Keith,
Not sure I like or want that, as there is no way to access your HA instance if your internet (or duckdns) is down
i.e. you always need to come in from duckdns.org
OR just keep changing your config :-\
There are some incorrect assumptions here. I’ll try to clarify.
- DuckDns simply provides a DNS alias (or “A”) record that can be dynamically updated via a small script that you run on some machine behind your non-static IP. This DNS alias will be reasonably up-to-date with your current IP. There is a DNS lookup involved, but there is no traffic that DuckDns relays to your local HA instance.
- Let’s Encrypt provides a certificate so that you can use HTTPS. If you configure HomeAssistant to use a certificate you created with your DuckDns domain name, then that is now the only way you can connect to that HomeAssistant instance – no longer by IP address, since there is no longer an HTTP way to get to it.
- The public/private key stuff is all handled by negotiation between the web server and your browser. We don’t really need to get into this level of detail.
- Port 443 is the default HTTPS port, like 80 is the default HTTP port. You don’t need to use the default port, it’s just the simplest thing to do. You mentioned exactly this.
Regarding point 2. The reason some people (myself included) have configured the NGINX reverse proxy to use their Let’s Encrypt certificate rather than HA itself is so we can have the best of both worlds – from the internet side of things, I get an HTTPS-exposed service (NGINX) that does the decryption of the HTTPS data and forwards it on to my internal HA instance on (unencrypted) port 8123. There’s lots of documentation on how to set up NGINX to do this. Everything inside my house is HTTP, but everything exposed to the internet is HTTPS. DuckDNS and Let’s Encrypt are completely de-coupled from Home Assistant.
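The "small script" mentioned in the reply above, written out as an added example (this is not code from the thread or from DuckDNS). It calls DuckDNS's public update endpoint, https://www.duckdns.org/update, which answers with a body of "OK" or "KO". The environment-variable names, the subdomain and the token values are placeholders chosen for this example; the redaction helper exists because the token in the URL is the same secret the thread later warns you never to share.

```python
"""Tiny DuckDNS dynamic-DNS updater with token-safe logging (added example)."""
import os
import urllib.parse
import urllib.request

# DuckDNS's update endpoint; it answers with a body of exactly "OK" or "KO".
DUCKDNS_UPDATE_URL = "https://www.duckdns.org/update"


def build_update_url(subdomain: str, token: str, ip: str = "") -> str:
    """Build the GET URL that refreshes the A record for one subdomain.

    DuckDNS wants the bare label ("myfortressofsolitude"), so a full
    ".duckdns.org" name is trimmed. With `ip` left empty, DuckDNS records
    the source address of the request, i.e. the router's WAN address when
    the script runs on a machine behind it (this is also why it cannot
    work behind CGNAT: the source address is the carrier's, not yours).
    """
    label = subdomain.strip().lower()
    if label.endswith(".duckdns.org"):
        label = label[: -len(".duckdns.org")]
    params = {"domains": label, "token": token}
    if ip:
        params["ip"] = ip
    return DUCKDNS_UPDATE_URL + "?" + urllib.parse.urlencode(params)


def redact_token(url: str) -> str:
    """Return the URL with the token value masked, safe to put in a log line."""
    parts = urllib.parse.urlsplit(url)
    query = [(k, "REDACTED" if k == "token" else v)
             for k, v in urllib.parse.parse_qsl(parts.query, keep_blank_values=True)]
    return urllib.parse.urlunsplit(parts._replace(query=urllib.parse.urlencode(query)))


def update_succeeded(body: str) -> bool:
    """DuckDNS's reply body is exactly "OK" on success and "KO" otherwise."""
    return body.strip() == "OK"


def update(subdomain: str, token: str, ip: str = "", timeout: float = 10.0) -> str:
    """Send the update and return the response body; raise on "KO"."""
    url = build_update_url(subdomain, token, ip)
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        body = resp.read().decode("ascii", "replace")
    if not update_succeeded(body):
        # The redacted URL is what may go into a log or a forum post.
        raise RuntimeError(f"DuckDNS refused {redact_token(url)}: {body!r}")
    return body


if __name__ == "__main__":
    # The token comes from the environment (or a root-only file), never from
    # the command line, where `ps` and shell history would expose it.
    # DUCKDNS_TOKEN and DUCKDNS_SUBDOMAIN are names chosen for this example.
    token = os.environ.get("DUCKDNS_TOKEN", "")
    if not token:
        raise SystemExit("set DUCKDNS_TOKEN before running")
    print(update(os.environ.get("DUCKDNS_SUBDOMAIN", "myfortressofsolitude"), token))
```

Run it from cron every few minutes on any always-on machine behind the router; it does the same job as the DuckDNS add-on's `seconds` polling, and nothing in it touches Home Assistant.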
Renier, Thanks but I watched Juan’s video and it just showed the DuckDNS part, nothing about nginx
As I said earlier, I don’t want to switch off local access and I don’t want to have to keep changing my config.
Sorry but it didn’t help
Thanks anyway
Mutt
Did you try the guide I posted the link to?
Crhass,
Thanks I did, I’m just about to reply to SteveDinn as he gave me the hint I needed.
But I have to say that your link gave me the meat and two veg of the required solution.
I owe you (and the others above who mentioned nginx (SteveM, Tom, Brian)) a huge debt
Thanks All
Mutt
SteveDinn,
You gave me the clue I needed.
Admittedly, the nginx crew did most of the heavy lifting but your clue tipped me over the edge.
I have DuckDNS set up and running, logs look clean
I have NGINX up and running, logs look clean and the parms/key generation thang went okay (a couple of times it didn’t, so I had no option but to step back a level and start again); it finally completed and I breathed a sigh of relief (must have been the way I was holding my tongue!)
I have NOTHING in my configuration file regarding http: or alike ; - )))))
Anyway I STILL was not getting any joy.
I was reading your post and the bit " there is no traffic that DuckDns relays to your local HA instance " hit me.
I have a DrayTek Vigor 2762ac Modem Router (my old router 1. needed rebooting every 3 to 6 weeks 2. could only keep fixed IP addresses for 32 items. 3. wasn’t ac)
All routers’ port forwarding options are a little different, but I read up and went through the options; anyway, one of the options was to configure the port forwarding from where it originated, so I did a DNS lookup on duckdns.org and filled their IP address (and later even the whole AWS server range) into the origin for the forward.
This is what stopped me, as the data was not coming from there but from whatever NAT I was connecting through outside my LAN.
Ta Da !!!
MANY, MANY, MANY, MANY, MANY, Thanks
Mutt
I’ll write up what I did for others as I DEFINITELY think nginx is the way to go and maintain your standard 8123 clear for local
Okay,
As you can see from the above, there is a lot of confusion over which ports you can/should use.
Some saying it HAS to be 8123 on the local side and that you HAVE to specify an http: entry in your configuration. No, you don’t !
Edit (20200512): ‘sometime’ since this post was written, the configuration no longer likes some of the “quotes”, so I have included what the ‘modern’ versions of the config are. Note: I did not set it up with these (they were changed by updates to the packages) so can not testify to their equivalency; if you have problems, get back to me and I’ll update this post again.
List:
- Install DuckDNS
- Install NGINX (from the core add-ons)
- Port forward 443 external to YourHAInstanceIPAddr:443 internal (careful of your router’s intricacies, bearing in mind the above post; this was my stumbling block)
- (Not sure this is necessary but …) Port forward 80 external to YourHAInstanceIPAddr:80 internal
- Find out what your router’s WAN IP address is (make sure this is not via CGNAT (basically NAT layering) as it won’t mean anything on the www)
- Go to duckdns.org and enter your WAN IP address and generate your token (make a note of this and your sub-domain of duckdns.org e.g. myfortressofsolitude.duckdns.org)
- Go back to your DuckDNS add-on and change the config to:
{
  "lets_encrypt": {
    "accept_terms": true,
    "certfile": "fullchain.pem",
    "keyfile": "privkey.pem"
  },
  "token": "123456wouldntyouliketoknow123456",
  "domains": [
    "myfortressofsolitude.duckdns.org"
  ],
  "seconds": 300
}
The quotes shown are necessary (edit: recent implementations remove the quotes; if yours does the same, ‘it must be alright’) - (edit2 (Mar 2021): It appears that syntax checking has become slightly more onerous, requiring that the empty key “aliases: []” be present, as shown below). The following is what mine looks like now:
lets_encrypt:
  accept_terms: true
  certfile: fullchain.pem
  keyfile: privkey.pem
token: 123456wouldntyouliketoknow123456
domains:
  - myfortressofsolitude.duckdns.org
aliases: []
seconds: 300
- Save and start your DuckDNS
- Go to your NGINX add-on and change the config to:
{
  "domain": "myfortressofsolitude.duckdns.org",
  "certfile": "fullchain.pem",
  "keyfile": "privkey.pem",
  "hsts": "max-age=31536000; includeSubDomains",
  "customize": {
    "active": false,
    "default": "nginx_proxy_default*.conf",
    "servers": "nginx_proxy/*.conf"
  }
}
Again the quotes are necessary and ports are not, nor is an https:// prefix (edit: recent implementations remove the quotes; if yours does the same, ‘it must be alright’). Again, this is what mine looks like now:
domain: myfortressofsolitude.duckdns.org
certfile: fullchain.pem
keyfile: privkey.pem
hsts: max-age=31536000; includeSubDomains
cloudflare: false
customize:
  active: false
  default: nginx_proxy_default*.conf
  servers: nginx_proxy/*.conf
- Save and start your NGINX (keep refreshing the log until it generates the parms/keys and says “starting nginx …”, then wait 60 secs more)
- Go to your configuration.yaml and comment out ANYTHING under http:, including the “http:” itself
- Reboot your router (to be sure, to be sure)
- Reboot your HASS instance (to be sure, to be sure, to be sure)
- Go to https://myfortressofsolitude.duckdns.org and login to your HA instance (you did set passwords etc., didn’t you?)
- You can now go back and delete the port forward for port 80 and remove the same from nginx (that’s if you did it). Some say that port 80 was necessary to generate the keys and do the negotiations for the DuckDNS set up - I dunno
- You ‘should’ now be able to access your HA locally (LAN, and xxx.xxx.xxx.xxx:8123 or hassio.local:8123 (whatever, I never use that)) and remotely (https://xxxx.duckdns.org (note: no port numbers on external))
- Go and have a drink to celebrate, you’ve earned it!
Note: I have observed that my certificates have ‘self renewed’ twice since the above install, this is with ONLY port 443 exposed (but encrypted) and no intervention from myself.
Edit: I’ve noticed that as of 20191114 - 7 people have clicked on https://myfortressofsolitude.duckdns.org - just letting you know, I’m not THAT stupid !
20200202 it’s upto 29 people clicking - Really, what do you think you’ll find ?
I REALLY recommend enabling Multi-factor Authentication Modules
This is under your profile settings (bottom right)
it will lead you through what you have to do from there
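An offline sanity check for the two add-on option sets in the write-up above, as an added example (not code from the post, and not part of either add-on). The required-key lists are taken from what this thread shows the add-ons accepting (`aliases: []` for DuckDNS, `cloudflare: false` for NGINX) and are an assumption to check against the schema of the add-on versions you actually run; the sample option dicts are constructed here from the write-up, with a made-up token. It also cross-checks the two: the proxy serves the certificate the DuckDNS add-on obtained, so the name and the file names must agree, or the browser gets a certificate for the wrong host.

```python
"""Offline lint for DuckDNS + NGINX add-on options (added example)."""
import json
import re

# Key lists as observed in this thread; an assumption, not the add-ons' schema.
DUCKDNS_KEYS = ("lets_encrypt", "token", "domains", "aliases", "seconds")
NGINX_KEYS = ("domain", "certfile", "keyfile", "hsts", "cloudflare", "customize")
PLACEHOLDER_TOKENS = {"", "123456wouldntyouliketoknow123456"}
HSTS_MAX_AGE = re.compile(r"max-age=(\d+)")
ONE_YEAR = 31536000


def load_json_options(text: str) -> dict:
    """Parse the older JSON form of the options (for the YAML form, hand in
    the dict your YAML parser produced instead)."""
    return json.loads(text)


def check_duckdns(opts: dict) -> list[str]:
    f = [f"duckdns: missing key '{k}'" for k in DUCKDNS_KEYS if k not in opts]
    le = opts.get("lets_encrypt")
    if not isinstance(le, dict) or le.get("accept_terms") is not True:
        f.append("duckdns: lets_encrypt.accept_terms must be true or no certificate is requested")
    if str(opts.get("token", "")) in PLACEHOLDER_TOKENS:
        f.append("duckdns: token is empty or still the placeholder from the write-up")
    domains = opts.get("domains")
    if not isinstance(domains, list) or not domains:
        f.append("duckdns: domains must be a non-empty list")
    else:
        f += [f"duckdns: '{d}' is not a duckdns.org name" for d in domains
              if not str(d).endswith(".duckdns.org")]
    if not isinstance(opts.get("aliases", []), list):
        f.append("duckdns: aliases must be a list (use [] when unused)")
    seconds = opts.get("seconds")
    if not isinstance(seconds, int) or isinstance(seconds, bool) or seconds <= 0:
        f.append("duckdns: seconds must be a positive integer")
    return f


def check_nginx(opts: dict) -> list[str]:
    f = [f"nginx: missing key '{k}'" for k in NGINX_KEYS if k not in opts]
    domain = str(opts.get("domain", ""))
    if "://" in domain or ":" in domain or "/" in domain:
        f.append("nginx: domain must be the bare host name, no scheme, port or path")
    m = HSTS_MAX_AGE.search(str(opts.get("hsts", "")))
    if not m:
        f.append("nginx: hsts must carry max-age=<seconds>")
    elif int(m.group(1)) < ONE_YEAR:
        f.append("nginx: hsts max-age is shorter than the usual one-year recommendation")
    if "cloudflare" in opts and not isinstance(opts["cloudflare"], bool):
        f.append("nginx: cloudflare must be true or false")
    cust = opts.get("customize")
    if not isinstance(cust, dict) or not isinstance(cust.get("active"), bool):
        f.append("nginx: customize.active must be true or false")
    return f


def cross_check(duck: dict, nginx: dict) -> list[str]:
    """The proxy serves the certificate DuckDNS obtained, so both option
    sets must agree on the host name and on the files under /ssl/."""
    f = []
    names = set(duck.get("domains") or []) | set(duck.get("aliases") or [])
    if nginx.get("domain") not in names:
        f.append("nginx domain is not in the DuckDNS domains/aliases; the certificate will not cover it")
    le = duck.get("lets_encrypt") or {}
    for k in ("certfile", "keyfile"):
        if le.get(k) != nginx.get(k):
            f.append(f"{k} differs between the DuckDNS and NGINX add-ons")
    return f


def validate(duck: dict, nginx: dict) -> list[str]:
    return check_duckdns(duck) + check_nginx(nginx) + cross_check(duck, nginx)


# Constructed sample: the YAML from the write-up as dicts, with a made-up token.
GOOD_DUCKDNS = {
    "lets_encrypt": {"accept_terms": True, "certfile": "fullchain.pem", "keyfile": "privkey.pem"},
    "token": "example-token-not-a-real-one",
    "domains": ["myfortressofsolitude.duckdns.org"],
    "aliases": [],
    "seconds": 300,
}
GOOD_NGINX = {
    "domain": "myfortressofsolitude.duckdns.org",
    "certfile": "fullchain.pem",
    "keyfile": "privkey.pem",
    "hsts": "max-age=31536000; includeSubDomains",
    "cloudflare": False,
    "customize": {"active": False, "default": "nginx_proxy_default*.conf", "servers": "nginx_proxy/*.conf"},
}
# The same NGINX options without `cloudflare`, the shape the add-on rejects later in this thread.
NGINX_NO_CLOUDFLARE = {k: v for k, v in GOOD_NGINX.items() if k != "cloudflare"}

if __name__ == "__main__":
    for label, ng in (("as written up", GOOD_NGINX), ("without cloudflare", NGINX_NO_CLOUDFLARE)):
        print(f"{label}: {validate(GOOD_DUCKDNS, ng) or 'no findings'}")
```

Paste your own option dicts in place of the constructed ones; a finding about the NGINX `domain` or a certfile/keyfile mismatch is the usual reason the proxy starts cleanly but the browser still rejects the certificate.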
Np, he still has some excellent and well documented videos, enjoy. Will keep you posted if I find anything relevant to your issues.
Number 12 surprised me. I thought it was necessary to leave just the http: in to enable the http interface but it would appear it is only needed if you don’t want to use default settings.
I have been trying to accomplish this for years and just got it figured out today! Thank you so much!
Is there any guide to setup something similar for HA running docker container in ubuntu server?
Nope, I think if you are running on a ‘fully featured’ OS then you have more options by default.
You could look github for similar packages or look at tor, zero tier one, etc. With or without something like nginx proxy manager.
It may take some experimentation but you could then write it up for the next guy.
Has anyone got DuckDNS running with a Fios G3100 Gigabit Router? I believe this is their newest router and for some reason I can’t get the port forwarding to work. I set it up just like the previous router, forwarding 443 to the Hassio 443, but it still seems to get blocked. Any thoughts?
Your issue is not duckdns related, it is more specifically hardware.
You should start a new thread relating to that device and the issue you are having.
Hi,
I’m very new to home assistant and been struggling to get my DuckDNS / NGINX config working until following this post quoted here. The issue I have now is the NGINX config advises that you don’t need the DuckDNS config for ssl_certificate and ssl_key.
If I comment these out, I can successfully access from remote location, but I can’t access locally. If I comment them in, I can successfully access locally, but not remotely.
Can anyone please give me some advice on what I am doing wrong? I’ve followed so many tutorials and youtube vids and it seems none of them are accurate for the latest Hass.io build 3.8
I’ve moved on from hass.io (home assistant) to running home assistant core in docker so I can’t add anything to the above, sorry.
Thanks Steve, I’m still researching and trying to resolve. If anyone else can offer some assistance, it would be much appreciated.
I am unsure what config to share (and I am still a little unsure about what is safe to share without giving away detail that should be redacted) in a public forum.
Security :
Your duckdns address merely shows where you live on the Internet, they’d still have to break in. Still it’s best not to give them directions
The ip address is similar so substitute
Your DuckDNS token is your personal token for your instance, don’t share that
Looking at your post may I ask why you put nearly everything in a quote block ?
You want duckdns and nginx for local and remote access ?
May I ask what did not work when you followed my solution post (no 23) in this thread ?
Hi Muttley,
Thanks for your explanation around the security. I will make sure to keep these things private.
Regarding the block quotes, I’m not sure quite what your question is. I was quoting another post to outline what has worked for me and what my issue is since following this configuration.
I have enabled two factor authentication but apart from accepting my token from the authentication application, there was no further instructions to follow - the only change is that it now has an option to disable. I’m validating the rest of your other post against my config now and will report back once complete. Previous attempt following it did not work. It wouldn’t allow me to save the config you’ve shared in my NGINX setup.
:EDIT:
If I use your NGINX config (with my address) I get this error:
not a valid value for dictionary value @ data['options']. Got
{'domain': 'xxxxxx.duckdns.org',
'certfile': 'fullchain.pem',
'keyfile': 'privkey.pem',
'hsts': 'max-age=31536000; includeSubDomains',
'customize': {
'active': False,
'default': 'nginx_proxy_default*.conf',
'servers': 'nginx_proxy/*.conf'}}
The only difference I can identify is the default config has a line “cloudflare”: false,
This is not in your config