Reverse SSH Tunnel/Remote Access Help

Happy new year all! I have setup Home Assistant on my RPi3 and have it running internally, but my goal is to be able to remote access the frontend on my Pixel 3 from outside my network. The one rub is that my ISP is Verizon Wireless, which means my external IP is double NAT-ed so no go on port forwarding. I read this post (https://b3n.org/port-forwarding-verizon-wireless-nat/) and following it, I signed up for a free VPS with Google Cloud. I did the following to test:

a) Run the following on my Pi:

ssh -fNR 18123:localhost:22 vpsusername@vps-instance-ip-address

b) SSH from my Mac to the VPS, then from that console ran:

ssh -l pi-username -p 18123 localhost

Doing that, I was able to get to the console of my Pi, from my Mac on an external network, so I’m assuming the reverse SSH tunnel is working. This is where I’m stuck.

I assume I’m supposed to change the ssh command on my Pi from 22 to my Home Assistant port, right?

ssh -fNR 18123:localhost:8123 vpsusername@vps-instance-ip-address

When I do that and type the following in a browser on my Mac: VPS.IP.ADD.RESS:18123, I get a connection timeout error.

Can anyone help me out?

I was in a similar situation using AT&T as my home internet service and not being able to open ports for remote access. I ended up using this: https://webhookrelay.com/blog/2018/10/12/hassio-tls-tunnels-duckdns/

Thanks for the reply. I’d actually rather keep it free if at all possible and don’t mind learning things the hard way…I just feel stuck at this point. Worst comes to worst, I’ll pull the trigger on the webhookrelay.

I’m just using the free plan myself.

Well I feel like a doofus…

So I created an account and configured the add-on as per the instructions on the link you gave/the add-on itself, but when I type in the duckdns address with https it says “unexpectedly closed the connection”, and if I just use http it says “relay agent not connected or misconfigured”. I’m assuming you’re not using https because you have to have a paid plan for that. What do you do? Can you post your config?

{
  "key": "Your-Key-String-Here",
  "secret": "Your-Secret-String-Here",
  "forwarding": [
    {
      "bucket": "ha",
      "destination": "http://127.0.0.1:8123"
    }
  ],
  "tunnels": [
    {
      "name": "ha",
      "destination": "http://127.0.0.1:8123/",
      "protocol": "tls",
      "domain": "your-duckdns-domain"
    }
  ],
  "duck_dns": {
    "token": "your-duckdns-token",
    "accept_terms": true
  },
  "tunnels_enabled": true,
  "forwarding_enabled": false
}

Sorry, that’s not formatted correctly, but you should be able to use the settings.

Hm. That’s the settings I used and it doesn’t seem to be working. When I check the logs of the add-on I see this:

[✗] Your plan doesn’t include custom subdomains, set ‘subdomain’ for tunnel ‘ha’ to an empty string,
or upgrade your plan here: Webhook-Relay

Do you get the same things? Also, did you set up Let’s Encrypt or anything on your Home Assistant setup?

It’s been a while since I set it up, but I am pretty sure I had to set up the duckdns add-on and have it running when this started, and then turn it back off. I have a bunch of emails from the guy that made the add-on; give me a little bit to look through them and get back with ya.

One of the steps in a previous email said to…
Get the DuckDNS add-on and configure it.
Start it and wait until it provisions a certificate, then stop it.
Configure the Webhook Relay add-on.

Also, it says make sure your HA can work with HTTP (NOT HTTPS).

As a last resort, here’s the guy that can answer all your questions.

Hey guys :slight_smile: @dmoses1969 it’s free for you because you really helped with the feedback early on (thanks for that)! However, for the basic functionality users will need to upgrade to $4.5/month plan.

I can enable paid features for anyone who wants to try, just to see how it works and see whether it suits your use case. Ping me either on [email protected] or here.

@dmoses1969 thanks for all your help!

@rusenask I appreciate you responding in the thread. I figured the plan would need to be upgraded. Think I may try to go back to the reverse SSH route but if all else fails I may bite the bullet and upgrade. Thanks again!

I have enabled paid features for you, if you still want to try :slight_smile:

Regarding your SSH, here’s some info: https://www.ssh.com/ssh/tunneling/example.

Also, your GCP VPS won’t be free after the free credits run out. You might want to get a VM on some cheaper cloud such as Digital Ocean (I think you can get one there for $5/m), Scaleway, Linode, OVH.

Thanks for the free preview! The tunnel is now creating; however, I’m getting the following error where it says port 443 is already in use. Is there something else in HA I have to configure?

2019/01/03 11:34:26 [INFO] acme: Registering account for
2019/01/03 11:34:27 [INFO] [example.duckdns_org] acme: Obtaining bundled SAN certificate
2019/01/03 11:34:27 [INFO] [example.duckdns_org] AuthURL: https://acme-v02.api.letsencrypt_org/acme/authz/random-characters
2019/01/03 11:34:27 [INFO] [example.duckdns_org] acme: Could not find solver for: http-01
2019/01/03 11:34:27 [INFO] [example.duckdns_org] acme: Trying to solve TLS-ALPN-01
{"level":"error","ts":1546515291.3751533,"msg":"failed to retrieve cert","domain":"example.duckdns_org","error":"acme: Error -> One or more domains had a problem:\n[example.duckdns_org] [example.duckdns_org] error presenting token: could not start HTTPS server for challenge -> listen tcp :443: bind: address already in use\n"}

Hi, do you by any chance have a DuckDNS add-on that’s already running? It seems that the logs are coming from it, as the webhookrelay add-on uses the DNS challenge, not the http one.

> When I do that and type the following in a browser on my Mac: VPS.IP.ADD.RESS:18123, I get a connection timeout error.

Are you sure you want to open your HA to the world? Well, if it’s the case you should change your ssh command on the Pi to:

ssh -fgNR 18123:localhost:8123 vpsusername@vps-instance-ip-address

as by default ssh doesn’t allow outside connections to local forwarded ports.

Since you own a VPS why not just install openvpn on it and let your pi and your mac/mobile connect to your vpn?
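An added diagnostic for the timeout discussed in this thread (example code, not from any poster here): a listener opened with `-R` is bound to the VPS loopback interface unless the VPS sshd has GatewayPorts enabled, so a browser aimed at VPS.IP:18123 never reaches it. This POSIX sh script reads `ss -ltn` output taken on the VPS (a constructed sample is embedded), reports what port 18123 is bound to and, for the loopback case, shows how to reach Home Assistant through a second SSH forward from the Mac instead of opening it to the internet; usernames and addresses are the thread's placeholders.

```shell
#!/bin/sh
# Added example, not code from the thread. On the Pi, the tunnel is opened with:
#   ssh -fNR 18123:localhost:8123 vpsusername@vps-instance-ip-address
# and the listener it creates on the VPS is loopback-only by default.

# bind_scope PORT: read `ss -ltn` output on stdin and print "loopback",
# "all" (bound to a non-loopback address) or "none" (no listener on PORT).
bind_scope() {
  awk -v port="$1" '
    NR > 1 {
      n = split($4, a, ":"); p = a[n]
      addr = substr($4, 1, length($4) - length(p) - 1)
      if (p == port) {
        found = 1
        if (addr == "127.0.0.1" || addr == "[::1]") lo = 1; else any = 1
      }
    }
    END { if (!found) print "none"; else if (any) print "all"; else print "loopback" }'
}

# Constructed sample of `ss -ltn` on the VPS after the Pi opened the tunnel.
SAMPLE_SS='State  Recv-Q Send-Q Local Address:Port  Peer Address:Port
LISTEN 0      128    0.0.0.0:22          0.0.0.0:*
LISTEN 0      128    127.0.0.1:18123     0.0.0.0:*
LISTEN 0      128    [::1]:18123         [::]:*'

# explain PORT: turn the bind scope into the action the thread's user needs.
explain() {
  scope=$(bind_scope "$1")
  case "$scope" in
    loopback)
      echo "Port $1 is loopback-only on the VPS; a browser on VPS.IP:$1 will time out."
      echo "Reach it without exposing HA: on the Mac run"
      echo "  ssh -L 8123:localhost:$1 vpsusername@vps-instance-ip-address"
      echo "and browse to http://localhost:8123" ;;
    all)  echo "Port $1 listens on a public address: Home Assistant is reachable from the internet." ;;
    none) echo "No listener on port $1: the reverse tunnel from the Pi is not up." ;;
  esac
}

printf '%s\n' "$SAMPLE_SS" | explain 18123
```

Run it on the VPS as `ss -ltn | explain 18123` (after removing the sample line at the bottom) to see which case applies to the real tunnel.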

I did not have the DuckDNS add-on installed, but I have done that and configured it. I assume it’s working since now I have to use https://pi-ip-address:8123 to reach Home Assistant locally. However, I’m still getting this same error when starting the webhookrelay add-on:

{"level":"error","ts":1546523697.718215,"msg":"failed to retrieve cert","domain":"example.duckdns_org","error":"acme: Error -> One or more domains had a problem:\n[example.duckdns_org] [example.duckdns_org] error presenting token: could not start HTTPS server for challenge -> listen tcp :443: bind: address already in use\n"}

Okay, so DuckDNS add-on shouldn’t be installed as it will always just reset the correct IP address. You can disable it or just uninstall.

Is that example.duckdns.org entered somewhere in your config? I will do some testing with an updated HA on my end too.

OK, I uninstalled the DuckDNS add-on. Which config are you referring to? In my configuration.yaml my DuckDNS domain is in the “base_url” field under the http section. My webhookrelay add-on config is below:

{
  "key": "my-key",
  "secret": "my-secret",
  "forwarding": [
    {
      "bucket": "ha",
      "destination": "http://127.0.0.1:8123"
    }
  ],
  "tunnels": [
    {
      "name": "ha",
      "destination": "http://127.0.0.1:8123/",
      "protocol": "tls",
      "domain": "example.duckdns.org"
    }
  ],
  "duck_dns": {
    "token": "my-token",
    "accept_terms": true
  },
  "tunnels_enabled": true,
  "forwarding_enabled": false
}