Notifications held over persistent connection if WAN down

I run my mobile companion app in Persistent connection mode to Home Assistant using a setting of ‘Always’. It’s worked well whether I’m on my LAN or roaming connected to my VPN server. I like that it avoids notifications being forwarded out to Google and back - or so I thought. If my phone is on the LAN Wi-Fi, should there be any disruptions to notifications if my WAN goes offline? If so, why would that be?

Recently I integrated my firewall with HA. HA sends notifications on the status of its interfaces. In testing these, if the Internet route is unavailable the notifications don’t reach my phone. They’re held up and come through in a bundle when the WAN route is restored.

I run HA on private internal DNS only. I don’t use Nabu Casa. Phone is set to use only my DNS and I have internal records for everything. When the WAN is offline things function perfectly with HA both in a browser on my laptop or using the companion app. Why would notifications be held up though, can anyone suggest what’s happening? Is there some dependency? Thanks!

If HA connects through a VPN tunnel and that tunnel runs over WAN, then that is what breaks the connection. Without the tunnel I would not expect problems, unless your firewall is set in a way that blocks the required connections on the local LAN. Maybe you now somehow configured the firewall to only work through the VPN?

No, the problem I’m describing is when I’m on the LAN, no VPN tunnel established. No VPN client active. My companion app is connected directly to HA via my home Wi-Fi. The traffic stays on the LAN, doesn’t even touch the router, goes direct, same subnet.

Ok, I think I’ve just found out what the problem is - and to be honest, it’s something that frustrates me about the HA companion app. It refuses to allow connections over SSL unless it’s on a public trusted certificate. For that reason, I had switched both my internal and external connection URLs to the identical public domain and SSL I use. It’s public purely for the SSL but there is no public DNS, I don’t need it with a VPN, I keep everything internal.

As I’ve just discovered, this setup is fine until you lose your WAN for some reason. If that happens the companion app fails to verify/trust the certificate. This would not happen if we were allowed to use self-signed SSL certificates. The companion app needs an option allowing us to permit them. I fail to see how being forced to connect internally on port 80 without encryption is better security than being allowed to use a self-signed certificate?

@dshokouhi Is it that the HA developers don’t care about the needs of its VPN users because they want people on Nabu Casa? Am I being too cynical? I wish they would address this simple issue. It’s a feature that has been requested. Please give us the option to allow self-signed SSL in the companion app. Daniel, I would really appreciate your thoughts on this?

From this Self-signed SSL is not supported GitHub issue, it seems quite a few people want the simplicity of this option. Why can’t this be added?

That has nothing to do with it.

What led you to believe that is not the case? We have this troubleshooting step.

https://companion.home-assistant.io/docs/troubleshooting/faqs/#using-a-self-signed-certificate-leads-to-a-blank-page-in-android

You just need to import it. We do indeed trust user imported CAs

The main issue there is that it’s not a valid imported certificate. We previously had a user mention there were steps required to generate the certificate properly; however, that is out of scope for the HA project. The app itself just requires a valid certificate, which means we will not bypass any SSL errors.

Maybe this link will help if you are not successful in importing your certificate:
https://github.com/home-assistant/companion.home-assistant/pull/1011


My comment ‘This would not happen if we were allowed to use self-signed SSL certificates’ was actually a reference to the need for a simple certificate validation bypass check-box option in the app. Some time ago I tried for quite a while to get my self-signed (OpenSSL generated) CA and cert installed on my Android device but it kept failing. These certs have worked perfectly in several other server/clients I run that require a trusted CA. I came across many of the links you’ve provided, it’s quite the rabbit hole of information. In the end I gave up and used a work around.

I’m not even getting to the problems people reported with the app rejecting a CA/cert that’s been installed on Android, I can’t get the phone to accept my CA for some reason. I’ll read everything through again and come back with my results. I really appreciate your help with this.

It looks as though my root CA is missing the ‘CA:True’ flag, which apparently is required since Android 11. I’m going to get my CA and certs recreated soon and, assuming I’m then able to import, I’ll see what the next issue is… :)

@dshokouhi Got all my certs recreated and the Android overlords have now chosen to bless my CA. Home Assistant companion app is now working on a single, private domain and cert both externally and internally with no more WAN dependencies affecting my local notifications. Thank you for your time and input Daniel. (Yes, it was the missing ‘CA:True’ flag)
