Troubleshooting DuckDNS for Home Assistant Remote Access

Common Failure Points for DuckDNS Remote Access

When your remote access to Home Assistant via DuckDNS suddenly stops working, the issue usually lies in one of three areas: dynamic IP address updates, network configuration (port forwarding), or SSL certificate expiration.

DuckDNS relies on your Home Assistant add-on to periodically update your public IP address with the DuckDNS service. If this update fails, or if your router’s port forwarding rules are incorrect or have been reset, remote access will fail.

Step-by-Step Troubleshooting Checklist

Follow these steps sequentially to diagnose and resolve the most common DuckDNS issues.

1. Check DuckDNS IP Address

The first step is to ensure that the IP address recorded by DuckDNS matches your current public IP address.

1. Find your public IP: You can use an external service to check your current public IP. Run the following command from any device on your network:

   curl ifconfig.me
   

2. Verify on DuckDNS: Log in to the DuckDNS website and check the IP address listed next to your domain. If the IP addresses do not match, the DuckDNS add-on in Home Assistant is failing to update the record.

2. Review DuckDNS Add-on Logs

The logs for the DuckDNS add-on in Home Assistant provide crucial information about its operation, including successful updates and errors.

1. Navigate to Settings -> Add-ons.
2. Select the DuckDNS add-on.
3. Go to the Log tab.
4. Look for recent entries. A successful update will typically show an OK status. If you see errors, they will indicate why the update failed (e.g., authentication issues, network problems).

3. Verify Port Forwarding

DuckDNS and Let’s Encrypt typically require port 443 (HTTPS) to be forwarded from your router’s public IP to your Home Assistant device’s internal IP address (usually port 8123 or 443, depending on your configuration).

1. Access your router’s administration interface.
2. Navigate to the Port Forwarding or NAT settings.
3. Ensure there is a rule that forwards external traffic on port 443 (or 80 for certificate renewal, though 443 is standard for access) to the internal IP address of your Home Assistant device on the correct internal port (usually 8123 or 443 if you are using the Home Assistant reverse proxy setup).
4. Double-check that the internal IP address specified in the rule is correct and static for your Home Assistant device.

4. Check for CGNAT

Carrier-Grade NAT (CGNAT) is a network architecture used by some ISPs where multiple customers share a single public IP address. If you are behind CGNAT, port forwarding will not work because your router does not have a unique public IP address.

1. Access your router’s administration interface.
2. Look for the WAN IP Address or Internet IP Address.
3. Compare this address to the public IP address you found in Step 1 (using curl ifconfig.me).
4. If the WAN IP on your router is different from your public IP, or if it falls within the private IP ranges (e.g., 100.64.0.0/10), you are likely behind CGNAT and traditional port forwarding is impossible.

5. SSL Certificate Issues

The DuckDNS add-on uses Let’s Encrypt to generate SSL certificates, which expire every 90 days. While the add-on usually handles renewal automatically, sometimes it fails.

1. Check the DuckDNS add-on logs (Step 2) for certificate renewal errors.
2. If you suspect an expiration issue, you can force a renewal. In the DuckDNS add-on configuration, set the force_update option to true and restart the add-on. Remember to set it back to false after the renewal is successful.

Alternatives to DuckDNS

If you are unable to use port forwarding due to CGNAT, restrictive ISP policies, or security concerns, several secure tunneling solutions can provide remote access without opening ports on your router.

Cloudflare Tunnel

Cloudflare Tunnel (part of Cloudflare Zero Trust) is the primary recommendation for secure remote access without port forwarding.

It works by establishing an outbound-only connection from your Home Assistant instance to the Cloudflare network. This means you do not need to open any inbound ports on your router, significantly enhancing security. Cloudflare handles the public DNS resolution and secure connection termination.

Other Options

• Tailscale: A mesh VPN solution that uses WireGuard. It creates a secure network between your devices, allowing you to access Home Assistant remotely as if you were on your local network, without needing to manage firewall rules.
• ZeroTier: Similar to Tailscale, ZeroTier creates a virtualized network layer, allowing devices across different physical networks to communicate securely.