#Tailscale and HA

Its basically my own setup.

The first thing is to hook your HA setup to tailnet.

Then, when you can access your HA at http://10.4.0.x:8123 (IP that Tailscale give to your instance, it shown in addon page), the rest is a piece of cake.

Spin a letsencrypt addon to get TLS certificate for any subdomain, because DNS-01 validation allows this, feed obtained certificates to HA, and point DNS record to internal Tailscale IP via MagicDNS or your own DNS server.

That's all 🙂

For letsencrypt:

domains:
  - <REDACTED>
email: <REDACTED>
keyfile: privkey.pem
certfile: fullchain.pem
challenge: dns
dns:
  provider: dns-cloudflare
  cloudflare_api_token: <REDACTED>
keytype: ecdsa

configuration.yaml

http:
    ssl_certificate: /ssl/fullchain.pem
    ssl_key: /ssl/privkey.pem
    server_port: 443

DNS configuration I leave as an exercise for a reader.

With this setup all your IPs and domain names remain strictly confined and wouldn't leak to public.

Thank you so much for responding! I will try this all in a bit! But also sleep time soon, work tommorow

So there's some things here i dont understand. @stray field What is dns-01? Magicdns is also a add-on? What i have is cloudflare where i can enter dns records. Is that where i make a dns record to the tailscale ip?

And would it then also be possible to get a ssl for a different port? 1984?

dns-01
In a short, it's a protocol used by ACME-compliant software, way to confirm that you own this domain.
Magicdns is also a add-on?
It's a built-in DNS server in Tailscale
Is that where i make a dns record to the tailscale ip?
Sure, you can do this. It's an easiest way, to be honest.
And would it then also be possible to get a ssl for a different port?
Yes, it is possible, but why? If there is nothing else on the machine listening on port 443, and HA is the only software that needs HTTPS there, then leave it as it is.

i need it for port 1984, its being used by go2rtc thats build into frigate.

it serves a http page, a dashboard with video feeds. with ssl, i can use the microphone in that dashboard to talk to my cameras.

http or https?

so 192.168.1.184:8123 is home assistant. 192.168.1.184:1984 is go2rtc dashboard. it's http, i need it to become https with the certificate.

https supports mics in browsers. http doesnt.

so installing lets encrypt now.

Is go2rtc installed next to HA?

yeah, i guess. its running in the frigate container (frigate is a home assistant add-on)

its seperate from home assistant, its own http page.

It can be installed as HA addon, so this way you won't have to think about terminating TLS traffic (HA will take care of it).

the web UI/dashboard will then still be seperated from home assistant.

Have you configured TLS for go2rtc?

Judging by the port number, you haven't.

dont think so, i dont know what TLS is 😅

right now setting up lets encrypt.

trying to copy your settings

You can use 2-way audio from Add-on Web UI.
If I understand it correctly, the addon reuses HA ingress, which simplifies the task.

i dont know what the ingress is...i just know that its at least not standard included as its a different port and different http page then home assistant gives.

In short, if you can set up go2rtc so that you can access the dashboard not on a separate port, but through the HA Web UI, then you will have https for everything and on one domain.

https://github.com/AlexxIT/go2rtc?tab=readme-ov-file#module-hass

Anyway, let's start from configuring https for HA only, on the default (443) port. The rest will follow.

that sounds lovely, but hope it wont break frigate.

it might expect some links from that location

yeah agreed

Account registered.
Requesting a certificate for **************
Waiting 60 seconds for DNS changes to propagate

Requesting a certificate for **
Be sure that you filled proper cloudflare credentials (there is dedicated FAQ for this) and domain.

in cloudflare, do i simply point a A record towards the subdomain and the IP address that tailscale assigned to the home assistant host?

Yes.

Successfully received certificate.

• The certificate will need to be renewed before it expires. Certbot can automatically renew the certificate in the background, but you may need to take steps to enable that functionality. See https://certbot.org/renewal-setup for instructions.

hmm, also for later i guess.

Letsencrypt addon will take care of this.

Then, with TLS certificates in place, configure HA to use them.

[core-ssh ~]$ ls -al ssl/
total 16
drwxr-xr-x    2 root     root          4096 Feb 28 20:32 .
drwxr-xr-x    1 root     root          4096 Feb 26 22:01 ..
-rw-r--r--    1 root     root          3355 Feb 28 20:32 fullchain.pem
-rw-------    1 root     root           241 Feb 28 20:32 privkey.pem

It's an example output from my box.

ok, cloudflare pointing to the same subdomain i have set in lets encrypt, towards the tailscale IP.

awesome, domain working, but yeah no ssl yet. lets check...

https://community.home-assistant.io/t/how-to-configure-lets-encrypt-ssl-certificates-for-home-assistant-completely-100-free-updated-for-2022-2023/508329#finally-install-your-certificates-12

edit your configuration.yaml and point HA to obtained certificates.

Ensure you have the following lines under http:

http:
  ssl_certificate: /ssl/fullchain.pem
  ssl_key: /ssl/privkey.pem

Once updated, you’ll need to restart Home Assistant. And once it’s updated, you’ll need to start using your full domain URL to access Home Assistant.

Of course, https://your.domain will work only in your VPN, that's a point, didn't it?

yes, i only want it to work on tailscale.

ugh, now i cant access home assistant anymore 😅

also not on my local address.

the local port shows "400 Bad Request
The plain HTTP request was sent to HTTPS port"

Sure.

and my subdomain says "ERR_QUIC_PROTOCOL_ERROR"

Use https://… instead of http:// now.

Without port.

not working.

What kind of error do you see?

using the standard port 8123 gives a ERR_CONNECTION_REFUSED. the 443 port gives the "ERR_QUIC_PROTOCOL_ERROR"

What's on https://10.x.x.x, where 10.x.x.x Tailscale IP for HA? Again, without explicitly specified port.

any port gives the connection refused except for 443, so the port is set correctly.

well the go2rtc port still works lol

the tailscale ip also no longer works, i guess i have to hook up the minipc by hdmi and keyboard to make a change.

the tailscale ip also no longer works
Is your tailscale addon up and running?

using the tailscale IP on port 443 shows: 400 Bad Request
The plain HTTP request was sent to HTTPS port

makes sense, cant use ssl on a ip.

Give an output for curl https://your.domain

isnt there a way to make http working while also have https working? in case of something like this.

The entire point that you switched ports (and protocol) where HA listens for requests.

ah, can still access command line through ssh.

Okay, check what curl returns.

i am in CMD for the homeassistant minipc, and the command curl sub.domain.com is hanging, so it seems.

Double check that Tailscale works. If you not sure, revert or comment changed in configuration.yaml and restart HA. This will instruct HA to listen on previous port (8123) and on HTTP.

it works.

i have it set as exit node, and im connected to it with my pc.

also just checked my cloudflare settings, also correct.

i have it set as exit node
Uncheck this.

is that the cause yeah?

Nope. But uncheck this.

  use_x_forwarded_for: true
  trusted_proxies:
    - 127.0.0.1
    - 172.30.33.0/24
#  server_port: 443
#  ssl_certificate: /ssl/fullchain.pem
#  ssl_key: /ssl/privkey.pem

i have these proxys from before, maybe they also cause trouble?

they come from tailscale https and cloudflared https guides.

or do i have to put something else in there?

Comment trusted proxies by now.

(again, each modification here requires restart of HA.)

yeap, so commenting out everything except for use_x_forwarded

what should i try after the restart or want me to check?

From the mistakes I saw, I realised that HA had just worked correctly. It was just the browser making the wrong requests.

http:
  server_port: 443
  ssl_certificate: /ssl/fullchain.pem
  ssl_key: /ssl/privkey.pem

you know how to restart home assistant in cli?

i should try that in configuration yaml?

first disable tailscale exit node etc?

ha core restart

It you're stuck, modify this section as shown above, restart HA, open an incognito window in browser and try to open URL here.

ha core logs will give you logs, just in case.

seems these commands are not being executed.

i restarted the host, that worked.

just takes a bit....

welp, still not working...cant access the home assistant login.

still getting "400 Bad Request
The plain HTTP request was sent to HTTPS port
nginx" on the 443 port.

in a ignoc browser tab

port 8123 not working

my configuration.yaml has this:

http:
  use_x_forwarded_for: true

Give me a screenshot of browser address tab with only domain edited (for a privacy reasons).

https://i.imgur.com/gwReot2.png timed out (domain)

local ip address connection refused.

Even https://your-local-ip-from-router:443?…

yes.

connection refused.

its like the configuration.yaml file change did nothing.

Have you tried to reboot this box?

yes.

host reboot

Well, let's fix this tomorrow. Comment that three lines and restart (ha core restart)

At least you will have an access to HA by domain name in the tailnet.

I pulled power and put it back in lol

That's strange.

Yeah, are you also living in EU?

Ukraine, Kyiv.

oh damn

hope all is good with you and family then.

seems the whole thing is fucked :/ no access

even no ssh access anymore for some reason

Even after commenting those lines?

i deleted the lines.

ah good, ssh access is back.

So, it should revert to listening on all interfaces and 8123 port.

now praying http works.

no, ffs!

am i editting the wrong configuration.yaml or something

is there a backup

Anyway, ping me tomorrow, I have an idea how to fix it.

https://i.imgur.com/nnILt09.png

that 443 thing shouldnt work anymore 😅

8123, if configuration doesn't contain ssl_* keys AND port.

i know...doesnt work.

https://i.imgur.com/z8zkJPW.png

Well, my wife just grabbed me away from a keyboard. I'll help you tomorrow.

thanks for the help so far anyway, and appriciate all the time. good night!

so i solved that issue, i configured http to use the 8132 port (instead of 8123) now i at least got access again and stuff works.

even zigbee2mqtt stopped working, that would have made my wife super pissed, so im glad things are working now at least

next time i do this, i make a backup 😅 😄

dont think it matters but i used this in lets encrypt config, because it complained port 80 was already in use.
https://i.imgur.com/1DciW8l.png

it says it should only matter for http challenge, and we use dns so...

when we got it working i'l paypal you some beers 😄

tailscale also had https on...and a certificate for that...maybe that was clashing with lets encrypt? is there a way to delete that? (already disabled https in tailscale dns dashboard)

now time to sleep, glad i can access the UI again.

Morning! I dont need nginx or something for a proxy? Lets encrypt does this as well?

@stray field, also is that a MLP avatar? Cute 😄

I'l try to mess around with it in 2h or so

Good.

right, lets see if i can make this work.

Okay, so.

@frosty lichen Do you have a linux box nearby or WSL with curl installed?

only the home assistant minipc with HAOS installed as OS.

i have a web server online that probably has curl, that i can use, but its not local.

im using windows 11 locally.

but can ssh into the cli of home assistant

I just forgot whether curl is included or not. But nevermind.

So, for now you have a working tailscale addon, and can access HA with tailscale-provided IP, right?

yep!

i disabled tailscale https, removed proxys from configuration.yaml, and stopped the proxy in tailscale add-on.

should i now make a configuration.yaml backup, and put back the following in configuration.yaml?

    ssl_certificate: /ssl/fullchain.pem
    ssl_key: /ssl/privkey.pem
    server_port: 443```

there is no need to configure a proxy port in http in configuration.yaml? the tailscale add-on AND cloudflared add-on demand this..

Wait, wait.

First, I owe you some explanations, just to make sure you know what are you doing, okay?

you dont owe me anything, i appriciate your time a lot! ❤️

HA, as well as any network application, listens on some port of some interface. It's just plain TCP port, right now we don't care about actual protocol.
So, the port is 8123, and the interface is… well, by default, it's 0.0.0.0 — it's a shorthand for «all interfaces».

So, when you added a Tailscale addon, under the hood it created another, albeit virtual, network interface, got an IP address for it, and yeah, HA will happily serve requests on 8123 port on all interfaces, 192.168.or.whatever (local interface, wired be it or wireless, doesn't matter), and 10.x.x.x — the Tailscale interface.

100, or? (tailscale ips all starts with 100)

or is that the difference between interface and ip

Or 100, right. (I'm using custom control plane).

ah

So right now you can access HA on both IPs. At least, it should be so.

yep

Interface — it's a more low-level concept. It may have zero or more addresses.

and when i would enable ssl, home assistant forces it, so the local ip stops working, which is not ideal imo for my use case, but i'l take it.

Wait, don't rush.

So, enter TLS (or, in the ye olde good times, SSL).

It's a protocol too, basically wrapper for any other protocols.

Application, given enough permissions, in principle can «bind» (i.e. listen) arbitrary port on arbitrary interface, and speak arbitrary protocol over this port. So, TLS isn't special here: app can bind to any port, wrap opened connection in TLS, and start speaking in more high-level protocol, for example, http.

So, https it's just http+secure connection underneath.

And, as you might guess, choosing port numbers are nothing more than conventions.

this is already getting a bit complicated for me tbh 😅

yep, but 443 is considered default on many servers serving http, learned that from my web server and sites.

That's why we don't write http://example.com:80, but just http://example.com (because 80 used by default for plaintext http), and we don't write https://example.com:443, but just https://example.com (because 443 used by default for secure http, https)

(Fixed)

i am aware, stuff was just broken yesterday i figured to specify the ports in the browser.

For example, if an application listens to port 34662 but only understands http, and you try to reach it via https, the request will fail, and vice versa: sending a plaintext request (simple http) to a port where the application only understands https will also fail.

force it, because idk why it wasnt connecting to any port.

panic behavior, basically 😄

This is what happened yesterday.

That's why we're going to start with the simplest thing.

Forget about Tailscale for a moment, let's just bolt on https to your system.

Tell me, what happens when you try to open https://192.168.x.x:8123 ?

Assuming that you haven't changed anything yet.

it opens home assistant.

just like when i open the tailscale IP

those are the only access options right now. tailscale IP of course only with tailscale connected.

Note https.

Is there really no warning about the certificate?

ah!

ERR_SSL_PROTOCOL_ERROR

Sure. It's basically browser saying «screw that, app on this port doesn't speak https, I give up». And it indeed so.

Because you haven't changed anything yet.

makes sense since configuration.yaml isnt having any ssl paths.

Let's change this.

certificates should be installed already, though.

First, double-check this.

Open a SSH connection to your box, and verify contents of ssl directory.

where is this folder located?

ah, root directory.

https://i.imgur.com/YYr2kQH.png

(nginxproxymanager is disabled, also not set to start on startup)

So.
https://www.home-assistant.io/integrations/http/

i have put back the certs in configuration.yaml and restarted, the domain now works 🥳

what remains is getting that extra port also included on the domain.

so its ssl encrypted.

So everything is fine with the setup now? (except the port)

seems that way!

let me check if it works without tailscale.

nope, thats great!

Don't change the port, check first.

super secure.

Ok.

Well,

server_port integer (Optional, default: 8123)
Let you set a port to use.

Since you have working https on 8123 port, you can change this port to whatever you want.

Including 443 — the default one. Let's try.

i put 441 in configuration.yaml

443

a bit extra secure, for whatever reason people get access, they still need to know its port 441 lol

not the standard one.

It doesn't add security. Because you, and only you have an access to VPN.

It's closed for a public, by definition — Virtual Private Network.

trueeeee, but if someone would have access to my tailscale account my phishing or whatelse, they can add their own device.

with their own device they would then have access.

If so, you're screwed anyway, so don't bother.

Proper threat model is a key to balance between convenience and security.

I guess, issue has been resolved?

true, but with bookmarks...a other port nr isnt hurting. for sshing, people also recommend changing the default port on web servers. ok, sure, thats public, not in a private network.

yes, just need to know how to include the port 1984 to the network^^

It's another app that runs alongside HA?

when you install the frigate add-on, it installs go2rtc as well, it runs in the frigate container on home assistant OS, but it is outside of the home assistant http box, so to say.

its a seperate http page.

Give me a link to this addon, please. ||As long as I still have a beer.||

only accessable through http://192.168.x.xxx:1984

https://github.com/blakeblackshear/frigate-hass-addons

haha, i can paypal you some extra ones soon 🙂

https://i.imgur.com/kinBxXd.png

as you can see, a entire different page.

Oh, got it. I confused this Frigate with another Frigate.

There is a completely unrelated software with a same name.

this software allows you to connect to the camera streams with direct links

with https, i can use the microphone to talk to ppl.

https is a requirement of browsers to use the mic.

Well, well. Give me a couple of minutes to look into docs.

is it not possible to include that port somehow to have another subdomain of mine?

or to go to my subdomain:1984

It is possible, and there are many ways how to do so.

I'm looking for a simplest one.

Do you have an official integration, as described here: https://github.com/blakeblackshear/frigate-hass-integration ?

https://docs.frigate.video/integrations/home-assistant#installation — pay attention to this.

yeah, integration and add-on.

need both.

Please, open https://HA_URL:HA_HTTPS_PORT/api/frigate/

HA_HTTPS_PORT is that port you have configured.

I think that HA proxies this frigate web UI somewhere…

not found. which makes sense probably

(Like it does for z2m)

its not the frigate web ui, though.

its go2rtc. its seperate from frigate. frigate simply installs it because it relies on it.

also not frigate API.

also do you know if there is a way to force home assistant to also accept http, even if certificates are installed? or simply not happening? 😄

Well, I have more complex answer to both of this questions than I thought.

As you might guess, there is a rule of thumb: one application can listen on one combination of (IP:PORT).
So, if something binds to 0.0.0.0:80, or :443, it will prevent* anything to bind the same port.

In the old days this behaviour led to outdated for a modern standarts configuration: «1 IP — 1 SSL domain».

But today it's possible to serve arbitrary many domains over HTTPS on a single IP.

We just need an ingress, an application that would act as gateway, listening on :443 port on all interfaces, accepting all requests, unwrapping TLS and deciding where to forward traffic next.

that sounds complicated 😅

Like, request for https://ha.my.net to http://localhost:8123, https://frigate.ha.my.net to http://localhost:1111 and so on.

yeah

There is such ingress in HA, but I haven't touched it extensively to say how to configure it.

There is an option to replace it with full-fledged nginx.

hm...until then, is there a way to perhaps ONLY make https on the 1984 port? instead of home assistant?

There is an option to put anything in front of HA.

or just as complicated?

There is such an option, but an ugly one.

I don't see how I can configure https://github.com/AlexxIT/go2rtc with LE-served TLS certificates.

It meant to be put behind any ingress, nginx or whatever.

Integration for frigate indeed does such proxying for go2rtc API: https://github.com/blakeblackshear/frigate-hass-integration/blob/master/custom_components/frigate/views.py#L216

But I don't see where this integration exposes go2rtc's Web UI in HA, under, say, https://your.ha.net/frigate/ui/ instead of http://your.ha.net:1984.

Despite the fact that creating such a proxy is trivial and can be done in a couple of hours.

Something like that. I hope I've helped you, @frosty lichen .

Now I'm out of beer and I'm going to go write some code.