“Unable to connect to Home Assistant” Home Assistant Android APP

oniscidea · July 9, 2023, 3:31pm

I have Home Assistant 2023.6.0 installed with container method (docker 24.0.4), running in a Linux Mint 20.3 machine. This machine has local IP 192[d]168[d]1[d]2.
I am trying to control it from the Home Assistant Android App.

I have my own public domain because I have a web server running in this Linux Mint, so I should not have dynamic IP issues…
Port forwarding has been established in my router: www[d]mydomain[d]com:8123 forwarded to 192[d]168[d]1[d]2:8123

(Sorry to use [d] but the forum does not allow me to post several “links”)

I have added to my configuration.yaml these lines:

homeassistant:
  external_url: "h t t p s://www[d]mydomain[d]com"
  internal_url: "h t t p ://192[d]168[d]1[d]2:8123"

I have not installed any additional complement or anything else to Home assistant, just changed “profile/advanced mode = on” to properly see “settings/system/network”: now it says “external access enabled” and inside I can see:
“Internet: www[d]mydomain[d]com”
“Local network: 192[d]168[d]1[d]2:8123”
“Network adapter: Auto Configure”

When I open the APP from the phone (connected through wifi to my local network) it proposes two connections: 192[d]168[d]1[d]2:8123 and www[d]mydomain[d]com, so the app is able to find my HA in the local network.

If I try the first one, after some time an error message comes up: Unable to connect to Home Assistant:
Error code: -8
ERR_CONNECTION_TIMED_OUT

I’ve been looking in forums for several hours and found nothing. What am I missing? Do I have to install some complement in Home Assistant or add any additional configuration lines?

I have seen here “www.wundertech.net/how-to-access-home-assistant-remotely/” in the last method (Port Forwarding – How to Access Home Assistant Remotely) that they are using duckDNS add-on, but I supposed that if I have a domain it is not necessary, right?

oniscidea · July 10, 2023, 9:07am

Sorry, this is my first post. Nobody there to put some light?
I see my topic greyed out in the list of latest topics: did I miss something?

SVD-NL · July 10, 2023, 9:55am

Hi

The topic is greyed out because it’s marked as read, that is just on your end, everyone else sees it as unread.

I’m not 100% sure, but i suspect there’s an issue with mixed use of http and https. from what i read it looks like you’re able to access the web interface, but the app doesn’t work. That is pretty unexpected in most situations.

DuckDNS add-on takes a lot of the back-end work away from you, including certificate management. So following a DuckDNS guide and leaving out those parts is not necessarily going to work.

Have you seen the following guide?

If you use the let’s encrypt container with the included reverse proxy, i think the setup should be significantly less complicated.
You could skip the reverse proxy and set your HA instance to https only, that’s up to you.

oniscidea · July 10, 2023, 11:10am

Thanks for the “greyed out” clarification!

I am having a look at the guide that you pointed, and making some tests.

However, regarding your answer, in fact I am ONLY able to access the web interface from the same machine where the container is running, with http://127.0.0.1:8123. When I try to access from another computer in the same local network (with http://192.168.1.2:8123) it can not connect.
I understand that if I use that “direct connection” method, inside my network, with no encryption, it is not necessary to use any encryption method like let’s encrypt, and that my configuration.yaml should only contain:

homeassistant:
  external_url: "https://www.mydomain.com"
  internal_url: "http ://192.168.1.2:8123"

Could you confirm if my suppositions are right?

stevemann · July 10, 2023, 11:46am

I’m not sure you understand what a public domain is. So you are paying your ISP for a static IP? Also something sounds wrong in your forwarding rules. How did you do this? You forward ports, not URL’s or IP addresses.

Forget Android for the moment.

First, let’s make sure your installation is correct. You should be able to connect to HA with any browser on your local network. The homeassistant: component has been depreciated for a while. You set the internal and external IP addresses in settings/system/network.

The local IP of your Home Assistant sounds wrong. What is the IP of the computer hosting Home Assistant? What is the IP of your PC you are running the browser on? What is the local IP of the router?

I looked at https://www.wundertech.net/how-to-access-home-assistant-remotely/, and, wow. Could anyone have made this more complex?

First, you need to have Home Assistant reachable on any browser on your local network. Fix that first.

SVD-NL · July 10, 2023, 11:54am

That is good info.
I suspect the problem lies in the firewall of the container host. Can you check the Linux Mint firewall config to see if it allows connections to port 8123 from all sources?

This part i don’t have experience with, i would assume you’d need a certificate to use https at all, i’m not sure if homeassistant uses self-signed certificates by default if you don’t specify it. I’d suspect with this config, http should work but https not, but again, not sure.
Generally speaking servers can’t run http and https on the same port.

The guide i linked in the previous post indicates that after enabling the ssl certificate config you can’t connect using http anymore.
You’ve got Docker running already, if you follow the guide and set up the let’s encrypt container, it’s completely set and forget, automatic renewal, etc. Doing it manually seems like a pain to be honest.

oniscidea · July 21, 2023, 10:07am

Hello again! Sorry for my late reply, I’ve been busy these days. Thanks all for the answers.

“I suspect the problem lies in the firewall of the container host” → In fact that was part of the problem: the firewall in my host was blocking port 443. I allowed traffic for this port and that made a step forward. But things were still not working. I’ve been struggling with it these days and I got it to work. I will explain how, in case it is useful to someone.

I basically followed this tutorial using swag and duckdns: Remote access with Docker

A particularity of my setup is that, as explained, I own a domain and I have an Apache2 server running on this host. My IP is dynamic, but I have a little script that makes my domain to always point to my actual public IP. This is quite usual for simple/little web servers. My website is http (not encrypted) and I am planning to move forward to https in short. But at this very moment I still don’t have a certificate for my website.

I have used a different port than 443 to access to my HA from outside to avoid using a known port. To achieve this I made a rule in my router that redirects [WAN_HA_PORT] to port 443 of my host. When I will introduce https to my webserver I guess I will have to change 443 to another port. But for the time being I left it like that.

These are my config files, in case these are useful to someone. What you see in CAPITALS you will have to adapt to your setup. Not the full files here, just what you need for remote access.

configuration.yaml (HA config file):

default_config:

homeassistant:
  external_url: "https://homeassistant.MYUSER.duckdns.org" 
  internal_url: "http://192.168.X.X:8123"

http:
  ip_ban_enabled: true 
  login_attempts_threshold: 3
  use_x_forwarded_for: true
  trusted_proxies:
    - 172.10.0.0/24  # Docker network 

duckdns:
  domain: "MYUSER.duckdns.org"
  access_token: "XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX"

docker-compose.yml (docker compose config file):

version: "3" 

services:
  homeassistant:
    container_name: homeassistant
    image: homeassistant/home-assistant
    volumes:
      - /home/[USER]/homeassistant_config:/config
    environment: 
      - "TZ=Europe/Brussels" 
    ports:
      - 8123:8123 
    network_mode: host
    restart: unless-stopped

  swag:
    image: ghcr.io/linuxserver/swag
    container_name: swag
    cap_add:
      - NET_ADMIN
    environment:
      - PUID=1000 
      - PGID=1000 
      - TZ=Europe/Brussels
      - URL=[MYUSER].duckdns.org 
      - VALIDATION=duckdns
      - DUCKDNSTOKEN=XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX
      - SUBDOMAINS=wildcard
    volumes:
      - /home/[USER]/swag_config:/config
    ports:
      - 443:443
    restart: unless-stopped

# set trusted docker internal network
networks:
  default:
      ipam:  
        config: 
         - subnet: 172.10.0.0/24

homeassistant.subdomain.conf (swag config file):

server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;

    server_name homeassistant.*;

    include /config/nginx/ssl.conf;

    client_max_body_size 0;

    location / {
        include /config/nginx/proxy.conf;
        include /config/nginx/resolver.conf;
        set $upstream_app 192.168.X.XXX;
        set $upstream_port 8123;
        set $upstream_proto http;
        proxy_pass $upstream_proto://$upstream_app:$upstream_port;
    }

    location ~ ^/(api|local|media)/ {
        include /config/nginx/proxy.conf;
        include /config/nginx/resolver.conf;
        set $upstream_app 192.168.X.XXX;
        set $upstream_port 8123;
        set $upstream_proto http;
        proxy_pass $upstream_proto://$upstream_app:$upstream_port;
    }
}

If someone sees something wrong in these files don’t hesitate to say!

To access my HA these are the URLs depending on if I am connecting from LAN or from WAN:
http://192.168.X.XXX:8123
https://homeassistant.MYUSER.duckdns.org:[WAN_HA_PORT]
These can be used in the Companion Android App or directly on the browser.

When I started with all this I had the idea that maybe I could avoid using duckdns because I had a domain of my own and my little script updates the DNS servers each time my public IP changes. I am still wondering how I could achieve this. Someone knows if this could be possible?