NGINX with DuckDNS behind Double NAT

I’ve been having this problem for a few months and have not been able to address the issue with accessing my HA from outside my home network.

I run HA on my RPi which is on a VLAN and because of limitations on my network setup, my router sits behind my service provider’s modem/router.

Internet → 192.168.2.1 (ISP device) → 10.0.3.x (my router) → 10.0.63.x (my RPi)

The only way I am able to connect to my HA instance externally is if I allow 0.0.0.0 in my list of trusted proxies in the config.yaml
I’m assuming the port forwarding that I’ve done is correct since at the minimum 0.0.0.0 works.

http:
  use_x_forwarded_for: true
  trusted_proxies:
#    - 127.0.0.1
#    - 10.0.63.0/24
#    - 192.168.2.0/24
#    - 10.0.3.0/24
    - 0.0.0.0/0

Aside from not being able to access my HA instance, I am also wondering if this has anything to do with my problem with the Home Assistant Cast functionality here. I am able to cast the demo, but unable to cast my own specific instance of HA. If this is a separate issue, I’ll be glad to post another thread about this.

One step at a time:

Can someone explain what is happening if I leave 0.0.0.0 on the list?
Can anyone advise what is the correct way to allow access?

Next step, if it is related, what is going on with Cast?

If there’s any missing info you’d like to know to help diagnose, let me know. Thanks in advance!

The first question is: Why would you need it?
I understand you do simple port forwarding, without a reverse proxy like nginx, right? If so, that shouldn’t even be needed.

What error / IP is logged if you remove it?

Yes, I have port forwarding set up, and I do have NGINX configured.
When I try to connect, I get this error (with the external IP blocked):

error

Is the external IP the one that I should be including into the list of trusted proxies?
I thought the whole point of DuckDNS was to eliminate the need to know your IP address (and yes my external IP is picked up properly by DuckDNS).

Not sure why you hide the IP.
Is it public or private? Does it ring a bell?

It’s my external IP

Edit: sorry I take that back, it’s a private IP.
It was a 172 number, which I didn’t recognize and so I thought it was external. I’ll have to check when I get home what the actual number was, but that’s odd because nothing in my network uses that range.

172 range is typically used by docker, thus your nginx.
You have to put that 172.x.x.0/24 range (the nginx, its IP might change) as trusted proxy.

Ok so I just added the 172.30.0.0/24 to the list of trusted proxies and still receive the same error in the log.

Was going to paste the log from NGINX, but aside from my DuckDNS address, anything else I should be blocking out?

Also, would this mean that my ports are not correctly forwarded? Currently ports 80 and 443 are being forwarded from the ISP device WAN to my router (10.0.3.1) and then on my router the same ports are being forwarded from the router WAN to my RPi IP address (10.63.x.x).

Ok so definitely user error on my part!
Because I’m not familiar with CIDR notation, what I messed up is that it needed to be 172.30.0.0/16 and not /24.

Everything works as intended it seems! Thanks @koying for pointing out that the IP is related to NGINX!

I quickly went and gave Cast a try and still not working so it seems maybe that is unrelated. Bummer :confused:
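
Added example, not part of the thread and not Home Assistant's own code: a simplified model of trusted-proxy matching that shows why 172.30.0.0/24 still failed while 172.30.0.0/16 worked, and what 0.0.0.0/0 means for the first question asked above. The addresses are constructed samples and the rejection behaviour is an assumption about how a backend honouring X-Forwarded-For treats untrusted peers.

```python
import ipaddress

def is_trusted(peer, trusted_proxies):
    """True if the address falls inside any of the trusted networks."""
    addr = ipaddress.ip_address(peer)
    return any(addr in ipaddress.ip_network(net) for net in trusted_proxies)

def effective_client(peer, x_forwarded_for, trusted_proxies):
    """Simplified model (assumption) of a backend honouring X-Forwarded-For.

    Returns the address the backend treats as the client, or None when a
    forwarded header arrives from a peer that is not a trusted proxy.
    """
    if x_forwarded_for is None:
        return peer
    if not is_trusted(peer, trusted_proxies):
        return None  # request rejected: header came from an untrusted peer
    # Walk the header right to left; the first hop that is not itself
    # a trusted proxy is taken as the client.
    hops = [h.strip() for h in x_forwarded_for.split(",")]
    for hop in reversed(hops):
        if not is_trusted(hop, trusted_proxies):
            return hop
    return hops[0]

# Constructed sample addresses (not taken from the thread).
NGINX_PEER = "172.30.33.2"    # proxy container somewhere in 172.30.x.x
REAL_CLIENT = "203.0.113.7"   # documentation range (RFC 5737)
DIRECT_PEER = "198.51.100.9"  # a host that did not come through the proxy

def demo():
    return {
        # /24 only covers 172.30.0.0-172.30.0.255, so the proxy is untrusted
        "slash24": effective_client(NGINX_PEER, REAL_CLIENT, ["172.30.0.0/24"]),
        # /16 covers all of 172.30.x.x, so the proxy's header is honoured
        "slash16": effective_client(NGINX_PEER, REAL_CLIENT, ["172.30.0.0/16"]),
        # 0.0.0.0/0 matches every IPv4 address: any peer counts as a proxy,
        # so its X-Forwarded-For value would be accepted unverified
        "any_direct": is_trusted(DIRECT_PEER, ["0.0.0.0/0"]),
        # with the scoped range, a header from a non-proxy peer is refused
        "scoped_direct": effective_client(DIRECT_PEER, "192.0.2.1", ["172.30.0.0/16"]),
    }

if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```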