iOS app won't connect *inside* home network


#1

On HA 0.89.0 and using the current beta (1.5.1) version of the iOS app with Letsencrypt and DuckDNS, I have a secure connection to my HA installation from the app with wifi on my iPhone turned off. However, if I’m connected to the home router, I get a connection error that indicates TokenError 1 and/or the blurb about the certificate not being trusted. Accessing from Safari using the internal IP gets me to the password screen but then says “unable to connect”, and doing the same using my duckdns address yields a page indicating that Safari cannot open the page with the warning that the cert is invalid (again only inside the network). There are plenty of posts about trouble accessing HA from outside the network, but I don’t see anything about this particular situation.
I’ve tried:

  • using the app internal URL setting pointed directly to the LAN address/port of HA, which yields the same result
  • installing a self-signed cert with an attempt at adding a second cert reference in the http: portion of configuration.yaml, but that didn’t work at all, so I removed it
  • deleting and reinstalling the app (several times); tried both current app store and the beta versions

The only possibly relevant entry I can find in home-assistant.log is:
INFO (MainThread) [homeassistant.components.http.view] Serving /api/error/all to 192.168.1.171 (auth: True)

Any help is appreciated… I’m aware that v2 of the app will drop soon and may fix the errors, but in the interim I’d love to have control inside my network!


#2

I use the outside URL when I am on my internal network. If you use the inside address, that address does not match the certificate name.

I have Use internal URL unchecked.


#3

I’ve tried that, but apparently my ISP (Spectrum) doesn’t allow “NAT loopback”, which is when you’re trying to go outside of your internal network and then back in again. For instance, if I put the duckdns URL into my laptop browser, it takes me to my router login page. I think this is probably exactly why the developers added the internal URL setting field in the app, but it isn’t working for me.


#4

One other note here though: I am able to access HA using the internal IP on my laptop. I can’t figure out why the phone is treated differently.


#5

On your laptop you likely told your browser to accept the certificate anyway. There is no good way to do that with the app.


#6

Yeah, you really just want to get NAT loopback working. If your current router doesn’t do that, I suggest replacing it.


#7

My understanding is that the NAT loopback issue is based on the ISP’s rules rather than a router capability, but someone please correct me if I’m wrong.

The most confusing part of this is having gone through the work to have a formally signed SSL certificate (per certbot and letsencrypt) and still be told by the browser that the certificate isn’t trusted… I used this guide more or less:

I even tried importing the cert.pem into the phone as a profile, but that did nothing.


#8

If your router supports custom DNS settings, you could override your DuckDNS with your internal IP. Or set up your own DNS server on your HA host and change your DHCP server settings to this DNS if possible.

Mapping: somebody.duckdns.org -> 192.168.0.5
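
Added example, not part of any post in this thread: a small Python model of the two points made in #2 and #8, namely that a certificate issued for a DNS name does not verify when the client connects by IP address, and that a local DNS override keeps the name valid while the traffic stays on the LAN. The function names are hypothetical, the SAN list is constructed, and 203.0.113.10 is a constructed documentation address standing in for the public IP.

```python
import ipaddress

# RFC 1918 ranges; Python's is_private also flags documentation ranges.
LAN_NETS = [ipaddress.ip_network(n) for n in
            ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def is_ip(value):
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False

def dns_name_matches(pattern, host):
    """RFC 6125-style match; '*' may only stand for the whole left-most label."""
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*":
        return len(p) > 2 and p[1:] == h[1:]
    return p == h

def cert_covers(target, dns_sans, ip_sans=()):
    """Would a verifying client accept this certificate for `target`?"""
    if is_ip(target):
        # An IP target is compared only with iPAddress SANs, never dNSName.
        want = ipaddress.ip_address(target)
        return any(ipaddress.ip_address(i) == want for i in ip_sans)
    return any(dns_name_matches(s, target) for s in dns_sans)

def evaluate(url_host, resolved_ip, dns_sans):
    """Outcome for one client URL, given the address the name resolves to."""
    addr = ipaddress.ip_address(resolved_ip)
    return {"cert_ok": cert_covers(url_host, dns_sans),
            "stays_on_lan": any(addr in net for net in LAN_NETS)}

SANS = ["somebody.duckdns.org"]          # constructed: name on the certificate
CASES = [                                 # (host typed into the app, resolved IP)
    ("192.168.0.5", "192.168.0.5"),            # internal URL by IP address
    ("somebody.duckdns.org", "203.0.113.10"),  # public DNS (constructed address)
    ("somebody.duckdns.org", "192.168.0.5"),   # local DNS override from post #8
]

if __name__ == "__main__":
    for host, ip in CASES:
        print(host, "->", ip, evaluate(host, ip, SANS))
```

Only the third case both verifies and stays on the LAN; the second verifies but depends on the router handling NAT loopback.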


#9

No, it’s your router blocking this, not your ISP.


#10

I think “NAT loopback” may refer to the same thing as “NAT Reflection”, but perhaps not. For me, to make this work I had to enable NAT Reflection on my router. NAT Reflection is definitely not an ISP issue; it’s handled entirely by the router, but how to enable it will vary by router model.


#11

My router calls it DNS Rebind Protection. I have to add my duckdns domain to the list of exceptions.


#12

Sounds like it’s time for me to go looking at what 802.11ax routers are out so far :grinning:

Thanks for the help everyone - this community is terrific!