Alright folks, I can't seem to find a holistic approach to secure remote access to your HA via both web AND iOS companion without port forwarding.
DuckDNS with Let's Encrypt provides secure https://mydomain.duckdns.org/ access to my internet-facing router, and without port forwarding it has no bearing on access to the HA instance running on my internal network.
The HA Companion iOS app relies on the same URLs above, but it stopped allowing access when you have SSL issues, and just like that it's not usable at all. It seems that the app is driving users towards Nabu Casa.
A VPN or WireGuard seemed like a great solution to this problem, but they don't solve the SSL issues that break access to the iOS app.
Other than subscribing to Nabu Casa, what do you guys do to allow secure remote access to HA via both web and mobile without having to port-forward the internet to your HA installation?
HA would only be accessible from mydomain.duckdns.org IF I port-forwarded 8123 to my internal HA instance, which I want to avoid doing.
Based on my conversation in HA Discord, the sensible solution would be to skip SSL or self-sign with an internal domain and get the cert into iOS, and only access the UI via VPN or WireGuard.
You could also use your DuckDNS certificate (Let's Encrypt, I assume) and create a static DNS entry in your LAN pointing the DuckDNS domain to the LAN IP of your HA.
It doesn’t break anything here…
Using iOS and an L2TP VPN tunnel
and accessing HA with https://hassio.domain.mine:8123
But… it does require a valid SSL certificate for the DNS name hassio.domain.mine (which I happen to own).
I do use Let's Encrypt to generate my certificates.
My router acts as a DNS, yes. I use an open-source product called OpenWrt on my router, which allows me a lot of flexibility.
But there are other solutions if yours doesn't (Pi-hole, …).
A certificate has 2 aspects:
1. It is a cryptographic key pair (public-private). When connecting to an SSL site, it sends its public certificate to the client, and they exchange encrypted data that way. The certificate is to be signed by a commonly trusted authority to be accepted. Let's Encrypt is one of those trusted authorities.
2. A certificate “identifies” a site by having the DNS names it is valid for. If the URL used doesn't match one of those domain names, it is assumed to be a possible “man-in-the-middle” attack and the SSL connection is not established.
Re 2), desktop browsers allow you to bypass this by “trusting” the certificate on the fly. Typically, iOS and mobiles do not allow this.
So, the idea is:
Put a properly signed certificate on your HA. The duckdns one, for instance.
Make it so that you can call the HA frontend using the DNS name specified in the certificate, e.g. “mydomain.duckdns.org”.
That way, all clients will be happy.
Note that it works because the domain ownership is only validated when the certificate is signed. There is no more 3rd party (letsencrypt) involved further.
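The two halves of the recipe the replies describe, the static LAN DNS entry for the public name and a check that the certificate actually carries that name, as an added example (this is not code from anyone in the thread). It assumes `mydomain.duckdns.org` is the name on the Let's Encrypt certificate and `192.168.1.10` is the LAN address of HA; both are placeholders. The `address=/name/ip` line is dnsmasq syntax, which is what OpenWrt and Pi-hole use for local overrides. The self-signed certificate generated here is constructed only to exercise the hostname check offline; the file you would actually put on HA is the DuckDNS/Let's Encrypt one.

```shell
#!/bin/sh
# Added example: split DNS + certificate hostname check for Home Assistant
# behind a router with no port forward. Placeholders: mydomain.duckdns.org
# (public name on the cert) and 192.168.1.10 (LAN address of HA).

# Emit the dnsmasq override that makes the public name resolve to the LAN IP
# from inside the network. OpenWrt and Pi-hole both use this syntax; on
# OpenWrt the equivalent UCI form is
#   uci add_list dhcp.@dnsmasq[0].address="/mydomain.duckdns.org/192.168.1.10"
#   uci commit dhcp && /etc/init.d/dnsmasq restart
dns_override_line() {
    host=$1
    ip=$2
    # Coarse sanity check: only digits and dots, so a typo does not silently
    # produce a bogus override for the whole name.
    case $ip in
        *[!0-9.]*|'') echo "bad IPv4 address: $ip" >&2; return 1 ;;
    esac
    printf 'address=/%s/%s\n' "$host" "$ip"
}

# Constructed test certificate with the host in its SAN list. Only here so
# the check below can run offline; not something you would deploy.
make_test_cert() {
    cert=$1; key=$2; host=$3
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 1 \
        -keyout "$key" -out "$cert" -subj "/CN=$host" \
        -addext "subjectAltName=DNS:$host" >/dev/null 2>&1
}

# Aspect 2 from the post above: is the name the client will type listed in
# the certificate? openssl performs the SAN and wildcard matching. For the
# self-signed test cert the file is also its own trust anchor; a real
# Let's Encrypt chain would instead be verified against the system store.
cert_matches_host() {
    cert=$1; host=$2
    openssl verify -CAfile "$cert" -verify_hostname "$host" "$cert" >/dev/null 2>&1
}

# Live check from a device on the LAN: the public name must resolve to the
# LAN IP and the handshake must verify for that name. Needs the network, so
# it is not exercised by the offline demo below.
check_live() {
    host=$1; port=${2:-8123}
    printf 'resolves to: '; getent hosts "$host" | awk '{print $1}'
    if openssl s_client -connect "$host:$port" -servername "$host" \
        -verify_hostname "$host" -verify_return_error </dev/null >/dev/null 2>&1
    then echo "TLS OK for $host"
    else echo "TLS FAILED for $host (this is what the iOS app refuses)"
    fi
}

# Usage: sh split_dns_check.sh demo
if [ "${1-}" = demo ]; then
    dns_override_line mydomain.duckdns.org 192.168.1.10
    tmp=$(mktemp -d)
    make_test_cert "$tmp/cert.pem" "$tmp/key.pem" mydomain.duckdns.org
    cert_matches_host "$tmp/cert.pem" mydomain.duckdns.org && echo "match: mydomain.duckdns.org"
    cert_matches_host "$tmp/cert.pem" hassio.lan || echo "no match: hassio.lan"
    rm -rf "$tmp"
fi
```

The second `cert_matches_host` call in the demo is the failure mode the original poster hit: the same certificate, reached under a name it does not list, fails verification, and a mobile client has no "accept anyway" button. Once the LAN resolver answers for the public name, `check_live mydomain.duckdns.org` from a phone on Wi-Fi should print the LAN address and `TLS OK`.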
In the companion app it is not possible to have separate external/internal sites with SSL unless you have a split DNS entry for your HA instance. My router does not support it, and I am still not yet ready to run AdGuard or another local DNS server that you point your mobile to.
I ended up getting a public domain name and doing filtering and forwarding via Cloudflare.
So my phone connects via the internet even though I am at home, but my laptop has a static entry in the hosts file, so it's local. Which means that if the internet is down, my companion app will not work.
When I get to using tablets on the wall, I will use local IP DNS mapping.