External access to HA via IPv6

rryk · February 13, 2024, 11:03pm

Hi,

I am trying to setup integration with Google Home without paying for the cloud and for that I firstly need to make my Home Assistant externally available with a certificate. I use Fritz!Box 1490 router and do not have an external IPv4 address (using DS Lite tunnel), hence my only option is to use IPv6. HA runs in a VirtualBox VM on a Windows device with bridged adapter.

I have installed DuckDNS add-on and configured it like so:

domains:
  - <redacted>.duckdns.org
token: <redacted>
aliases:
  - domain: <redacted-private-domain>
    alias: <redacted>.duckdns.org
lets_encrypt:
  accept_terms: true
  algo: secp384r1
  certfile: fullchain.pem
  keyfile: privkey.pem
seconds: 300
ipv6:<redacted-ipv6-address>
ipv4: none

I have also added the following lines to configuration.yaml:

http:
  ssl_certificate: /ssl/fullchain.pem
  ssl_key: /ssl/privkey.pem
  server_host: ::0

Finally, I have enabled port sharing for Home Assistant in FritzBox settings:

Unfortunately, I can’t access HA interfaсу externally. I have tried to debug the issue:

for some reason DuckDNS add-on detectes my IPv6 incorrectly (it doesn’t match with what FritzBox shows, but matches what “network info” reports), so I hard-coded correct IP into the config
nslookup on my private domain returns the configured IP address, so DNS setup is correct (including CNAME for private domain and cert challenges)
curl -v http://:8123 fails with “Couldn’t connect to the server”
traceroute returns !H (unreachable)
locally https://homeassistant.local:8123/ works, although I have to convince Chrome to ignore invalid certificate, which is issued for Duck DNS and my private domain

So, it seems like HA has correctly fetched certificates and is working as expected. The issue is connection from outside of my network. I have tried debugging this a bit more with Wireshark and concluded that using the IPv6 address from FritzBox is better because I get at least the “Neighbor Solicitation” packets captured by Wireshark on Windows machine. If I use IPv6 address from HA VM, I don’t see anything. However, due to the mismatch HA VM ignores those solicitation requests and never replies.

I suspect the reason for different IP address is because I have a bridged adapter. Is there any way to convince HA that it should use a different IP address? I have tried using “network update enp0s3 --ipv6-address ”, but it seems to have no effect.

rryk · February 13, 2024, 11:14pm

Found a solution: I needed to force-set the IP via UI in Settings → System → Network → IPv6. Choose Static here and enter correct IPv6 address from FritzBox. After this I was able to access my HA from a device outside of my home network.

Now I only wonder why did HA pick up wrong address. Eventually, my IPv6 prefix will change and I will need to modify Duck DNS and Network config. If only there was some automation system that could do that for me…

rryk · February 13, 2024, 11:26pm

Funny, now I could remove IPv6 address from the DuckDNS config. Once I coded correct IP address into network config, DuckDNS also detected it and correctly configured Duck DNS AAAA entry. So the only manual part remaining is to update network settings whenever IPv6 prefix changes.

WallyR · February 14, 2024, 1:35am

IPv6 is not just IPv4 with a bigger address space.
It is completely different than IPv4.
You can have and probably have multiple IP addresses per adapter. You can even have multiple IP addresses in the same subnet.
On top of that subnets can (and you will have them) have the same prefix, but be different networks, like each interface will have a fe80 address, even though they are connected to different networks.

koying · February 14, 2024, 8:57am

Set an ipv6 detect url rather than a static address to have your external ipv6 detected.