Quick and easy way to setup external access to HA Core with hostname and ssl certificate

I’ve tried a few different methods to set up secure remote access to my HA Core installation and while they’ve all worked, the following method is now my preferred approach. It requires a DuckDNS account and the nginx proxy manager docker image. It also assumes you’re using docker-compose or are willing to learn how to use it.

Step 0: Log into your router and forward ports 80 & 443 to your HA local IP.

Step 1: Create a DuckDNS account and add a domain that points to your external IP address. You can find your external IP address @ http://www.icanhazip.com. You also need to copy your “token” that can be found on your DuckDNS dashboard.

Step 2: Add the following lines to your HA configuration.yaml file. The http config deals with our reverse proxy. The duckdns config updates your external ip address if it gets changed by your ISP (happens to me every few months).

  use_x_forwarded_for: true

  domain: <your duckdns domain here>
  access_token: <your duckdns token here>

Step 3: Create a Nginx Proxy Manager entry in your docker-compose.yaml file. The following uses a different database docker image than what’s in the Nginx Proxy Manager installation guide to provide compatibility with Raspberry Pi. If you’re not using a Raspberry Pi, the original docker image is: “jc21/mariadb-aria:10.4”.

    container_name: proxymanager
      DB_MYSQL_HOST: "proxymanagerdb"
      DB_MYSQL_PORT: 3306
      DB_MYSQL_USER: "npm"
      DB_MYSQL_PASSWORD: "npm"
      DB_MYSQL_NAME: "npm"
    image: 'jc21/nginx-proxy-manager:latest'
      - '80:80'
      - '81:81'
      - '443:443'
    restart: always
      - /dockerfiles/nginxproxymanager/data:/data
      - /dockerfiles/letsencrypt:/etc/letsencrypt

    container_name: proxymanagerdb
    image: 'yobasystems/alpine-mariadb:armhf'
      MYSQL_DATABASE: 'npm'
      MYSQL_USER: 'npm'
      MYSQL_PASSWORD: 'npm'
    restart: always
      - /dockerfiles/nginxproxymanager/data/mysql:/var/lib/mysql

Step 4: Log into Nginx Proxy Manager using the IP of the machine you installed it on and port 81. The default username and password are ‘[email protected]’ and ‘changeme’, respectively. You’ll be prompted to change these the first time you login.

Step 5: Go to the SSL certificates tab in Nginx Proxy Manager and create a new SSL certificate for your domain (via the LetsEncrypt option). All you need to do here in enter your duckdns domain name, your email address, and agree to the ToS.

Step 6: Go to the Host tab in Nginx Proxy Manager and create a new proxy host. Here you need to enter your duckdns domain name, the IP and port of your HA installation (use http here since the traffic will be local only), and enable “Websockets Support.” Before saving this new proxy host, head over to the ssl tab and choose the ssl certificate you created previously. Now click save.

That’s it! You should be able to access HA securely and remotely using your duckdns domain!


Have you tried Zerotier or Tailscale?

I intend to experiment with both because they provide a very easy (and free) way to implement secure remote access (and more). No external domain address, SSL certificate, reverse-proxy, or opening of ports is needed.

I’d be interested in a Zerotier guide if you get the time.

Aren’t you using HA OS? Did you try the ZeroTier One add-on yet?

I’ve never heard of zerotier before so I’ll have to look into it some more. Does it still provide you with a https domain? The whole reason I setup secure remote access is to be able to configure the Google integration manually.

I’ve opted to run HA Core instead of HA, so I need to setup everything manually instead of using add-ons. Docker-compose makes this incredibly easy to do.

Are you also using docker-compose to start Home Assistant? If you are, then you are running Home Assistant Container (which is Home Assistant Core distributed as a docker container).

The definition of the term ‘remote-access’ tends to vary a bit. For example, WireGuard is a VPN solution that can provide remote-access to Home Assistant. However, it requires client software to establish the connection to Home Assistant. As a result, it cannot be used by services like Amazon Alexa and Google Assistant which require a public-facing IP address.

Like Wireguard, Zerotier and Tailscale use client software to establish a connection to your local machine (so they won’t meet your requirement for supporting the Google Assistant service). However, all offer a fairly easy way to establish a remote-connection to Home Assistant.

FWIW, I only recently learned about Tailscale from reading openHAB’s documentation. The company was formed by ex-Google staff and their product is based on WireGuard’s communication protocol but provides a service more similar (at first glance) to Zerotier.

FYI: I’ve tried/played with ZeroTier and TailScale recently.

ZeroTier is layer 2 “VPN”, TailScale is layer 3 “VPN”.

ZeroTier’s Android app’s UI seems to be broken (duplicated fields, without explanation, status doesn’t refreshed, small, annoying things), the Win version can’t even connect, “port error”, suggested methods to repair it didn’t worked, the only version that worked was a downgraded HA addon. After seeing these bugs, it seemed immature and I lost my trust in it, uninstalled it.

TailScale’s Android and Win versions worked without problem (how it works). But there is no HA addon, no Docker image (#504), no Alpine Linux package (#230) (HA addons are based on Alpine Linux). I’ve tried to create a HA addon based on the Tailscale arm binaries, without success, though my HA/docker/addon/tailscale knowledge is very very minimal, I’m new to this world.

Currently I’m waiting for an available TailScale solution. :frowning:

I am using zero-tier, but I it was working awesome until I started using https (esp-home requires it for flashing via browser). Now I can’t access HA on mobile app