Remote access - single URL setting: router with no NAT loopback, no DNS server customization

In that case, you might want to edit / update / clarify the 1st post of this thread, with all the supporting info about your LAN network, and with boundary conditions (no cost solution, etc.)
The setup screen from your companion app would be key also. Do not omit any detail - otherwise the forum would have to guess and thus might not be helpful.

====
… or maybe… is it just me not understanding these sentences…?

I was able to understand quickly, but I’m not sure if I have been lingering around too much or it was just clear :slight_smile:

Sorry for the delay.

I tried to summarize my network details as much as I can in the following picture (I omitted some devices on purpose for the sake of clarity).

Companion app on my Android phone is configured with Home Assistant URL set to my DuckDns address (https://_________.duckdns.org:8123/).

To reiterate my problem, when my phone is connected to my home WiFi network, Home Assistant Companion can’t connect to Home Assistant and displays the error message “can’t connect to Home Assistant”.

In order to solve this problem, I’m looking for a free solution and won’t mind reconfiguring my network, tweaking Home Assistant or both.

A reverse proxy is the simplest, and free, solution - if you’re using HAOS then the NGINX add-on is what you need.

It could be a quick config change. Like I said, the screenshot (which is still missing) of the setup screen in your Companion app is key. The information below is not enough.

Now,
If you use this address http://192.168.11.4:8123 from the browser of your PC, would you be able to connect to the HA? (Attention: use http, not https)
If you use the same address from the browser of your phone, when it is connected to your home wifi, would you be able to connect to HA?

If yes to both.
Grant location permission to your Companion app. Go into your Companion app, open the setup screen, plug in your Home Network WiFi SSID, and use http://192.168.11.4:8123 as your Internal Connection URL… and maybe play with the Prioritize Internal URL switch and see what works better.

If this works, then you don’t need AdGuard nor Dnsmasq, you don’t need nginx or any reverse proxy, and you don’t need to change your remote access setup (which is already working).

=== may or may not be related ===

  1. You might want to change the DNS on your HAOS to 1.1.1.1 or 8.8.8.8.
  2. What are the primary and secondary DNS, when you set up your DHCP server on your router? Or does your router only give you the option to enable / disable DHCP plus IP range? Note that, depending on your router, this DNS setup under DHCP may not be the same as what your router would be using, which is your ISP Gateway.
  3. What exactly is/are the DNS server(s), that your PC obtains automatically?

My bad, as it is the only setting I changed I thought it would be enough.
Here is a capture of Companion settings (sorry, it’s all in Japanese).

I did the following test:

  • from my computer
    http://192.168.11.4:8123 : no access (ERR_EMPTY_RESPONSE)
    https://_________.duckdns.org:8123/ : no access (ERR_CONNECTION_REFUSED)
  • from my phone using the internet browser (when connected to my home WiFi network)
    https://192.168.11.4:8123 : access
    http://192.168.11.4:8123 : no access (ERR_EMPTY_RESPONSE)
    https://_________.duckdns.org:8123/ : no access (ERR_CONNECTION_REFUSED)
  1. By default, the router LAN IP address, but it seems they can be manually configured.

  2. 192.168.11.1

I happen to know a little bit of Japanese :slight_smile:

This works? That’s good news. I do not know how you handle certificate from inside your LAN, but if this works, then:
(a) plug in your home wifi SSID into this Home Network WiFi SSID
(b) use https://192.168.11.4:8123/ in the next field, the 内部接続のURL
(c) disable AdGuard and DNSmasq (at least for now) and don’t touch the DNS settings under DHCP just yet.
(d) test around. test the switch of 内部URLを優先 and see which works better.

What were the odds I’d encounter someone who also understands Japanese on my first post! :open_mouth:

I followed your instructions to the letter and … I’m sorry to report that it didn’t work.
I may have omitted important information in my previous reply :no_mouth:
I managed to access HA with my phone via https://192.168.11.4:8123 but after I ignored a certificate error message from Chrome.

Just a quick test first: use http instead of https in that 内部接続のURL field, and see if that works.

If that wouldn’t work either, I see 2 routes going forward:

  1. Figure out why http would not work. By default HAOS should allow http, at least from your home LAN (anyone with 192.168.11.xxx), so something else is going on. Is that a setting in your router? gateway? HAOS? I unfortunately do not know where to start on this one.
  2. Try AdGuard Home
    2a) First we set up AdGuard Home, likely from that community add-on, in your HA box (RPi) - following the documents of that add-on.
    2b) Then we add a rule, to rewrite the yourname.duckdns.org with a local IP 192.168.11.4
    2c) Then we configure and enable DHCP in your AdGuard Home, at the same time we point these on your router to 192.168.11.4
    (save, restart, reboot, verify, etc., so that AdGuard would be active, and your wifi clients are getting DNS server instructions pointing to AdGuard Home @ 192.168.11.4, and blocking ads for your lan.)
    2d) Use the nslookup command from your PC, to verify that it would indeed resolve yourname.duckdns.org to 192.168.11.4
    2e) Clear both 内部接続のURL and Home Network WiFi SSID settings in your Companion app. And then save & test.

I guess route #1 would be easier, if we know where to start.

And maybe other members here in the forum have other ideas.

when you enable SSL in your home assistant, it only accepts https connections, and there are two options ahead;

when you move forward with nginx,

  • you set your router 443 port to nginx server and you use https://xyz.duckdns.org, which will redirect to nginx and then home assistant (over http)
  • you can use http://local.ip.address:8123
    in this option, as home assistant is not enabled with https, your mobile app would not fail to connect to any of these hosts. inside mobile app, you will set your internal URL and external URL, so depending on the SSID you are connected to, it will either try the internal URL (no https) or the external URL (https).

P.S.: I was a bit lost on the overall thread, so I just summarized; pardon me if this had been covered already.

Right. This :point_up: would work also. Thanks fuakakgun.

@misterobotique - All else being equal, this is likely the same or less amount of work, compared to route #2. I’d start with the NGINX Home Assistant SSL proxy add-on, along with your existing Duck DNS.

1 Like

@Tinkerer, @anon63427907, @k8gg thank you very much for your help.
Installing the add-on NGINX Home Assistant SSL proxy solved my problem.

For users with a similar problem, here is what I did:

  • installed the add-on NGINX Home Assistant SSL proxy
  • following the documentation
    1. I verified I have a /ssl directory on my HA machine and that it contains both my fullchain.pem and privkey.pem
    2. I commented out both ssl_certificate and ssl_key lines in the configuration.yaml
    3. in the same configuration.yaml, in the http section I added
        use_x_forwarded_for: true
        trusted_proxies:
          - 172.30.33.0/24
      
  • in the Configuration tab, under Options I replaced home.example.com by my DuckDns address
  • I configured my Wifi router to direct port 443 traffic to port 443 of my HA machine
  • I restarted my router and Home Assistant
  • accessing HA via http://192.168.11.4:8123, I started NGINX Home Assistant SSL proxy add-on and waited a few minutes until I could see “Running nginx…” in the log.
  • on my phone, I opened Home Assistant Companion and in settings:
    1. Home Assistant URL: https://_________.duckdns.org
    2. Added my WiFi router SSID
    3. Internal connection URL: http://192.168.11.4:8123/
2 Likes

Hello could you help me with the point:
“I configured my Wifi router to direct port 443 traffic to port 443 of my HA machine”

These are my settings now. What do I have to change?



Thanks in advance

Sorry for the late reply.
My port mapping settings on my router look like this:

  • external port 8123 (TCP) to port 8123 (TCP) of Home Assistant machine
  • external port 443 (TCP) to port 443 (TCP) of Home Assistant machine

Not being an expert, I would suggest trying my settings using the Port Mapping Settings functionality in your router.

Hi there

I am a little bit lost with these very long posts. At the end, did you change the DNS settings on your wifi router? Seems like you said it above, but you didn’t mention it here in your solution.

Same: what does the 172.30.33.0/24 relate to? Your address seems to be 192.168.X.X?

Sorry for the extremely late reply, I haven’t logged in for a while.

At the end, I didn’t change the DNS settings on my WiFi router.
Regarding 172.30.33.0/24, I don’t know. I just followed the documentation on how to use "NGINX Home Assistant SSL proxy" and it requires adding this to the configuration.yaml.

I also would be interested why 172.30.33.0/24. Is it necessary or just an example?

It’s the Docker IP range used by Home Assistant OS (or more accurately, the Supervisor).

If you’re using a proxy add-on then the IP it uses to connect to HA will (typically) be in that range.

1 Like

So it specifies the inner IP range within which NGINX and HA communicate and they bargain one of the IPs within the range?

Would it break, if I fully remove this setting?

Yes

HA won’t accept connections from the proxy if it isn’t a trusted IP.

1 Like
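
The trusted-proxy behaviour described in the last replies, as an added example that is not part of the thread and not Home Assistant's own code: a simplified Python model of how a server configured with `use_x_forwarded_for` and `trusted_proxies` decides whose address to believe. The add-on address 172.30.33.5, the LAN client 192.168.11.20, the client address 203.0.113.7 and the function name `resolve_client` are assumptions made for illustration.

```python
import ipaddress

# Range from the thread's configuration.yaml (Supervisor's Docker network).
TRUSTED_PROXIES = [ipaddress.ip_network("172.30.33.0/24")]


def resolve_client(peer_ip, x_forwarded_for, trusted=TRUSTED_PROXIES,
                   use_x_forwarded_for=True):
    """Return (http_status, client_ip) for one request.

    peer_ip: source address of the TCP connection.
    x_forwarded_for: raw header value, or None when the header is absent.
    Simplified model for illustration, not Home Assistant's implementation.
    """
    peer = ipaddress.ip_address(peer_ip)
    if x_forwarded_for is None:
        # Direct connection, e.g. the phone using the internal URL.
        return 200, peer
    if not use_x_forwarded_for:
        # Header present but reverse-proxy support is switched off.
        return 400, None
    if not any(peer in net for net in trusted):
        # Any client can send this header; believe it only from the proxy.
        return 400, None
    try:
        hops = [ipaddress.ip_address(h.strip())
                for h in x_forwarded_for.split(",")]
    except ValueError:
        return 400, None
    # Walk right to left: the first hop that is not a trusted proxy is the
    # real client. If every hop is trusted, fall back to the left-most one.
    for hop in reversed(hops):
        if not any(hop in net for net in trusted):
            return 200, hop
    return 200, hops[0]


# Constructed sample requests: (peer address, X-Forwarded-For header).
SAMPLES = {
    "via NGINX add-on": ("172.30.33.5", "203.0.113.7"),
    "direct on LAN": ("192.168.11.20", None),
    "LAN host sending the header itself": ("192.168.11.20", "127.0.0.1"),
}

if __name__ == "__main__":
    for name, (peer, xff) in SAMPLES.items():
        print(f"{name}: {resolve_client(peer, xff)}")
    # With trusted_proxies removed, the add-on's requests are refused.
    print(resolve_client("172.30.33.5", "203.0.113.7", trusted=[]))
```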