External access to HA over IPv6 through a DS-Lite tunnel with Fritz!Box, dynv6.net and Let's Encrypt (SSL/TLS)

If you have a DSL connection such as Vodafone DSL in Germany with a Fritz!Box and a DS-Lite tunnel, then according to the Let's Encrypt add-on manual you cannot use Let's Encrypt: your public IPv4 address is shared with other customers (carrier-grade NAT), so nobody on the internet can open a connection to you over IPv4 and the HTTP challenge can never reach you that way. The only way in is IPv6, and at first you might not even be able to reach HA via IPv6.

It took me several hours to figure this out.

First you need to find out the real interface ID of your HA box (the lower 64 bits of its IPv6 address, derived from its MAC address), as in my case the Fritz!Box showed a wrong interface ID for HA, leaving me unable to connect from outside.

In HA go to Settings | System | Network.

In the section "Configure network interfaces" click the 3 dots (…) and open the IP information.

Under IPv6 you will see the following:

IPv6

IP Address: 2a00:1e:bd81:f201:xxxx:xxxx:xxxx:xxxx/64, xxxx
Gateway: fe80:xxx
Method: auto
Name Servers: xxx

Keep everything after f201, i.e. the last four xxxx groups (64 bits). This is the interface identifier of HA. With SLAAC it is derived from the 48-bit MAC address in the modified EUI-64 form: ff:fe is inserted between the first three and the last three bytes of the MAC and one bit in the first byte is flipped, so it does not look exactly like the MAC address you are used to. If the middle of the ID is not ff:fe, HA is using a random or privacy interface ID instead; then use exactly the ID shown here and check that it is still the same after a reboot, otherwise the port forwarding and the DNS record set up below silently stop pointing at HA.

Now go to your Fritz!Box (or other router): Internet, Forwarding (Freigaben), Port Forwarding (Portfreigaben), and add a new device or edit your existing HA entry.

First check whether the interface ID the Fritz!Box shows for the device is the same one HA shows. In my case it was not, so I changed it to the interface ID from HA.

I used three forwardings: port 80 for the Let's Encrypt add-on (the HTTP-01 challenge), 443 for the NGINX Home Assistant SSL proxy add-on, and 8123 for testing plain HTTP without TLS. Remove the 8123 forwarding once HTTPS works, otherwise your login page stays reachable from the internet unencrypted and bypasses the proxy. Note that using port 80 on the inside might not be the best idea; you may want to map to a different inside port like 8001 (the outside port has to stay 80, because the HTTP challenge always connects to port 80).

Create the forwardings as "other application" with protocol TCP and give them names.

For DynDNS you need to create a free account at dynv6.net.
Create a new domain. dynv6 tells you what to enter in your Fritz!Box. Now go to your Fritz!Box (or other router): Internet, DynDNS, enter that information and type "none" as the password. After saving, your dynv6 account should show the update of your IPv6 prefix, for example:

IPv6 Prefix: 2a00:1e:bd81:f201::
Last update: just now

Now go to Records and create a new subdomain for HA: choose type AAAA, for Name use something like homeassistant, and for Data enter just the interface ID of HA (the four groups after the prefix); the website combines it with your current prefix, so the record keeps following prefix changes that the Fritz!Box reports. Save.
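The check that the interface ID in the Fritz!Box forwarding entry, the address HA shows and the data of the dynv6 AAAA record all agree is easy to get wrong by hand because of the EUI-64 transformation. The following is an added example, not code from the original post or from Home Assistant/dynv6: it derives the expected SLAAC address from a MAC and the prefix, recovers the MAC from an address HA shows (or reports that the ID is not EUI-64 at all, i.e. a random/privacy identifier that must be treated with care), and compares interface IDs regardless of whether they are given as a full address or as the ::xxxx:xxxx:xxxx:xxxx suffix. The MAC and the random address are constructed sample values; the prefix is the one from the post; the assumption that dynv6 accepts the suffix form as record data is taken from the text above.

```python
"""Interface-ID helpers for the IPv6 port-forwarding check (added example).

Assumes HA uses SLAAC with a modified EUI-64 interface ID derived from its
MAC, which is the case the post describes. Sample MAC and random address
below are constructed; the prefix is the one from the post.
"""
import ipaddress

IID_MASK = (1 << 64) - 1


def interface_id(addr: str) -> int:
    """Low 64 bits of an IPv6 address. Accepts a full address or the
    '::xxxx:xxxx:xxxx:xxxx' suffix form the Fritz!Box and dynv6 UIs use."""
    return int(ipaddress.IPv6Address(addr)) & IID_MASK


def eui64_interface_id(mac: str) -> int:
    """Modified EUI-64 identifier (RFC 4291) for a 48-bit MAC: insert ff:fe
    between the OUI and the device part and flip the universal/local bit."""
    raw = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(raw) != 6:
        raise ValueError("expected a 48-bit MAC address")
    eui = bytes([raw[0] ^ 0x02]) + raw[1:3] + b"\xff\xfe" + raw[3:]
    return int.from_bytes(eui, "big")


def slaac_address(prefix: str, mac: str) -> str:
    """Global address the HA box should get from the router's /64 prefix."""
    net = ipaddress.IPv6Network(prefix, strict=False)
    if net.prefixlen != 64:
        raise ValueError("SLAAC needs a /64 prefix")
    return str(ipaddress.IPv6Address(int(net.network_address) | eui64_interface_id(mac)))


def mac_from_address(addr: str):
    """Recover the MAC from an EUI-64 address, or None if the interface ID is
    not EUI-64 (e.g. a random/privacy identifier). A None here means the ID
    shown by HA is not tied to the MAC and may change, which would silently
    break both the port forwarding and the AAAA record."""
    iid = interface_id(addr).to_bytes(8, "big")
    if iid[3:5] != b"\xff\xfe":
        return None
    raw = bytes([iid[0] ^ 0x02]) + iid[1:3] + iid[5:]
    return ":".join(f"{b:02x}" for b in raw)


def dynv6_record_data(addr: str) -> str:
    """Suffix form of the interface ID, e.g. '::21a:2bff:fe3c:4d5e'; the post
    says dynv6 fills in the prefix itself when the AAAA data is given this way."""
    return str(ipaddress.IPv6Address(interface_id(addr)))


def same_interface_id(a: str, b: str) -> bool:
    """True if two addresses (or suffixes) name the same host in the /64,
    i.e. the forwarding entry on the router matches what HA reports."""
    return interface_id(a) == interface_id(b)


if __name__ == "__main__":
    prefix = "2a00:1e:bd81:f201::/64"   # prefix from the post
    mac = "00:1a:2b:3c:4d:5e"           # constructed sample MAC
    ha_addr = slaac_address(prefix, mac)
    print("expected HA address:    ", ha_addr)
    print("router/dynv6 entry:     ", dynv6_record_data(ha_addr))
    print("MAC recovered from it:  ", mac_from_address(ha_addr))
    # A random/privacy address (constructed) is not a stable forwarding target.
    print("random IID -> MAC:      ", mac_from_address("2a00:1e:bd81:f201:5c3a:9f01:8b2d:7e44"))
    print("router entry matches HA:", same_interface_id(ha_addr, "::21a:2bff:fe3c:4d5e"))
```

Run it with the MAC of your own box and the prefix from the dynv6 page; if mac_from_address returns None for the address HA shows, do not type the MAC into the Fritz!Box, copy the interface ID HA displays instead.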

Now in HA go to Add-ons and find Let's Encrypt. Open Configuration, enter your new IPv6 DynDNS name like homeassistant.yourdomain.dynv6.net, enter an e-mail address for the Let's Encrypt account (used for expiry notices), set the challenge to http, and if you left the port at 80 do not change the network settings. The outside port must always be 80, because that is where the HTTP challenge connects; inside it can be something else like 8001.

Start the add-on and check the log for:
Successfully received certificate.

Now start the NGINX Home Assistant SSL proxy add-on; in its configuration also set the domain to homeassistant.yourdomain.dynv6.net. If you did not change the certificate file names, just save and start the add-on.

Add the following to your configuration.yaml (the indentation matters):

http:
  # the NGINX add-on sits in front of HA, so the real client IP arrives in X-Forwarded-For
  use_x_forwarded_for: true
  # only trust that header from the add-on network, never from arbitrary clients
  trusted_proxies:
    - 172.30.33.0/24
  # ban an IP after repeated failed logins
  ip_ban_enabled: true
  login_attempts_threshold: 5

Restart HA and you are good to go.

For certificate renewal, set up an automation in HA that restarts the Let's Encrypt add-on, for example every night; on each start the add-on checks whether the certificate needs to be renewed (Let's Encrypt certificates are valid for 90 days) and renews it if so. Keep the port 80 forwarding in place, because renewal uses the same HTTP challenge.

You will now reach HA at https://homeassistant.yourdomain.dynv6.net/