External access for Hassio behind CG-NAT?

Hi all,

I’ve got Hassio running on a Rpi3 that sits behind an air band router which means I don’t have an externally available IP address on my router (have confirmed that the wan address on my router is 10.1.x.x and whatsmyip shows 212.3.x.x which I’m fairly sure means I’m behind a CG-NAT).

So if I am genuinely behind a CG-NAT and can’t do port forwarding, is there a way I can get external access to my Hassio and also allow Google assistant integration?

I’ve spent most of the day searching the internet and as far as I can tell there isn’t a way to get external access and Google assistant integration without spending money perpetually on Hassio cloud (I don’t mind donating and supporting this platform, but I don’t agree with the subscription model). I’ve found very piecemeal answers online that seem to lead to dead ends but nothing concrete.

I have my own website hosted and a pro Windscribe VPN account in case that helps in the solution.

Looking forward to someone helping me solve this problem that seems to be getting more common for users given IPv4 running out of addresses.
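The check described in the opening post (router WAN address compared with the address an outside service reports), written out as an added example that is not part of the original thread. The function names and sample addresses are constructed for illustration; it also covers the 100.64.0.0/10 range reserved for CG-NAT, which the post does not mention.

```python
import ipaddress

# Address ranges that are never reachable from the internet by themselves.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
RFC6598 = ipaddress.ip_network("100.64.0.0/10")  # shared space reserved for CG-NAT


def classify(addr):
    """Label an IPv4 address by the range it falls in."""
    ip = ipaddress.ip_address(addr)
    if ip in RFC6598:
        return "cgnat-shared"
    if any(ip in net for net in RFC1918):
        return "rfc1918"
    return "routable"


def diagnose(router_wan, seen_externally):
    """Compare the router's WAN address with what an outside service sees.

    direct       - router holds the public address; port forwarding can work
    cgnat        - WAN is in 100.64.0.0/10; the ISP translates upstream
    upstream-nat - WAN is RFC 1918; an ISP NAT or a second router sits upstream
    mismatch     - WAN is routable but differs (e.g. the lookup went via a VPN)
    """
    if ipaddress.ip_address(router_wan) == ipaddress.ip_address(seen_externally):
        return "direct"
    kind = classify(router_wan)
    if kind == "cgnat-shared":
        return "cgnat"
    if kind == "rfc1918":
        return "upstream-nat"
    return "mismatch"


if __name__ == "__main__":
    # Constructed sample pairs: (router WAN address, address seen externally).
    for wan, ext in [("10.20.30.40", "198.51.100.7"),
                     ("100.64.1.1", "198.51.100.7"),
                     ("198.51.100.7", "198.51.100.7")]:
        print(wan, ext, diagnose(wan, ext))
```

In the "cgnat" and "upstream-nat" cases a port forward configured on the home router never receives inbound traffic, because the public address belongs to a device the user does not control.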

Tor is the answer I believe.

I’ve read a few times that Tor won’t work for integrations like Google assistant. Do you have a source that it’ll work?

A reverse proxy with something like nginx?

You have to be able to forward the port to get to nginx.

Most RSPs/ISPs doing CG-NAT support IPv6 - if yours does, that is the solution. My duckdns domain is set up to only support an IPv6 address and it works perfectly for HA (I also use a reverse proxy - Caddy - but that isn’t necessary).

My RSP gives me a /128 WAN address and allocates an /56 prefix for my own use with IPv6. Pretty standard I believe… (Mobile providers probably don’t do this)

I’ll be back home later today and I’ll have a play and an investigate. Can you provide any more information and or clues that will help my investigating?

You’re the first instance I’ve found that says Hassio will work with IPv6 (have found multiple posts saying it won’t). Can you provide some info that might help me set it up? I know a little bit about networks but I’ve never touched IPv6 before.

There’s a thread here somewhere I posted about using it.

I am using Caddy as a reverse proxy. I did a writeup here about how to set up Caddy.

I have port 80 (only for LetsEncrypt certificate generation) and port 443 opened up for my NUC running Home Assistant. Remember IPv6 does not use port forwarding. I also run a script on the NUC to set the IPv6 address of the NUC on my duckdns. It has no IPv4 address configured at all and is not accessible over IPv4 (although it could be if I updated the v4 address and forwarded the port). It’s a minor inconvenience as my mobile provider does not support IPv6 but my iPad 4G does use IPv6.

Anyway, everything works perfectly over IPv6 - I was shocked I didn’t have to really DO anything to make it work.
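A sketch of the kind of updater script mentioned in the post above, as an added example that is not the poster's own script. The interface name, addresses, domain and token are constructed; the `domains`, `token` and `ipv6` query parameters are the ones DuckDNS's update endpoint accepts. It publishes only a stable global address, since temporary privacy addresses rotate and unique-local ones are not reachable from outside.

```python
import ipaddress
from urllib.parse import urlencode

GLOBAL_UNICAST = ipaddress.ip_network("2000::/3")
SKIP_FLAGS = {"temporary", "deprecated", "tentative", "dadfailed"}

# Constructed sample of `ip -6 -o addr show` output (2001:db8::/32 is the
# documentation prefix; interface name and addresses are made up).
SAMPLE = r"""
1: lo    inet6 ::1/128 scope host \       valid_lft forever preferred_lft forever
2: eno1    inet6 2001:db8:12:5600:5c1f:9e2a:77b0:1c3d/64 scope global temporary dynamic \       valid_lft 600sec preferred_lft 300sec
2: eno1    inet6 fd12:3456:789a:1::10/64 scope global \       valid_lft forever preferred_lft forever
2: eno1    inet6 2001:db8:12:5600:aaaa:bbff:fecc:dd01/64 scope global dynamic mngtmpaddr \       valid_lft 600sec preferred_lft 300sec
2: eno1    inet6 fe80::aaaa:bbff:fecc:dd01/64 scope link \       valid_lft forever preferred_lft forever
"""


def stable_global_address(ip_output):
    """Return the first non-temporary global-unicast IPv6 address, or None."""
    for line in ip_output.splitlines():
        fields = line.split()
        if "inet6" not in fields or "scope" not in fields:
            continue
        cidr = fields[fields.index("inet6") + 1]
        addr = ipaddress.ip_address(cidr.split("/")[0])
        scope_at = fields.index("scope")
        scope, flags = fields[scope_at + 1], set(fields[scope_at + 2:])
        if scope != "global" or flags & SKIP_FLAGS:
            continue  # link-local, loopback, or a rotating privacy address
        if addr in GLOBAL_UNICAST:  # drops unique-local fd00::/8 addresses
            return str(addr)
    return None


def duckdns_update_url(domain, token, ipv6):
    """Build the DuckDNS update request. The token is a secret: keep the
    URL out of logs and shell history."""
    query = urlencode({"domains": domain, "token": token, "ipv6": ipv6})
    return "https://www.duckdns.org/update?" + query


if __name__ == "__main__":
    addr = stable_global_address(SAMPLE)
    print("would publish", addr, "via a GET to the DuckDNS update endpoint")
```

Because the published address is reachable directly with no NAT in front of it, the host firewall should allow inbound traffic only on the ports the post names (80 and 443).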

My ISP doesn’t seem to do any IPv6 according to https://test-ipv6.com

It comes back as negative on all tests. What do I do now?

How do they handle it if someone wants to run a server then? Do you have an option to pay for a real routable IP for either v4 or v6? Can you look at using a different ISP?

It’s a residential address so I guess they don’t care about someone running a server, and I’m renting and have no choice over the ISP.

I’ll get the landlord to ask about an external IP address, but I don’t think it’s going to happen.

Surely there’s a way to have Home Assistant be externally accessible without port forwarding or an external IP address. Every piece of consumer smart tech on sale now doesn’t require that.

Which ISP is it?

BT initially and then subbed out to an air band provider.

OK, so which provider? Is it 4G or something like that? (I want to look at their plans on their website.)

I don’t know and neither does the landlord, they just pay their money to BT.

Check this out… ngrok - never heard of it but seems like it works. Link: "Set up a web server behind a Carrier Grade NAT" (Super User, networking)

No but they ALL establish a connection to a ‘cloud’ server somewhere, usually in China to enable that external access and they can spy on you etc.

Yeah, I’m aware of the potential spying or remote shut down potential and also the need for a remote server link that is kept open from inside your network and out. I’m just amazed that it seems like if you don’t have port forwarding or IPv6 then you can’t have external access for Home Assistant, especially given how hackable it is.

I’ve got my own website and flexible hosting (currently running a private Nextcloud cloud server as well as my website for example). Surely there’s something I can host there?


You could always set up a VPN server on your hosting and have your HA login to that and then you could also VPN in as well…

None of this is down to an issue with Home Assistant.

By hackable I meant easy to modify, should have used a better term.

If I set up my own VPN on my hosting, would Google assistant still be able to communicate down that tunnel to my Home Assistant?