DuckDNS - It's not just me - it's you!

SteveDinn · August 14, 2019, 1:30pm

Mutt:

That if you type the address https://mydomain.duckdns.org it will set up an encrypted link between your external input device (phone/tablet/computer from a given external location) and duckdns.org (this should default to port 443)

DuckDNS then forwards a similarly encrypted link (through your modem/router) to your private network Home Assistant installation using your public key and does it, also on port 443

Your HA has your private key and decrypts the link, presumably because it also arrives on port 443 (I know you ‘could’ use other ports but the above is the cleanest most sensible way to approach this, though some may make the argument that screwing with this would make it harder for an attacker to guess)

From this, it seems that if your HA recieves a request on port 8123 (from the same class C network), it responds in clear. if on port 443 it checks the encryption and responds using the public/private keys (Though as my browser doen’t know the keys then it may not work on my local LAN).

This allows simple connection from your LAN and a more secure connection via duckdns

There are some incorrect assumptions here. I’ll try to clarify.

DuckDns simply provides a DNS alias (or “A”) record that can be dynamically updated via a small script that you run on some machine behind your non-static IP. This DNS alias will be reasonably up-to-date with your current IP. There is a DNS lookup involved, but there is no traffic that DuckDns relays to your local HA instance.
Let’s Encrypt provides a certificate so that you can use HTTPS. If you configure HomeAssistant to use a certificate you created with your DuckDns domain name, then that is now the only way you can connect to that HomeAssistant instance – no longer by IP address, since there is no longer an HTTP way to get to it.
The public/private key stuff is all handled by negotiation between the web server and your browser. We don’t really need to get into this level of detail.
Port 443 is the default HTTPS port, like 80 is the default HTTP port. You don’t need to use the default port, it’s just the simplest thing to do. You mentioned exactly this.
Regarding point 2. The reason some people (myself included) have configured the NGINX reverse proxy to use their let’s encrypt certificate rather than HA itself is so we can have the best of both worlds – From the internet side of things, I get an HTTPS-exposed service (NGINX) that does the decryption of the HTTPS data, and forwards it onto my internal HA instance on (unencrypted) port 8123. There’s lots of documentation on how to set up NGINX to do this. Everything inside my house is HTTP, but everything exposed to the internet is HTTPS. DuckDNS and Let’sEncrypt are completely de-coupled from Home Assistant.

Mutt · August 14, 2019, 3:12pm

Renier, Thanks but I watched Juan’s video and it just showed the DuckDNS part, nothing about nginx
As I said earlier, I don’t want to switch off local access and I don’t want to have to keep changing my config.
Sorry but it didn’t help
Thanks anyway
Mutt

Crhass · August 14, 2019, 3:44pm

Did you try the guide I posted the link too?

Mutt · August 14, 2019, 4:15pm

Crhass,
Thanks I did, I’m just about to reply to SteveDinn as he gave me the hint I needed.
But I have to say that your link gave me the meat and two veg of the required solution.
I owe you (and the others above, who mentioned nginx (SteveM, Tom, Brian) a huge debt
Thanks All
Mutt

Mutt · August 14, 2019, 4:32pm

SteveDinn,
You gave me the clue I needed.
Admittedly, the nginx crew did most of the heavy lifting but your clue tipped me over the edge.
I have DuckDNS set up and running, logs look clean
I have NGINX up and running, logs look clean and parms/key generation thang went okay (a couple of times it didn’t, so I had no option but to step back a level and start again) it finally completed and I breathed a sigh of relief (must have been the way I was holding my tongue !)
I have NOTHING in my configuration file regarding http: or alike ; - )))))
Anyway I STILL was not getting any joy.
I was reading your post and the bit " there is no traffic that DuckDns relays to your local HA instance " hit me.
I have a DrayTek Vigor 2762ac Modem Router (my old router 1. needed rebooting every 3 to 6 weeks 2. could only keep fixed IP addresses for 32 items. 3. wasn’t ac)
All routers port forwarding options are a little different but I read up and went through the options, anyway one of the options was to configure the portforwarding from where it originated, so I did a DNS lookup on duckdns.org and filled their IP address (and later even all AWS server range) into the origin for the forward.
This is what stopped me as the data was not comming from there but from whatever NAT I was connecting through outside my LAN
Ta Da !!!
MANY, MANY, MANY, MANY, MANY, Thanks
Mutt

I’ll write up what I did for others as I DEFFINATELY think nginx is the way to go and maintain your standard 8123 clear for local

Mutt · August 14, 2019, 5:06pm

Okay,
As you can see from the above, there is a lot of confusion over which ports you can/should use.
Some saying it HAS to be 8123 on the local side and that you HAVE to specify an http: entry in your configuration. No, you don’t !

Edit (20200512) : ‘sometime’ since this post was written the configuration no longer likes some of the “quotes” so I have included what the ‘modern’ versions of the config are, Note: I did not set it up with these (they were changed by updates to the packages) so can not testify to their equivalency, if you have problems, get back to me and I’ll update this post again.

list : -

Install DuckDNS
Install NGINX (from the core add-ons)
Portforward 443 external to YourHAInstanceIPAddr:443 internal (careful of your routers intracacies bearing in mind the above post, this was my stumbling block)
~~(Not sure this is necessary but … ) Portforward 80 external to YourHAInstanceIPAddr:80 internal~~
Find out what your router’s WAN IP address is (make sure this is not via CGNAT (basically NAT layering) as it won’t mean anything on the www.
Goto duckdns.org and enter your WAN IP Address and generate your token (make a note of this and your sub-domain of duckdns.org e.g. myfortressofsolitude.duckdns.org)
Go back to your DuckDNS Add On and change to config to : -

{
  "lets_encrypt": {
    "accept_terms": true,
    "certfile": "fullchain.pem",
    "keyfile": "privkey.pem"
  },
  "token": "123456wouldntyouliketoknow123456",
  "domains": [
    "myfortressofsolitude.duckdns.org"
  ],
  "seconds": 300
}

The quotes shown are necessary (edit: recent implementaions remove the quotes, if yours does the same ‘it must be alright’ ) - (edit2 (Mar 2021): It appears that syntax checking has become slightly more onerous, requiring that the empty key “aliases: []” be present, as shown below).The following is what mine looks like now : -

lets_encrypt:
  accept_terms: true
  certfile: fullchain.pem
  keyfile: privkey.pem
token: 123456wouldntyouliketoknow123456
domains:
  - myfortressofsolitude.duckdns.org
aliases: []
seconds: 300

Save and start your DuckDNS
Goto your NGINX Add On and change the config to

{
“domain”: “myfortressofsolitude.duckdns.org”,
“certfile”: “fullchain.pem”,
“keyfile”: “privkey.pem”,
“hsts”: “max-age=31536000; includeSubDomains”,
“customize”: {
“active”: false,
“default”: “nginx_proxy_default*.conf”,
“servers”: “nginx_proxy/*.conf”
}
}
Again the quotes are necessary and ports are not, nor is an https:// prefix (edit: recent implementaions remove the quotes, if yours does the same ‘it must be alright’ ) again; this is what mine looks like now : -

domain: myfortressofsolitude.duckdns.org
certfile: fullchain.pem
keyfile: privkey.pem
hsts: max-age=31536000; includeSubDomains
cloudflare: false
customize:
  active: false
  default: nginx_proxy_default*.conf
  servers: nginx_proxy/*.conf

Save and start your NGINX (keep refreshing the log until it generates the parms/keys and says “starting nginx …” Then wait 60 secs more.
Goto your configuration.yaml and comment out ANYTHING under http: including the “http:” itself
Reboot your router (to be sure, to be sure)
Reboot your HASS instance (to be sure, to be sure, to be sure)
Goto https://myfortressofsolitude.duckdns.org and login to your HA instance (you did set passwords etc. didn’t you )
you can now go back and delete the portforward for port 80 and remove same from nginx (that’s if you did it. Some say that port 80 was necessary to generate the keys and do the negotiations for duckdns set up - I dunno
you ‘should’ now be able to access your HA locally (LAN and xxx.xxx.xxx.xxx:8123 or hassio.local:8123 (whatever, I never use that)) and Remote (https://xxxx.duckdns.org (note: no port numbers on external)
Go and have a drink to celebrate, you’ve earned it !

Note: I have observed that my certificates have ‘self renewed’ twice since the above install, this is with ONLY port 443 exposed (but encrypted) and no intervention from myself.

Edit: I’ve noticed that as of 20191114 - 7 people have clicked on https://myfortressofsolitude.duckdns.org - just letting you know, I’m not THAT stupid !
20200202 it’s upto 29 people clicking - Really, what do you think you’ll find ?

Mutt · August 14, 2019, 5:28pm

I REALLY recommend enabling Multi-factor Authentication Modules
This is under your profile settings (bottom right)
it will lead you through what you have to do from there

Renier_Van_Rensburg · August 14, 2019, 8:27pm

Np he still has some Excelent and well documemted videos enjoy. Will keep you posted if I find anything relevant to your issues

Crhass · August 15, 2019, 3:51am

Number 12 surprised me. I thought it was necessary to leave just the http: in to enable the http interface but it would appear it is only needed if you don’t want to use default settings.

drumstick93 · January 10, 2020, 1:56am

I have been trying to accomplish this for years and just got it figure out today! Thank you so much!

henry8866 · January 10, 2020, 4:27pm

Is there any guide to setup something similar for HA running docker container in ubuntu server?

Mutt · January 10, 2020, 4:36pm

Nope, I think if you are running on a ‘fully featured’ OS then you have more options by default.
You could look github for similar packages or look at tor, zero tier one, etc. With or without something like nginx proxy manager.
It may take some experimentation but you could then write it up for the next guy.

bkahn · January 20, 2020, 3:55pm

Has anyone got DuckDNS running with a Fios G3100 Gigabit Router? I believe this is their newest router and for some reason I can’t get the Port Forwarding to work. I setup it up just like the previous router forwarding 443 to the Hasio 443 but it still seems to get blocked. Any thoughts?

Mutt · January 20, 2020, 4:48pm

Your issue is not duckdns related, it is more specifically hardware.
You should start a new thread relating to that device and the issue you are having.

Pavle · February 2, 2020, 9:41am

SteveM363:

Its the ‘NGINX Home Assistant SSL Proxy’ in the official addons. This has a simple config page and no Web UI. My configuration is:
{
  "domain": "xxx.duckdns.org",
  "certfile": "fullchain.pem",
  "keyfile": "privkey.pem",
  "hsts": "max-age=31536000; includeSubDomains",
  "customize": {
    "active": false,
    "default": "nginx_proxy_default*.conf",
    "servers": "nginx_proxy/*.conf"
  }
}
My DuckDNS config:
{
  "lets_encrypt": {
    "accept_terms": true,
    "certfile": "fullchain.pem",
    "keyfile": "privkey.pem"
  },
  "token": "private token",
  "domains": [
    "xxx.duckdns.org"
  ],
  "seconds": 300
}
Just those 2 addons handles the SSL just fine.

Edit to add: That was the video, the relevant parts are between 34 - 38 minutes.

Hi,

I’m very new to home assistant and been struggling to get my DuckDNS / NGINX config working until following this post quoted here. The issue I have now is the NGINX config advises that you don’t need the DuckDNS config for ssl_certificate and ssl_key.

If I comment these out, I can successfully access from remote location, but I can’t access locally. If I comment them in, I can successfully access locally, but not remotely.

Can anyone please give me some advice on what I am doing wrong? I’ve followed so many tutorials and youtube vids and it seems none of them are accurate for the latest Hass.io build 3.8

SteveM363 · February 4, 2020, 9:26am

I’ve moved on from hass.io (home assistant) to running home assistant core in docker so I can’t add anything to the above, sorry.

Pavle · February 4, 2020, 8:24pm

Thanks Steve, I’m still researching and trying to resolve. If anyone else can offer some assistance, it would be much appreciated.

I am unsure what config to share (and I am still a little unsure about what is safe to share without giving away detail that should be redacted) in a public forum.

Mutt · February 4, 2020, 9:07pm

Security :
Your duckdns address merely shows where you live on the Internet, they’d still have to break in. Still it’s best not to give them directions
The ip address is similar so substitute
Your DuckDNS token is your personal token for your instance, don’t share that

Looking at your post may I ask why you put nearly everything in a quote block ?

You want duckdns and nginx for local and remote access ?
May I ask what did not work when you followed my solution post (no 23) in this thread ?

Pavle · February 5, 2020, 8:37am

Hi Muttley,

Thanks for your explanation around the security. I will make sure to keep these things private.
Regarding the block quotes, I’m not sure quite what your question is. I was quoting another post to outline what has worked for me and what my issue is since following this configuration.

I have enabled two factor authentication but apart from accepting my token from the authentication application, there was no further instructions to follow - the only change is that it now has an option to disable. I’m validating the rest of your other post against my config now and will report back once complete. Previous attempt following it did not work. It wouldn’t allow me to save the config you’ve shared in my NGINX setup.

:EDIT:

If I use your NGINX config (with my address) I get this error:

not a valid value for dictionary value @ data['options']. Got 
{'domain': 'xxxxxx.duckdns.org', 
'certfile': 'fullchain.pem', 
'keyfile': 'privkey.pem', 
'hsts': 'max-age=31536000; includeSubDomains', 
'customize': {
'active': False, 
'default': 'nginx_proxy_default*.conf', 
'servers': 'nginx_proxy/*.conf'}}

The only difference I can identify is the default config has a line “cloudflare”: false,
This is not in your config

Mutt · February 5, 2020, 9:21am

The spacing, new lines, commas, bracket positions are all very sensitive in the config.
Copy mine exactly, then change the duckdns address to your own

So remove the cloud flare thing, get it going first then you know you are not contaminating, when up and running you can make small changes, to get it back in. If it stops working, you did something wrong.

When entering text there ia a Box to enter it, above that box (but below the blue bar) is a row of formatting options : quote, bold, italic … etc. The 10th one in is </>, this is the ‘preformatted text’ quote option you should be using to post configuration