Trusted networks - accessing HA from DuckDns url

Hello all,

I have configured the DuckDNS plugin, following the official guidelines, in order to make my HA instance accessible from the internet.

That works great. Now I want to set up trusted_networks (Authentication providers) for my LAN to allow login without authentication.

I have updated my HA configuration based on the docs.

Now the issue: trusted_networks works when accessing HA from the LAN address of the HA host, but not from the DuckDNS URL.

I understand that when I access the DuckDNS URL, NAT translates my client's internal IP to my ISP address, which is not whitelisted.

But how can I achieve my initial goal, that is, to enable passwordless login from my LAN when accessing HA from the DuckDNS URL?

Ever figure this out? I have the same question.

Can you show your trusted_networks configuration? I have this set and it does work fine. But then I also have trusted_proxy and x_forwarded_for so my real IP address is revealed to HA so maybe that makes it work.

Hi David,

If I use auth_providers I cannot access my HA locally. Not sure why? Maybe because it's not encrypted locally? I type “” into my browser but I get, “This page isn’t working”.

Here is what I have in my configuration.yaml:

homeassistant:
  name: Home
  latitude: !secret lat
  longitude: !secret long
  elevation: 16
  unit_system: imperial
  time_zone: America/Chicago
  customize: !include customize.yaml
  auth_providers:
    - type: trusted_networks
http:
  ssl_certificate: /ssl/fullchain.pem
  ssl_key: /ssl/privkey.pem

You might also need homeassistant auth provider I think.
I do use a reverse proxy but my config has:

homeassistant:
  auth_providers:
    - type: trusted_networks
      trusted_networks:
        - ::1
        - fd00::/8
        - !secret zerotier_network
        - !secret my_ipv6_network
      trusted_users:
        "::1": !secret user_id
        "fd00::/8": !secret user_id
        !secret trusted_ipv6: !secret user_id
        !secret zerotier_network: !secret user_id
      allow_bypass_login: true
    - type: homeassistant

http:
  # ssl_certificate: /ssl/fullchain.pem
  # ssl_key: /ssl/privkey.pem
  use_x_forwarded_for: true
  trusted_proxies:
    - ::1
  ip_ban_enabled: true
  login_attempts_threshold: 5
  # Uncomment this if you are using SSL/TLS, running in Docker container, etc.

BTW I think you’re guaranteed to not be able to use the local IP address with your config. Your router also needs to support NAT loopback. A reverse proxy like Caddy will let you use the domain or ip address.
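
The behaviour discussed in this thread, as an added example that is not part of any post and is not Home Assistant's own code: a simplified Python model of how the address compared against trusted_networks is chosen from the TCP peer and the X-Forwarded-For header. The function names and all addresses are constructed assumptions (192.168.1.0/24 as the LAN, 203.0.113.7 as the ISP address, a reverse proxy on ::1).

```python
import ipaddress

# Constructed sample settings, modelled on the options named in the thread.
TRUSTED_NETWORKS = ["192.168.1.0/24", "fd00::/8", "::1"]
TRUSTED_PROXIES = ["::1"]

def _in_any(ip, networks):
    # Membership is always False when IPv4/IPv6 versions differ.
    return any(ip in ipaddress.ip_network(n) for n in networks)

def effective_client_ip(peer, xff=None, trusted_proxies=TRUSTED_PROXIES,
                        use_x_forwarded_for=True):
    """Return the address a trusted_networks check would see (simplified model)."""
    peer_ip = ipaddress.ip_address(peer)
    # The header is only honoured when the TCP peer itself is a trusted proxy;
    # otherwise any client could claim a LAN address.
    if not (use_x_forwarded_for and xff and _in_any(peer_ip, trusted_proxies)):
        return peer_ip
    hops = [ipaddress.ip_address(h.strip()) for h in xff.split(",")]
    # Walk right to left: the first hop that is not a trusted proxy is the client.
    for hop in reversed(hops):
        if not _in_any(hop, trusted_proxies):
            return hop
    return hops[0]

def bypasses_login(peer, xff=None, trusted_proxies=TRUSTED_PROXIES):
    ip = effective_client_ip(peer, xff, trusted_proxies)
    return _in_any(ip, TRUSTED_NETWORKS)

def scenarios():
    return {
        # LAN client opens HA by its LAN address: HA sees the LAN IP.
        "lan_direct": bypasses_login("192.168.1.50"),
        # Same client via the DuckDNS URL, router rewrites the source
        # to the ISP address (the first poster's case).
        "duckdns_nat": bypasses_login("203.0.113.7"),
        # Same client via a local reverse proxy that forwards the real IP.
        "via_proxy": bypasses_login("::1", xff="192.168.1.50"),
        # Internet client sending a forged header straight to HA: ignored.
        "forged_header": bypasses_login("203.0.113.7", xff="192.168.1.50"),
        # Forged entry prepended before the proxy appends the real address.
        "forged_via_proxy": bypasses_login("::1", xff="192.168.1.50, 203.0.113.7"),
    }

if __name__ == "__main__":
    for name, result in scenarios().items():
        print(f"{name}: bypass login = {result}")
```

The last two cases are why trusted_proxies should list only the proxy's own address: widening it to a whole subnet lets any host in that range supply the address that trusted_networks then believes.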