Remote access, duckdns and forwarding problem

Hmmm, I’ll be honest, I’m a bit stumped with this one. I presume you can’t set homeassistant to 443 because it’s a ‘reserved port’ or some such, so if you can’t set your router to forward 443 to 8123 you’re going to be a bit buggered I think.

Surely there must be a way to get the router to forward the ports properly, have you looked in the manual for advanced port forwarding? Especially if it’s a Netgear router, they’re normally pretty hot with features.

Other than that I’m at a head scratch with this one I’m afraid. I’ll keep thinking and if I get any other inspirations I’ll come back to you.

Hi.
It’s got me stumped as well. The modem was supplied by my cable provider (Telstra) so Netgear won’t help and Telstra just refer off to a premium service, who charge for advice but cannot tell me off the cuff whether there even is a solution or not.
Thanks for your help anyway.
John

The only other suggestion I can think of is putting the computer in the DMZ, but that sounds like I’m exposing the whole computer to attacks, which I want to avoid, obviously. Would it be a solution to buy a Raspberry Pi and put that in the DMZ?

(I’m talking the router DMZ, not the Korean peninsula)

John

Anyone here familiar with IP Tables as a solution to this problem?

This is the error when I close down HA and restart it afresh,

ERROR (MainThread) [homeassistant.components.http] Failed to create HTTP server at port 443: [Errno 13] error while attempting to bind on address ('0.0.0.0', 443): permission denied

any ideas why it may be attempting to bind at 0.0.0.0? The configuration is

http:
  api_password: #######
  ssl_certificate: /private/etc/letsencrypt/live/home-access.duckdns.org/fullchain.pem
  ssl_key: /private/etc/letsencrypt/live/home-access.duckdns.org/privkey.pem
  base_url: home-access.duckdns.org
  server_port: 443

Thanks again for any thoughts or ideas.
John

Ok so I may be talking to myself here but if I set up a different router on my network as the DNS server, and port forwarded with that one instead of the current cable/modem, would that work just the same?
Thanks.

Ha, it’s the first sign… :stuck_out_tongue_winking_eye:

I’m not sure exactly what you’re looking at doing, but I once had a service that sent me their own modem/router and the router bit was total shite, so I switched off the WiFi on it and connected another router (that didn’t have an integral modem) to it. Then the new router worked fine, just saw the old router as the Internet.

If that’s what you’re asking, yes, that would work.

I’m not sure about the DMZ option, I’d have to instantiate some Google-fu same as you. I definitely wouldn’t set it up in Korea, unless it’s well shielded.

I’m not sure about the 0.0.0.0 thing either tbh. I don’t really understand the way that a service binds to a port, just what you can do when (or in this case, if) it does.

I think you missed a joke here… LOL.

Wikipedia on networking DMZ:

In computer security, a DMZ or demilitarized zone (sometimes referred to as a perimeter network) is a physical or logical subnetwork that contains and exposes an organization’s external-facing services to an untrusted network, usually a larger network such as the Internet.

DMZ is also a reference to an area between country borders:

The Demilitarized Zone (DMZ) is a region on the Korean peninsula that demarcates North Korea from South Korea. Roughly following the 38th parallel, the 150-mile-long DMZ incorporates territory on both sides of the cease-fire line as it existed at the end of the Korean War (1950–53).

Hey @jcbigears, what is the exact make and model of your Telstra router? I can’t believe we can’t find proper instructions with Google. I just searched on port forwarding Telstra router and got a number of hits, but would need to know your router make/model.

I didn’t miss the joke, I was adding to it (hence the shielded comment) :smile:

1 Like

So I missed the joke then! :flushed:

1 Like

Go back to your original setup where you had it working on :8123.
Then instead of setting up 443 to 8123 forwarding, use 8123 as the start and end values, then connect using the Dynamic DNS URL you set up and specify the port at the end: jbcigears.duckdns.org:8123.

The only reason the article has you forward 443 to 8123 is so you don’t have to put :8123 at the end of the URL when you are trying to access it from your phone remotely.

4 Likes

^what he said.

Obvious when somebody actually says it!

Thank you all, and the problem is solved!
So, I hope this benefits anyone with a router where the port forwarding is limited, and thanks again for all of you that helped. I’ll try and be as precise as I can with what I found to have worked.
Let’s assume you are following the instructions here and you get stuck on step 5. It asks you to set up a port forwarding rule on a router with limited rule creation capabilities.

For router Netgear CG3100D-2, instead of what the instructions tell you in step 5, create rule as follows:

name: ha_ssl
start 443
end 8123
protocol both
192.168.0.### (the static IP address you set up in previous steps)

The other rule that should already be set up is:

name: ha_letsencrypt
start 80
end 80
protocol both
192.168.0.### (the static IP address you set up in previous steps)

The configuration file should read:

http:
  api_password: obviouslyimnotgoingtotellyou
  ssl_certificate: /private/etc/letsencrypt/live/examplehome.duckdns.org/fullchain.pem
  ssl_key: /private/etc/letsencrypt/live/examplehome.duckdns.org/privkey.pem
  base_url: examplehome.duckdns.org:8123

obviously replacing the above password and duckdns items “examplehome”.

When logging in remotely and locally, I then found that I could access HA via:

https://examplehome.duckdns.org:8123/

I would also add that I found that app dDNS Broker very helpful for keeping duckdns up to date, even though it costs $4, it’s easy to set up and run on a Mac. Secondly I installed https://brew.sh to help in step 4 with the commands used to download the certificate, using the instructions here.

Certificate renewal is easiest on a Mac IMHO by using the command

sudo certbot certonly --standalone -n -d examplehome.duckdns.org -d www.examplehome.duckdns.org

but I’m trying to figure out the best way of setting that up as I’ve just discovered that crontab no longer works :frowning:

Thanks again everyone, and I hope this helps someone else in the future.
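An added example, not part of the original post: assuming the router treats start and end as an inclusive range (as the 80-to-80 rule suggests), the ha_ssl rule forwards every TCP port from 443 to 8123 to the Home Assistant machine, not just 8123. This Python sketch lists which listeners on that machine fall inside the range; a `*` address is a wildcard bind (the 0.0.0.0 seen in the earlier error), the `lsof` sample lines are constructed, and the function names are hypothetical.

```python
import re
import subprocess

# Range opened by the ha_ssl rule in the post above (start 443, end 8123).
FORWARD_START, FORWARD_END = 443, 8123
LOOPBACK = {"127.0.0.1", "localhost", "[::1]"}

# Constructed sample of `lsof -nP -iTCP -sTCP:LISTEN` output, not from the thread.
SAMPLE = """\
COMMAND   PID USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
python3   812 john   10u  IPv4 0x1a2b      0t0  TCP *:8123 (LISTEN)
smbd      301 root    4u  IPv4 0x1a2c      0t0  TCP *:445 (LISTEN)
vnc       355 root    5u  IPv4 0x1a2d      0t0  TCP *:5900 (LISTEN)
cupsd     120 root    6u  IPv4 0x1a2e      0t0  TCP 127.0.0.1:631 (LISTEN)
sshd      101 root    3u  IPv4 0x1a2f      0t0  TCP *:22 (LISTEN)
"""

LISTEN_RE = re.compile(r"^(\S+)\s+\d+\s.*\sTCP\s+(\S+):(\d+)\s+\(LISTEN\)\s*$")


def exposed_listeners(lsof_text, start=FORWARD_START, end=FORWARD_END):
    """Return sorted (port, command, address) for listeners the rule can reach."""
    found = set()
    for line in lsof_text.splitlines():
        m = LISTEN_RE.match(line)
        if not m:
            continue  # header line or a non-listening socket
        command, address, port = m.group(1), m.group(2), int(m.group(3))
        # Loopback-only sockets cannot be reached through a LAN-side forward.
        if address in LOOPBACK or not start <= port <= end:
            continue
        found.add((port, command, address))
    return sorted(found)


def live_listeners():
    """Audit the real listeners on this machine (needs lsof; macOS or Linux)."""
    out = subprocess.run(["lsof", "-nP", "-iTCP", "-sTCP:LISTEN"],
                         capture_output=True, text=True, check=False).stdout
    return exposed_listeners(out)


if __name__ == "__main__":
    # Swap in live_listeners() to check the actual Home Assistant host.
    for port, command, address in exposed_listeners(SAMPLE):
        print(f"{port}\t{command}\t{address}")
```

With the constructed sample, a rule narrowed to start 8123 and end 8123 leaves only the Home Assistant listener reachable.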

You can set a HA automation to renew the certificate, it’s in the guide :thumbsup:

AH! I thought that was it!!

1 Like

I tried that alas but the Mac syntax no longer wants to play.
So I’ve got up to step 7, but now I’m stuck.

$ sudo apt-get update
$ sudo apt-get install ssl-cert-check

returns “command not found”

It’s late and I need some sleep. One day I’ll buy a Raspberry Pi and dive in there because I suspect most of these instructions are written for that system.

and adding :8123 to the base_url

1 Like

And that’s something I am going to try on my set up. I want to see if it breaks anything.

In the note below those commands is the location where the script for ssl-cert-check can be found. I can’t help with how you would then use that script on a Mac, but I’m sure somebody can point you in the right direction.

Hope this helps.

1 Like
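An added example, not from the thread or the guide: where `apt-get` and `ssl-cert-check` are unavailable, as on the Mac above, the same expiry check can be done with Python's standard library against the running Home Assistant port. The host name is the thread's `examplehome.duckdns.org` placeholder, and the 30-day warning window and function names are assumptions.

```python
import socket
import ssl
import sys
import time


def days_left(not_after, now=None):
    """Whole days until a certificate's notAfter time (negative once expired)."""
    now = time.time() if now is None else now
    return int((ssl.cert_time_to_seconds(not_after) - now) // 86400)


def classify(not_after, warn_days=30, now=None):
    """Return (status, days): 'ok', 'renew' inside the window, or 'expired'."""
    days = days_left(not_after, now)
    if days < 0:
        return "expired", days
    return ("renew" if days < warn_days else "ok"), days


def fetch_not_after(host, port=8123, timeout=5.0):
    """Read notAfter from the certificate the server presents.

    Verification stays on, so an expired or mismatched certificate raises
    ssl.SSLCertVerificationError instead of returning a date.
    """
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()["notAfter"]


if __name__ == "__main__":
    # Usage: python3 cert_days.py examplehome.duckdns.org 8123
    if len(sys.argv) < 2:
        sys.exit("usage: cert_days.py HOST [PORT]")
    host = sys.argv[1]
    port = int(sys.argv[2]) if len(sys.argv) > 2 else 8123
    try:
        status, days = classify(fetch_not_after(host, port))
    except ssl.SSLCertVerificationError as exc:
        print(f"{host}:{port} certificate rejected: {exc.verify_message}")
        sys.exit(2)
    print(f"{host}:{port} {status}, {days} days left")
    sys.exit(0 if status == "ok" else 1)
```

The exit status (0 ok, 1 renew or expired, 2 rejected) lets a scheduled job decide whether to run the `certbot` command.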

thank you. I’ll hunt around tomorrow.