Posted: Thursday Apr 24th, 2025 02:11 am |
|
1st Post |
slychiu
Administrator

Joined: | Saturday Apr 29th, 2006 |
Location: | Singapore |
Posts: | 5865 |
This is a guide to setting up encrypted remote access using DuckDNS and Let's Encrypt to secure the connection. This content is mainly from https://smarthomeaddict.co.uk/2022/07/home-assistant-remote-access-using-duckdns-and-letsencrypt/ which is one of the best guides.
Why this method?
- It’s a quick and relatively easy way to get remote access to Home Assistant.
- It provides an SSL certificate to keep your connection secure.
Some downsides
- There is a need to open up a port in your router to forward the port.
- Internal access will now report a certificate error, but you can safely ignore this.
First, go to DuckDNS.org. Sign in or create an account. Create a domain with the name of your choice; it will end in duckdns.org. Click Add Domain.

The domain will then appear below. To link your account with the addon, select and copy the string in the token field. Don’t give anybody this token, as it’s a security risk to share it.
Next, install the DuckDNS addon. Go to Settings, Addons and then click on Addon Store. Click DuckDNS. Click Install. Once it’s installed, enable the watchdog and go to the Configuration tab. As you can see, we need some information to add to the config.
 
Add the DuckDNS URL in the Domains box, e.g. xxxx.duckdns.org. You should see the same URL above the Domains box with an X.
Warning - you may see another X on the left. Press X to delete this blank domain, otherwise the addon will not work. This took me a lot of time to sort out.
Also when you copy and paste the token from the duckdns page, check that there are no spaces in the front of the token. By default the token is copied with one or more spaces.
In the Let’s Encrypt section, change false in accept terms to true in order to allow the addon to request an SSL certificate. Finally click Save.
We now need to let Home Assistant know it’s using an SSL certificate. To do this, edit the configuration.yaml file and add an http section, then add the following two lines.
http:
  ssl_certificate: /ssl/fullchain.pem
  ssl_key: /ssl/privkey.pem
Click Save.
Click Developer Tools, and check config. If there are any errors, correct them. If all is well, click Restart.
Next, forward a port in your router to allow traffic through so that you can access your Home Assistant instance from the Internet.
Go to your router IP address.
- Forward port 8123 to internal port 8123. Protocol is TCP.
- Forward port 443 to internal port 8123. Protocol is TCP.
As we’re using an SSL certificate, we’ll be using https. This means that the traffic between your browser or mobile and Home Assistant is encrypted, so nobody can intercept or see what you are doing. The standard port for https is port 443, however Home Assistant is on port 8123.
When you go back to Home Assistant, e.g. http://homeassistant-local:8123, you will get an error. This is because you’ve turned on SSL, so we need to change the URL slightly to use https instead of http, i.e. https://homeassistant-local:8123
Once you do this, you’ll get a warning that your connection is not private as we’re using the IP address. It is safe to ignore this as this is inside your network. Click Advanced, and then the Proceed link. Home Assistant will now display and you can use this as normal.
From a browser outside the home network, enter the DuckDNS URL that you set up, ensuring you precede it with https: (e.g. https://mydomain.duckdns). You do not need port 8123.
Log in using your normal credentials. Once logged in, you can then operate Home Assistant as if you were browsing from your home network.
You can use the remote access domain (e.g. https://mydomain.duckdns) even within your home network, so you do not need to use the local IP address.
Warning: as local access now requires https, the Home Assistant Voice Preview Edition may not be able to connect, as it requires http access.
Last edited on Saturday May 17th, 2025 08:03 am by slychiu
Posted: Monday May 19th, 2025 04:06 am |
|
2nd Post |
slychiu
Administrator

Here’s how to set up local HTTP access for Home Assistant OS while keeping DuckDNS and Let's Encrypt for external HTTPS access (I have not tested this).
You'll typically be using two key add-ons:
- Let's Encrypt add-on: To obtain and renew your SSL certificates for your DuckDNS domain.
- Nginx SSL proxy add-on (often called "Nginx Proxy Manager" or the official "NGINX Home Assistant SSL proxy"): This add-on uses the certificates from Let's Encrypt to handle secure external connections and then forwards the traffic to Home Assistant.
The goal is to have:
Here's the setup:
Step 1: Ensure DuckDNS and Let's Encrypt Add-ons are Correctly Configured
- Your DuckDNS add-on should be correctly updating your IP address.
- Your Let's Encrypt add-on should be successfully generating SSL certificates for your DuckDNS domain.
- Your Nginx add-on should be configured to use these SSL certificates and forward traffic to Home Assistant. In the Nginx add-on configuration, it usually points to http://homeassistant:8123 or the internal IP of Home Assistant.
Step 2: Modify Home Assistant's configuration.yaml
This is the crucial step to tell Home Assistant to trust the Nginx proxy and allow HTTP connections from it. Access your Home Assistant configuration.yaml file. You can do this via:
- The File editor add-on (if installed).
- The Samba add-on (to access files from your computer).
- The Terminal & SSH add-on (using a text editor like nano).
Add or modify the http section as follows:
http:
  use_x_forwarded_for: true
  trusted_proxies:
    - 172.30.33.0/24 # This is the default Docker network for Home Assistant OS add-ons
  ip_ban_enabled: true # Optional, but recommended
  login_attempts_threshold: 5 # Optional, but recommended
  # IMPORTANT: If your Nginx add-on is handling SSL, REMOVE or COMMENT OUT the following lines:
  # ssl_certificate: /ssl/fullchain.pem
  # ssl_key: /ssl/privkey.pem
- use_x_forwarded_for: true: This tells Home Assistant to look at the X-Forwarded-For header set by the Nginx proxy to get the true client IP address.
- trusted_proxies: 172.30.33.0/24: This is the typical internal Docker network range that add-ons in Home Assistant OS use to communicate with Home Assistant Core. Your Nginx add-on will be communicating from an IP within this range. This is usually the correct setting for Home Assistant OS.
- ssl_certificate and ssl_key: Crucially, these lines must be removed or commented out (by adding a # at the beginning of the line). This is because your Nginx add-on is now responsible for handling SSL encryption and decryption. Home Assistant Core itself will only serve HTTP. If these lines are present, Home Assistant will try to handle SSL itself, which will conflict with the Nginx setup and likely prevent local HTTP access.
Step 3: Configure Your Nginx Add-on
Ensure your Nginx add-on (Nginx Proxy Manager or NGINX Home Assistant SSL proxy) is configured to:
- Listen on port 443 for external HTTPS traffic.
- Use the Let's Encrypt SSL certificates.
- Forward traffic to Home Assistant Core on port 8123 using HTTP (e.g., forward to http://homeassistant:8123 or http://172.30.32.1:8123 if you know the specific internal IP, though homeassistant as a hostname usually works within the Docker network).
The Nginx add-on usually handles the SSL termination, meaning it decrypts the HTTPS traffic from the internet and forwards it as plain HTTP to Home Assistant locally.
Step 4: Router Port Forwarding
- On your internet router, you should only need to forward external TCP port 443 to the internal IP address of your Home Assistant device on port 443 (this port will be listened to by your Nginx add-on).
- Do NOT forward external port 80 to internal port 8123. If you do, your Home Assistant will be accessible via unencrypted HTTP from the internet, which is not secure.
- Local HTTP access does not require any port forwarding for port 8123 from the internet.
Step 5: Restart
- Save the changes to your configuration.yaml file.
- Restart Home Assistant Core: Go to Developer Tools -> YAML -> Check Configuration (to ensure no errors). If it's valid, then click "Restart" in Server Management.
- It might also be necessary to restart your Nginx add-on after Home Assistant restarts.
Step 6: Test Access
This setup ensures your external access remains secure with HTTPS, while allowing you the convenience of local HTTP access without SSL certificate warnings on your internal network.
Okay, great! Using Home Assistant OS makes this process quite streamlined as it relies heavily on add-ons for these functionalities.
Last edited on Monday May 19th, 2025 05:18 am by slychiu
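Added example, not part of the original post and not Home Assistant's own code: a simplified model of how a backend behind a reverse proxy should pick the client address when `use_x_forwarded_for` and `trusted_proxies` are set as in the post above, so that logging and `ip_ban_enabled` act on the real client rather than on the proxy. The function names and the sample addresses are assumptions constructed for illustration; rejection of the header from an untrusted peer is modelled as an exception.

```python
"""Simplified model of reverse-proxy client-IP resolution (added example)."""
from ipaddress import ip_address, ip_network

# Value taken from the configuration.yaml snippet in the post above.
TRUSTED_PROXIES = [ip_network("172.30.33.0/24")]


def is_trusted(addr):
    """True if addr belongs to one of the trusted proxy networks."""
    return any(addr in net for net in TRUSTED_PROXIES)


def resolve_client_ip(peer, x_forwarded_for=None):
    """Return the address that logging and IP banning should act on.

    peer            -- source address of the TCP connection
    x_forwarded_for -- raw header value, or None if the header is absent
    Raises ValueError when the header cannot be trusted or parsed.
    """
    peer_addr = ip_address(peer)
    if x_forwarded_for is None:
        return str(peer_addr)  # direct connection, e.g. local HTTP
    if not is_trusted(peer_addr):
        # Any client can send this header; only a trusted proxy may supply it.
        raise ValueError(f"X-Forwarded-For from untrusted peer {peer_addr}")
    hops = [ip_address(h.strip()) for h in x_forwarded_for.split(",")]
    # Walk right to left: entries appended by trusted proxies are skipped,
    # and the first untrusted address is treated as the real client.
    for hop in reversed(hops):
        if not is_trusted(hop):
            return str(hop)
    return str(hops[0])  # the whole chain consists of trusted proxies


# Constructed sample requests: (peer address, X-Forwarded-For header)
SAMPLES = [
    ("172.30.33.5", "203.0.113.7"),            # internet client via the proxy
    ("172.30.33.5", "10.9.9.9, 203.0.113.7"),  # client forged the left entry
    ("192.168.1.50", None),                    # LAN browser, plain HTTP
    ("192.168.1.50", "127.0.0.1"),             # LAN host forging the header
]

if __name__ == "__main__":
    for peer, xff in SAMPLES:
        try:
            print(peer, repr(xff), "->", resolve_client_ip(peer, xff))
        except ValueError as exc:
            print(peer, repr(xff), "-> rejected:", exc)
```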