[Tutorial] SSL and remote access

Community Guides
1

Since I am struggling to get remote access with SSL every time I setup Home Assistant and the internet is filled with posts about this topic with somewhat useful information that is useless without proper explanation, I will give it a try to get it up and running for complete beginners.

Background: I am using Homeassistant OS VM on Proxmox, but everything should be the same as Home Assistant OS on bare metal. I am using Operating System 16.2 and Core 2025.10.4.

Preface: Home Assistant should be up and running and you should be able to connect and login from your home network. If not, you must make sure this is possible first.

Goal: Being able to access your Home Assistant running on a dynamic IP address (home internet connection) remotely from anywhere in the world in a web browser or app with a secure connection.

Index:

  1. Use Duck DNS to create a static name for a dynamic IP address
  2. Install and configure Duck DNS add-on in Home Assistant to update your IP address
  3. Forward the necessary ports in your router
  4. Install Nginx Proxy Manager add-on in Home Assistant to manage SSL certificate and forwarding

Detailed walkthrough:

Use Duck DNS to create a static name for a dynamic IP address

  1. Go to https://www.duckdns.org/ and sign in on one of the supported account types.
  2. Use the name of your choice to make a http://yournameofchoice.duckdns.org/ and press the add domain button. Every time I refer to yournameofchoice.duckdns.org, you will have to change yournameofchoice to the actual name you have chosen.

Install and configure Duck DNS add-on in Home Assistant to update your IP address

  1. Keep this site open and go to your Home Assistant.
  2. Press Settings, Add-ons and Add-on store
  3. Search for Duck DNS and press the Install button.
  4. After installing, make sure that both Start on boot and Watchdog are enabled.
  5. Go to the configuration tab of the Duck DNS add-on.
  6. Press the cross on the empty domain name, in case this has been added by default.
  7. Under domains, write yournameofchoice.duckdns.org
  8. Under token, write your personal token that you will find on https://www.duckdns.org/ after you have been logged in.
  9. Under Let’s Encrypt, make sure that accept_terms is disabled or off. Some tutorials use this to generate a SSL certificate, but since we will let Nginx Proxy Manager add-on manage this, it should be disabled in this case.
  10. Press Save and go back to the Info tab.
  11. Press Start to start the Duck DNS add-on.
  12. Go to the Log tab and check that the last line resembles something like:

[18:52:10] INFO: Starting DuckDNS…

  1. Go to back to https://www.duckdns.org/ and refresh / login again to check whether current ip has been filled in.
  2. From now on, the Duck DNS add-on will make sure that yournameofchoice.duckdns.org will point to your IP address, even when it changes frequently like it usually does on a home internet connection.

Forward the necessary ports in your router

  1. I can’t possibly know what type of router you have, so you have to figure out for your model how to login and make a port forward. This is important because your router has to know to which connection it has to forward the request to access your Home Assistant server.
  2. Since we only will allow SSL connections, we will only need to forward external port 443 to internal IP address of your Home Assistant server to internal port 443. Since Home Assistant by default listens to port 8123, we will use the Nginx Proxy Manager add-on to make this work. Do not make any changes in your Home Assistant configuration.
  3. If you don’t know the IP address of your Home Assistant server, connect a monitor to your Home Assistant server and login as root. Write the following command:

ip addr

  1. A list of many adapters will popup and something like this is the interesting part:
2: enp6s18: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
    link/ether 02:72:37:5a:8a:d6 brd ff:ff:ff:ff:ff:ff
    inet 10.0.0.5/24 brd 10.0.0.255 scope global dynamic noprefixroute enp6s18
       valid_lft 276sec preferred_lft 276sec
    inet6 fe80::79db:9f90:f6f8:daa8/64 scope link noprefixroute 
       valid_lft forever preferred_lft forever
  1. My ethernet adapter is called enp6s18, yours can have a different name. At least I can confirm that it is not lo, docker*, hassio* or veth*. In the exemple it shows that my internal Home Assistant server IP address is 10.0.0.5. Yours will certainly be different.
  2. Use this IP address in the port forwarding in your router. Don’t forget to save in your router.
  3. Write down the hassio IP address and subnet that showed in step 19, you will need this in step 31.
3: 4: hassio: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default 
    link/ether 0a:8a:19:87:c9:da brd ff:ff:ff:ff:ff:ff
    inet 172.30.32.1/23 brd 172.30.33.255 scope global hassio
       valid_lft forever preferred_lft forever
    inet6 fd0c:ac1e:2100::1/48 scope global nodad 
       valid_lft forever preferred_lft forever
    inet6 fe80::88a:19ff:fe87:c9da/64 scope link proto kernel_ll 
       valid_lft forever preferred_lft forever
  1. In my case, the hassio IP address and subnet is 172.30.32.1/23. Yours may differ.

Install Nginx Proxy Manager add-on in Home Assistant to manage SSL certificate and forwarding

  1. In your Home Assistant, you have to edit the configuration.yaml file.
  2. Go to Settings, Add-ons and press the Add-on store button.
  3. Search for File editor and press the Install button.
  4. Press the Start button.
  5. Press the Open web UI button.
  6. In the upper left corner of this add-on, press the Browse Filesystem button (a folder icon).
  7. Press on configuration.yaml and the file will open to the right.
  8. Write the following text in this file:
http:
  use_x_forwarded_for: true
  trusted_proxies:
    - 172.30.32.0/23
  1. My hassio IP address and subnet is 172.30.32.1/23, the fourth number of the IP address must be 0 in configuration.yaml, so I will write 172.30.232.0/23. Yours may be different, but the fourth number must always be 0. Save this file.
  2. Go to Settings and press the 3 dots in the upper right corner.
  3. Choose Restart Home Assistant.
  4. Once more, choose Restart Home Assistant.
  5. If no errors are made in configuration, yaml, press Restart. Otherwise you are prompted to correct the errors in the file.
  6. After restarting, in your Home Assistant, go to Settings, Add-ons and press the Add-on store button.
  7. Search for Nginx Proxy Manager and press the Install button.
  8. Make sure that both Start on boot and Watchdog are enabled.
  9. Go to the configuration tab and confirm that the standard settings are used:
    HTTP Entrance port 80
    NGinx Proxy Manager Admin web interface 81
    HTTPS/SSL Entrance port 443
  10. Go back to the Info tab and press Start to start the Nginx Proxy Manager add-on.
  11. Press the button Open web UI.
  12. A login windows for Nginx Proxy Manager will show. Login with the default email and password.

email: [email protected]
password: changeme

  1. You will be prompted to change email and password. Change this as it suits you. You will only use this for logging in on this particular part.
  2. After logging in and changing password, press the Hosts in the menu and choose Proxy Hosts.
  3. Press the Add Proxy Host button
  4. Under domain name, write yournameofchoice.duckdns.org
  5. Under Scheme, choose http
  6. Under Forward Hostname / IP, write the IP address of your Home Assistant server, the same one you discovered in step 21. I wrote 10.0.0.5 here since this is my IP address. Yours will probably something different.
  7. Under Forward Port, write 8123. This is the default port for Home Assistant and there is no need to change this in Home Assistant.
  8. Enable Block Common Exploits (optional, recommended)
  9. Enable Websockets Support
  10. Go to the SSL tab
  11. under SSL Certificate, choose Request a new SSL Certificate
  12. Enable Force SSL
  13. Enable HTTP/2 Support (optional, recommended)
  14. Write down your mail address and agree to the Let’s Encrypt Terms of Service
  15. Press Save
  16. After a while, you will see the item you made under Proxy Hosts.
  17. Open your browser and browse to https://yournameofchoice.duckdns.org/. You will have access to your Home Assistant. You will probably have to login again.

So what did we actually do?

We want to connect to https://yournameofchoice.duckdns.org/ without port numbers, like any other website. When connecting, Duck DNS checks what IP address is connected to this name. It should always be up to date, since the Duck DNS add-on is continuously checking this in the background.

After the DNS check, your browser will connect to the right IP address and is greeted by your router. Since you made the port forward in your router, it will forward port 443 (standard for https connections) to the internal port 443 on the IP address of your Home Assistant.

There, the Nginx Proxy Manager add-on will take over with the SSL certificate for a secure connection and forward this to your Home Assistant server on port 8123.

Please, let me know if this is useful or if something is off. I tried to be as concise as possible, but I could have made some mistakes.

2

Step 4:

Is not required. All you have to do is set accept_terms: true in the DuckDNS config and it will install LetsEncrypt and create the SSL certificates for you. It will also auto-renew them.

Then all you have to add to your configuration.yaml file is:

http:
  ssl_certificate: /ssl/fullchain.pem
  ssl_key: /ssl/privkey.pem

As per the add-on instructions.

One of the main reasons for using a reverse proxy like NGINX is if you want to keep using http access locally. But it is totally not required for secure remote access.