AWS.
For those who are technically adept and do not what to rely on any off premises services, my recommendation is to set up a VPN like OpenVPN or the like to connect your remote devices to your LAN. NOTE: the requirement to spend the time and skills necessary to monitor and mitigate attacks applies to OpenVPN as well.
You want to limit your exposure to the internet as much as possible.
