But now, i set up the Wireguard VPN, so the only way to enter is: enter my VPN, go to 192.168.1.X:8123 (the ip of my rpi). But, HA app doesnt allow local ips…
Do i miss something?
looks like its having an issue loading authenticated webview, sounds like your VPN may be blocking additional HA APIs try to make sure everything at HA is open and its not locked down to base URL. APIs need to be functional for the app to work, in addition to the HA frontend.
I had similar problem. I set up duckdns to get my cert and domain name. But I found out that my isp is blocking connections to public ip so I cant access my duckdns domain from outside.
The thing is that you can have multiple domains on homeassistant ip. This gives you ability to setup up and run duckdns and vpn simultaneously.
In adguard dns rewrites I setup duckdns domain to point to the ip of the homeassistant.
In configuration.yaml I have
I installed nginx ssl addon and just add my duckdns domain under doman: configuration. I run also nginx proxy manager.
To test it, try to open from your local network “http://youlocaldomain” and “https//your.duckdns.org”
You should be able to log from both domains to your homeassistant.
If you can log on you can easily set up tailscale to point on you local domain and access hassio from mobile app.
This is the reason you have two homeassistant addresses in mobile app. One is for your local network and other is your ip accessible from net.
I know that you asked for wireguard. I dont use it, but maybe this post will help someone trying to set up things in home assistant.
Combinations duckdns + vpn gives you maybe the best from both worlds. You can have a duckdns domain and get your ssl cert but you dont have to forward any ports on your router or expose your homeassistant to the net. You can use vpn ie. tailscale to connect to your homeassitant.
UPDATE: i managed to make reverse proxy work (i forgot to comment http: ssl_certificate and ssl_key) and the app is working fine with my X.duckdns.org url
Although, im confused about all this, but ill open a new topic. Thanks
Now everything is clear…
The funny thing is that i “fixed” my “app doesnt accept https”, by luck. Because in order for NGINX proxy SSL to work, i had to comment:
http:
#ssl_certificate: ...
#ssl_key: ..
Which, actually fixed my initial problem, which as you mentioned was that i left my certificate for myhost.duckdns.org, even i stopped using it and start using local ip with VPN.
How i connected to my local ip so long? i used https://192.168.1.X:8123 instead of http://192.168.1.X:8123
(i guess hiding local ip doesnt matter, but anyway)
Here is a screenshot:
Now, i deactivated NGINX and port forward for 443, AND comment ssl_certificate and ssl_key as mentioned before, and everything works fine with local ip:
I’m having similar problems but I started with wireguard VPN and accessing ha only through local address http://192.168.1.x:8123, both locally from home, as well as, when connecting remotely outside home, including with the companion android app. So everywhere I was using only local nat address. No fwd ports on the router except for the wireguard one.
Then, I decided recently to move from http to https for the purpose to improve security of communications btw the HA server and clients (web and app) mainly on the local network. I installed duckdns addon and made it working.
Surprises:
http disappeared completely, so now only https protocol is working (this should be good in general, so no more unsecure communications)
the companion apps seems not to support anymore local urls since the warning of the certificate when used with a local url is not handled - this is at least what I’ve understood reading several posts and articles … - so, also if I had before using a safer local address through VPN, non I must use always the remote fqdn (with an additional 8123 port fwd for HA)
I checked also how reverse proxies work (but not yet tested) and it is quite simple. They encripts only the external connection with https from external client up to the proxy) but to access HA it uses only http (see # comments in configuration.yaml as per your previous posts)
So at the end HA can work (accept incoming connections) only totalmente unencripted (http) or encrypted (https), but not both at the sarebbe time. This is for me a limitation.
I understand that if you use the reverse proxy, then you have to remove the ssl (comment them as below shown) that means that HA itself will support only http and it will accept only uncripted connections.
http: #ssl_certificate: … #ssl_key: …
So, in other words it will not have encryption btw the HA server and clients connection within LAN (behind the reverse proxy), while it will work in front of it.
This what I’ve understood …
My goal whas to run everything in https but to use only local addresses sonce I’ve the VPN, but unfortunately the app does not support https with a local address.
The problem is that locally if you’re using the LAN IP or homeassistant.local then any sensible client will refuse the connection since the SSL certificate is for example.duckdns.org.
So, you have three options:
If supported by your router enable NAT Reflection or Loopback NAT so you can use the hostname and port from inside the network.
Configure your local DNS server to resolve example.duckdns.org to the LAN IP of the Home Assistant host.
Accept that you don’t get SSL inside your home network
My router should support NAT loopback (I’m using the full fqdn with the App also when connected with WiFi at home behind the router, so I think this should mean that NAT loopback is supported).
I’d prefer to use with the App the local address (but with https), as I do with my laptop, but it is fine, since it is working and I’m assuming that all connections are encrypted inside and outside the LAN.
A question about accessing with https://localaddress from the LAN to the HA server. I assume that also if I get a warning from the browser that the certificate is not recognized (since it has been issued for the example.duckdns.org), but the connection is still working with full encryption. Am I right?
I’m interested to keep as much as possible also HA connections encrypted within the LAN, also if I know that in case in the future I’ll have basic devices like ESPHome, not having HA server supporting http it will be a problem.
Just a further clarification for the avoidance of doubts.
In my current configuration I’m using only duckdns (no reverse proxy yet) and Wireguard VPN.
In this way, I’m assuming that everything is always ssl encrypted (also if I get a warning when I use local IPs) inside and outside my LAN. That’s my first doubt / concern.
My second concern is that not having anymore simple http, then in case in the future I would need to connect certain new devices/platforms not supporting https (e.g. ESPHome, konnected.io), I’ll not be able to do it.
My third doubt / concern is that, based on what I’ve understood (but I did not experiment this), in case I’ll decide to deploy also a reverse proxy (caddy or nginx), I’ll completely loose https inside the LAN (since the only encryption will be only up to the reverse proxy). Am I right?