Seeking help with secure remote Access to HA web and iOS companion app without port forwarding

Alright folks, i cant seem to find a wholistic approach to a secure remote access to your HA via both web AND iOS companion without port forwarding.

  • DuckDNS with Lets Encrypt provides secure https://mydomain.duckdns.org/ access to my internet-facing router and without port forwarding has no bearing on access to HA instance running on my internal network

  • Internally i still access HA web using either https://homeassistant.local:8123/ or https://ha.ip.add.ress:8123/ and deal with a SSL Cert warning(understandably since it expecteds mydomain.duckdns.org)

  • HA Companion IOS App relies on the same urls above, but it stopped allowing access when you have SSL issues and just like so its not useable at all. It seems that the app is driving users towards nabucasa.

  • a VPN or Wireguard seemed like great solution to this problem, but they dont solve the SSL issues that break access to iOS App.

Other than subscribing to nabucasa, what do you guys do to allow secure remote access to HA via both web and mobile without having to port-forward the internet to your HA installation?

Not sure of the problem.
Can’t you use https://my domain.duckdns.org:8123 in the iOS app?

Edit: or you don’t access thru internet at all? Unclear.
If so, what’s the actual certificate in HA?

1 Like

HA would only be accessible from mydomain.duckdns.org IF i port-forwarded 8123 into my internal HA instance which i want to avoid doing.

Based on my conversation in HA Discord, the sensible solution would be to ​Skip SSL or Self-sign with internal domain and get the cert into IOS and only access the UI via VPN or Wireguard

You could also use your duckdns certificate (letsencrypt I assume) and create a static DNS entry in you lan pointing the duckdns domain to the lan IP of your HA.

1 Like

It doesn’t break anything here…
Using IOS and L2TP vpn tunnel
and accessing HA with https://hassio.domain.mine:8123
But… it does require a valid ssl certificate for DNS hassio.domain.mine (which i happen to own)
I do use a let’s encrypt to generate my certificates :thinking:

So Koying’s way is a similar way as what I use

Can you elaborate how you configured being able to access your internal HA instance via externally signed url?
Do you host your own dns?

My router acts as a DNS , yes. I use an open-source product called OpenWrt on my router, which allows me a lot of flexibility.
But there are other solutions if yours doesn’t (PiHole, …)

A certificate has 2 aspects:

  1. It is a cryptographic key pair (public-private). When connecting to an SSL site, it sends its public certificate to the client, and they exchange encrypted data that way. The certificate is to be signed by a commonly trusted authority to be accepted. Letsencrypt is one of those trusted authorities.
  2. A certificate “identifies” a site by having the DNS names it is valid for. If the url used doesn’t match one of those domain names, it is assumed to be a possible “man-in-the-middle” attack and the SSL connection is not established.

Re 2), desktop browser allow to bypass this by “trusting” the cetificate on-the-fly. Typically, iOS and mobiles do not allow this.

So, the idea is:

  1. Put a properly signed certificate on your HA. The duckdns one, for instance.
  2. Make so that you can call the HA frontend using the DNS name specified in the certificate, e.g. “mydomain.duckdns.org

That way, all clients will be happy.
Note that it works because the domain ownership is only validated when the certificate is signed. There is no more 3rd party (letsencrypt) involved further.

I concur…
So…

  • add duckdns.org as domain name in your router
  • create DHCP reservation for your HA machine f.e. ‘ha’ (or add name to DNS, depends a little on type of router).
  • Generate and install certificates for ha.duckdns.org
  • Now your HA will be reachable on both internal as well as external network by using DNS https://ha.duckdns.org [external] and https://ha.duckdns.org:8123 [internal]

Have a look at my router config on a EdgeX here

Leaves me to note someone managed to install a self- signed certificate on android
I only don’t know if IOS can do the same…did a quick search and this looks useful

In companion app it is not possible to have separate external/internal sites with ssl unless you have split dns entry for your ha instance. My router does not support it and I am still not yet ready to run adguard or another local dns server server that you point your mobile to.
I ended up getting public domain name and doing filtering and forwarding via cloud flair.
So my phone connects via internet even though I am at home but my laptop has a static entry in the host file, so it’s local. Which means that if internet is down, my companion app will not work.
When I get to using tablets on the wall, I will use local ip dns mapping

You mean HA app on IOS??

I am using Android

Ah…didn’t know that it wasn’t available on Android…
Anyway…this topic is about IOS :wink:

=) no problem

That info comes from HA itself, and the Android companion uses it as well.

1 Like