DuckDNS and port forwarding. Sanity check please

I’m not (necessarily) looking for any technical guidance here but I would appreciate a sanity check on my understanding.

I’ve watched the videos, read the blogs and checked the forum (especially this post) but before I take off my tin foil hat and open a port on my router I would really like a sanity check.

Is it true to say the following…

  • In principle, opening a port to my 2FA protected HA server which has the DuckDNS add-on configured is as secure as you can reasonably expect? By which I mean that so long as there are no flaws in HA or its own security it is within reason ‘safe’ and even considered to be a standard configuration?
  • NGINX is only necessary as a ‘convenience’ to allow routing from within the home network to a home network address. By which I mean when on the home network there is no need to go out to the WAN in order to get back in to HA. It is neither providing a further level of security and neither is it potentially reducing it?

I’ve been dithering for ages on this and am currently using a VPN¹ but the Android app has become so good and full of useful sensors that I’d really like to have it always connected.

Thanks for any answers or indeed any further info, help or advice.


¹ Built in to my UniFi USG and I’ve also played with ZeroTier.

Within reason, yes. You need to remember that anything under /local/ is accessible without authentication.

Obviously too if you have other accounts, and any of those have weak passwords and no 2FA then those are a potential issue.

If configured appropriately it can increase your security. For example I only allow remote access to webhooks (http://myha.example.com/api/webhook/...). That significantly reduces any potential attack surface even if I had horribly weak passwords.

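The webhook-only setup described in the reply above, sketched as an NGINX server block. This is an added example, not the poster's actual configuration. The upstream address 127.0.0.1:8123, the LAN range 192.168.1.0/24 and the certificate paths are assumptions; the hostname is the one used in the reply.

```nginx
# Added example, not from the thread.
# Assumptions: Home Assistant listens on 127.0.0.1:8123, the home LAN is
# 192.168.1.0/24, and the certificate paths are placeholders.
server {
    listen 443 ssl;
    server_name myha.example.com;

    ssl_certificate     /path/to/fullchain.pem;   # placeholder path
    ssl_certificate_key /path/to/privkey.pem;     # placeholder path

    # Webhooks are the only paths reachable from the internet.
    # The webhook ID in the URL is the only credential, so keep IDs long and random.
    location /api/webhook/ {
        proxy_pass http://127.0.0.1:8123;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }

    # Everything else is LAN only: the login page, the REST and WebSocket APIs,
    # and the unauthenticated /local/ files mentioned in the reply.
    location / {
        allow 192.168.1.0/24;   # assumed LAN range
        deny  all;              # any other source address gets 403

        proxy_pass http://127.0.0.1:8123;
        proxy_http_version 1.1;                    # needed for the WebSocket upgrade
        proxy_set_header Host $host;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}
```

Because the proxy sends `X-Forwarded-For`, Home Assistant's `http:` configuration needs `use_x_forwarded_for: true` and the proxy's address listed under `trusted_proxies`. Only the proxy's port should be forwarded on the router, not 8123, otherwise the restriction can be bypassed by connecting to Home Assistant directly.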

Not that I have anything there to be worried about but I’m glad I asked just for this.