I am rebuilding my system and I have a few questions related to network setup. I have installed a new Unifi system, set up an IoT VLAN and opened a port for HA. That part I THINK is right. My questions lie with setting up DuckDNS and Let’s Encrypt. I plan on doing more self-hosting stuff in the future. Can/should I be doing things like Dynamic DNS and certificates via an entity outside of HA, such as my router or some other container in the “system”, or is it better to handle HA’s requirements inside of HA itself?

Additionally, in my current config I can only reach the HA brain via the DuckDNS URL. What sort of setup is required to have the unit accessible when the internet is down? Seems with the mobile app it is the URL or nothing. What do I need to be doing for internal access when on the local LAN?

I am running it on the HA Blue hardware and I plan to rebuild from scratch if that matters. I am sketchy on the network setup and making sure things are all secure. Bit paranoid lol. So if you have any good setup guides on this portion it would be appreciated. Thanks.

  • lorentz@feddit.it · 1 upvote · 12 hours ago

    It makes sense to handle certificate renewal where your reverse proxy is, just because they are easier to install this way. Having a single Home Assistant, let it handle it. The day you’ll start hosting more stuff and put all of it behind a single reverse proxy (caddy or nginx are the most popular options) you can move certificate handling to the machine with the reverse proxy.

    To make your Home Assistant reachable even when the internet is down you just need a local DNS that resolves yourdomain.duckdns.org to your local IP. This is usually easiest to configure on the router, but many stock firmwares don’t allow it. Another option is to install a DNS (pihole is the most famous, I personally use blocky) somewhere and configure your router to advertise this DNS instead of its own.

    • KingOogaBooga@lemmy.world (OP) · 1 upvote · 7 hours ago

      So now HA needs a proxy server and a DNS server? There has to be a simpler method than adding additional devices onto the network. More devices, more complexity and more points of failure.

      • lorentz@feddit.it · 1 upvote · 6 hours ago

        HA doesn’t need either of these, but if you want an SSL certificate (to run over HTTPS instead of plain HTTP) it is bound to a domain name, which must be public unless you want to enter the zone of adding your own custom certification authority to each of your devices. This name is resolved by a public DNS. You asked how to use it when the internet is down; in this case a public DNS is not reachable, so you need your own on the local network.

        The reverse proxy is useful when you have a bunch of web services and you want to protect all of them with HTTPS. Instead of delivering the certificate to each of them, you add the HTTPS layer at your reverse proxy and it queries the servers behind it in plain HTTP. The reverse proxy also has the benefit of making handling subdomains easier. So instead of distinguishing the different services by a different port number you can have https://ha.my.domain/ and https://feedreader.my.domain/

        If you just have Home Assistant and don’t care about HTTPS, the easiest option is to use local resolution: modern OSes advertise the name of the device on the network and it can be resolved on the .local domain. But, if you configured HTTPS to use https://name.duckdns.org/ you’ll see an error when you try to use https://name.local/ because your browser sees a mismatch between the name in the certificate and the name that you are trying to connect to. You can always ignore this error and move on, but it mostly defeats the point of HTTPS.

  • just_another_person@lemmy.world · 4 upvotes · 22 hours ago

    You don’t need dyndns or certs if you’re not opening this up to the world. Just use a VPN instead and make it easy on yourself. Tailscale wouldn’t be a bad idea.

  • 18107@aussie.zone · 3 upvotes · (edited) · 21 hours ago

    To set up local and external network access:

    Go to settings -> companion app (or just settings if you don’t have an admin account)

    Select your server

    Then enter the external IP (or duckdns URL) in the URL section, the network(s) where Home Assistant is locally accessible in the “Home network” section, and the local IP in the internal URL section.

    I’m still working on making external access to my home assistant secure, so I don’t have enough experience to make suggestions there.

    • KingOogaBooga@lemmy.world (OP) · 1 upvote · 18 hours ago

      I have never had it work with a URL and an internal connection. Never connects on internal, at least it used to not. If I remember there was some reverse proxy requirement or something I was never able to get set up. So I was reliant on the DuckDNS, which had quite a bit of outages for me. I eventually gave up on the companion app.

  • SteveTech@aussie.zone · 1 upvote · 18 hours ago

    It doesn’t really matter how you set up dynamic DNS and SSL. I prefer to handle dynamic DNS on the router, in case it’s smart enough to refresh the IP after DHCP renews it. I do SSL on a separate nginx instance, but I run a few other sites; it might be easier to configure it directly on Home Assistant, but I haven’t tried.

    If you want some extra security, I’d look into mTLS, as that establishes some cert based authentication at the TLS layer before HTTP, but it can be complicated to configure.
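    The reverse-proxy layout lorentz describes above (one HTTPS entry point, one subdomain per service, plain HTTP to the backends) and the mTLS option SteveTech mentions, written out as an nginx configuration. This is an added example, not configuration from anyone in this thread or from the Home Assistant project; the hostnames `ha.my.domain` and `feedreader.my.domain`, the LAN addresses `192.168.1.5/.10/.20`, the ports and every file path are assumptions.

```nginx
# Added example (not from the thread). Assumed: this proxy sits at 192.168.1.5,
# Home Assistant at 192.168.1.10:8123, a feed reader at 192.168.1.20:8080.
# For "works when the internet is down", the local DNS must answer for these
# names with the proxy's LAN address, e.g. a dnsmasq/Pi-hole line such as
#   address=/ha.my.domain/192.168.1.5
# so the same certificate and URL are valid inside and outside the house.

# Send every plain-HTTP request to HTTPS.
server {
    listen 80;
    server_name ha.my.domain feedreader.my.domain;
    return 301 https://$host$request_uri;
}

# Home Assistant. The Let's Encrypt certificate lives on the proxy only;
# the upstream connection on the LAN stays plain HTTP.
server {
    listen 443 ssl;
    server_name ha.my.domain;

    ssl_certificate     /etc/letsencrypt/live/ha.my.domain/fullchain.pem;  # assumed path
    ssl_certificate_key /etc/letsencrypt/live/ha.my.domain/privkey.pem;    # assumed path
    ssl_protocols TLSv1.2 TLSv1.3;

    location / {
        proxy_pass http://192.168.1.10:8123;   # assumed HA address
        proxy_http_version 1.1;
        # Home Assistant's frontend and the companion app use a websocket;
        # without these two headers the upgrade is dropped by the proxy.
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_set_header Host $host;
        # Lets HA see the real client address instead of the proxy's.
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}

# Second service on its own subdomain, additionally locked down with mTLS:
# only clients presenting a certificate issued by the private CA in
# client-ca.pem pass the TLS handshake; everyone else is rejected before
# any HTTP reaches the backend.
server {
    listen 443 ssl;
    server_name feedreader.my.domain;

    ssl_certificate     /etc/letsencrypt/live/feedreader.my.domain/fullchain.pem;  # assumed path
    ssl_certificate_key /etc/letsencrypt/live/feedreader.my.domain/privkey.pem;    # assumed path
    ssl_protocols TLSv1.2 TLSv1.3;

    ssl_client_certificate /etc/nginx/client-ca.pem;   # assumed path to your own CA
    ssl_verify_client on;

    location / {
        proxy_pass http://192.168.1.20:8080;   # assumed feed-reader address
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}
```

    Two caveats that go with this layout. Home Assistant has to be told that a proxy is in front of it, through the `use_x_forwarded_for` and `trusted_proxies` options of its `http:` configuration section, or it rejects requests that arrive carrying `X-Forwarded-For` from an address it does not trust. And `ssl_verify_client on` is all-or-nothing for that vhost: every client, including a phone app, must carry a client certificate from the private CA, which is the configuration burden SteveTech refers to.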

    • KingOogaBooga@lemmy.world (OP) · 1 upvote · 7 hours ago

      I have a number of apps I would like to implement down the road that will likely need some sort of connection either externally or internally via some sort of VPN. It is all very confusing, as everything I read seems to have me adding 4 or 5 more components for DNS, firewalling, etc. when can’t my Unifi system just do that stuff? I paid more than enough that it should handle these tasks. It does DNS already, so why do I need an external DNS server? Very confusing. That’s why I have not moved forward on anything; it all feels overcomplicated with too many ways to screw it up.