# New setup of duckdns and port forwarding


proper moth
#

I'm new-ish to HA and have been trying to set up duckdns following this guide (https://smarthomeaddict.co.uk/2022/07/home-assistant-remote-access-using-duckdns-and-letsencrypt/) but HA isn't accessible. Locally I can visit https://homeassistant.local:8123 (not secure) but when visiting from the app, on the same network, I get a certificate mismatch in the mobile app.

In addition, trying to access the website off network, I get ERR_CONNECTION_TIMED_OUT in the browser, but I have set up port forwarding.

So I think I've got one or two issues.

  1. My SSL cert isn't allowing mobile login via the app (Android)
  2. My website isn't reachable from the web


late valley
#

I think the app doesn't allow ignoring SSL errors, you have to use the same URL for accessing HA internally. You could then point the domain to your HA's local IP address in your router's DNS server.
About the connectivity from outside, verify that duckdns correctly updates the IP.

slender turret
#

Firstly, my advice is to stop - there have been quite a few posts with people having issues when updating to 2025.8.x - in addition DuckDNS seems to have been suffering more and more outages over time.

You should see if your router supports a Dynamic DNS provider and set that up. Something like https://www.noip.com/ This provides the added benefit that your router will update the server when the IP address changes - with the DuckDNS add-on there may be a delay as the add-on has to poll to see when the address changes.

Then install the Nginx Proxy Manager addon - This will allow you to use Let's Encrypt to get a certificate for the name you set up in the Dynamic DNS provider. It also means you only need to add the IP Address for the Nginx Proxy Manager Addon to your trusted_proxies setting in configuration.yaml (i.e. you are not converting your HA to use SSL by default)

If you still want help with the DuckDNS set-up you are trying to do, I can try but have a few questions:

1). Locally I can visit https://homeassistant.local:8123/ (not secure) - what do you mean by 'not secure'? Do you get a certificate warning? Are you sure you are using 'https://' and not 'http://'?
2). What do you have for external_url and internal_url in the mobile app? You can mask private data by saying xxxx.duckdns.org or [host].duckdns.org
3). Can you confirm DuckDNS has the correct IP? You can visit https://whatismyipaddress.com/ which should show your public ip and compare it to the one in DuckDNS.
4). What ports have you forwarded on your router (both from - to).
5). Confirm that you are forwarding from the router to the IP Address of your HA Server.
6). Tell us the changes you made in configuration.yaml for http:

late valley
#

Yeah, that's basically what I did too: I moved my domain to namecheap and I use their dyndns service instead, directly on the router. For the certificate I switched to the Let's Encrypt add-on.

proper moth
#

I did try a tracert on my domain (xxx.duckdns.org) but it fails a lot. So I am thinking my router is blocking outside traffic. At least that is my current guess.

#

Fixing the certs I am a little less sure about. HA shows some certs, so I'm not sure why they'd be 'Not secure' and preventing me from adding it via mobile.

slender turret
#

Which router is it?

proper moth
#

A crappy Linksys Smart Wifi node

#

Older model of these:

slender turret
#

Are you just on your mobile or on a PC connected to your network?

#

Also, what OS is the PC?

proper moth
#

HA is on a separate computer from what I am currently using, a Raspberry Pi specifically. I connected via browser on a Win11 PC.

slender turret
#

OK, first let's get the internal IP of the HA server. Open a command prompt and type ping homeassistant.local

proper moth
#

Response is just a MAC address. I got the IP from my router.

#

Using ping -a homeassistant.local I can confirm it's the correct IP

slender turret
#

good

#

where xxx is your host

#

Is it giving the same IP or a different one?

proper moth
#

Ping request timeouts

slender turret
#

Don't care about timeouts - just want IP address checks.

proper moth
#

Oh, I see what you mean. My ping was showing the internal IP; you want to see if the external IPs match?

I'd have to check what HA's external IP is currently. Give me a sec.

slender turret
#

No, I want to see whether, when you are using your PC, you get the same IP Address or a different one.

#

if you get an external public address when looking up xxx.duckdns.org we will probably need to add port 8123 forwarded to HA server on the router

proper moth
#

Ah, same as duckdns? Yes they match

slender turret
#

when you say they match, the two lookups on the pc both gave the same internal ip?

#

or the IP matched with the one at DuckDNS

proper moth
#

not my internal IP

slender turret
#

ok, add a port forward for 8123 to your router like you did for 443 - you can remove the one for 80

slender turret
#

yes, add one that is 8123 to 8123

proper moth
#

Done

proper moth
#

Still that ugly ERR_CONNECTION_TIMED_OUT

late valley
#

Sure port 433 is correct? Shouldn't it be 443?

slender turret
#

"yes, add one that is 8123 to 8123"

proper moth
#

Right, either should have worked. Maybe it's my ISP?

late valley
#

why are we using xxx as example? feels like we are talking about a porn website 😂

proper moth
#

It's what the internet is built for, if you believe the song.

late valley
#

Oh, I haven't thought of that song for a pretty long time, but I remember ^^

slender turret
#

back to the fix, change the 433 to 443

proper moth
#

oh, yikes. Not sure how I missed that

#

Well, now my router's IP is directing me to HA.

slender turret
#

so, now you should also be able to remove the 8123 forward we added.

You would use https://xxx.duckdns.org for both internal and external

proper moth
#

If I can somehow get back to my router settings.

slender turret
#

However, I do recommend you add a proxy server rather than just exposing the HA Web Interface direct to the Internet

proper moth
#

baby steps.

proper moth
#

Ah, thank god, port 80 still works

late valley
#

maybe use also 8123 as external port

proper moth
#

Unfortunately still no luck. Browser still giving me an ERR_CONNECTION_TIMED_OUT.

#

There must be something I am missing with my router.

proper moth
#

Looking into my ISP, some suggest that it uses something called CGNAT, which prevents my router from having a "real" public IP. I think my end solution is to use Nginx Proxy Manager as you've suggested before.

#

Unfortunately my shitty router doesn't show my WAN IP anywhere so I cannot confirm it. But at this point it makes the most sense.

slender turret
#

Which ISP is it? If it is running CGNAT then you won't be able to get external connections since you don't really have a Public IP address. Your ISP has the Public IP address and would need to port forward to your CGNAT IP Address (they won't do this).

Solutions:

1). Ask ISP if they can provide a static IP Address - they will charge an additional fee for this if they offer the service
2). Use a VPS (Virtual Private Server) and create a VPN from your network to the VPS. The VPS will forward the traffic to your network over the VPN.

#

3). Sign up to Nabu Casa cloud - HA will connect to their cloud servers
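The checklist earlier in the thread (does DuckDNS hold the current WAN address, is there a forward for the right external port, does it point at the HA box) and the CGNAT discussion just above are easy to run through by hand, but it is also easy to miss a 433/443 mix-up. Below is an added example, not code from the thread or from Home Assistant, that takes the three inputs a user can collect (router WAN address, the address DuckDNS currently returns, the router's port-forward table) and reports the same findings the replies above walk through: a WAN address in the RFC 6598 shared range 100.64.0.0/10 means the ISP is doing CGNAT and no port forward can work, an RFC 1918 WAN address means there is another NAT device upstream, a DuckDNS record that differs from the WAN address is stale, and a missing forward is checked for a one-digit typo. The sample addresses and forward table at the bottom are constructed for the demo.

```python
"""Offline diagnosis of the DuckDNS / port-forward symptoms discussed in the thread.
Added example, not part of the original thread or of any Home Assistant project."""
import ipaddress

# RFC 6598 shared address space: a WAN address here means the ISP runs CGNAT.
CGNAT_RANGE = ipaddress.ip_network("100.64.0.0/10")
# RFC 1918 ranges: a WAN address here means another NAT device sits upstream.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def classify_wan_address(addr: str) -> str:
    """Classify the address the router shows on its WAN side."""
    ip = ipaddress.ip_address(addr)
    if ip in CGNAT_RANGE:
        return "cgnat"
    if any(ip in net for net in RFC1918):
        return "double-nat"
    return "public"


def looks_like_typo(a: int, b: int) -> bool:
    """True when two port numbers differ in exactly one digit (433 vs 443)."""
    sa, sb = str(a), str(b)
    return len(sa) == len(sb) and sum(x != y for x, y in zip(sa, sb)) == 1


def diagnose(wan_ip: str, duckdns_ip: str, forwards: list, ha_ip: str, external_port: int = 443) -> list:
    """Return a list of findings (empty list means the forward looks correct).

    forwards: the router's port-forward table as dicts
              {"ext": external port, "int": internal port, "dest": LAN address}.
    """
    findings = []
    kind = classify_wan_address(wan_ip)
    if kind == "cgnat":
        findings.append("CGNAT: WAN address is in 100.64.0.0/10, inbound forwards cannot reach you")
    elif kind == "double-nat":
        findings.append("DOUBLE-NAT: WAN address is RFC 1918, the upstream device must forward the port too")
    elif duckdns_ip != wan_ip:
        # Only meaningful when the router really holds the public address.
        findings.append(f"STALE-DNS: DuckDNS returns {duckdns_ip} but the WAN address is {wan_ip}")

    rule = next((f for f in forwards if f["ext"] == external_port), None)
    if rule is None:
        near_miss = [f["ext"] for f in forwards if looks_like_typo(f["ext"], external_port)]
        if near_miss:
            findings.append(f"PORT-TYPO: no forward for {external_port}, but {near_miss[0]} exists (mistyped port?)")
        else:
            findings.append(f"NO-FORWARD: router has no rule for external port {external_port}")
    elif rule["dest"] != ha_ip:
        findings.append(f"WRONG-DEST: forward for {external_port} goes to {rule['dest']}, HA is at {ha_ip}")
    return findings


if __name__ == "__main__":
    # Constructed sample data: a router with the 433/443 slip from the thread.
    table = [{"ext": 433, "int": 8123, "dest": "192.168.1.50"},
             {"ext": 8123, "int": 8123, "dest": "192.168.1.50"}]
    for line in diagnose("203.0.113.10", "203.0.113.10", table, "192.168.1.50"):
        print(line)
    # Constructed sample: the WAN side shows a shared-space address, so CGNAT.
    for line in diagnose("100.72.5.9", "203.0.113.10", table, "192.168.1.50"):
        print(line)
```

The WAN address has to come from the router's status page or the ISP's modem; when the router hides it, comparing the address DuckDNS holds with one reported by an external "what is my IP" service only tells you whether the DuckDNS add-on updated, not whether the router owns that address, which is exactly the CGNAT ambiguity above.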

late valley
#

4). Change to a different ISP 🤷🏼

merry berry
#

@slender turret @late valley If I have Nabu Casa account and signed in on HA, why would my duckdns still not work?

slender turret
#

I don't use Nabu Casa, so not sure, but as they put it through their cloud they would provide the domain. That means no need for DuckDNS.

merry berry
#

I have been trying to get my HA Voice going, but the 1 issue that I face is that it says I don't have access to my microphone, due to the fact that my UI is "not secure". This being accessing my HA server on my local network, from my PC, to my HA server (Pi 5), via http instead of https.

manic jetty
#

I do have inbound access to my home network through duckdns and nginx proxy manager (not running on HA), but I do not use that for HA.

slender turret
#

> manic jetty: when you set up your ha to use the nabu casa cloud service your ha connects outb...

For my personal education, can you set a custom hostname when you sign up to Nabu Casa or do you have to use the external address they provide?

OP, being able to set a custom hostname won't make a difference for you since you are behind CGNAT and cannot receive inbound connections. The custom hostname would allow you to register a domain name and use that instead of the Nabu Casa provided one.

manic jetty
#

I have not really bothered with my own domain name for Nabu Casa as I use the app when away from home.

For other (non-HA) stuff that hits my nginx proxy I have multiple CNAME records in my DNS domain that all point to the same duckdns name. The nginx proxy then uses the hostname in the URL to decide which backend to route to.

slender turret
#

> manic jetty: i have not really bothered with my own domain name for nabu casa as i use the ap...

That is the correct set-up, although it should be noted that the DuckDNS name is pointed at your router's WAN IP. The router forwards the traffic to your Nginx Proxy. In theory this means if you use the DuckDNS name on your internal network, traffic gets sent to your router and then reflected back to the Nginx Proxy (most routers automatically set up reflection when setting up port forwarding).

manic jetty
#

Not all routers can handle that. But internally my domain is handled by my FreeIPA cluster, so internally those names resolve differently anyway 🙂

slender turret
#

> manic jetty: not all routers can handle that. but internally my domain is handled by my freei...

All routers that handle reflection (NAT Hairpin) when setting up a port forward will handle it correctly, since you don't need to set-up any custom DNS entries and the upstream name servers will query the DuckDNS servers.

By running FreeIPA you are using Split-Horizon DNS (running a local DNS that resolves with different information to the upstream servers).

I'm not saying there is anything wrong in doing this, however, it isn't a straightforward set-up and hopefully you have reasons for running this at home.

manic jetty
#

My home lab contains up to 40Gb networks... and a blade enclosure... it's a mess, but it's my mess 😛

So - yes - I need both the split DNS, LDAP, Kerberos... and some day I'll look into the cert and key handling.

south gorge
#

My preference is Wireguard. No messing with DNS. iOS has a client, Macs have a client. I’m quite sure everything has a client these days. Put it on an obscure port and DROP all state=new traffic except that port and you are done.

#

Duckdns is of course awesome. Used to have to install binaries for that kind of thing, now it’s just a curl one liner.

south gorge
#

That kind of scenario scares me to death. Can you at least limit the DNAT by client IP? I wouldn’t trust any authentication scheme really.