[Solved] Duckdns and nginx - remote access doesn't work from home network

Hello awesome people,

I have duckdns and nginx setup for remote access to my HA instance.
I recently got a new modem (for new internet connection) and now I can’t access HA with <domain>.duckdns.org from my home network.

Current status:
HA access using <domain>.duckdns.org when connected to home network - Doesn’t work
HA access on local IP when connected to home network - Works
HA access using <domain>.duckdns.org when connected to cellular network or home network with VPN - Works

All of these used to work just fine before switching the modem. I have searched reddit and this forum for 2 days but I am still stuck.


I have forwarded external port 443 to internal port 443 on the new modem just like I had on the old modem.

duckdns add-on config:

domains:
  - <domain>.duckdns.org
token: <duckdns token>
aliases: []
lets_encrypt:
  accept_terms: true
  algo: secp384r1
  certfile: fullchain.pem
  keyfile: privkey.pem
seconds: 300

nginx add-on config:

domain: <domain>.duckdns.org
hsts: max-age=31536000; includeSubDomains
certfile: fullchain.pem
keyfile: privkey.pem
cloudflare: false
customize:
  active: false
  default: nginx_proxy_default*.conf
  servers: nginx_proxy/*.conf

http config in configuration.yaml:

http:
  use_x_forwarded_for: true
  trusted_proxies:
    - 172.30.33.0/24
    - 172.30.32.1
  ip_ban_enabled: true
  login_attempts_threshold: 5

Can you please help me?
Thanks in advance

It sounds like your new modem/router either doesn’t support NAT Reflection or it isn’t enabled.

What make and model of router is it?

It’s a modem+router combo unit from my ISP, Optimum.

Model number is UBC1326.

That’s made by Altice. A Google search for Altice UBC1326 NAT reflection doesn’t find anything that suggests it supports it.

It looks like you can’t use your hostname at home and will have to use the LAN IP and port.

That’s not true. He can simply install the dnsmasq add-on and configure an A record for the FQDN of his HA server. Easy and done, and much simpler.

Not to mention that hairpinning a firewall is bad, which is why not all firewalls even allow you to do that.

Depends on your level of skill. There are many users of HA who’ll break their network trying to do that.


There exists good documentation for how to set it up, and when properly followed the chances of “breaking their network” are no greater than anything else they may be doing.

Simply telling someone “it can’t be done” doesn’t help them at all, especially when it’s not accurate.

I have a DD-WRT router and I have set up a dnsmasq record in it to reroute requests for my duckdns domain to the internal IP address. Now I am able to access my duckdns domain from my home network again.

Thank you for suggesting dnsmasq.


Based on what I know about dnsmasq, I think this is safe to do, but one question:
Is it OK to use the dnsmasq config as I have set it up? Are there any risks I am opening myself to?

You’re most welcome.

You’re fine to just use the A record you have configured on your DD-WRT; there is no need to add the dnsmasq add-on.

dnsmasq is simply the name of a DNS server add-on. DNS servers come in many different flavors, from BIND on *nix, to Windows DNS, to dnsmasq, and many others that are purpose-built appliances for security (such as Cisco’s Umbrella, and others). At their core, they all do the exact same thing - resolve FQDNs to IP addresses.

All that entry does is this: when systems on your internal network ask for the IP address of your duckdns domain, your DD-WRT system returns the internal IP address, rather than your internal machines querying public DNS servers and getting the external IP address. Using a DNS A record provides better performance by keeping internal traffic off your firewall, and depending who you ask, is also more secure than hairpinning the firewall. From a purely traffic-focused point of view, that is the optimal way of addressing the issue.

There may or may not be additional mitigating factors in your particular environment that would make nginx a desirable addition, but if your only goal is HTTPS access of your Home Assistant server from the inside, then what you have done has accomplished that goal.

As for whether or not it is secure - I don’t know much about ddwrt. As long as that internal DNS server isn’t exposed to the internet, then no data leakage can occur. However, even if it were exposed to the internet, the most an attacker could get would be the internal IP address of your Home Assistant server. Since private, internal IP addresses are non-routable on the public internet, an argument could be made that it’s not a very useful piece of data anyway. Since you’ve posted your internal IP here on the forums, I think you are already of the opinion that it’s not a very sensitive piece of data to begin with - and I tend to agree.

-exx

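The split-horizon behaviour described above, as an added example that is not part of the original thread: a small Python simulation of how dnsmasq answers a query from its address=/domain/ip lines (it matches the domain itself and every name under it, most specific entry first), plus a check that the answer is a private address and that the entry is not so broad that it overrides a whole public domain. The hostname myha.duckdns.org and the address 192.168.1.50 are constructed values, not the poster's real ones.

```python
"""Simulate dnsmasq's address=/domain/ip matching and audit the entries."""
import ipaddress

# Constructed sample dnsmasq.conf with one split-horizon entry for a
# Home Assistant host behind nginx (hostname and IP are made up).
DNSMASQ_CONF = """
# dnsmasq.conf (constructed example)
address=/myha.duckdns.org/192.168.1.50
"""


def parse_address_lines(conf):
    """Return (domain, ip) pairs from address= lines, ignoring comments."""
    entries = []
    for raw in conf.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line.startswith("address="):
            continue
        parts = line[len("address="):].strip("/").split("/")
        if len(parts) != 2:
            continue  # malformed line; dnsmasq itself would reject it
        entries.append((parts[0].lower().rstrip("."), parts[1]))
    return entries


def resolve(name, entries):
    """Answer like dnsmasq: a name matches an entry if it equals the domain
    or sits under it; when several entries match, the longest domain wins."""
    name = name.lower().rstrip(".")
    best = None
    for domain, ip in entries:
        if name == domain or name.endswith("." + domain):
            if best is None or len(domain) > len(best[0]):
                best = (domain, ip)
    return best[1] if best else None


def audit(entries):
    """Flag answers that are not private (RFC 1918 / ULA) addresses and
    entries that cover an entire second-level domain such as duckdns.org,
    which would redirect every host under it, not just your own."""
    findings = []
    for domain, ip in entries:
        if not ipaddress.ip_address(ip).is_private:
            findings.append(f"{domain}: {ip} is not a private address")
        if domain.count(".") < 2:  # heuristic: fewer than three labels
            findings.append(f"{domain}: overrides every name under {domain}")
    return findings
```

Running audit() on the entry for your own host should return an empty list; a finding means the record is broader than a single-host A record or points somewhere other than your LAN.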

Thank you for the detailed explanation.
