Second attempt same outcome. I have installed Duckdns using the guidance here. Access Your Home Assistant Server Remotely With DuckDNS and Let’s Encrypt . I can access my HAOS instance on my PC internally np but when using my duckdns URL externally the url takes me to my router logon rather than the HA instance itself.
In addition I cannot get my android HA app to connect at all using either the internal (IP address) or external (duckdns url). I get a certificate error. What might I be doing wrong?
I have port forwarding set, port 8123 external to 8123 internal to the home assistant instance OK (I think)
When you’re trying to connect remotely are you using:
https://yourhost.duckdns.org:8123/
?
Internally won’t work as HA is handling SSL, and it’s providing a certificate for your DuckDNS hostname. If you want to be able to use the LAN IP you need to use a proxy server for SSL.
Thanks so much, the addition of the port 8123 fixed the first issue. Makes blinding sense now!
In respect of the app external to my network it is fine also using the duckdns url specifying port:8123 as well. However I cant get on to the instance whilst on my network as you say above. I am confused over the concept of a proxy server (possibly too complex at my age) but I don’t understand why I cant set up the app to use the duck dns url for internal and external as that seems a simple solution? I have tried every which way to do this with no success.
The URL working internally requires your router to support NAT Reflection aka Loopback NAT.
Proxy servers are easy to set up, honestly. There’s an add-on for NGINX Proxy Manager if you use HAOS, or you can use Traefik if you’re using Docker.
Basically the proxy server handles the remote connections and SSL. You connect remotely to it using SSL, and it then connects to HA on your behalf without SSL. Locally you just connect to the LAN IP and port of HA, with no SSL.
Thank you. Looking into NGINX it seems reasonably straightforward as you say except for the trusted proxies bit. I think this means the IP addresses the requests come from. Now maybe this is completely off beam but this is my question. Isnt the trusted proxy the IP address that my phone uses? Thus I have to set a static internal IP address for my phone and use this as the trusted proxy address. And do the same for any phone using HAOS internally?
Your routers login page should only be accessible on the internal LAN and can it be reached from outside, then the probability that other services can be reached too is extremely high.
If your router is running a SNMP service, then DHCP leases and ARP tables might be easily available, so all your connected devices can be listed easily.
If your router is running a uPNP service, then it would be easy to craft a packet and send it to the router and it would actually make a firewall and a port forward for whatever that packet tells it to do.
Both services are highly likely to be running on a standard non-hardend router and this is only one of a countless number of exploits possible when you have access to the internal side of a router.