You’re welcome

Glad it helped :)

You're welcome!

8126 was a slightly random port I chose for this demo, but you’re right to pick your own. And yes 2FA should definitely be enabled, been using the TOTP generator in Bitwarden myself, working really nicely

You're welcome!

What a great video. Thanks for sharing.

Glad it helped!

I’m glad to hear!

Glad it was of help :)

Glad it was helpful!

You’re welcome

Thank you!

I'm glad you found it useful, I hope you enjoy the other videos

You're welcome!

Glad it helped

Thank you

I hope it helped!

Glad it helped!

Thank you!

Glad it helped!

My pleasure!

You're welcome!

You’re welcome 😊

Glad it helped!

Thanks!

Thank you!

Yes, but it's not enabled by default. Go to the File Editor add-on's configuration page and UN-check the option to Enforce Basepath.

You're welcome

Hi, you can forward 80, but you forward 80 to 8123 because that's what Home Assistant uses. I'd suggest you don't though, much better to forward your HTTPS port only on your router, and then access your Home Assistant server using HTTPS remotely as you have already configured, or HTTP on TCP 8123 via the IP address if you want to do so locally.

Yes, I'm getting the same issue. I'll try the YAML.

Yup you’ve guessed it. The add-on is monitoring your external IP address and updates the Duck DNS record accordingly

@@SpeakToTheGeekTech Super, that is good news! Thanks for the reply :)

You are welcome!

You're welcome!

I’ve been using this method myself now for almost a year and prefer it to the alternatives out there.

@@SpeakToTheGeekTech sorry, I wasn’t clear, I’m sure your solution is great, it’s my ability to implement it is what is in doubt 😢

Have you tested it from outside of your network?

@@SpeakToTheGeekTech Found the problem & now everything works ok. My mobile operator had a different APN to be defined in the 4G modem for the subscription which has public IP address capability.

Thank you so much!

Thank you very much!

You're welcome!

Nothing really wrong with the Cloudflare approach especially for those who aren't given a public IP address by their ISP. However, my approach minimises the number of third party services you are relying on to just DuckDNS and LetsEncrypt, and lets you keep control of your server's security.

Glad it helped!

Are you definitely using the internal port 8123 and http not https when trying to access internally?

@@SpeakToTheGeekTech I doubled checked everything and had cleared my cache, however after restarting the windows PC to access HA worked locally, it's working now

Hi, firstly you need to make sure your ISP has given you a public IP address and is not using something called CGNAT. Then check you have port forwarding enabled on your router, and also only test access from an internet connection that’s external to your Home Assistant installation

@@SpeakToTheGeekTech thanks for your quick reply! I was double checking all the configurations. I noticed these lines were missing from my configurations.yaml file: ssl_certificate: /ssl/fullchain.pem, ssl_key: /ssl/privkey.pem - and now it works well.

Yes CGNAT will not work with this method and that’s something I should have mentioned in this video. CGNAT is very popular in the US, but less used in the UK although I suspect that will slowly change over time due to cost.

A perfect use case for Cloudflare tunnels. I run my Home Assistant instance using CF, there’s a HACS package to install it and it works without a static IP, dynamic IP or without punching holes in your firewall.

Yeah I think Cloudflare tunnels (or similar solutions) are going to be the future as IPv4 addresses become more infrequently used by ISPs on home broadband connections. My preference for the NGINX method is less reliance on third parties (yeah, I know, DuckDNS / LetsEncrypt - but even they can be worked around if necessary) but eventually I think proxied tunnels like Cloudflare are going to be the way forward, but how long they can offer that for free for is anyone's guess.

Many thanks!

Yup once you have set it up you can use your new external url in the app too

@@SpeakToTheGeekTech Nice. Think I'll work on that today...

@@SpeakToTheGeekTech Well, I started following your guide last Tuesday... took about 15 minutes to implement your fine instructions. However, I came to find out that Starlink does the CGNAT thing and a simple duckdns won't fix it. So, do I VPN tunnel or do I bite the bullet and go full IPv6!? After a 4 day learning journey I pulled the switch and converted to IPv6 on my home network and all seems to be working. I still don't fully understand some IPv6 stuff and Duckdns doesn't like it yet (still working on that) but I can access HA remotely with my new IPv6 public address:port number... Still some bugs to work out but I'm happy, happy, happy! Thanks for spurring my adventure.: Starlink set to Bypass mode gl.inet Beryl router set to IPv6 mode Router firewall set to open port 8123 2 factor authentication turned on in HA Cheers Eric--

This external access method does not change the internal unencrypted http access option. Perhaps the integration is not auto-detecting the URL properly and you need to manually set the “Override default Home Assistant API host panel URL” in the Konnected integration configuration. See that on the integration page: www.home-assistant.io/integrations/konnected/

Haha thank you, I'm trying to take a slightly different approach although I thought Lewis' videos were pretty good - he's done one on a alternative way to get remote access using Cloudflare which is great if you aren't able to forward ports through your router, or don't have a valid public IP on your broadband WAN interface.

It looks like there's a HACS component available for Tailscale. I've never used the service myself but I'll investigate. Initial thoughts are that it looks really easy to configure so there might not be much of a video to make.

@@SpeakToTheGeekTech I'm stuck behind CGNAT so port forwarding is a solid no-go for me as well. But with tailscale I had a VPN tunnel working in minutes. (IMHO Tailscale set is miles ahead of cloudflare and zerotier in terms of easy setup). So that solves my remote access needs, but what's missing now is https. I've been fighting with this for hours, playing with duckdns let-encrypt etc, and I cannot get the HA webserver to give me a https connection. I just want https so chrome will let me use the microphone for voice assist. If you have time, I sure could use some advice on the right way to solve this.

The thing is, the Cloudflare solution would solve that problem for you...

Hi, that sounds like you need to enable Advanced Mode first, see 6:36 in the video: kzfaq.info/get/bejne/sMiTm7mJ1LPXm58.html

That suggests that you either haven't added your duckdns domain name to the add-on configuration, or it didn't save correctly. Go and check that config page and you should see your domain name in a little bubble above the Domains field. If you switch to YAML mode on the config page (tap the three little dots in the top-right and choose Edit in YAML) then there should be lines of config saying: domains: - YOURDOMAIN.duckdns.org

@@SpeakToTheGeekTech Thanks I finely figured what I had done wrong! On entering the Domain Name I had not clicked on the x at the side of it took me a few attempts but got there in the end. Onto yaml file now! thanks! :-)

There is a risk of course, but you can minimise it by keeping Home Assistant up to date and enabling two-factor authentication for your user account. Connecting anything to the internet comes with a risk, but I don't think opening up the port for remote access is any less secure than making it accessible via any other method.

My method, using the Duck DNS add-on and configured exactly as I demonstrate in this video, will automatically renew the certificate before it expires. I've had it running for at least two renewal cycles so far (last renewal was December 11th, just checked!). The Duck DNS add-on manages the renewal and I never have to get involved - the certificate is placed in a location that NGINX can also read meaning that the two add-ons work together to procure and use that certificate without needing any special configuration from the end user. If you add in an alias or other configuration/complications then I couldn't say how that would react as I've never had the need to experiment with those options.

I have the same issue with DuckDNS and no solution yet.

Thanks @@SpeakToTheGeekTech for your response - without using the alias, renewal of the certificate works fine!

Not sure why's it's disabled, but there's an option to edit the configuration in YAML. On the add-on config page, three dots in the top right, choose Edit in YAML. You should be able to edit the config to have your domain in the list at the top: domains: - YOURDOMAIN.duckdns.org

https only works properly with a hostname because the certificate is tied to the domain. If you try and use an IP address you'll get browser warnings.

There’s the Filebrowser add-on, or if you’re feeling adventurous the Samba share add-on which will let you browse to the confit share on your server itself and edit the files using whatever local text editor you like.

You're using a DuckDNS certificate which is in the trusted chain for starters in order to encrypt the traffic between your browser and the server. Then once connected you authenticate with a username and password. You can also enable 2FA (standard TOTP method) too for additional security. The authentication component of Home Assistant is extendable so it's entirely possible for someone to write a component that allows client side certificate authentication if someone hasn't already done that.

@@SpeakToTheGeekTech thanks for the clarification.

I’ve not seen that at all before. Are you accessing it locally using http not https?

@@SpeakToTheGeekTech Locally, http. I solved by accessing with external url (https) even when I'm on a local computer. Google Chrome (used at work) also claims that HA is 'Dangerous' and that I should avoid revealing my password. The policies at my workplace don't like redirects, perhaps that's why?

Sounds like the duckdns addon hasn’t obtained your certificate for your hostname

@@SpeakToTheGeekTech thanks for the advice, I reset duckdns to default settings, created a new domain and started the process once more. This time I kept an eye on the duckdns log and the certificate was obtained correctly. All working now. I have also added an ip ban with login attempts threshold in yaml for extra safety but not sure if it was necessary.

Usually yes. You can either configure this manually in Home Assistant, or you can assign as a reservation in your router's configuration so as it always gives Home Assistant the same IP address. Otherwise if the IP address of Home Assistant changes, your forwarding rule will be pointing to the wrong location.

Hi, which part is deprecated and do you have a link to info about that? I'm still running with this method just fine, but if there's something deprecated I could do with knowing so as I can make an updated guide. I've not seen anything myself.

You're probably trying to access http on your https port.

@@SpeakToTheGeekTech I do not know, I forward ports properly, logs are ok..

@@SpeakToTheGeekTech SOLVED!!! I had to reboot whole system.

I can be of no more help with that than Google can be: www.pcwintech.com/port-forwarding-tp-link-tl-wr941n-tp-link-firmware

It sounds like you might not have followed my guide correctly - NGINX shouldn't listen on 8123 because that's Home Assistant's port, you need to configure it to use a different port. My guide suggests using 8126 in the NGINX configuration. It must be a port not already in use on your Home Assistant server.

@@SpeakToTheGeekTech Indeed, this is the solution. Shame on me 😔 Thank you for your support!! 👍

Yup

Hi, there are so many places to start looking. Firstly make sure that your router has a public IP address and your ISP is not using CGNAT. Make sure you are testing this from outside of your internet connection (so not from the same network that Home Assistant sits on). Make sure that the port on your router is open, configured correctly to point to Home Assistant's NGINX port that you set up, and that external services can see it (try using a port checker such as portchecker.co). If you're concerned about DNS propagation, you can test this using an IP address. You should also be able to check that NGINX is working correctly by browsing to your Home Assistant IP address on the secure port (so for example, 192.168.1.12:8126 instead of 192.168.1.12:8123 or whatever you have configured) - you'll get a certificate error but you should be able to get in as a proof of concept. As you can see, so many places it could go wrong and you need to rule out each part individually.

@@SpeakToTheGeekTech Thanks for taking the time to respond, I appreciate it

When you say not found or recognised, what actually happens and when do you see this error? When you type your domain into the configuration page (so just yourchosenname.duckdns.org with no or anything and press enter), it's not doing any checking at that point to my knowledge. It's only when you start the add-on that the checks on the domain happen.

I've just had a quick play with the add-on and it looks like there may be a bug in the GUI that doesn't allow you to type in your domain. (bug is here: github.com/home-assistant/addons/issues/2839 so you might want to add your name to the list so as you can keep an eye on the progress). As a workaround on the configuration page you can click the three dots and choose 'Edit in YAML'. You'll then need to make sure that the configuration starts like this: domains: - yourchosenname.duckdns.org

@@SpeakToTheGeekTech yes i just enter the domain name without the bit and press enter. nothing changes unlike in your example where the domain appears in a bubble above. Then when I click on Token , the domain name is cleared

@@SpeakToTheGeekTech brilliant, thanks do much for your help.

Thank you. I have it working with no issues myself, in the companion app settings you need to make sure that the internal URL is using http not https and the unencrypted port, so for example my internal URL is 192.168.1.12:8123

@@SpeakToTheGeekTech thanks. Just checked and everything is set fine. I think there is a problem with iOS. When I join the local wifi the app still thinks it should be using the external url. I have added the wifi ssd to the ios app so it should know to switch to the internal url

Glad it's working!

There are so many places it could have fallen over that it's impossible for me to assist easily. Start with the obvious, run through the configuration process step by step making sure each stage is working before checking the next.

So many cogs in that to inspect. Firstly make sure Home Assistant has a normal LAN IP address and hasn't been NATd behind your NAS's IP. You must be able to access Home Assistant on the local IP address on both ports 8123 and 8126 (if that's what you've configured on NGINX) on your local LAN before trying to access remotely.

@@SpeakToTheGeekTech Thanks for the fast answer. If i check my router, the HA's IP ends in .73 and the NAS's ip ends in .65. I opened the port 8126 on ip .73. But i can connect to HA locally on the port 8123 but not the 8126. So that is my first problem i guess. You might know how to fix it?

Trying to connect locally to the IP address using https on 8126 will not work, but you should get an SSL-related error (Chrome would say ERR_SSL_UNRECOGNIZED_NAME_ALERT for example) which indicates that it is at least reachable in theory. If you get that far then the problem is either with your forwarding (assuming you have other stuff working like this forwarding ports through to your NAS?) or your NGINX configuration. If you don't get that far then it could be your virtualisation platform or NAS blocking that port. Basically you have to go through each individual component and rule it out one by one, there's too much to diagnose in one go.

There are so many components involved here it’s impossible to diagnose from what you’ve said, but you need to go through each stage in the guide and confirm they have individually worked until you find the point where the fault is

Can I use 8123 port too or another one

Another one. 8123 is for Home Assistant unencrypted so you must configure a different port to be used by NGINX for the https access

@@SpeakToTheGeekTech I use 8126 but comes up with 400 Bad Request The plain HTTP request was sent to HTTPS port

Usually the browser will give you a bit more information about why it considers it not secure. Are you accessing it from an external internet connection, i.e. external to the network on which Home Assistant sits? If so, things to look for are whether the certificate the browser sees is valid, and making sure that you're using https not http in the address.

@@SpeakToTheGeekTech thanks, I will investigate further

You’ve managed to forward the port on your router to your Pi’s internal IP address ok? If that’s definitely ok then you should check if your router’s external IP address is public or not (Google what’s my IP). If it’s 10. 192.168. or 172.16 something then your ISP is giving you a private IP which means you’d need to use a different method (such as Cloudflare tunnels). That’s not common though on UK broadband, so if you’re UK based then my bet is on something being slightly mis-configured.

No I am US based. Yes I was able to do port forwarding with no issues. I’ll check the other stuff thank you for your help

I *think* (very happy to be corrected here) that it's a lot more common in the US for ISPs to give you a private (non-internet routable) IP address, so you're effectively behind a CGNAT on your own router. The only way to allow inbound traffic in that scenario is using some sort of external proxy that tunnels in. Have a look at this guy's video which will show you how to use Cloudflare to get around that. kzfaq.info/get/bejne/rr5xqrdqs5ObeKs.html

Port 8123 is already in use by Home Assistant, you need to enter a different port to use. I used 8126 in my video. So NGINX will listen on port 8126 and send requests through to Home Assistant which is listening on port 8123

ok thanks, got it working now.

@@SpeakToTheGeekTech I also tried this approach with HA installed as a VM in linux - however, I just cant seem to connect to the secure version. What diagnostics or logs can I check to see how I could fix this.- thanks

Very tricky question to answer. The first place I would check is the networking configuration for your VM. Ideally this should be using pass-through networking, i.e. your VM has its own IP on the same LAN as the host you are running it on, which is different to that of the host. My guess is you may have set it up as NAT networking, meaning your VM is hidden behind the IP of your host server and you may have to punch holes through like you would on a router (port forward). You should check that your secure port is listening on the host from another machine (use telnet if you have Windows) or nc on Linux (nc -z -v -w5 )

My guide doesn’t change the internal URL at all, it only configures NGINX as the proxy for external access. Are you certain you are accessing internally using http not https and with the correct port 8123?

@@SpeakToTheGeekTech I can access internal URL by http, but some add-ons such as Terminal & SSH, Studio Code Servers can't work anymore. These two add-ons are most often used. If the internet is down, it'll be a problem. Is there a way to make these two add-ons work?

Terminal & SSH works just fine for me on the internal URL, I don't use Studio Code so can't comment. All I can say is that my guide does not change anything at all do to with local access, you are purely configuring NGINX which is a separate service running on a separate port that forwards through to the internal unencrypted port. That was the whole point of my method - to leave the internal unencrypted access method alone and avoid local access issues.

But maybe have a good look in your configuration.yaml file at the http section and in particular the trusted_proxies list to make sure you have that section correct.

@@SpeakToTheGeekTech First of all, thank you for the answers and nice video. My http section is i.imgur.com/QIDCzRn.jpg and the Terminal SSH is i.imgur.com/uqvUsvg.jpg with error message 401:Unauthorized. I suppose the Terminal needs SSL, which becomes unavailable after ssl_key and ssl_certificate being marked in configuration.yaml.

Have you tested it from an external internet connection? It’s common for home routers to not support something called NAT loopback which prevents you accessing externally presented services when sitting on that network. Also do you have a public IP address provided by your ISP? This will only work if you do, otherwise you need to look at a third party proxy service such as CloudFlare for remote access

If your browser or Home Assistant is crashing for you when you save text configuration files then you have much bigger issues I think. This method is the one I still use for my own installation and have set it up recently too for others so I know it's still valid. HA does accept the 172 address exactly as per the tutorial. I've set this up on various types of Raspberry Pi installations so I can't comment on how well this works if you have Home Assistant configured in other environments.

Do you mean why am I not just using Amazon to control everything, or are you suggesting there's no point encrypting inbound traffic if I'm letting Amazon in anyway? If it's the former, it's because that's how I prefer to control my home remotely (either that or via Apple Home). If it's the latter your argument is confusing the issue of security over public networks (against all sorts of miscreants) with one of trust and security with a large third party who has potentially conflicting interests in your data. Both valid security concerns, but both totally unrelated.

@@SpeakToTheGeekTech My only point is that by securing your smart home it suggests you want to have no one else have access to or control of your devices and service whereas by using Alexa you are letting Amazon do exactly that... Amazon created Alexa to enable it to build a profile of each user so that it can market based on knowledge accrued via these means, eg. it has your permission to listen to everything that it can pick up and so you elect to give away your privacy by using it. More importantly, perhaps, is the greater and greater emphasis given to "political correctness" and so your actions and words could easily be interpreted as going against the "new rules" and Amazon could shut you off from having any control over your own network which is happening more an more regularly. This is just an example of someone who suffered that very loss of control: kzfaq.info/get/bejne/hMyZfLug1KqbZ6c.html It's totally doable now to secure the outside against attack while retaining control by using local voice activation solutions without selling ones privacy out to the likes of Google, Amazon, et al...

Yeah sadly that's becoming more and more common now. Try out a Cloudflare tunnel or similar, I've heard people having luck doing it that way instead.

Fair enough, but if you're just port forwarding to the unencrypted http port (8123 by default) then please be careful where you log on from. Your username and password will be sent in the clear over the network and it's quite easy to capture it.

@@SpeakToTheGeekTech I know, but I don't use Home Assistant that much and the password was created just for it.

Yup, very true, although not sure it needed the dramatic emojis! :) If you don't have a public IP address then you'll need to look into other solutions such as Cloudflare Tunnel or just paying Nabu Casa

​@@SpeakToTheGeekTech , emojis removed. I intended to warn about the Public IP requirement. I made the whole process you taught, but just realized about the limitation at the end.

You didn't need to, I was only joking! And yes, I should have clarified that in the video but I honestly didn't think about that scenario at the time. Here in the UK it's quite normal to be supplied with a public IP, but I realise that in places like the US it's much more common to be given a private one behind a CG-NAT.

​@@SpeakToTheGeekTech that's exactly what happened. I'm from Brazil, here 99% of the ISP deliver CGNAT. But anyway, thank you for the reply and the other videos which helps the community. Keep it up !

Ah ok glad to hear you have sorted it!

Thank you so much!