Yet another DuckDNS / NGINX issue... hear me out

OK, I’ve read a ton of threads about the whole DuckDNS/NGINX not being able to access from the outside. And while some of them sound similar, none of them seem to be exactly what I’m seeing (although as a noob with this stuff, I could be very wrong, and I apologize for that up front!)

From the start, I was never able to access HA via the hassio.local:8123 address… always had to go via the direct IP at 192.168.1.X:8123. What I didn’t look for at the time was whether that gave me a secure connection or not BEFORE I tried the DuckDNS stuff for remote access.

Went through the setups in the following two threads that proved to be helpful… except it still doesn’t work:
DuckDNS - It's not just me - it's you!
https://help.konnected.io/support/solutions/articles/32000023964-set-up-hass-io-with-secure-remote-access-using-duckdns-and-nginx-proxy

The Konnected link shows a log from the NGINX app that shows it creating dhparams and a snakeoil certificate. My logs just say “INFO: Running nginx…” and it doesn’t change when I hit refresh.

So I’ve done a few other things to see what’s going on:

  • Port forwarding works because when I use outside (i.e. iPhone) access and pull up the actual IP address of my router with X.X.X.X:443, I get the HomeAssistant welcome page, but it’s “Not Secure.”
  • FROM EXTERNAL: I can ping the XXX.duckdns.org address and get a return (averages about 55ms) and it shows that it’s going to the correct IP address
  • FROM EXTERNAL: When I tracert / traceroute the DuckDNS address or direct IP address, it always goes dead at the same node: agg1.rcsntxiw01m.tx.rr.com
  • FROM INTERNAL: I cannot ping or Traceroute either the DuckDNS or direct IP address.

I’m probably missing something simple, but I’ve been at this for 1.5 days now and it’s driving me crazy!

Halp!

Sounds like duckdns working.
Sounds like HA working.
Not enough info provided to determine if nGinX working.
Not enough info to determine if port forwarding is set up correctly.

When you connect via IP:443 from internet, are you receiving the duckdns cert? Or a self-signed cert? Or no cert?

I wouldn’t worry about not being able to get to hassio.local. That is using mDNS to advertise to the local network the DNS over multicast. My guess is you have the rpi (or whatever device you have running HA) wired while your PC is wireless. Or something similar. Or have a router that just doesn’t support mDNS…or any number of things.

I wouldn’t worry about traceroute not completing too much. Wouldn’t be surprised if your ISP is blocking this. Or whatever router agg1.rcsntxiw01m… is. You shouldn’t really care the path it takes to get to you anyway.

You’ve verified your token you inserted in the config is correct?

Are you using a VM? Is HA installed on a rpi? You didn’t mention you were able to go to https://XXX.duckdns.org from your phone. Did that work the same as going to your router ip address?

Have you tried clearing the cache of your browser? I would use incognito mode or private mode when testing these things so you don’t have to worry about browser cache messing things up.

I can’t help on the hassio.local:8123 issue as I have never even tried to use that, I also rename my servers, so not relevant either.
Comms on your local network is always insecure. You have to be on the inside (behind your firewall) to access it and if they are in your house, have attached a pc to boot, obtained an ip address from your dhcp - then network security is the least of your worries.
You don’t need the 443 from outside, https defaults to 443. But this wouldn’t stop it working.

1.5 days is nothing, I spent over a week on various permutations, and filtering out the wheat from the chaff.
So, first things first : -

  1. Does your ISP use CGNAT (this is NAT layering) (I don’t think they do as you are able to use the mydomain.duckdns.org address) but what does it tell you when you access it ?
  2. So you have an external ip address, where did you get this ? From your ADSL modem/router management page ?
  3. This is the address as given by duckdns when you apply via mydomain.duckdns.org, so it appears duckdns is working and giving the correct address.
  4. What happens when you enter this address directly ? You ‘should’ get an error as the associated SSL certificate was issued for mydomain.duckdns.org not 82.91.87.3 or whatever it is. The point is you should get a refusal and the notification ‘may’ tell you something.
  5. Does your modem support hairpin NAT (i.e. does it recognise that the address requested is the one it is assigned and direct the request internally)? What is the modem / router ?
  6. How many forwarding rules do you have ? You should only have one. (any more and for any other issues will just cloud this issue, you can only piss on one fire at a time)
  7. Is the rule to forward any traffic on 443 to 443 on your pi ? Anything else and you haven’t followed instructions.
  8. NGINX sorts out security and ports for access and you seem to have the right responses on that, so I’ll take your word for the moment.
  9. Now for the biggie: do you have ANYTHING in your config about http: or https: ? If you do, you aren’t letting nginx do its ‘thang’ and again you’re not following instructions.
  10. Have you tried disabling network on your phone and using that to access the external mydomain.duckdns.org (don’t depend on hairpin if you’re not sure it works).
  11. If it still doesn’t work, then you either have an undocumented hairpin issue (you could change your modem), or you could have an ISP support person who doesn’t know what the hell CGNAT is and has just been told to say ‘no’. You may just have to fall back on Nabu Casa and pay for remote access. This isn’t all bad as it is the most secure method, no ports opened up, it just works and you get the voice assistant thrown in for free. AND it supports the HA project.
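
Added example, not part of any post in this thread: one way to run the CGNAT check from items 1 and 2 above is to compare the WAN address shown on the router's status page with the address the DuckDNS name resolves to. The function name, verdict labels and sample addresses are constructed for illustration; the address ranges are the RFC 6598 and RFC 1918 blocks.

```python
import ipaddress

# RFC 6598 shared address space, used by ISPs for carrier-grade NAT.
CGNAT = ipaddress.ip_network("100.64.0.0/10")
# RFC 1918 private ranges: a WAN address here means another NAT sits upstream.
PRIVATE = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def diagnose(router_wan_ip, duckdns_ip):
    """Compare the router's WAN address with the address DuckDNS resolves to.

    Returns (verdict, explanation). IPv4 only; hypothetical helper.
    """
    wan = ipaddress.IPv4Address(router_wan_ip)
    dns = ipaddress.IPv4Address(duckdns_ip)
    if wan in CGNAT:
        return ("cgnat", f"{wan} is in {CGNAT}: the ISP is NATing you, so a "
                "port forward on your router is unreachable from outside")
    for net in PRIVATE:
        if wan in net:
            return ("double-nat", f"{wan} is in {net}: an upstream modem or "
                    "router must forward 443 to this router as well")
    if wan != dns:
        return ("stale-dns", f"DuckDNS points at {dns} but the router holds "
                f"{wan}: check the DuckDNS token and update interval")
    return ("ok", f"{wan} is public and matches DuckDNS; look at the "
            "forwarding rule and the proxy next")


if __name__ == "__main__":
    # Constructed sample pairs (router WAN address, DuckDNS A record).
    samples = [("100.72.14.9", "203.0.113.5"), ("192.168.0.2", "203.0.113.5"),
               ("198.51.100.7", "203.0.113.5"), ("203.0.113.5", "203.0.113.5")]
    for wan_ip, dns_ip in samples:
        verdict, why = diagnose(wan_ip, dns_ip)
        print(f"{verdict:10} {why}")
```
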

First off, thanks for the responses… my bad for not including some of the info y’all asked for; some of it was stuff I had in my first post which I accidentally blew away when I closed the wrong tab last night :man_facepalming:

I’ll start with Mutt and work my way back from there:

Still nothing… Think I’m going to try a new clean install with the lessons I’ve learned to see what happens.

:crossed_fingers:

well, of course, with a clean install it all works as expected. gotta love stray electrons.

Thanks all for chiming in… sorry for the false alarms.

Don’t worry, we’ve all been tripped up by some B4574R& thing, that needed the equivalent of a reboot (some even needing retrieval from next door’s garden first) .

Look at it this way - you are now an expert !

:rofl:

And by “clean install” you mean that you reinstalled your entire hassio? Or just DuckDNS and NGINX?
For a long time I have been able to access my setup from outside (on my smartphone and being away from my own network), but suddenly it stopped working.
I have now tried reinstalling DuckDNS and NGINX but it still doesn’t work. My smartphone app just mentions “The request timed out”.