Remote Access using a FritzBox & the AVM myFritz DDNS Service

Hey,

first of all I want to mention that I am not that knowledgeable with all of the port forwarding etc. Therefore I tried to follow the instructions but got stuck in step V.2.
My problem is, that I seem to not be able to add the myFritz domain to the settings, since it claims that the settings are done in the configuration.yaml.
(Displayed message: “Editor deaktiviert, da die Konfiguration in configuration.yaml gespeichert ist.”)

I had a look at the configuration file but at least in my opinion there is nothing that should conflict with the external access settings? Only settings I had in there were the proposed ones in V.1?

Do you have any idea what might cause this issue?

Greetings
Jan

Hi Jan,
my network configuration looks like this. Of course you have to replace xxxxxxxxxx with your host ID. If this does not help you to solve this problem then please post the content of your configuration.yaml file. And yes, you need to add the lines from V.1 into your config file. Make sure the indentations are exactly as shown.

Hey @starob,

thanks for your help. This window is exactly where it says that it is configured by configuration.yaml.

This is the current content of the file:

homeassistant: 
  name: Home 
  #latitude: xx.xxxx
  #longitude: xx.xxxx 
  unit_system: metric
  time_zone: Europe/Berlin
  packages: !include_dir_named packages
  
  
#For external access via Fritz DDNS service
#see: https://community.home-assistant.io/t/remote-access-using-a-fritzbox-the-avm-myfritz-ddns-service/611990
http:
  use_x_forwarded_for: true
  trusted_proxies: 
    - 172.30.33.0/24
  ip_ban_enabled: true
  login_attempts_threshold: 5
  
#logger:
#  default: info
#  logs:  
#    homeassistant.components.zha: debug
#    zigpy: debug

# Loads default set of integrations. Do not remove.
default_config:

# Load frontend themes from the themes folder
frontend:
  themes: !include_dir_merge_named themes
 
panel_custom:
  - name: ha_integ
    sidebar_title: Integrations
    sidebar_icon: mdi:chip
    js_url: /api/hassio/app/entrypoint.js
    url_path: 'config/integrations'
    embed_iframe: true
    require_admin: true
    config:
      ingress: core_configurator  
  - name: ha_auto
    sidebar_title: Automations
    sidebar_icon: mdi:cog-outline
    js_url: /api/hassio/app/entrypoint.js
    url_path: 'config/automation'
    embed_iframe: true
    require_admin: true
    config:
      ingress: core_configurator  
  - name: ha_file_editor
    sidebar_title: File Editor
    sidebar_icon: mdi:file
    js_url: /api/hassio/app/entrypoint.js
    url_path: 'hassio/ingress/core_configurator'
    embed_iframe: true
    require_admin: true
    config:
      ingress: core_configurator   
  - name: ha_esphome
    sidebar_title: ESPHome
    sidebar_icon: mdi:car-esp
    js_url: /api/hassio/app/entrypoint.js
    url_path: 'hassio/ingress/5c53de3b_esphome'
    embed_iframe: true
    require_admin: true
    config:
      ingress: core_configurator   
  - name: ha_addons
    sidebar_title: Addons
    sidebar_icon: mdi:plus
    js_url: /api/hassio/app/entrypoint.js
    url_path: 'hassio/dashboard'
    embed_iframe: true
    require_admin: true
    config:
      ingress: core_configurator 


# Text to speech
tts:
  - platform: google_translate
  
#Rest_commands
rest_command:
    example_request:
        url: "http://example.com/"
        
    luigi_dock:
        url: "http://192.168.188.72/Dock?"
        
    luigi_clean:
        url: "http://192.168.188.72/Clean?"
        
    music_on_rest:
        url: "http://192.168.188.24/SocketAOn"
        
    music_off_rest:
        url: "http://192.168.188.24/SocketAOff"
        
    tv_on_rest:
        url: "http://192.168.188.24/SocketBOn"
        
    tv_off_rest:
        url: "http://192.168.188.24/SocketBOff"
        
    screens_on_rest:
        url: "http://192.168.188.24/SocketCOn"
        
    screens_off_rest:
        url: "http://192.168.188.24/SocketCOff"
        
    hdmi_splitter_on_rest:
        url: "http://192.168.188.24/SocketDOn"
        
    hdmi_splitter_off_rest:
        url: "http://192.168.188.24/SocketDOff"
        
    socket_a2_on_rest:
        url: "http://192.168.188.24/SocketA2On"
        
    socket_a2_off_rest:
        url: "http://192.168.188.24/SocketA2Off"
        
    socket_b2_on_rest:
        url: "http://192.168.188.24/SocketB2On"
        
    socket_b2_off_rest:
        url: "http://192.168.188.24/SocketB2Off"
        
    printer_on_rest:
        url: "http://192.168.188.24/SocketC2On"
        
    printer_off_rest:
        url: "http://192.168.188.24/SocketC2Off"
        
    socket_d2_on_rest:
        url: "http://192.168.188.24/SocketD2On"
        
    socket_d2_off_rest:
        url: "http://192.168.188.24/SocketD2Off"
        

device_tracker:
  - platform: ping
    hosts:
      ping_a40_jan: 192.168.188.21
      ping_iphone_salo: 192.168.188.23

spotcast:
  sp_dc: !secret sp_dc
  sp_key: !secret sp_key
  country: SE #optional, added in 3.6.24
  
  
#Additional Helper-Variables, that are NOT switchable in the UI
var:
  salo_long_gone:
    friendly_name: 'Salo_away'
    initial_value: false
    icon: mdi:bug
  jan_long_gone:
    friendly_name: 'Jan_away'
    initial_value: false
    icon: mdi:bug
    
#Additional Helper-Variables, that ARE switchable in the UI
input_boolean:
  #Disable some automations when guests are staying over for the night
  guest_sleepover_mode:
    name: Guest Sleepover Mode
    icon: mdi:party-popper
    initial: off
    
  #Change some automations when we are both on holidays
  holiday_mode:
    name: Holiday Mode
    icon: mdi:airplane
    initial: off
    
  #Try to find out if somebody was in the bathroom
  bathroom_occupied:
    name: Bathroom occupied
    icon: mdi:toilet
    initial: off
    
  #See If the window message has already been sent
  window_open_message_cooldown:
    name: Window Message Cooldown
    icon: mdi:curtain
    initial: off
    
  #Luigi has not cleaned for x days
  luigi_cleaning_overdue:
    name: Luigi Cleaning Overdue
    icon: mdi:robot-vacuum
    initial: off
    
  #Shutters of Window kitchen east wants to close
  shutters_kitchen_east_closing:
    name: Shutters Kitchen East closing
    icon: mdi:window-shutter-alert
    initial: off
    
  #Shutters of Window kitchen south wants to close 
  shutters_kitchen_south_closing:
    name: Shutters Kitchen South closing
    icon: mdi:window-shutter-alert
    initial: off
    
  #Shutters of Window living room wants to close
  shutters_livingroom_closing:
    name: Shutters Livingroom closing
    icon: mdi:window-shutter-alert
    initial: off
    
  #Shutters of Window bedroom wants to close
  shutters_bedroom_closing:
    name: Shutters Bedroom closing
    icon: mdi:window-shutter-alert
    initial: off
    
    
# This gets the max temp of the day
#sensor:
#  - platform: template
#      max_temp_today:
#        value_template: >
#          {% set tomorrow = (as_timestamp(now().date() + timedelta(days=1)) | timestamp_utc).replace(' ', 'T') ~ '+00:00' %}
#          {% set today = state_attr('weather.home_hourly', 'forecast')| selectattr('datetime', 'lt', tomorrow) | map(attribute='temperature') | list %}
#          {{ today | max }}
#        unit_of_measurement: "°C"
#        friendly_name: "Max Temp Today"

    
#THERMOSTAT GROUPS
climate:
  - platform: climate_group
    name: 'Thermostate Wohnküche'
    temperature_unit: C  # default to celsius, 'C' or 'F'
    entities:
    - climate.thermostat_kuche
    - climate.thermostat_wohnzimmer
  - platform: climate_group
    name: 'Thermostate Alle'
    temperature_unit: C  # default to celsius, 'C' or 'F'
    entities:
    - climate.thermostat_kuche
    - climate.thermostat_wohnzimmer
    - climate.thermostat_bad
    - climate.thermostat_arbeitszimmer
    - climate.thermostat_schlafzimmer
    
#Brightness sensor without external hardware
sensor:
  - platform: illuminance
    # Name of new sensor entity
    name: Home Outdoor Illuminance
    # Existing entity that provides current weather conditions
    #entity_id: weather.home
    #entity_id: weather.forecast_apf85_u
    entity_id: sensor.openweathermap_cloud_coverage

    
zha:
  zigpy_config:
    #TO UPDATE THE IKEA 5btnremote TO THE NEWEST VERSION!
    ota:
      #otau_directory: /config/zigpy_ota
      ikea_provider: true
      ikea_update_url: http://fw.ota.homesmart.ikea.net/feed/version_info.json
      inovelli_provider: false
      ledvance_provider: false
      salus_provider: false
      sonoff_provider: false
      thirdreality_provider: false
  #CUSTOM QUIRK TO MAKE THE NEW CHANGES OF IKEA 5btnremote WITH VERSION 24.4.5 WORKING!!!
  #Custom quirk was released end of January 2023 - as of march first 2023 not yet integrated - might delete later??
  #Test for this: test if the automations with left and right of 5btnremote is working or not...
  custom_quirks_path: /config/zha_new_quirks/ 
  #EDIT 24.10.2023 --> Added another quirk file for the tuya thermostats

automation: !include automations.yaml
script: !include scripts.yaml
scene: !include scenes.yaml

Do you find anything that I would need to have commented out?

Jan

I don’t see anything that might cause this. But you have packages configured:

Maybe some of those are causing this. Can you check those for potential problems?

Hey,

just for tests I commented out the line with the packages. But the message still remains. What exactly am I looking for that might overwrite the UI-control? I mean what yaml-command? Maybe I can search for those in particular.

This might help you: https://community.home-assistant.io/t/network-grayed/435665

I’m having problems with setting up nginx.

I made everything like you said until you had written this:
“2. Add your myFritz domain to the Home Assistant URL in Setup → System → Network”

How? For me “Remote Access” is disabled… How am I able to put the domain inside this settings?

You have to enable “Advanced Mode” in your user profile to see this.


Thank you! Now I can insert the domain.

Problem now is, when I try to access the https[…] url, it tells me, that “Diese Website kann keine sichere Verbindung bereitstellen[…]”. What now? I had run the cert-bot, the following is the log of it:

s6-rc: info: service s6rc-oneshot-runner: starting
s6-rc: info: service s6rc-oneshot-runner successfully started
s6-rc: info: service fix-attrs: starting
s6-rc: info: service fix-attrs successfully started
s6-rc: info: service legacy-cont-init: starting
cont-init: info: running /etc/cont-init.d/file-structure.sh
cont-init: info: /etc/cont-init.d/file-structure.sh exited 0
s6-rc: info: service legacy-cont-init successfully started
s6-rc: info: service legacy-services: starting
services-up: info: copying legacy longrun lets-encrypt (no readiness notification)
s6-rc: info: service legacy-services successfully started
[02:06:12] INFO: Selected http verification
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Requesting a certificate for xxx.myfritz.net

Successfully received certificate.
Certificate is saved at: /data/letsencrypt/live/xxx.myfritz.net/fullchain.pem
Key is saved at:         /data/letsencrypt/live/xxx.myfritz.net/privkey.pem
This certificate expires on 2024-03-25.
These files will be updated when the certificate renews.
NEXT STEPS:
- The certificate will need to be renewed before it expires. Certbot can automatically renew the certificate in the background, but you may need to take steps to enable that functionality. See https://certbot.org/renewal-setup for instructions.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
If you like Certbot, please consider supporting our work by:
 * Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
 * Donating to EFF:                    https://eff.org/donate-le
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
s6-rc: info: service legacy-services: stopping
s6-rc: info: service legacy-services successfully stopped
s6-rc: info: service legacy-cont-init: stopping
s6-rc: info: service legacy-cont-init successfully stopped
s6-rc: info: service fix-attrs: stopping
s6-rc: info: service fix-attrs successfully stopped
s6-rc: info: service s6rc-oneshot-runner: stopping
s6-rc: info: service s6rc-oneshot-runner successfully stopped

I don’t quite understand that we need to choose “http” at the “Challenge”-Configuration. How are we able to access it via https?

Did you configure port forwarding in your router? Which https URL do you use? Certbot is not included (and not required) in my setup. What are you doing differently?

Did you configure port forwarding in your router?

Yes, I did. Have a look:

Which https URL do you use?

I use an automatically provided link from AVM. Something like “xxxxxxxxx.myfritz.net” for example, with the addition of the port: xxxxxxxx.myfritz.net:8123
With the port-forwarding it should forward me to the nginx-server, I guess, but there only comes this error:

400 Bad Request
The plain HTTP request was sent to HTTPS port
nginx

Even if I try to put “https://” before the url, it gives me an error, but a different one:

Die Website ist nicht erreichbar
Die Webseite unter https://home-assistant.dns.navy:8123/ ist eventuell vorübergehend nicht verfügbar oder wurde dauerhaft an eine neue Webadresse verschoben.

ERR_SSL_UNRECOGNIZED_NAME_ALERT

Certbot is not included (and not required) in my setup. What are you doing differently?

I am doing nothing differently, that’s the problem I’m having lol

I managed to make HA reachable from the outside, but with no certificate/ssl.
So when I change the port-forwarding from 443 (internal, the port of nginx) to 8123 (internal, the port of HA itself), then I can reach it, but without a trusted connection.


I’m writing this while writing this answer, so I did recognize my fault while complaining lol:
I use 2 different DNS-Services. I made a fault while trying to reach HA, because I used the different DNS address (from DynV6), which (of course) wasn’t ssl-secured (I couldn’t even get to the HA-interface).
After I tried reaching HA via the myfritz address (with “https://” in front of it), I could login and use HA (with an ssl-secured connection, recognizable from the “lock”-symbol on the top left of the browser, beside the link.)

Thank you, although I managed to find the solution to my problem myself xD

I have an issue renewing the certificate:

[07:42:38] INFO: Selected http verification
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Renewing an existing certificate for xxxyyyzzz.myfritz.net

Certbot failed to authenticate some domains (authenticator: standalone). The Certificate Authority reported these problems:
  Domain: 0vo3t2bvbdpigvq6.myfritz.net
  Type:   connection
  Detail: 91.63.188.168: Fetching http://xxxyyyzzz.myfritz.net/.well-known/acme-challenge/Dg1D6vjiMP0RpOEEjWZIibvaj1kqobvVOXbpgybW4mY: Connection refused

Hint: The Certificate Authority failed to download the challenge files from the temporary standalone webserver started by Certbot on port 80. Ensure that the listed domains point to this machine and that it can accept inbound connections from the internet.

Some challenges have failed.
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.

What can I try here?

EDIT: I found my mistake.

I had the port forwarding incorrect. It should be like this:

Now it is working as expected!

Yes, this is step II.4

I was looking into remotely connecting my HA with my Fritz!box but I found a much quicker solution. I just added the VPN to a user in my Fritz!box by going to System - FRITZ!Box Users - Add user with VPN or add VPN to an existing user. Then you copy the VPN Data right next to it from Show VPN Settings to your mobile phone.

I tried using the MyFritz!App but I kept getting errors when I tried connecting to the internet so I manually added the VPN to my phone via Settings - Connections - More connections - VPN. If anyone wants to use this, also check on your Fritz!box that VPN is enabled at Internet - Permit Access - VPN (IPSec); your newly added user should be ticked off under enabled.

PS: If you use this you don’t need to configure port forwarding.

I know this isn’t what you were looking for because you didn’t want to use VPN but I find this much easier than using wireguard or following all your steps. Just wanted to share this info for other less advanced users like me :slight_smile:

I know this but this thread is NOT about using VPN.

Just wanted to give some feedback to my problem with the greyed out UI-control.

I did not find a solution to enable the UI-control again, that is why I decided to simply write the external myFritz domain into the configuration.yml like this:

homeassistant: 

  external_url: "https://xxxxxxxxxxxxxxxx.myfritz.net:8123"

With this setup, everything works as expected :slight_smile:

I tried to follow your steps but now I can’t login to home assistant anymore and I see an Nginx failure via my Rpi.

In step V, do I need to replace the IP 172.30.33.0/24 with 192.168.178.0/24? (Because my router is IP 192.168.178.1 and my HA is IP 192.168.178.60, because I think that’s the problem.)

No, use the IP exactly as shown. These are the IPs used by HA docker containers.

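For the trusted_proxies question above, an added example (not from the thread and not Home Assistant's own code): a simplified model of how a backend behind a reverse proxy decides which address a request came from, and which address the login ban then counts against. The proxy container address 172.30.33.2 and the client address 203.0.113.7 are constructed; the subnet and threshold are the values from the configuration.yaml posted earlier.

```python
import ipaddress
from collections import Counter

TRUSTED_PROXIES = ["172.30.33.0/24"]   # from the thread's configuration.yaml
LOGIN_ATTEMPTS_THRESHOLD = 5           # from the thread's configuration.yaml


def resolve_client(peer_ip, xff, trusted_proxies=TRUSTED_PROXIES):
    """Simplified model: return ("ok", client_ip) or ("reject", reason).

    peer_ip is the TCP peer the backend sees (the proxy container when the
    request came through nginx); xff is the X-Forwarded-For value or None.
    """
    nets = [ipaddress.ip_network(n) for n in trusted_proxies]

    def trusted(ip):
        return any(ip in n for n in nets)

    peer = ipaddress.ip_address(peer_ip)
    if xff is None:                      # direct connection, nothing to resolve
        return ("ok", str(peer))
    if not trusted(peer):                # header from a peer we do not trust
        return ("reject", f"X-Forwarded-For from untrusted peer {peer}")
    try:
        hops = [ipaddress.ip_address(h.strip()) for h in xff.split(",")]
    except ValueError:
        return ("reject", "malformed X-Forwarded-For")
    # Walk right to left, skipping our own proxies; first other hop is the client.
    for hop in reversed(hops):
        if not trusted(hop):
            return ("ok", str(hop))
    return ("ok", str(hops[0]))


def banned_ips(failed_logins, trusted_proxies=TRUSTED_PROXIES,
               threshold=LOGIN_ATTEMPTS_THRESHOLD):
    """Count failed logins per resolved client and return the banned set."""
    counts = Counter()
    for peer_ip, xff in failed_logins:
        status, client = resolve_client(peer_ip, xff, trusted_proxies)
        if status == "ok":
            counts[client] += 1
    return {ip for ip, n in counts.items() if n >= threshold}


# Constructed sample: five failed logins from one internet host (documentation
# range 203.0.113.0/24) arriving via a proxy container at 172.30.33.2 (assumed).
SAMPLE = [("172.30.33.2", "203.0.113.7")] * 5

if __name__ == "__main__":
    print(resolve_client("172.30.33.2", "203.0.113.7"))
    print(resolve_client("172.30.33.2", "203.0.113.7", ["192.168.178.0/24"]))
    print(banned_ips(SAMPLE))
```

In this model, putting the LAN subnet into trusted_proxies makes the proxy's forwarded header untrusted, so every proxied request is rejected; with the container subnet, the ban counts against the external client rather than the proxy.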

Thanks for the instructions, remote access is working fine with myfritz. Only thing I couldn’t get to work is the alexa skill. When I try to activate the skill and fill in my username and password it says “Konto konnte nicht mit alexa verknüpft werden”.
Is the skill working for you?

Are you using the Nabu Casa Cloud?