HA + ZeroTier + Nginx Proxy Manager

Hello everyone.

I have successfully installed Home Assistant at a location (farm) that is behind CGNAT. At my apartment, I have a machine running a WireGuard server, Nginx Proxy Manager and other apps. In order to get around CGNAT at the farm, the machine running HA is a WireGuard client that successfully connects to the WireGuard server at my apartment. In order to get access to the Home Assistant app, I’ve set up a proxy host HA.mydomain.com in Nginx that points to the virtual IP (10.6.0.2) assigned by WireGuard to the client. Whenever I try to reach the Home Assistant app from my phone outside my networks with HA.mydomain.com, I get a 400 Bad Request error. What could I be doing wrong? Please find config data below:

Static public IP - Apartment: 1.2.3.4
LAN IP - Apartment server: 192.168.100.198
Home Assistant domain: HA.mydomain.com Points to 1.2.3.4

Home Assistant Client virtual IP: 10.6.0.2

Wireguard client conf:

[Interface]
PrivateKey = xyz
Address = 10.6.0.2/24
#DNS = 8.8.8.8, 8.8.4.4

[Peer]
PublicKey = xyz
PresharedKey = xyz
Endpoint = 186.31.4.106:51821
# Full tunnel: every packet leaving the HA host, not only 10.6.0.0/24 traffic, is routed through the apartment
AllowedIPs = 0.0.0.0/0, ::0/0
# Keeps the NAT mapping alive so the apartment server can still reach the client behind CGNAT
PersistentKeepalive = 25

Wireguard server conf:

[Interface]
PrivateKey = xyz
Address = 10.6.0.1/24
MTU = 1420
ListenPort = 51821

[Peer]
PublicKey = xyz
PresharedKey = xyz
# Only the HA host's tunnel address is accepted from (and routed to) this peer
AllowedIPs = 10.6.0.2/32

Nginx proxy host:

Facts:

  • Server 192.168.100.198 can ping WireGuard client 10.6.0.2
  • WireGuard client 10.6.0.2 can ping server 192.168.100.198
  • WireGuard client 10.6.0.2 can ping other machines in the apartment LAN (e.g. 192.168.100.197)
  • Other machines in the apartment LAN (e.g. 192.168.100.197) can’t ping WireGuard client 10.6.0.2

Thanks!


Would individually adding peers to your configuration help here?

For example, the documentation in the add-on uses two peers:

peers:
  - name: frenck
    addresses:
      - 10.10.10.2
    allowed_ips: []
    client_allowed_ips: []
  - name: ninja
    public_key: QNLXV8lrsPnKOd011DO8g5DWyad6iHJDSVOD6yOqjiE=
    addresses:
      - 10.10.10.3
    allowed_ips: []
    client_allowed_ips:
      - 10.10.10.0/24
      - 192.168.1.0/24

Did you whitelist your nginx proxy machine in HA?
If that’s the issue, you should have errors in the HA log…

@h-parks, @koying

I dropped the Wireguard approach and opted for Zerotier:

Apartment server:

  • LAN IP: 192.168.100.198
  • Zerotier IP: 10.147.17.5
    Can ping remote Home Assistant machine behind CGNAT at 10.147.17.175

Home Assistant remote machine behind CGNAT:

  • Zerotier IP: 10.147.17.175
    Can ping apartment server running Nginx proxy manager at 10.147.17.5

I’ve whitelisted the nginx proxy machine in configuration.yaml as follows:

http:
  use_x_forwarded_for: true
  trusted_proxies:
    - 10.147.17.5      # Add the IP address of the proxy server

Nginx proxy host:

But I get a 502 Bad Gateway error whenever I try to reach HA at ha.mydomain.com

Do you see anything wrong in my configs?

Right so - is Nginx Proxy Manager installed baremetal or in a docker container?
If it is a docker container, can you drop in to the container and verify if you can actually ping Home Assistant from INSIDE the docker container?

Nginx proxy manager is in a docker container and I confirm that the container can ping Home Assistant at 10.147.17.175:


OK so the next thing to look at is what the logs for Nginx Proxy Manager are saying, and then the logs of Home Assistant. One of them will be indicating an error. 502 usually indicates that the proxy server was able to send the request to the remote server, but the remote server returned an error. So I’d expect to find a log in BOTH places.

@mobile.andrew.jones
I rebooted the Home Assistant machine and the Nginx docker container and tried to reach HA.mydomain.com afterwards and captured logs

Nginx error logs (no access logs present):

2021/12/25 01:21:23 [notice] 339#339: signal process started
2021/12/25 01:23:37 [notice] 348#348: signal process started
2021/12/25 01:23:48 [notice] 357#357: signal process started

Nginx container logs:

s6-svscanctl: fatal: unable to control /var/run/s6/services: supervisor not listening
[cont-finish.d] executing container finish scripts...
[cont-finish.d] done.
[s6-finish] waiting for services.
[s6-finish] sending all processes the TERM signal.
[s6-finish] sending all processes the KILL signal and exiting.
[s6-init] making user provided files available at /var/run/s6/etc...exited 0.
[s6-init] ensuring user provided files have correct perms...exited 0.
[fix-attrs.d] applying ownership & permissions fixes...
[fix-attrs.d] done.
[cont-init.d] executing container initialization scripts...
[cont-init.d] 01_perms.sh: executing... 
Changing ownership of /data/logs to 0:0
[cont-init.d] 01_perms.sh: exited 0.
[cont-init.d] 01_s6-secret-init.sh: executing... 
[cont-init.d] 01_s6-secret-init.sh: exited 0.
[cont-init.d] done.
[services.d] starting services
[services.d] done.
❯ Enabling IPV6 in hosts: /etc/nginx/conf.d
  ❯ /etc/nginx/conf.d/default.conf
  ❯ /etc/nginx/conf.d/include/ip_ranges.conf
  ❯ /etc/nginx/conf.d/include/proxy.conf
  ❯ /etc/nginx/conf.d/include/assets.conf
  ❯ /etc/nginx/conf.d/include/letsencrypt-acme-challenge.conf
  ❯ /etc/nginx/conf.d/include/ssl-ciphers.conf
  ❯ /etc/nginx/conf.d/include/block-exploits.conf
  ❯ /etc/nginx/conf.d/include/force-ssl.conf
  ❯ /etc/nginx/conf.d/include/resolvers.conf
  ❯ /etc/nginx/conf.d/production.conf
❯ Enabling IPV6 in hosts: /data/nginx
  ❯ /data/nginx/proxy_host/4.conf
  ❯ /data/nginx/proxy_host/1.conf
  ❯ /data/nginx/proxy_host/2.conf
[12/25/2021] [1:12:52 AM] [Global   ] › ℹ  info      No valid environment variables for database provided, using default SQLite file '/data/database.sqlite'
[12/25/2021] [1:12:58 AM] [Migrate  ] › ℹ  info      Current database version: none
[12/25/2021] [1:12:58 AM] [Setup    ] › ℹ  info      Logrotate Timer initialized
[12/25/2021] [1:12:58 AM] [Setup    ] › ℹ  info      Logrotate completed.
[12/25/2021] [1:12:58 AM] [IP Ranges] › ℹ  info      Fetching IP Ranges from online services...
[12/25/2021] [1:12:58 AM] [IP Ranges] › ℹ  info      Fetching https://ip-ranges.amazonaws.com/ip-ranges.json
[12/25/2021] [1:12:59 AM] [IP Ranges] › ℹ  info      Fetching https://www.cloudflare.com/ips-v4
[12/25/2021] [1:12:59 AM] [IP Ranges] › ℹ  info      Fetching https://www.cloudflare.com/ips-v6
[12/25/2021] [1:12:59 AM] [SSL      ] › ℹ  info      Let's Encrypt Renewal Timer initialized
[12/25/2021] [1:12:59 AM] [SSL      ] › ℹ  info      Renewing SSL certs close to expiry...
[12/25/2021] [1:12:59 AM] [IP Ranges] › ℹ  info      IP Ranges Renewal Timer initialized
[12/25/2021] [1:12:59 AM] [Global   ] › ℹ  info      Backend PID 249 listening on port 3000 ...
[12/25/2021] [1:13:03 AM] [Nginx    ] › ℹ  info      Reloading Nginx
[12/25/2021] [1:13:04 AM] [SSL      ] › ℹ  info      Renew Complete

Home Assistant logs:

2021-12-24 20:05:31 WARNING (Recorder) [homeassistant.components.recorder.util] The system could not validate that the sqlite3 database at //mnt/dietpi_userdata/homeassistant/home-assistant_v2.db was shutdown cleanly
2021-12-24 20:05:34 WARNING (Recorder) [homeassistant.components.recorder.util] Ended unfinished session (id=8 from 2021-12-25 01:02:24.765180)
2021-12-24 20:06:02 WARNING (MainThread) [homeassistant.setup] Setup of person is taking over 10 seconds.
2021-12-24 20:06:15 WARNING (MainThread) [homeassistant.setup] Setup of timer is taking over 10 seconds.
2021-12-24 20:06:15 WARNING (MainThread) [homeassistant.setup] Setup of input_text is taking over 10 seconds.
2021-12-24 20:06:17 WARNING (MainThread) [homeassistant.setup] Setup of media_source is taking over 10 seconds.
2021-12-24 20:06:17 WARNING (MainThread) [homeassistant.setup] Setup of system_health is taking over 10 seconds.
2021-12-24 20:06:17 WARNING (MainThread) [homeassistant.components.scene] Setup of scene platform homeassistant is taking over 10 seconds.
2021-12-24 20:06:17 WARNING (MainThread) [homeassistant.setup] Setup of input_datetime is taking over 10 seconds.
2021-12-24 20:06:18 WARNING (MainThread) [homeassistant.setup] Setup of input_boolean is taking over 10 seconds.
2021-12-24 20:06:18 WARNING (MainThread) [homeassistant.setup] Setup of input_number is taking over 10 seconds.
2021-12-24 20:06:29 WARNING (MainThread) [homeassistant.setup] Setup of zone is taking over 10 seconds.
2021-12-24 20:07:02 WARNING (MainThread) [homeassistant.components.cover] Updating rpi_gpio cover took longer than the scheduled update interval 0:00:15

To rule out network problems at the remote location, I brought up a simple HTTPD container on the same machine running Home Assistant. I was able to access the HTTPD server at 10.147.17.175 using a proxy host test.mydomain.com. This leads me to believe that the 502 Bad Gateway error is entirely related to Home Assistant. Where do you suggest I start? Below is my HA config file:

# Configure a default setup of Home Assistant (frontend, api, etc)
default_config:

# Text to speech
tts:
  - platform: google_translate

group: !include groups.yaml
automation: !include automations.yaml
script: !include scripts.yaml
scene: !include scenes.yaml

cover:
  - platform: rpi_gpio
    relay_time: 1.0
    invert_state: true
    covers:
      - relay_pin: 17
        state_pin: 10
        name: "Main Gate"
http:
  use_x_forwarded_for: true
  trusted_proxies:
    - 10.147.17.5      # Add the IP address of the proxy server
    #- 172.30.33.0/24  # You may also provide the subnet mask

homeassistant:
  external_url: "https://ha.mydomain.com"


I’d try a “nc -zv 10.147.17.175 8123” on the nginx container to check that there are no port issues.

Output for nc -zv 10.147.17.175 8123 is:

[root@docker-dfa3e2113f48:/app]# nc -zv 10.147.17.175 8123
10.147.17.175: inverse host lookup failed: Unknown host
(UNKNOWN) [10.147.17.175] 8123 (?) open

However, I’m seeing that the issue has something to do with the connection (WiFi dongle) of the Raspberry Pi that hosts Home Assistant. I notice that sometimes the machine doesn’t respond to ping requests (unreachable), but when it does I can reach Home Assistant at ha.mydomain.com. This isn’t the behavior when I link the Home Assistant machine to Nabu Casa. Also, I see a Starscream.HTTPUpgradeError 0 when I try to connect my iOS app to the Home Assistant machine at ha.mydomain.com. What comes to mind?

The 502 Bad Gateway error was solved by replacing the Wi-Fi dongle, but whenever I authenticate in Home Assistant at https://ha.mydomain.com I get stuck on the Loading Data screen, and I get the Starscream.HTTPUpgradeError 0 when I try to authenticate in both the iOS and Android apps.

  • Remote access at ha.mydomain.com - Stuck at loading data screen
  • Remote access at ha.mydomain.com via iOS and Android apps - Starscream.HTTPUpgradeError 0
  • Local access at LAN IP 192.168.0.199:8123 - OK
  • Access at ZeroTier managed IP 10.147.17.175:8123 - OK

What would you suggest?

Did you enable websocket support on the nginx side?
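A way to confirm what that toggle changes, as an added example that is not part of the thread and not Home Assistant's or Nginx Proxy Manager's code: the probe below sends the same Upgrade request a browser or the mobile app sends to Home Assistant's /api/websocket endpoint and checks the answer against the RFC 6455 handshake. Without WebSockets support the proxy talks plain HTTP to the upstream and drops the Connection/Upgrade headers, so Home Assistant's server (aiohttp) answers the bare GET with 400 and the client reports an upgrade error; with it, the upstream answers 101 and a Sec-WebSocket-Accept derived from the client's key. It uses only the Python standard library; ha.mydomain.com is the thread's placeholder host, and the SAMPLES dictionary is constructed to show the two outcomes offline.

```python
"""Check whether a reverse proxy passes WebSocket upgrades through to
Home Assistant's /api/websocket endpoint.

Added example (standard library only), not Home Assistant's or NPM's code.
ha.mydomain.com is the thread's placeholder host; SAMPLES is constructed.
"""
import base64
import hashlib
import http.client
import os
import ssl
from typing import Dict, Mapping, Tuple

WS_GUID = "258EAFA5-E914-47DA-95CA-C5AB0DC85B11"   # fixed by RFC 6455


def upgrade_headers(key: str) -> Dict[str, str]:
    """Headers a browser or the HA mobile app sends to open a WebSocket."""
    return {
        "Connection": "Upgrade",
        "Upgrade": "websocket",
        "Sec-WebSocket-Version": "13",
        "Sec-WebSocket-Key": key,
    }


def new_key() -> str:
    """Random 16-byte nonce, base64 encoded, as the client must send."""
    return base64.b64encode(os.urandom(16)).decode()


def expected_accept(key: str) -> str:
    """Sec-WebSocket-Accept the server must return for a given client key."""
    digest = hashlib.sha1((key + WS_GUID).encode()).digest()
    return base64.b64encode(digest).decode()


def diagnose(key: str, status: int, headers: Mapping[str, str]) -> str:
    """Turn the status line and headers of the probe into a diagnosis."""
    norm = {k.lower(): v for k, v in headers.items()}
    if status == 101:
        if norm.get("upgrade", "").lower() != "websocket":
            return "101 but no 'Upgrade: websocket' header; proxy is mangling the response"
        if norm.get("sec-websocket-accept") != expected_accept(key):
            return "101 with wrong Sec-WebSocket-Accept; the upgrade did not reach the upstream intact"
        return "ok: WebSocket upgrade forwarded end to end"
    if status == 400:
        # aiohttp (Home Assistant's HTTP server) answers a GET that lacks the
        # Connection/Upgrade headers with 400: the proxy dropped them.
        return "upstream never saw the Upgrade headers; enable WebSockets support on the proxy"
    if status in (502, 504):
        return "proxy cannot reach the upstream"
    if status in (301, 302, 307, 308):
        return "redirected; probe the https host directly"
    return f"unexpected status {status}"


def probe(host: str, path: str = "/api/websocket", port: int = 443,
          tls: bool = True) -> Tuple[str, int, Dict[str, str]]:
    """Send one raw upgrade request and return (key, status, headers)."""
    key = new_key()
    if tls:
        conn = http.client.HTTPSConnection(host, port, timeout=10,
                                           context=ssl.create_default_context())
    else:
        conn = http.client.HTTPConnection(host, port, timeout=10)
    try:
        conn.request("GET", path, headers=upgrade_headers(key))
        resp = conn.getresponse()
        return key, resp.status, dict(resp.getheaders())
    finally:
        conn.close()


# Constructed responses for the RFC 6455 example key, standing in for what
# the proxy returned before and after WebSockets support was enabled.
RFC_KEY = "dGhlIHNhbXBsZSBub25jZQ=="
SAMPLES = {
    "before": (400, {"Server": "nginx", "Content-Type": "text/plain"}),
    "after": (101, {"Upgrade": "websocket", "Connection": "Upgrade",
                    "Sec-WebSocket-Accept": "s3pPLMBiTxaQ9kYGzzhZRbK+xOo="}),
}

if __name__ == "__main__":
    for name, (status, hdrs) in SAMPLES.items():
        print(f"{name}: {diagnose(RFC_KEY, status, hdrs)}")
    # Live check against the thread's placeholder host (needs network):
    # key, status, hdrs = probe("ha.mydomain.com"); print(diagnose(key, status, hdrs))
```

Checking Sec-WebSocket-Accept rather than just the 101 status matters because the value is tied to the key sent in this request; a 101 carrying a stale or missing accept value means something between the client and Home Assistant answered on the upstream's behalf.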

Ok. After enabling websocket support on Nginx I was able to finally access my Home Assistant machine behind CGNAT using ZeroTier and Nginx Proxy Manager. Since I had multiple issues, I will summarize the solutions below:

502 Bad Gateway Error:

  • My particular issue was that the WiFi dongle I was using to connect the Home Assistant machine to the internet was dropping the connection with the router. I replaced the dongle and the connection between the Home Assistant machine and the router stabilized.

Nginx Proxy Manager:

  • Enable Websockets support

Home Assistant’s configuration.yaml:

  • Whitelist the ZeroTier IP of Nginx Proxy Manager using the http integration

http:
  use_x_forwarded_for: true
  trusted_proxies:
    - 10.147.17.5 # ZeroTier IP of the Nginx Proxy Manager machine

Additionally, I found the following suggestions searching for additional support:

  • Enable the mobile_app integration

mobile_app:

  • Specify the external URL in the Home Assistant setup basic information

homeassistant:
  external_url: https://ha.mydomain.com

Special thanks to @h-parks, @koying, @mobile.andrew.jones

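The trusted_proxies / use_x_forwarded_for step in the summary above is also what the 400 Bad Request at the start of the thread was about: since release 2021.7 Home Assistant refuses a request that carries an X-Forwarded-For header unless the connecting address is a listed trusted proxy, because otherwise any direct client could pick the address it is logged, throttled and IP-banned as. The following Python model of that check is an added example written for this page, not Home Assistant's own code and not anything posted in the thread; it reproduces the rule (reject untrusted senders of the header, then walk the forwarded chain from the right past every trusted hop) and contrasts it with the weak variant that trusts the header from anyone. All addresses in it are constructed, with 10.147.17.5 standing in for the proxy as in the thread.

```python
"""Model of the reverse-proxy trust check behind Home Assistant's
`use_x_forwarded_for` / `trusted_proxies` settings.

Added example, not Home Assistant's own code: it reproduces the rule that a
request carrying X-Forwarded-For is only honoured when the TCP peer is a
listed trusted proxy and is rejected with 400 otherwise. All addresses in
the samples below are constructed; 10.147.17.5 is the proxy address used in
the thread.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional


@dataclass
class Request:
    peer_ip: str                    # address on the TCP connection: the proxy, or a direct client
    x_forwarded_for: Optional[str]  # raw header value, None when absent


@dataclass
class Decision:
    status: int      # 200 = accepted, 400 = rejected before any handler runs
    client_ip: str   # address that login throttling and IP bans should key on
    reason: str


def resolve_client(req: Request, use_x_forwarded_for: bool,
                   trusted_proxies: List[str]) -> Decision:
    trusted = [ip_network(p, strict=False) for p in trusted_proxies]
    peer = ip_address(req.peer_ip)

    def is_trusted(addr) -> bool:
        return any(addr in net for net in trusted)

    if req.x_forwarded_for is None:
        # Nothing claimed; the peer itself is the client.
        return Decision(200, str(peer), "no X-Forwarded-For; peer is the client")

    if not use_x_forwarded_for:
        return Decision(400, str(peer), "X-Forwarded-For present but proxy support is off")

    if not is_trusted(peer):
        # A direct client sent the header: refuse rather than let it choose
        # the address it is logged and rate-limited as.
        return Decision(400, str(peer), "X-Forwarded-For from untrusted peer")

    try:
        chain = [ip_address(a.strip()) for a in req.x_forwarded_for.split(",")]
    except ValueError:
        return Decision(400, str(peer), "malformed X-Forwarded-For")

    # Walk the chain from the right (the hop nearest to us) and skip every
    # hop we trust; the first address we cannot vouch for is the real client.
    for hop in reversed(chain):
        if not is_trusted(hop):
            return Decision(200, str(hop), "client taken from X-Forwarded-For")
    return Decision(200, str(chain[0]), "every hop trusted; using leftmost")


def naive_client(req: Request) -> str:
    """Weak variant for contrast: trusts the header from anyone."""
    if req.x_forwarded_for:
        return req.x_forwarded_for.split(",")[0].strip()
    return req.peer_ip


TRUSTED = ["10.147.17.5"]   # ZeroTier address of the NPM host in the thread

if __name__ == "__main__":
    samples = [
        Request("10.147.17.5", "198.51.100.7"),                # via NPM
        Request("10.147.17.5", "198.51.100.7, 10.147.17.5"),   # via two trusted hops
        Request("203.0.113.9", "127.0.0.1"),                   # direct client forging the header
        Request("192.168.0.50", None),                         # LAN client, no proxy
    ]
    for s in samples:
        d = resolve_client(s, True, TRUSTED)
        print(f"{s.peer_ip:>14} xff={s.x_forwarded_for!s:<28} -> "
              f"{d.status} client={d.client_ip} ({d.reason})  naive={naive_client(s)}")
```

The contrast case is the third sample: the naive variant records the forged 127.0.0.1, which would let an attacker hide behind an address Home Assistant's login-attempt tracking treats as local, while the trusted-proxy check rejects the request outright. The flip side is the one the thread hit: list the proxy's real source address (the ZeroTier or WireGuard tunnel address it connects from, not its LAN address), or every proxied request fails with 400.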