DuckDNS - It's not just me - it's you!


  • Router set to forward port 443, 80, and 81 to HA. I use comcast xFi and am unable to put different external vs internal port forwards. (I also tried forwarding every port from 1-9999 in a range but that didn’t fix the issue).
  • Configuration file updated as follows:
    http:
      ssl_certificate: /ssl/fullchain.pem
      ssl_key: /ssl/privkey.pem
      ip_ban_enabled: true
      login_attempts_threshold: 5

For me I only needed to port forward 443 → 433 to HA. I think you don't need to include the ssl keys in the config.yaml when nginx is handling all the HTTPS traffic.
On my setup the port 80 is used for HTTP challenge when renewing the certificates once a year.

I was having the same problem and managed to fix it.

My setup:

  • HA runs in docker on Synology NAS (port 8123)
  • NAS has a Let’s Encrypt certificate and port 443 is open
  • Router port 443 is forwarded to Synology NAS 443
  • Reverse Proxy NAS: https://xxx.synology.me (443) -> http://192.168.0.200 (8123)

My problem was that externally I would get to the login screen, but after logging in it would give me an error saying “Unable to connect to Home Assistant. RETRY”.

This happens because the reverse proxy of Synology by default doesn’t have websockets enabled. To enable in Synology DSM:

  • Open Control Panel > Application Portal
  • Change to the Reverse Proxy tab
  • Select the proxy rule for which you want to enable Websockets and click Edit
  • Change to the Custom Headers tab
  • Create > WebSocket

Now you should be able to access HA externally.
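As an added example (not code from the original thread, from Synology or from Home Assistant), a small Python check for the symptom described above: it sends the same WebSocket upgrade the HA frontend performs on /api/websocket after login and reports whether the reverse proxy passed the upgrade through or answered with plain HTTP. The `probe` helper, the host name and the sample responses are assumptions for illustration.

```python
import base64, hashlib, os, socket, ssl

WS_GUID = "258EAFA5-E914-47DA-95CA-C5AB0DC85B11"  # RFC 6455 handshake GUID


def expected_accept(key: str) -> str:
    """Sec-WebSocket-Accept value a genuine WebSocket endpoint must return for this key."""
    digest = hashlib.sha1((key + WS_GUID).encode("ascii")).digest()
    return base64.b64encode(digest).decode("ascii")


def build_upgrade_request(host: str, key: str, path: str = "/api/websocket") -> bytes:
    """The upgrade request the HA frontend sends to its websocket API after login."""
    return (
        f"GET {path} HTTP/1.1\r\nHost: {host}\r\n"
        "Upgrade: websocket\r\nConnection: Upgrade\r\n"
        f"Sec-WebSocket-Key: {key}\r\nSec-WebSocket-Version: 13\r\n\r\n"
    ).encode("ascii")


def classify_response(raw: bytes, key: str) -> str:
    """'websocket-ok', 'upgrade-stripped' (proxy answered plain HTTP) or 'bad-accept'."""
    head = raw.partition(b"\r\n\r\n")[0].decode("iso-8859-1").split("\r\n")
    status = head[0].split(" ")
    headers = {}
    for line in head[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    if len(status) < 2 or status[1] != "101":
        return "upgrade-stripped"  # no 101: the proxy did not forward the Upgrade headers
    if headers.get("sec-websocket-accept") != expected_accept(key):
        return "bad-accept"  # 101 but wrong accept value: not a real websocket endpoint
    return "websocket-ok"


def probe(host: str, port: int = 443) -> str:
    """Live check (assumed helper): TLS to host:port with certificate verification, then upgrade."""
    key = base64.b64encode(os.urandom(16)).decode("ascii")
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=10) as tcp:
        with ctx.wrap_socket(tcp, server_hostname=host) as tls:
            tls.sendall(build_upgrade_request(host, key))
            return classify_response(tls.recv(4096), key)


# Constructed sample responses (not captured from any real instance or proxy).
SAMPLE_KEY = "dGhlIHNhbXBsZSBub25jZQ=="  # the RFC 6455 example key
GOOD = (b"HTTP/1.1 101 Switching Protocols\r\nUpgrade: websocket\r\nConnection: Upgrade\r\n"
        b"Sec-WebSocket-Accept: s3pPLMBiTxaQ9kYGzzhZRbK+xOo=\r\n\r\n")
STRIPPED = b"HTTP/1.1 400 Bad Request\r\nContent-Type: text/plain\r\n\r\nBad Request"

if __name__ == "__main__":
    print(classify_response(GOOD, SAMPLE_KEY), classify_response(STRIPPED, SAMPLE_KEY))
```

Run `probe("yourname.duckdns.org")` from outside the LAN: "upgrade-stripped" is the proxy-without-WebSocket case that produces the RETRY error, "websocket-ok" means the frontend can proceed past login.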


Hi Mutt, I’m currently using DuckDNS for remote access with port forward 8123 internal to 8123 external and I access my HA remotely by using https://myduckdns.domain.org:8123. I need to use NGINX for HA local access.

Here are my questions

  1. Which NGINX addon are you using? NGINX home assistant SSL proxy or NGINX proxy manager?
  2. Just to confirm, I need to remove every single line for the following in my configuration.yaml, right? Here is my current setup.
     http:
       base_url: https://myduckdns.domain.org:8123
       ssl_certificate: /ssl/fullchain.pem
       ssl_key: /ssl/privkey.pem
  3. In router, what other ports should I port forward? Should they be TCP or UDP? Currently I have 8123 to 8123 port forwarded.

Thanks in advance.

KCYeoh,
8123 as an external port is NOT recommended
SSL works by default on 443

  1. NGINX proxy manager is not in the Core Addons, it’s in the Community Addons - Which bit of this was not clear ?
  2. Yes, I believe so
  3. Again, if you forward an SSL certificated address it will default to 443. If you don’t do this and match the address to the certificate, you will either get warnings, errors, or have to specify an extended address e.g. https://myfortressofsolitude.duckdns.org:8123, AND this will NOT be encrypted. You only need TCP

I don’t think you read the instructions very well

Thanks @Mutt. I must have been reading too fast and missing some points. I will try to set up as per your guide and repost here with the results. Also, regarding the port forwarding, I will just drop the 8123 ports and do it with 443 as per your advice.

Hi, just want to post an update. I followed @Mutt’s guide and everything is working fine. In the configuration yaml, I removed every single line in the http section including the SSL certificate paths.

For the port forwarding, I only did for 443 to 443 and didn’t forward 80. Also, I did drop my existing 8123 port forwarding.

I now can access my HA through local IP, the homeassistant local host name and DuckDNS. However, I noticed on my phone/tablet I can’t access my HA using the homeassistant local host name. But, no big deal.

Thanks @Mutt.

It is amazing what kind of psychological things are going on in one’s mind while reading this entire post. At a certain moment you come across a post from @mutt which clearly states that it is THE working solution and it has been edited a number of times to be accurate to date. But still…talking for myself…I want to read on to see if I can find an even better solution…knowing there isn’t. That is probably the reason why so many of us keep on playing with their config settings even though we know we shouldn’t :slight_smile: …And yes I am also one of those who have been ‘playing’ with this for a long time! The funniest part is that I once had it working (prior to my SD card crash without proper backups). I could just access my HA fine internally and externally but I managed to break my config and never got it working properly again. After reading tons of incomplete posts or inconsistent advice I have now made up my mind as to what I am gonna do:

1- I will remove ALL port forwards from my Router (Experiabox 12 (KPN the Netherlands))
2- I will start a clean install of Home Assistant on my RPI3b+
3- I will make sure I have all core and OS updates installed

and then…

4- …I will switch off the thinking part of my brain, and just follow the guidelines of highly respected Mr Mutt STEP BY STEP…without the “hmmm maybe I should also try to add this setting…”…

and yes, I will get back here to let you know how that worked out for me :wink:

Absolutely

Follow the guidance, (though some people have (mandatory ?) supplied modems from their ISP (that don’t allow hairpin NAT for example) or have weird installations (synology NAS for example) and I don’t have experience of that (just all supported supervised installations) so you’d be on your own with that).

If it doesn’t work, then label me a liar (or that I’ve missed something or something has changed (and I’ll correct the solution, but it’s currently working on both a pi4 and a NUC)

Then take a full snapshot of the working solution (if you are as paranoid as ‘burning’ you’ll store the snapshot in 27 different locations :rofl: )
Then : -
You can mess around with ‘other bits’ as much as you like, if you then ‘break it’ you know what you have done and can step back or just reinstall the snapshot

For a short while I had a “Eureka!” moment…

Followed the Mutt guide step by step.
and Yes, I could log in on my laptop through duckdns and locally…whoopwhoop

Then I grabbed my phone, opened the Home Assistant app, set up my duckdns url and YES that also worked…while I was on my wifi…because my final and most important test was to disable wifi on my mobile and access HA via my Mobile ISP…because that is what I want to be able to do when I am not at home…Too bad, no such luck. Cannot connect. Try again…

any suggestions??

So, to be clear …
you can access your instance from home using a browser (which browser ?) and both local (name or ip ?) and https://myfortressofsolitude.duckdns.org work as browser addresses ?
And your duckdns address works from your phone, connected via your wifi out to duckdns (well the dns bit) back to your instance. (i.e. this is just the same as the last test you did, so no real surprises).
But using the app, not via wifi (but via mobile data on the app) does not work ?
Try using the browser (and what browser is that ? have you tried chrome ?) on your phone instead of the app … any change ? (some phone mobile data providers block certain ports, very rare these days but … )

Edit: I would say, go to a cafe or something - but in these covid times …
Can you get someone you trust (family member maybe ? ) to go to your version of : - https://myfortressofsolitude.duckdns.org (on a pc) and see if they get a login option (don’t let them login - well just don’t give them any login details)

OK just to be sure, I started all over again and documented all Steps followed:

Wipe SD and install latest HassOS image for RPI3B+ (hassos_rpi3-4.16.img)
Remove all port forwards in Router (KPN Experiabox V12 The Netherlands (Sagemcom F5359)
Boot RPi and wait until HA is installed:

  • Installation finished: login via local IP 192.168.2.49:8123 on all browsers for both laptop and mobile phone through local WI-FI network successful.
  • Local account created in onboarding process successful
  • Multifactor authentication activated successful
  • OS updated to version 5.8 successful
  • Add-ons installed:
    o File-editor 5.2.0 successful
    o Samba Share 9.3.0 successful
    o Mosquitto Broker 5.1 successful
    o Reboot HomeAssistant successful

From this point following the steps as stated by Muttley

  • Install DuckDNS 1.12.4 successful (not started yet)
  • Install NGINX 3.0.1 successful (not started yet)

What surprised me was to see the following description: “Home Assistant Add-on: NGINX Home Assistant SSL proxy; Sets up an SSL proxy with NGINX and redirects traffic from port 80 to 443.” While the Muttley steps strictly stick to forwarding 443 to 443. For now I will just follow Muttley steps

  • Port forward 443 from Public IP to HA local IP:443 internally in router successful (My Router mentions External Host and Internal Host. I assume External Host = WAN IP and Internal Host = Local IP 192.168.2.49)
  • DuckDNS subdomain and token created successful
  • DuckDNS Add On config changed to:
    lets_encrypt:
      accept_terms: true
      certfile: fullchain.pem
      keyfile: privkey.pem
    token: 123456Ihaventgotaclue123456
    domains:
      - myname.duckdns.org
    seconds: 300

In my initial DuckDNS config there is also the line: aliases: [] (I left that one as it is)

  • DuckDNS started successful
    o + Requesting certificate…
    o + Checking certificate…
    o + Done!
    o + Creating fullchain.pem…
    o + Done!

  • NGINX Add On config changed to:
    domain: myname.duckdns.org
    certfile: fullchain.pem
    keyfile: privkey.pem
    hsts: max-age=31536000; includeSubDomains
    cloudflare: false
    customize:
      active: false
      default: nginx_proxy_default*.conf
      servers: nginx_proxy/*.conf

  • Saved config and started NGINX (kept refreshing the log until it generated the params/keys and waited for it to say “starting nginx …”)

It never showed the message “starting Nginx”. It did say:
    o [services.d] starting services
    o [services.d] done.
    o [22:15:26] INFO: Generating dhparams (this will take some time)…
    o Generating DSA parameters, 4096 bit long prime
    o …+…+…etc etc
  • I just assume this is the same/correct

  • Doublechecked my configuration.yaml to comment out ANYTHING under http: including the “http:” itself. There was no http: mentioned in my (virgin) configuration.yaml

  • Rebooted my router (to be sure, to be sure)

  • Rebooted my HASS instance (to be sure, to be sure, to be sure)

  • Now Trying to log into my HA instance:

  • PC (WI-FI):
    http://192.168.2.49:8123
      Chrome: Successful
      Edge: Successful
      Firefox: Successful
    https://192.168.2.49:8123
      Chrome: Unsuccessful
      Edge: Unsuccessful
      Firefox: Unsuccessful
    https://myname.duckdns.org
      Chrome: Successful
      Edge: Successful
      Firefox: Successful

  • Mobile Phone (WI-FI):
    http://192.168.2.49:8123
      Chrome: Successful
      Home Assistant App: Successful
    https://192.168.2.49(:8123)
      Chrome: Unsuccessful
      Home Assistant App: Unsuccessful
    https://myname.duckdns.org
      Chrome: Successful
      Home Assistant App: Successful

  • Mobile Phone (Mobile Data, WI-FI disabled):
    https://myname.duckdns.org
      Chrome: Unsuccessful
      Home Assistant App: Unsuccessful (It does show the frontend and hangs at initializing)

Conclusions:

  1. On PC (WI-FI): internal address http://192.168.2.49:8123 and external address https://myname.duckdns.org work properly
  2. On Mobile Phone (Wi-Fi enabled) http://192.168.2.49:8123 and https://myname.duckdns.org work properly in browser and Home Assistant App
  3. On Mobile Phone (Mobile Data; Wi-Fi disabled) https://myname.duckdns.org Unsuccessful in Chromebrowser and HomeAssistant App. When adding :8123 It loads the frontend but hangs at initializing

@Mutt thank you very much for your hard work. It is good to see your method did work out great for many people. I had good hopes too but I am out of options now. At least with current port forwarding settings. Any suggestions are welcome.

I am still intrigued by the message I found in the description of DuckDNS in regards to redirecting traffic from port 80 to 443. And when I started the Home Assistant App it showed an example address: https://example.duckdns.org:8123 while in our situation 8123 is not at all being forwarded…

Suggestions to improve my configuration are welcome…

EDIT: just saw your suggestion to visit a cafe. I would really very much like to go there but they are all closed down at the moment unfortunately. I will check from my neighbour’s network tomorrow. Keep you posted

When I was researching this, a lot of people told me that port 80 was necessary for certificate renewal, so I enabled it, but others told me it wasn’t. I disabled the port forward and the cert renewed anyway (why leave a port open if you don’t need to?)

Hmmm, you didn’t read the full thread, I also was tormented over external host. This is a security feature to allow only a specific external host to be forwarded to your instance on this port. In reality everyone deals with both nat and dynamic ip addresses so this is moot, it will never work if you specify an external address.

I would expect this to be unsuccessful, 8123 is not an encrypted port (a la nginx) and you specified encrypted with your https.

Ditto last comment

This is the only one that matters, and yours fails
Confirm you have not specified any port numbers either at duckdns or in the local duckdns setup ?
You may need to talk to someone at your data carrier end to see if they know anything about your allowed ports etc (explain what you are trying to do) this will take ages as the first 30 people you speak to won’t have a clue what you are talking about.

There’s something else but I’ll pm you on that

Edit:

Well that’s just plain wrong unless they forward 8123 to a port on the instance and ALWAYS connect with encryption (ie how do they ever connect locally if their Internet goes down ?)

I would agree

I think I did read all 166 posts but I might have missed something important. Then what should I do? My router shows me the following options to create a port forwarding rule:

Where I have the following options for protocol and service:
protocol
service

Haha so you have been speaking to them too? :wink:
I can confirm I have no port numbers at duckdns nor in the local duckdns setup
I have tried on 3 different mobile phones with different carriers. Same result, so I rule out the carriers and need to find the glitch in my (port forwarding?) configuration

Well…You tell Frenck? …This is what is hardcoded in the App:

EDIT: I would like to point out that I did advise Evert (twice) that specifying an external address for the port forwarding would never work eg : -

Hmmm, wanna bet he uses Nabu Casa???

How did you get on with using your neighbours WiFi to access ?

You are at the limits of my knowledge / experience on this subject now, all I can say is my port forwarding is TCP only and leaves the external address blank. From here on in I think you are breaking new ground. Here is a map of the area you will be travelling through, it’s blank so just fill it in as you go along :rofl:
Seriously, if you find out anything more on this report back and I’ll update the thread.

Side Note: Your English is damned good ! :smiley:

Well thanks Muttley.
Neighbour’s Wi-Fi was a no-go too. I do get to see the frontend but that’s it. So I am knocking at my own door for sure but no one is opening it.

I will adjust my port forwarding by leaving the external IP blank. Just to give it another try.

If that doesn’t work either I will just continue my quest, and I will keep you posted on my progress.

This is something so many people are struggling with. I just can’t understand why there is no clear guideline from the DuckDNS or HA devs…Yes I know it is impossible to cover all routers but at least it should be clear which port(s) need to be forwarded to which port(s).

Anyway I won’t give up. It’s way too much of a learning curve for me although it does consume a hell of a lot of time…

There’s always Nabu Casa …
:wink:

Adding one more “thank you” for @Mutt

One important note:
I have 2 routers at home: the first (router1) is from my provider and it does nothing more than pass the internet to my other router (router2). All my devices are connected to router2, including hassio.
So to make DuckDNS work I needed to add a port forwarding rule on router1. It is for 443 to the router2 IP.
As a result the connection chain is the following: request comes to router1 -> router1 forwards it to router2 -> router2 passes it to hassio.

Hopefully it will save some time for people with multiple routers.

OK to help others out as well: I have fixed it for my configuration…it’s working!!!

And yes, be sure to read this entire topic! :wink:

After following the Mutt step by step guide I still couldn’t get it to work. Then I found out I had a setting wrong in my router’s port forwarding. Instead of just filling in ext port 443 and forwarding it to my local IP port 443, I entered my external IP as well and that is where it all went wrong. Removed the External IP and since then it’s working like a champ!!!

To illustrate:

Thanks Muttley!

Added a little guide how it worked for me.


I go backwards and forwards on this external access malarkey…
I know just enough to make it dangerous to open a port but not enough to be sure I am doing it safely.
I am currently toying with Nabu Casa but that seems to have its own small can of worms (for me).

Has anyone (ahem, Mutt) ‘peer reviewed’ the above blog post*? It seems to have boiled this very long and now quite complicated and hard to follow thread down to a few simple steps.

*(No disrespect meant @santik, this is more an indication of my concern with opening my system to ‘The World’.)