Remote access HA behind CGNAT without reverse proxy, using IPv6 only

Hi

Here is a story of what I did to gain remote access to my HA behind a CGNAT without a reverse proxy. Hopefully it teaches someone something :smiley: and maybe it will be useful for future reference!

Reason:
I have been testing a 5G home modem (Vodafone Australia) and one of the issues I faced was CGNAT, which made accessing my HA remotely not possible, as you simply can’t port forward.

What everyone is using:
One way around this issue was to use a reverse proxy, which I just decided to avoid (no idea why!) and see if it is possible to utilise the benefits of the IPv6 that the home 5G provides.

Using IPv6 with DuckDNS
As soon as I allowed the HA port in the router firewall it was accessible using the IP, e.g. https://[sample:IP:version:six]:8123
Now this was cool, so I decided to make the DuckDNS add-on configuration update my IPv6, which was not clear, but I found out the plugin can’t do that automatically. However, if you enter a URL of a service that returns the IPv6 address, the add-on will fetch and use the address, so using https://api6.ipify.org/ will update your IPv6 inside DuckDNS.
I’m not sure this actually works :smiley: but it is in the documents.
However, I found this: GitHub - lfhohmann/ha-duckdns_ipv4_ipv6: A Home Assistant custom component to update both IPV4 and IPV6 addresses on DuckDNS, which seems to target this very issue.

Now that I got my DuckDNS working I thought that’s it, but testing from my mobile I wasn’t able to access it! I checked that the address and the port are accessible and confirmed all working using http://www.ipv6scanner.com

Then I found out that my mobile provider (also Vodafone!) doesn’t provide IPv6 through the mobile, and in order to access an IPv6-only address/DNS you need IPv6.
Use https://test-ipv6.com/ to test your provider

Not all providers offer IPv6
Back to square one. I looked into possible solutions and found a couple. One, from netiter, is very simple: use the address at http://v4-frontend.netiter.com/ as your IPv4 (A record DNS) and it will automatically repackage your header as an IPv6 (based on my understanding) and take you to your IPv6 AAAA record.
While this works, it will require having a domain name (or a sub) so you can define the A and AAAA records; also you need a way to update the IPv6 when it changes.

So this led me to look at Cloudflare, since we already have an integration to update the address, and I found they do provide a similar service under the name Cloudflare Seamless IPv6 Gateway.

So I decided to give it a go:

  1. Added a domain I have to Cloudflare
  2. Added a subdomain inside Cloudflare with an AAAA record with my HA address
  3. Enabled the IPv6 Gateway from the domain network section
  4. Got the token from Cloudflare
  5. Configured the Cloudflare integration to get the IP updated
  6. Then I noticed our integration doesn’t list the AAAA record as an option!
    Yes, IPv6 isn’t supported again!

There is a Cloudflare add-on to update IP, but I haven’t tried this: GitHub - davidramosweb/hassio-addons: More add-ons for your Hass.io.

Conclusion:

  • Accessing HA with IPv6 is possible and easy, no need to worry about port forwarding, NAT or CGNAT
  • Accessing an IPv6-only machine from an IPv4 doesn’t work out of the box! (I think the ISP should sort this) but there are ways around it (including using an IPv6 tunnel service like https://tunnelbroker.net, which I didn’t try so it’s not mentioned above)
  • HA DNS integrations/add-ons support for IPv6 is still bad/immature

I learnt a lot about IPv6 through this and want to share it. Hopefully, when I’m back to 5G the situation is better, as I decided to not continue with this path yet.

3 Likes
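
For the DuckDNS step described in the post above, an added example (not part of the original post and not the DuckDNS add-on's code) that checks an IPv6 echo-service answer before it is published as the AAAA record and keeps the token out of logs. The subdomain `myha`, the token and the sample addresses are constructed placeholders; the request uses DuckDNS's `domains`, `token` and `ipv6` update parameters.

```python
# Added example, not from the original post: validate an IPv6 echo-service
# answer before publishing it as the DuckDNS AAAA record.
import ipaddress
from urllib.parse import urlencode

DUCKDNS_UPDATE = "https://www.duckdns.org/update"


def parse_public_ipv6(echo_body: str) -> ipaddress.IPv6Address:
    """Return the address only if it is a globally routable IPv6 address."""
    addr = ipaddress.ip_address(echo_body.strip())  # ValueError on junk/HTML
    if addr.version != 6:
        raise ValueError(f"{addr} is IPv4: the echo service was reached over v4")
    if not addr.is_global:
        # link-local (fe80::/10), ULA (fc00::/7), loopback, documentation ranges
        raise ValueError(f"{addr} is not globally routable; do not publish it")
    return addr


def duckdns_update_url(subdomain: str, token: str, addr: ipaddress.IPv6Address) -> str:
    """Build the DuckDNS update request that sets only the AAAA record."""
    query = urlencode({"domains": subdomain, "token": token, "ipv6": addr.compressed})
    return f"{DUCKDNS_UPDATE}?{query}"


def redact(url: str, token: str) -> str:
    """Hide the account token before the URL is written to a log."""
    return url.replace(token, "<token>")


def plan_update(echo_body, current_aaaa, subdomain, token):
    """Return the update URL, or None when the published record is already right."""
    addr = parse_public_ipv6(echo_body)
    if current_aaaa and ipaddress.ip_address(current_aaaa) == addr:
        return None
    return duckdns_update_url(subdomain, token, addr)


if __name__ == "__main__":
    # Constructed sample values: hypothetical subdomain, token and addresses.
    samples = ["2400:1234:5678:9abc::10\n", "fe80::1", "fd12:3456::1", "203.0.113.7"]
    for body in samples:
        try:
            url = plan_update(body, None, "myha", "SAMPLE-TOKEN")
            print("update:", redact(url, "SAMPLE-TOKEN"))
        except ValueError as exc:
            print("skip:", exc)
```

The URL returned by `plan_update` still has to be fetched by whatever scheduler runs the check; only the redacted form should reach logs.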

Very solid post! Thank you so much :slight_smile:

1 Like