Duck DNS and SSL encryption

In the d-diot image, remote access through Duck DNS and SSL encryption is disabled because the setup process requires some user-specific data, but part of the job is already done (see here and here).

If you need a more general idea of remote access, read this introduction; if you want a more detailed explanation, take a look at this exhaustive Home Assistant guide.

In short, to remotely access your Home Assistant instance (API and webui), you have to satisfy three conditions:

  • The Raspberry Pi must be reachable, and the connection must not be blocked, for example by a firewall or a NAT.
  • Your external IP address must always be resolvable.
  • To avoid security issues (man-in-the-middle attacks), your connection must be encrypted, because you send your username and password from your device to your Raspberry Pi.

This step is necessary to satisfy the first condition stated above. You have to open port 8123 on your router to reach the Home Assistant instance running on your Raspberry Pi.
Each router has its own interface, so it is not possible to write a specific guide here, but you can easily find one for your router model by searching for it on Google.
Make sure that your Raspberry Pi always gets the same IP address in your local network, otherwise the port forwarding is useless.
You can assign a static IP address to your Raspberry Pi or, better, configure a MAC address reservation for it in your router.

This step is necessary to satisfy the second condition stated above, and Duck DNS offers this service for free.
In most cases your external IP address is dynamically assigned by your ISP and may change over time. Duck DNS associates your IP address with the domain name of your choice, and the duckdns component of Home Assistant keeps Duck DNS informed about your external IP address.
Registering a domain name with Duck DNS is easy; see the first part of this video.

Now that you have a domain name and a token, use them to complete the Duck DNS component configuration in Home Assistant.
Open your configuration.yaml via Samba and edit the following lines:

/home/homeassistant/.homeassistant/configuration.yaml
duckdns:
  domain: your_duckdns_subdomain_without_.duckdns.org
  access_token: !secret duckdns_token

After the “domain:” string insert your Duck DNS subdomain, without the “.duckdns.org” part. For example if your complete domain name is “mydomotics.duckdns.org”, simply insert “mydomotics”.
Save and exit.

Open your secrets.yaml and edit the following lines:

/home/homeassistant/.homeassistant/secrets.yaml
duckdns_token: your_token_here

Insert your token after the “duckdns_token:” string, then save and exit.

Restart Home Assistant to apply the changes.

This step is necessary to satisfy the third condition stated above.
Before requesting an SSL certificate, we need to configure dehydrated with your Duck DNS token and domain.
Open the domains.txt file located in /home/homeassistant/dehydrated/domains.txt via Samba and replace the following line

/home/homeassistant/dehydrated/domains.txt
your_subdomain.duckdns.org 

with your complete domain name, which in the example above is “mydomotics.duckdns.org”. Save and exit.

Now insert the Duck DNS subdomain name (without .duckdns.org) and the token in the hook.sh script located in /home/homeassistant/dehydrated/hook.sh.
Find the following lines and change them according to your parameters.

domain="your_subdomain"
token="your_token" 

Save and exit.
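The bare subdomain goes into configuration.yaml and hook.sh, while domains.txt takes the full name, and mixing the two up is an easy mistake. The following check is an added example, not part of the d-diot image or of dehydrated; the function names are hypothetical and it assumes the file layouts shown on this page.

```shell
#!/bin/sh
# Added example: cross-check the Duck DNS name in the three files edited so far.
# Function names are hypothetical; none of this ships with the d-diot image.

# Value of "domain:" inside the top-level duckdns: block of configuration.yaml.
ha_subdomain() {
    sed -n '/^duckdns:/,/^[^ #]/s/^ *domain: *//p' "$1" | tr -d "\"' \r" | head -n 1
}

# Value of the domain="..." assignment in dehydrated's hook.sh.
hook_subdomain() {
    sed -n 's/^[[:space:]]*domain="\([^"]*\)".*/\1/p' "$1" | head -n 1
}

# First entry of domains.txt, ignoring comments and blank lines.
first_domain() {
    sed -e 's/#.*//' -e 's/[[:space:]]*$//' -e '/^$/d' "$1" | head -n 1
}

# check_duckdns_names CONFIG_YAML DOMAINS_TXT HOOK_SH
# Prints one line per mismatch and returns the number of mismatches.
check_duckdns_names() {
    sub=$(ha_subdomain "$1"); full=$(first_domain "$2"); hook=$(hook_subdomain "$3")
    bad=0
    case "$sub" in
        ""|*.duckdns.org|your_*)
            echo "configuration.yaml: expected bare subdomain, got '$sub'"
            bad=$((bad + 1)) ;;
    esac
    [ "$hook" = "$sub" ] ||
        { echo "hook.sh: domain '$hook' differs from '$sub'"; bad=$((bad + 1)); }
    [ "$full" = "$sub.duckdns.org" ] ||
        { echo "domains.txt: expected '$sub.duckdns.org', got '$full'"; bad=$((bad + 1)); }
    return "$bad"
}

# Usage: sh check_names.sh configuration.yaml domains.txt hook.sh
if [ "$#" -eq 3 ]; then check_duckdns_names "$@"; fi
```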

Now we are ready to request a certificate for the domain. First stop the Home Assistant instance, then open a terminal (CLI) and run the following commands to register a new account key:

pi@d-diot:~ $ sudo -u homeassistant -H -s
homeassistant@d-diot:/home/pi $ cd /home/homeassistant/dehydrated 
homeassistant@d-diot:~/dehydrated $ ./dehydrated --register  --accept-terms

Generate the certificate:

homeassistant@d-diot:~/dehydrated $ ./dehydrated -c

If a password is requested, ignore it and press CTRL+C.

The issued certificate expires in 90 days. Run the following command to set up a cron job that sends a renewal request on the 1st day of every month:

homeassistant@d-diot:~/dehydrated $ crontab -e

Add the following line:

0 1 1 * * /home/homeassistant/dehydrated/dehydrated -c

Save and exit.

Now configure Home Assistant to use SSL encryption. Open the configuration.yaml file located in /home/homeassistant/.homeassistant/configuration.yaml via Samba and uncomment the following lines, replacing the “your_subdomain” string with your own Duck DNS subdomain:

/home/homeassistant/.homeassistant/configuration.yaml
http:
  base_url: your_subdomain.duckdns.org:8123
  ssl_certificate: /home/homeassistant/dehydrated/certs/your_subdomain.duckdns.org/fullchain.pem
  ssl_key: /home/homeassistant/dehydrated/certs/your_subdomain.duckdns.org/privkey.pem

Restart Home Assistant and go to https://your_subdomain.duckdns.org:8123 from an external device to test your remote access.
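Because the certificate lives only 90 days and renewal depends on a monthly cron job, it is worth checking the files that Home Assistant (and lirc_web, further down) load. The script below is an added example, not d-diot or dehydrated code: it verifies that fullchain.pem is not about to expire, that privkey.pem belongs to it, and that the key is not readable by other users. The function names and the 21-day default are assumptions; keep the threshold below dehydrated's renewal window (RENEW_DAYS in its config).

```shell
#!/bin/sh
# Added example: check the certificate pair that Home Assistant loads.
# Function names and the 21-day default are assumptions, not d-diot code.

# cert_days_ok CERT DAYS: succeeds if CERT parses and is valid DAYS from now.
cert_days_ok() {
    openssl x509 -in "$1" -noout -checkend "$(( $2 * 86400 ))" >/dev/null 2>&1
}

# key_matches_cert CERT KEY: succeeds if KEY is the private key of the leaf
# certificate (the first one in fullchain.pem).
key_matches_cert() {
    c=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    k=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
    [ -n "$c" ] && [ "$c" = "$k" ]
}

# key_is_private KEY: succeeds if group and others have no access to KEY.
key_is_private() {
    mode=$(stat -c %a "$1" 2>/dev/null) || return 1
    case "$mode" in *00|0) return 0 ;; *) return 1 ;; esac
}

# check_cert_dir DIR [MIN_DAYS]: prints one line per problem and returns
# the number of problems found (0 = all good).
check_cert_dir() {
    dir=$1; min=${2:-21}; bad=0
    cert=$dir/fullchain.pem; key=$dir/privkey.pem
    if ! cert_days_ok "$cert" 0; then
        echo "expired or unreadable: $cert"; bad=$((bad + 1))
    elif ! cert_days_ok "$cert" "$min"; then
        echo "less than $min days left, is the renewal cron job working? $cert"
        bad=$((bad + 1))
    fi
    key_matches_cert "$cert" "$key" ||
        { echo "private key does not match certificate: $key"; bad=$((bad + 1)); }
    key_is_private "$key" ||
        { echo "private key accessible by group/others: $key"; bad=$((bad + 1)); }
    return "$bad"
}

# Usage: sh check_cert.sh /home/homeassistant/dehydrated/certs/your_subdomain.duckdns.org
if [ "$#" -ge 1 ]; then check_cert_dir "$@"; fi
```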

When an encrypted connection is established between two devices, it is not possible to establish an unencrypted connection inside it: the browser blocks unencrypted content embedded in a page loaded over HTTPS.
This is exactly what happens when you connect to your Home Assistant webui and, inside the webui, try to reach the lirc web interface, which uses an unencrypted connection.

According to this, lirc_web supports SSL encryption, so to solve the problem we need to configure lirc_web to use the certificate obtained in the step above.

Open a terminal and run the following commands:

pi@d-diot:~ $ sudo -u homeassistant -H -s
homeassistant@d-diot:/home/pi $ cd ~
homeassistant@d-diot:~ $ nano .lirc_web_config.json

Enter the following lines, replacing the “your_subdomain” string with your own Duck DNS subdomain:

/home/homeassistant/.lirc_web_config.json
{
  "server" : {
    "port" : 3000,
    "ssl" : true,
    "ssl_cert" : "/home/homeassistant/dehydrated/certs/your_subdomain.duckdns.org/fullchain.pem",
    "ssl_key" : "/home/homeassistant/dehydrated/certs/your_subdomain.duckdns.org/privkey.pem",
    "ssl_port" : 3001
  }
}

As you can see, lirc_web uses port 3001 for the encrypted connection, while port 3000 remains available for unencrypted connections. Now we need to update the iFrame Panel configuration in Home Assistant.

Open the configuration.yaml file located in /home/homeassistant/.homeassistant and change the following lines to this:

/home/homeassistant/.homeassistant/configuration.yaml
panel_iframe:
  lircweb:
    title: 'Ir remotes'
    url: 'https://d-diot.local:3001'
    icon: mdi:radiobox-marked

If your network supports NAT reflection or your router allows you to define a DNS record, you can also use the following URL to avoid the security alert from your browser (the certificate is issued for the Duck DNS name, not for d-diot.local).
Replace the “your_subdomain” string with your own Duck DNS subdomain:

/home/homeassistant/.homeassistant/configuration.yaml
panel_iframe:
  lircweb:
    title: 'Ir remotes'
    url: 'https://your_subdomain.duckdns.org:3001'
    icon: mdi:radiobox-marked

Reboot your Raspberry Pi to apply the changes.

  • Last modified: 2019/11/18 22:31
  • by franzunix