External access for Hassio behind CG-NAT?

Possibly. Perhaps look at Home Assistant cloud for USD$5/month

I think you need to talk to BT though… I’m amazed there is no IPv6 if there is CG-NAT or if there is not a way to get a real routable IPv4 address - here I can do that for $10/month… I mean all sorts of gaming stuff breaks behind CG-NAT - they must have some kind of gamer solution. It’s also not unusual for a home user to want to set up a VPN server to access files etc at home. I just don’t believe your ISP does not cater for those kinds of users… I guess it’s possible but I really doubt it.

ISP has got back to my landlord and has confirmed that there is no possibility of port forwarding or an externally addressable IP address of any type for at least another 12 months due to the current infrastructure in place.

Which means other options. Back to the drawing board I guess.

Okay, so my vpn provider (windscribe) now offers port forwarding and a static IP for $2 per month. If I understand it correctly, this means if I tell my hassio instance to connect to my VPN account, then it should make a tunnel through the CG-NAT to the outside world and be externally accessible. I’m trying to find out how to do this but all guides to do with vpn and port forwarding talk about vpning into hassio and not the other way around. Any ideas on how I can achieve this?

Hi, I built webhookrelay add-on for this use case - remote access to Home Assistant when you can’t configure routers or have a public IP. It works by creating a secure tunnel to the public cloud servers. TLS is terminated at the add-on or your HA itself (depends on config) so the servers only see encrypted traffic.
Service costs $4.5/m for 3 tunnels (HA, Node-RED, anything else) but I am giving out free trials if you are interested, just send me a pm or [email protected].

Here’s a video by someone: https://www.youtube.com/watch?v=WSVX-LRP1ZI

As Hassio cloud is $5 pm I’d probably just go for that option if I was okay with using a cloud service. But as I’m not I’ll pass on both, but thanks anyway.

Oh and after hours and hours of searching I can’t find a single example of Hassio using a VPN client to talk to the outside world. If anyone can provide any help it’ll be much appreciated.

I’m interested in VPN too, can’t find an example, but I think one port must be opened to use VPN. Hope someone can help (I’m using hassio).

I do this using a VPS running NGINX and ZeroTier.

I’m not even remotely an expert, but I believe if you could set your hassio instance to only connect to the outside world through a VPN (hassio is a client), then if your vpn provider allows port forwarding (windscribe does), then it will work. I just can’t find any example of hassio being able to use a VPN client.

Can you point me in the direction of some information about how to set it up? Been searching but can’t find anything.


  1. Create a VPS in DigitalOcean (or anywhere else you want).

  2. Create an account at ZeroTier and create a new network. https://www.zerotier.com/

  3. Install their software in your VPS (there are instructions in the download page) https://www.zerotier.com/download.shtml

  4. Join your VPS to the newly created network at zerotier.

  5. Install this Hassio addon: https://github.com/TomCzHen/hassio-addons-repository

  6. Configure it with your network info.

At this point your VPS should be able to ping your Rpi. (You can see the assigned IP in the zerotier admin page).

If that’s the case:

  1. Install NGINX
  2. Configure it as reverse proxy.

The config looks more or less like this:

server {
    server_name yourdomain.com;
    listen 80;
    # "listen 443 ssl" also needs ssl_certificate and ssl_certificate_key
    # directives (not shown in the post) before nginx will start.
    listen 443 ssl;

    location / {
        # Forward everything to Home Assistant over the ZeroTier network
        proxy_pass http://YOURZEROTIERIPADDRESS:8123;
        proxy_buffers 32 4m;
        proxy_busy_buffers_size 25m;
        proxy_buffer_size 512k;
        proxy_ignore_headers "Cache-Control" "Expires";
        proxy_max_temp_file_size 0;
        client_max_body_size 1024m;
        client_body_buffer_size 4m;
        proxy_connect_timeout 300;
        proxy_read_timeout 300;
        proxy_send_timeout 300;
        proxy_intercept_errors off;

        # WebSocket support
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
    }
}

Now accessing the IP address of your VPS (not the IP granted by zerotier) you should reach your hassio installation.
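
A hardened variant of the reverse-proxy config in the post above, as an added example that is not part of the original post: plain HTTP only redirects to HTTPS, TLS is terminated on the VPS, and the real client address is forwarded to Home Assistant. The certificate paths are placeholders and an assumption of this example; `yourdomain.com` and `YOURZEROTIERIPADDRESS` are the post's own placeholders.

```nginx
# Added example. Include this file from the http {} context
# (e.g. conf.d/ or sites-enabled/), because "map" is only valid there.

# Only send "Connection: upgrade" when the client asked for a WebSocket.
map $http_upgrade $connection_upgrade {
    default upgrade;
    ''      close;
}

# Port 80 never proxies to Home Assistant; it only redirects to HTTPS,
# so logins and tokens are not sent over the internet in clear text.
server {
    listen 80;
    server_name yourdomain.com;
    return 301 https://$host$request_uri;
}

server {
    listen 443 ssl;
    server_name yourdomain.com;

    # Placeholder paths: point these at the certificate for yourdomain.com.
    ssl_certificate     /PATH/TO/fullchain.pem;
    ssl_certificate_key /PATH/TO/privkey.pem;
    ssl_protocols       TLSv1.2 TLSv1.3;

    location / {
        # The upstream hop is plain HTTP, but it travels inside the
        # ZeroTier network between the VPS and the Pi.
        proxy_pass http://YOURZEROTIERIPADDRESS:8123;

        # Pass the original host and client address so Home Assistant's
        # logs and login-failure handling see the real source, not the VPS.
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;

        # WebSocket support
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection $connection_upgrade;
    }
}
```

Home Assistant only honours `X-Forwarded-For` when its `http:` configuration sets `use_x_forwarded_for: true` and lists the proxy's address (here the VPS's ZeroTier IP) under `trusted_proxies`; newer releases reject proxied requests otherwise.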


What is the “auth_token” that you have to enter?
The addon description says “auth_token IS NOT Zerotier Central API Access Tokens”.
Trying to save the config with just the “network_id” gives the error:

not a valid value for dictionary value @ data['options']. Got {'network_id': 'idhere', 'port': '9993', 'auth_token': '', 'log_level': 'info'}

What’s the difference between the NabuCasa and using Digital Ocean?
The price is the same, no?


I have the option to use a mikrotik router with real IPv4. Can I use it somehow?

It’s been a while since I logged in. Yes, the price is the same, but the flexibility isn’t. I can do quite a bit more with a single $5 droplet. In any case NabuCasa is a great solution, I just happen to already rent a VPS.

Oh my god, I found myself behind CGnat and had no idea how to make it work.
Thanks to you, I’ve done it faster than my tries with port forwarding and all duckdns stuff.

Sorry for necro post!

No problem! Thanks for letting me know. Glad I could help.