Trusted networks - accessing HA from DuckDns url

leopal · July 7, 2019, 7:37am

Hello all,

I have configured DuckDns plugin consulting official guidelines in order to make my HA instance accessible from internet.

That works great. Now I want to setup trusted_networks(Authentication providers) for my LAN to allow login without authentication.

I have updated my HA configuration based on the docs.

Now the issue. trusted_networks works when accessing HA from LAN address of HA host but not from duck dns url.

I understand that when I access the duckdns url, NAT translates my client’s internal ip to my ISP address which is not whitelisted.

But how I can achieve my initial goal, that is to enable passwordless login from my LAN when accessing HA from duck dns url?

jjwBullfrog · December 2, 2019, 12:12am

Ever figure this out? I have the same question.

DavidFW1960 · December 2, 2019, 12:23am

Can you show your trusted_networks configuration? I have this set and it does work fine. But then I also have trusted_proxy and x_forwarded_for so my real IP address is revealed to HA so maybe that makes it work.

jjwBullfrog · December 2, 2019, 1:21am

Hi David,

If I use auth_providers I cannot access my HA locally. Not sure why? Maybe because its not encrypted locally? I type “http://192.168.1.101:8123” into my browser but I get, “This page isn’t working”.

Here is what I have in my configuration.yaml:

homeassistant:
  name: Home
  latitude: !secret lat
  longitude: !secret long
  elevation: 16
  unit_system: imperial
  time_zone: America/Chicago
  customize: !include customize.yaml
  auth_providers:
    - type: trusted_networks
      trusted_networks:
        - 192.168.1.0/24
  
http:
  ssl_certificate: /ssl/fullchain.pem
  ssl_key: /ssl/privkey.pem
  base_url: https://xxxxxxxx.duckdns.org:8123

DavidFW1960 · December 2, 2019, 1:49am

You might also need homeassistant auth provider I think.
I do use a reverse proxy but my config has:

  auth_providers:
    - type: trusted_networks
      trusted_networks:
        - 127.0.0.1
        - ::1
        - 10.90.11.0/24
        - fd00::/8
        - !secret zerotier_network
        - !secret my_ipv6_network
      trusted_users:
        127.0.0.1: !secret user_id
        "::1": !secret user_id
        10.90.11.0/24: !secret user_id
        "fd00::/8": !secret user_id
        !secret trusted_ipv6: !secret user_id
        !secret zerotier_network: !secret user_id
      allow_bypass_login: true
    - type: homeassistant

http:
  # ssl_certificate: /ssl/fullchain.pem
  # ssl_key: /ssl/privkey.pem
  use_x_forwarded_for: true
  trusted_proxies:
    - 127.0.0.1
    - ::1
  ip_ban_enabled: true
  login_attempts_threshold: 5
  # Uncomment this if you are using SSL/TLS, running in Docker container, etc.
  base_url: https://xxxxxxxx.duckdns.org:xxxxx

BTW I think you’re guaranteed to not be able to use the local IP address with your config. Your router also needs to support NAT loopback. A reverse proxy like Caddy will let you use the domain or ip address.