Duck DNS works on internal network, but not an external one

I’m looking for some help regarding external access to HA.

I’ve set up duckdns https://***duckdns.org and configured this in HA:

homeassistant:
  external_url: https://***.duckdns.org
  internal_url: http://192.168.68.107:8123/

http:
  ssl_certificate: /ssl/fullchain.pem
  ssl_key: /ssl/privkey.pem
  ip_ban_enabled: true
  login_attempts_threshold: 5

The internal URL doesn’t work on HTTP, and using HTTPS returns a certificate error, which would be expected.

When I visit https://***duckdns.org from my local network, everything works fine. As does the companion app.
For some reason, I can’t access HA from outside my network.

In the app, I get an SSL handshake error.
In a browser, I get ERR_SSL_PROTOCOL_ERROR.

Pinging duck dns returns the correct IP.

I’ve opened the ports on my router (8123 → 8123 and 443 → 8123)

My router is in modem mode and I use a deco P9 for my router.

The duckdns addon logs show no issues, everything green with “no change”.

I’ve had a pretty extensive Google, and searched here, but I’m at a loss for what’s going wrong. Does anyone have any ideas?

Yesterday there were some problems with duckdns… I also wasn’t able to access my HA from outside, while it had been working for over one year.
This morning everything came back working normally (without doing anything), that’s why I suspect there was some problem at duckdns level.

That will route both ports to the internal port of your actual HA installation.
Unless you have set up SSL directly on HA, but the internal link of http://… suggests otherwise, so it will fail with a protocol error when trying to access it with https://…
You need to set up SSL directly on HA and then run with domain names internally, or set up NGinx, which makes it possible to accept HTTPS connections and convert them to HTTP that can be retransmitted to the HA installation running without SSL.

SSL should be set up directly on HA, using the duckDNS addon.

HTTPS does seem to work when on my internal network, but not when externally.

Unfortunately, this hasn’t resolved my issues.

What happens if you use the IP address with HTTP and/or HTTPS from outside your network?

When using my IP on my internal network:
https goes to home assistant, but has a cert error and says “invalid client id”

http seems to redirect to https

When using my IP on an external network:
https gives a page saying 403 forbidden - I think this was because I IP banned myself - I’ll restart and check

http seems to redirect to https

Something strange on my network, but not sure what.

On my external network I can’t access www.duckdns.org, I get an ERR_SSL_PROTOCOL_ERROR.

On my internal network, it works as normal.

As @WallyR said,

should not work.

If there is internal port redirection it gets worse, as it could be possible that you try to reach 8123 from outside, but you get redirected to 443, then your router redirects the new target back to 8123 again (443 > 8123).

If the duckdns addon is managing it, only port 443 to 443 or 8123 > 8123 should be NATed.

But not sure how you configured it and how the duckdns addon is working exactly, as I am not using duckdns, but a service of my router, and using the nginx proxy addon with letsencrypt for the https part.

Honestly I would always use a VPN like WireGuard to access things from outside; if there is a security issue, you are still safe.

I can’t remember what services the DuckDNS addon provides, but my guess is that it is only the Dynamic DNS management.
Certificates should be managed by the Let’s Encrypt Addon and if you are using NGinX, then that addon is in control of the HTTPS connection in which case HTTP access will still be available. If HA controls the SSL connection, then no HTTP access will be available, only HTTPS.

DuckDNS provides the certs, via lets encrypt.

I’m not using the NGinX addon - but if I can’t get this to work I’ll consider it.

Ok, no NGinX means no HTTP, so you will have to use HTTPS both internally and externally, and because certificates only work on domain names, IP addresses will invalidate the certificates and probably refuse connection.
The HTTPS port on HA is then 8123.

Now ping your DuckDNS address and then check that it is the same as on www.myip.com
If it is not the same, then your DuckDNS needs to be updated.

If it is the same, then check your public IP address in your router to see if that is the same as the one on www.myip.com
If it is not, then your ISP is using NAT and you need to have them assign you a public IP or port forward on their router to your router.

If your router’s public IP is the same as www.myip.com, then check your port forward in the router.
It should have an external port and an internal IP and port.
The external port can be whatever you like, but if you use 443, then you can just write https://example.duckdns.org, when you enter your server address.
If it is not 443, then you will have to write https://example.duckdns.org:external_port when you enter the server address.
Check also that the internal IP is the same as the one on your HA installation.
The internal port should be 8123.

Then check your HA installations configuration.yaml.
It should have entries for trusted networks or your connections will be rejected.
And for now disable IP banning, until it works with login.
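One way to run through that checklist from a laptop, and at the same time tell apart the three failures discussed earlier in the thread (nothing answering on the forwarded port, a plain-HTTP listener answered with HTTPS, which is what a browser reports as ERR_SSL_PROTOCOL_ERROR, and a certificate that does not match the name used): the Python script below is an added example, not something posted in this thread and not part of the DuckDNS add-on. It assumes https://api.ipify.org as the "what is my public IP" lookup (any similar service works), and the router's WAN address has to be read from the router's status page and passed as an optional third argument; the domain and addresses used are placeholders.

```python
"""Connectivity checks mirroring the DuckDNS / port-forward checklist above.

Added example, not part of the original thread. Assumptions: the public-IP
lookup uses https://api.ipify.org, and the router's WAN address is supplied
by hand (there is no generic API to read it from a consumer router).
"""
import socket
import ssl
import sys
import urllib.request


def resolve(hostname: str) -> str:
    """Return the IPv4 address the DuckDNS name currently points at."""
    return socket.gethostbyname(hostname)


def public_ip(lookup_url: str = "https://api.ipify.org") -> str:
    """Ask an external service which address our traffic leaves from (assumed service)."""
    with urllib.request.urlopen(lookup_url, timeout=10) as resp:
        return resp.read().decode().strip()


def external_url(domain: str, external_port: int) -> str:
    """Build the address to type into the companion app or browser.

    Port 443 is implied by https://; any other forwarded external port must be explicit.
    """
    if external_port == 443:
        return f"https://{domain}"
    return f"https://{domain}:{external_port}"


def classify(dns_ip: str, public_ip_seen: str, router_wan_ip: str) -> str:
    """Decide which step of the checklist applies, in the order the post gives them."""
    if dns_ip != public_ip_seen:
        return "duckdns-stale"        # DuckDNS still holds an old address: update it
    if router_wan_ip != public_ip_seen:
        return "isp-nat"              # router WAN IP is not the public one: ISP-side NAT
    return "check-port-forward"       # addressing is right: inspect the router's forward rule


def tls_probe(host: str, port: int, server_hostname: str) -> str:
    """Open a TLS session to host:port and report what failed, if anything.

    'refused'/'timeout'  : nothing reachable on the forwarded port
    'not-tls'            : something answered, but not with TLS (plain HTTP on that port)
    'cert-mismatch'      : TLS works, but the certificate is not for server_hostname
    'ok:<version>'       : handshake completed and the certificate validates
    """
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((host, port), timeout=10) as raw:
            with ctx.wrap_socket(raw, server_hostname=server_hostname) as tls:
                return "ok:" + tls.version()
    except ConnectionRefusedError:
        return "refused"
    except socket.timeout:
        return "timeout"
    except ssl.SSLCertVerificationError:   # subclass of SSLError, so it must come first
        return "cert-mismatch"
    except ssl.SSLError:
        return "not-tls"


if __name__ == "__main__":
    # usage: python checklist.py example.duckdns.org [external_port] [router_wan_ip]
    domain = sys.argv[1]
    port = int(sys.argv[2]) if len(sys.argv) > 2 else 443
    dns_ip = resolve(domain)
    seen = public_ip()
    wan_ip = sys.argv[3] if len(sys.argv) > 3 else seen  # assume no ISP NAT unless told
    print(f"{domain} resolves to {dns_ip}; public IP seen from here is {seen}")
    print("next step:", classify(dns_ip, seen, wan_ip))
    print("TLS by name     :", tls_probe(dns_ip, port, domain))
    print("TLS by bare IP  :", tls_probe(dns_ip, port, dns_ip))   # expected: cert-mismatch
    print("address to use  :", external_url(domain, port))
```

Run it from a connection outside the home network (a phone hotspot is the easiest); running it from inside tests the router's NAT loopback rather than the forward rule itself. A "not-tls" result by name with "ok" from the LAN is the pattern that points at something between the client and the router rewriting or intercepting the connection rather than at the HA configuration.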

Check your configuration:

homeassistant:
  external_url: https://***.duckdns.org

should be

homeassistant:
  external_url: https://***.duckdns.org:8123

Let’s encrypt configuration:

domains:
  - xxx.duckdns.org
email: [email protected]
keyfile: privkey.pem
certfile: fullchain.pem
challenge: http
dns: {}

Check also your duckdns config:

domains:
  - xxx.duckdns.org
token: aaaaaaaaaawsedrfr
aliases: []
lets_encrypt:
  accept_terms: false
  algo: secp384r1
  certfile: fullchain.pem
  keyfile: privkey.pem
seconds: 300

hope this helps…

That is not needed for a HTTP challenge.

I’m not using the let’s encrypt addon, as DuckDNS creates the certs for me, so those settings aren’t needed.

on my mobile and my partner’s mobile
I can’t access www.duckdns.org or example.duckdns.org off the wifi network (ERR_SSL_PROTOCOL_ERROR)
on the wifi network, I can access both fine

on my laptop
on my wifi network I can access both fine, haven’t tried another yet

The IP on my router, example.duckDNS.org and whatsmyip.com are all the same and correct.

That was some of the answers from my list.
What about the rest?

The internal IP is correct, set with a static IP and the port forwarding rules are all ok. Changing any port forwarding rules does break HA on my wifi network.

I haven’t setup any trusted networks, but previously when this all worked, I didn’t have them either.

I’m still confused as to why www.duckdns.org gives SSL errors when using the mobile network, but not on wifi

Set one of your mobiles up as a hotspot, then connect your laptop to it and see what comes up when trying to access the website through a browser.
It could be that your ISP has you proxied with DPI.

Unable to connect to www.duckdns.org when using a hotspot, using my laptop.

Anyway, is there a way I can tell if my ISP is doing that, and how to stop it/fix it? Strange that it suddenly started, when this used to work a while ago.

If they use DPI, then it is hard to avoid, but using the laptop should give you more options to seek out the error, because it is usually more descriptive in its errors than mobile phones, and different browsers can be used too.