Since you said it worked before adding WireGuard, the issue is related to your WireGuard setup. Local IPs do indeed work.
The apps use a different communication method than a browser, so you are probably blocking API calls.
No, adding the LOCAL IP never worked for me…
Before WireGuard, I was using port forwarding + DuckDNS, so I used https://mydomain.duckdns.org:8123
Now, with WireGuard, I don’t use the port forwarding of 8123, so I have to put my local IP… http://192.168.1.X:8123, which doesn’t work.
can you post a screenshot of the error?
Looks like it’s having an issue loading the authenticated webview; sounds like your VPN may be blocking additional HA APIs. Try to make sure everything at HA is open and it’s not locked down to the base URL. APIs need to be functional for the app to work, in addition to the HA frontend.
Does this have to do with this 80/tcp?
I have no idea, I don’t use WireGuard.
I had a similar problem. I set up DuckDNS to get my cert and domain name. But I found out that my ISP is blocking connections to the public IP, so I can’t access my DuckDNS domain from outside.
The thing is that you can have multiple domains on the Home Assistant IP. This gives you the ability to set up and run DuckDNS and VPN simultaneously.
In the AdGuard DNS rewrites I set up the DuckDNS domain to point to the IP of Home Assistant.
In configuration.yaml I have
http:
  use_x_forwarded_for: true
  trusted_proxies:
    - 127.0.0.1
    - 172.30.33.0/24
I installed the NGINX SSL add-on and just added my DuckDNS domain under the domain: configuration. I also run NGINX Proxy Manager.
To test it, try to open from your local network “http://yourlocaldomain” and “https://your.duckdns.org”
You should be able to log in to your Home Assistant from both domains.
If you can log on, you can easily set up Tailscale to point to your local domain and access hassio from the mobile app.
This is the reason you have two Home Assistant addresses in the mobile app. One is for your local network and the other is your IP accessible from the net.
I know that you asked for WireGuard. I don’t use it, but maybe this post will help someone trying to set up things in Home Assistant.
The combination DuckDNS + VPN gives you maybe the best of both worlds. You can have a DuckDNS domain and get your SSL cert, but you don’t have to forward any ports on your router or expose your Home Assistant to the net. You can use a VPN, i.e. Tailscale, to connect to your Home Assistant.
I tried reverse proxy ssl but it didn’t work…
Now I get this error
I’ve read for hours but nothing worked…
UPDATE: I managed to make the reverse proxy work (I forgot to comment out http: ssl_certificate and ssl_key) and the app is working fine with my X.duckdns.org URL.
Although I’m confused about all this, I’ll open a new topic. Thanks
The problem is simple:
yourhost.duckdns.org
yourhost.duckdns.org
192.168.0.42
If you’re doing SSL in Home Assistant then you can only connect using the hostname the certificate is for.
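The name check behind that statement, as an added example that is not part of the original post or Home Assistant's own code: a simplified subject-alternative-name matcher run against a constructed certificate dict in the shape Python's `ssl` `getpeercert()` returns. The function names and sample values are assumptions made for illustration.

```python
import ipaddress

# Constructed sample (not a real certificate): issued only for the DuckDNS name.
SAMPLE_CERT = {
    "subject": ((("commonName", "yourhost.duckdns.org"),),),
    "subjectAltName": (("DNS", "yourhost.duckdns.org"),),
}

def _dns_match(pattern, host):
    """Case-insensitive label match; '*' may only replace the whole left-most label."""
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*" and len(p) > 2:
        return h[0] != "" and p[1:] == h[1:]
    return p == h

def cert_matches(cert, target):
    """True if target (hostname or IP literal) is covered by the cert's SAN entries."""
    sans = cert.get("subjectAltName", ())
    try:
        ip = ipaddress.ip_address(target)
    except ValueError:
        ip = None
    if ip is not None:
        # An IP literal is compared only with 'IP Address' entries, never DNS names.
        return any(kind == "IP Address" and ipaddress.ip_address(val) == ip
                   for kind, val in sans)
    return any(kind == "DNS" and _dns_match(val, target) for kind, val in sans)

def check_urls(cert, hosts):
    """Map each host a client might type to whether the certificate covers it."""
    return {h: cert_matches(cert, h) for h in hosts}

if __name__ == "__main__":
    hosts = ["yourhost.duckdns.org", "192.168.0.42", "homeassistant.local"]
    for host, ok in check_urls(SAMPLE_CERT, hosts).items():
        verdict = "accepted" if ok else "rejected: certificate name mismatch"
        print(f"https://{host}:8123 -> {verdict}")
```

A client that connects by LAN IP or `homeassistant.local` fails this check even though the server and key are the same, which is why only the certificate's hostname works.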
Thank you!!
Now everything is clear…
The funny thing is that I “fixed” my “app doesn’t accept https” by luck. Because in order for the NGINX proxy SSL to work, I had to comment out:
http:
  #ssl_certificate: ...
  #ssl_key: ..
Which actually fixed my initial problem, which as you mentioned was that I left my certificate for myhost.duckdns.org, even though I stopped using it and started using the local IP with VPN.
How did I connect to my local IP for so long? I used https://192.168.1.X:8123
instead of http://192.168.1.X:8123
(I guess hiding the local IP doesn’t matter, but anyway)
Here is a screenshot:
Now, I deactivated NGINX and the port forward for 443, AND commented out ssl_certificate and ssl_key as mentioned before, and everything works fine with the local IP:
I guess having an SSL certificate with VPN doesn’t happen to many people, that’s why I couldn’t debug my problem…
Again @Tinkerer thank you for your time… I’ve spent 2-3 afternoons on this issue!
I’m having similar problems but I started with wireguard VPN and accessing ha only through local address http://192.168.1.x:8123, both locally from home, as well as, when connecting remotely outside home, including with the companion android app. So everywhere I was using only local nat address. No fwd ports on the router except for the wireguard one.
Then, I recently decided to move from http to https in order to improve the security of communications btw the HA server and clients (web and app), mainly on the local network. I installed the DuckDNS add-on and got it working.
Surprises:
http disappeared completely, so now only the https protocol is working (this should be good in general, so no more insecure communications)
the companion app seems to no longer support local URLs, since the certificate warning when used with a local URL is not handled - this is at least what I’ve understood reading several posts and articles … - so, even though I was previously using a safer local address through VPN, now I must always use the remote FQDN (with an additional 8123 port fwd for HA)
I also checked how reverse proxies work (but have not yet tested) and it is quite simple. They encrypt only the external connection with https (from the external client up to the proxy), but to access HA they use only http (see the # comments in configuration.yaml as per your previous posts)
So in the end HA can work (accept incoming connections) only totally unencrypted (http) or encrypted (https), but not both at the same time. This is for me a limitation.
Yes, if you want both then you have to use a reverse proxy for SSL.
Thank you but what do you mean exactly?
I understand that if you use the reverse proxy, then you have to remove the SSL options (comment them out as shown below), which means that HA itself will support only http and it will accept only unencrypted connections.
http:
  #ssl_certificate: …
  #ssl_key: …
So, in other words it will not have encryption btw the HA server and clients connection within LAN (behind the reverse proxy), while it will work in front of it.
This is what I’ve understood …
My goal was to run everything in https but to use only local addresses since I have the VPN, but unfortunately the app does not support https with a local address.
Tnx
The problem is that locally if you’re using the LAN IP or homeassistant.local then any sensible client will refuse the connection since the SSL certificate is for example.duckdns.org.
So, you have three options:
example.duckdns.org to the LAN IP of the Home Assistant host.
My router should support NAT loopback (I’m using the full fqdn with the App also when connected with WiFi at home behind the router, so I think this should mean that NAT loopback is supported).
I’d prefer to use with the App the local address (but with https), as I do with my laptop, but it is fine, since it is working and I’m assuming that all connections are encrypted inside and outside the LAN.
A question about accessing with https://localaddress from the LAN to the HA server. I assume that even if I get a warning from the browser that the certificate is not recognized (since it has been issued for example.duckdns.org), the connection is still working with full encryption. Am I right?
I’m interested in keeping HA connections encrypted within the LAN as much as possible, even though I know that if in the future I have basic devices like ESPHome, not having the HA server supporting http will be a problem.
Thank you very much for your support.
Just a further clarification for the avoidance of doubts.
In my current configuration I’m using only duckdns (no reverse proxy yet) and Wireguard VPN.
In this way, I’m assuming that everything is always SSL encrypted (even if I get a warning when I use local IPs) inside and outside my LAN. That’s my first doubt / concern.
My second concern is that, no longer having simple http, if in the future I need to connect certain new devices/platforms not supporting https (e.g. ESPHome, konnected.io), I’ll not be able to do it.
My third doubt / concern is that, based on what I’ve understood (but I did not experiment with this), if I decide to also deploy a reverse proxy (caddy or nginx), I’ll completely lose https inside the LAN (since the encryption will be only up to the reverse proxy). Am I right?
Thank you.
Yes
Of course, this is a terrible practice and if the hostname works from inside the network use it. Your connection remains local, connecting to the router and back to HA.
If you connect directly to HA, correct. If you connect using the DuckDNS/whatever hostname then no.
Of course, this is a terrible practice and if the hostname works from inside the network use it. Your connection remains local, connecting to the router and back to HA.
But in this scenario I can’t distinguish internal and external connection. Is there any way to do that?
I mean I don’t want my kids to access home assistant from outside, only when they are at home.
Before https it was easy with two addresses (internal and external) but I had to leave the port open and unencrypted.
Now with https I can only use one address for both internal and external address and therefore unable to restrict control from internal and external IP.
Any news on this very interesting topic?