Fail to enable remote Access with DuckDNS

Hi,
I am trying to establish remote access to my hass.io. I have been following the instruction from JuanMTech,
specifically this video and manual.

I am able to get the DuckDNS plugin running, the log shows no errors. I also have the port forwardings set in my router (Fritz Box).
My problem appears when I change my config from

http:
  # Secrets are defined in the file secrets.yaml
  api_password: !secret http_password
  # Uncomment this if you are using SSL/TLS, running in Docker container, etc.

to this

http:
  # Secrets are defined in the file secrets.yaml
  api_password: !secret http_password
  # Uncomment this if you are using SSL/TLS, running in Docker container, etc.
  base_url: XXX.duckdns.org:8123
  ssl_certificate: /ssl/fullchain.pem
  ssl_key: /ssl/privkey.pem

After I change my config, I am not able to access the web interface any more, neither via the IP, http://hassio.local:8123 nor the external https://XXX.duckdns.org/. I get the message from my telegram bot that hass.io has started, but cannot access the web interface.
I have not installed the Let’s Encrypt plugin, but since this is not part of the manual, I doubt that this is necessary.
Also I noticed that the port forwarding as described by JuanMTech differs from the video to the manual. I tried both without success.

Does anyone have an idea what I need to do?

Regards
Fabian

Good. It’s part of the duckdns addon.

Which fritz box do you have?

Some of them don’t support NAT loopback.

Try turning off wifi on your phone and accessing the duckdns address on the cellular network. Does that work?

Also try https://<HA ip address>:8123. You should get a security warning about an invalid certificate from your web browser (the certificate is for your duckdns address, not the local IP address); add an exception / ignore the warning.

2 Likes

When you are inside the network you need to be able to resolve your duckdns name to your local ip address. The configuration will no longer allow you to access HA via http; you must use https. See if your router supports local DNS or dnsmasq. Then you can match your local ip to the duckdns name. Otherwise you will get the SSL error @tom_l describes. If you have set up the port forwarding correctly, it should work OK outside your network.

Thanks for the quick feedback! I have the Fritz!Box 7490.
On the cell network I also cannot reach https://XXX.duckdns.org.

I actually can access https://<HA ip address>:8123 !!! as you said, I got a warning, but it worked!

So, now I guess, the only open thing is getting it to work externally. Maybe I did something wrong with the port forwarding. It looks a little bit odd (sorry for the German).

In this post it is said that the FritzBox uses Port 443 internally, could this create a problem?

Why are you involving 443 at all? Forward 8123 from external to your hass device. That’s all.

1 Like

Because it simplifies things. If you forward external 443 to internal 8123 you don’t need to specify a port in the URL. 443 is implied by https.

1 Like

Yeah I get that, but if 443 is in use for something else on the router, it ain’t gonna work.

Anyway, that pic in @hackmett’s post does not look like a port forwarding page. There is no destination port.

On some routers you need to both open the port AND forward it on separate pages. Are we sure that isn’t just the port open page?

What happens when you run nmap against the router from the internet?

1 Like

I was thinking the same thing.

1 Like

So I changed the default port of the router that was occupying 443 to 4443. But it did not help.

I agree that the table looks odd. Here is a picture of the editing page, that looks more familiar.

I am not familiar with https://nmap.org/. How do I use it?

Really hard to translate the German but looking at my own 7490 (and not wanting to change anything on it while I am at home and it is at the office!) I think you need to put 8123 in all those port numbers. Try that. Then, from outside your network, try to connect using https on port 8123

1 Like

Thanks. I am sorry about the German. Unfortunately the Fritzbox is from my internet provider and I cannot change the language settings.

I changed the settings

And tried to connect to https://XXX.duckdns.org:8123/

Sadly it still doesn’t work.

Ok two more things to check.

  1. What is your router’s public (WAN) ip address? Does this match the IP address you see when you visit the duckdns setup page? If not your ISP is using CGNAT and that’s a problem.

  2. If the duckdns reported address does match your router’s public address, ask your ISP’s technical support if they block any incoming ports.

1 Like

So far as I know the fritz doesn’t use 443 for anything internally. It does use 40443 for remote access. You also have some ipv6 ports open.

You should be able to forward port 443 to port 8123. Unless you need them and understand what they are for I would as a first step remove all ipv6 forwards.

Also maybe checkout my blog post

1 Like

  1. I know how to check the IP from duckdns, but I actually do not know how to get my Fritzbox WAN IP.
     I can say that it matches the IP shown to me on http://www.whatsmyip.org/ .

  2. ISP would be my internet provider? I will check with them.

How likely is it that my problem originates from the settings of my internet provider?

If I read the settings of my Fritz correctly, then it uses Port 443.

I would roughly translate that with:
Menu: “FRITZ!box services”

TCP port for HTTPS
The FRITZ! Box uses the following TCP port for HTTPS. If you want to use a different port, you can change it here.

TCP port for HTTPS 443 (in the range of 1 to 65535)

Should I change this to a different port?

I would. The default as I said is 40443 so you must have changed that at some point in the past.

Internet>Online Monitor from the Overview page will give you your IPv4 and IPv6 address right at the top.

Are you using the Fritzbox dynamic dns to update your DuckDNS? (You should be - the Duckdns site provides the exact link and instructions to do this.)

You should then be forwarding Port 443 external to 8123 internal although before I started using Caddy I had a devil of a time with this and I had port 8123 external to 8123 internal and that worked fine as well.

You will also need 80-80 so your Letsencrypt certificate would renew.

1 Like

Thanks for your answer. I changed it to 40443.
I guess normally the Fritz would show the WAN IP there, not for me.


It says that the Fritz “is using an DS-Lite-Tunnel, M-Net automatic”. M-Net is my internet provider.

I now configured the Fritz’s DynDNS as described on the duckDNS page. Also I set the three forwardings as you said.
443 -> 8123
8123 -> 8123
80 -> 80

Still it does not work. I am not sure if I set the forwarding correctly. I find the menu of the Fritz confusing:

What Fritz firmware are you running? 7.01 should be the latest.

IPv4-Adresse im internet - 192.168.178.41… that is a local LAN IP address, not an internet address…

How are you updating your duckdns address? Have you checked it by logging into duckdns?

Sorry for the late answer, I was on a business trip. I am running 7.01.
Yes, that is the IP of my RP. According to this manual, I thought that the forwarding has to be done for the RP.
If I would put in a WAN IP address I would have to change it manually every time my router gets a new one, correct?

Apparently my provider only gives out IPv6 IPs. In order to get an IPv4 IP you need to pay extra. So this could also be a reason why it is not working.

Ah huh!!!

So now that’s making sense.

As it happens I switched over to using IPv6 last week for home assistant and my duckdns does not even update the IPv4 address anymore (which means I need to use a VPN when I am on a mobile network as our mobile providers here don’t seem to support IPv6)

The easiest way in this case is to use a reverse proxy like Caddy. I also had a big thread last week when I was trying to get this working which you can look up for reference (search my username for my posts). Does your ISP give you a different IP address every time you connect or is it static? It doesn’t matter - just curious.

To set up Caddy, check out my blog post here. Caddy is super easy to set up and use. Otherwise you will need to make HA listen on IPv6.

With IPv6, you need to make some changes… add the HA device to port sharing and you enable ports 80 and 443 - they aren’t forwarded anymore. My blog post was for when I was using IPv4 but the only difference is I removed all port forwards and then just added 80 and 443 for IPv6.

2 Likes
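
An added example, not part of any post in the thread: the check suggested earlier (compare the router's WAN IPv4 with the address DuckDNS or whatsmyip sees), extended to also recognise the DS-Lite and IPv6-only case the thread ended on. The function name `classify_wan` and all sample addresses are constructed for illustration.

```python
import ipaddress

# Ranges that cannot be the target of an inbound IPv4 port forward.
RFC1918 = [ipaddress.ip_network(n) for n in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
CGNAT = ipaddress.ip_network("100.64.0.0/10")   # RFC 6598 shared address space
DSLITE = ipaddress.ip_network("192.0.0.0/29")   # RFC 6333 DS-Lite tunnel range


def classify_wan(router_wan, seen_public):
    """Compare the WAN IPv4 the router reports with the address an outside
    service (DuckDNS, whatsmyip) sees, and return (verdict, reason)."""
    if not router_wan:
        return ("no-ipv4", "router shows no WAN IPv4 (IPv6-only line or DS-Lite)")
    wan = ipaddress.ip_address(router_wan)
    if wan.version != 4:
        return ("no-ipv4", "router only reports an IPv6 WAN address")
    if wan in DSLITE:
        return ("ds-lite", "WAN IPv4 is the DS-Lite tunnel address; IPv4 is NATed by the ISP")
    if wan in CGNAT:
        return ("cgnat", "WAN IPv4 is in 100.64.0.0/10; the ISP NATs this line")
    if any(wan in net for net in RFC1918):
        return ("double-nat", "WAN IPv4 is private; another NAT device sits upstream")
    if wan != ipaddress.ip_address(seen_public):
        return ("cgnat", "WAN IPv4 differs from the address seen from outside")
    return ("ok", "WAN IPv4 is public and matches; check forwards or ISP port blocks")


if __name__ == "__main__":
    # Constructed samples (documentation addresses), not values from the thread.
    samples = [
        ("203.0.113.7", "203.0.113.7"),
        ("100.72.15.9", "198.51.100.20"),
        ("192.0.0.2", "198.51.100.20"),
        ("192.168.1.2", "198.51.100.20"),
        (None, "198.51.100.20"),
        ("203.0.113.7", "198.51.100.20"),
    ]
    for wan, seen in samples:
        verdict, reason = classify_wan(wan, seen)
        print(f"{wan!s:>15} vs {seen:<15} -> {verdict}: {reason}")
```

Any verdict other than `ok` means an IPv4 port forward on the router cannot be reached from the internet, whatever the forwarding table says.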