Hi everyone

So, that’s a 2 in 1 post. First a more general question then looking for advice for a friend.

  • What is your preferred way to access HA from outside (and why)?

  • A friend of mine uses duckdns and I often read (recently) that some people are having issues with it. Is wireguard a better way or another solution that is not too techy to deal with?

  • wewbull@feddit.uk
    2 months ago

    Very different solutions.

    • DuckDNS: you expose your HA to the internet like a public website and register its address with DuckDNS so you can look it up.
    • Wireguard: you VPN to inside your firewall and can access anything on your private network.

    Wireguard all the way. Exposing just a VPN endpoint that can’t be connected to without the right cryptographic keys is a much more secure and maintainable attack surface.

    BTW I assume that’s what you meant by “DuckDNS”. Using that service is orthogonal to making HA visible externally, but is (I think) the common pairing.

    • pafOP
      2 months ago

      Thanks, wireguard sounds much better then for just accessing HA, wonder why duckdns is so popular then

      • Because DuckDNS means you don’t have to buy your own domain. I don’t know their product offerings; they might offer VPN services, like Mullvad.

        Wireguard doesn’t provide you with a DNS entry. Without a domain name, you’ll have to always either edit your hosts file on every computer you use, or access your services via IP (https://65.147.69.34:8080/), whether or not you have Wireguard. DuckDNS lets you create http://pafha.duck.dns (or whatever). Using subdomains also helps with reverse proxying, because routing rules are usually configured by host name. For example, your proxy server can route pafha.duck.dns requests to port 8124, which is where your Home Assistant is listening; while pafmympd.duck.dns proxies to port 8091 which is where your MyMPD server is listening. If you own your own domain, you don’t need DuckDNS. If you don’t, it’s very useful.

        Wireguard gives you a VPN. It’s for creating encrypted subnetworks. Security, and privacy. It doesn’t solve the DNS problem.

        • pafOP
          2 months ago

          Will check that, thanks

      • Lee@fosstodon.org
        2 months ago

        @paf @wewbull In fact, even if you’re using Wireguard you’d likely need DuckDNS (or a real domain with something like Cloudflare) to point your wireguard clients to. All DuckDNS does is associate a domain name with your external IP. You could just use the IP directly but your ISP likely doesn’t assign you a static IP so it’ll change randomly, so you run a script that updates your IP with DuckDNS.

        • pafOP
          2 months ago

          I have the same ISP as my friend and it gives the option to keep a static IP, so it’s not a problem, but thanks for pointing it out
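
An added example, not part of the thread: a minimal WireGuard configuration pair for the setup discussed above, where only the VPN's UDP port is exposed and the client finds the home endpoint through a dynamic DNS name. It assumes WireGuard runs on the same machine as Home Assistant; the hostname `myhome.duckdns.org`, the 10.8.0.0/24 tunnel addresses, the port 51820 and the key placeholders are all constructed values.

```ini
# ---- Home side (the HA machine): /etc/wireguard/wg0.conf ----
# Constructed example. Only UDP 51820 is forwarded on the router;
# Home Assistant's own web port is NOT forwarded to the internet.
[Interface]
Address = 10.8.0.1/24
ListenPort = 51820
PrivateKey = <home-private-key>

[Peer]
# One [Peer] block per device. A device without the matching
# private key gets no reply from the port at all.
PublicKey = <phone-public-key>
# Accept only this tunnel address from this peer.
AllowedIPs = 10.8.0.2/32

# ---- Client side (phone or laptop): wg0.conf ----
[Interface]
Address = 10.8.0.2/32
PrivateKey = <phone-private-key>

[Peer]
PublicKey = <home-public-key>
# Dynamic DNS name (or the static IP, if the ISP provides one).
# The name is resolved when the tunnel is brought up, so after a
# home IP change the tunnel has to be restarted to pick it up.
Endpoint = myhome.duckdns.org:51820
# Route only the HA machine's tunnel address through the VPN,
# not all traffic and not the whole home LAN.
AllowedIPs = 10.8.0.1/32
# Keeps the NAT mapping open when the client is on mobile data.
PersistentKeepalive = 25
```

With the tunnel up, Home Assistant is reached at its tunnel address (10.8.0.1 here) on whatever port it listens on locally.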