HA container's root webserver not accessible over vpn while HA container's web api and other containers on the same device are accessible. #117656

Closed
pop-vapor opened this issue May 17, 2024 · 3 comments

pop-vapor commented May 17, 2024

The problem

I’m running containerized HA via docker-compose on a Raspberry Pi 4 8GB.

My HA instance is at http://192.168.0.5:8123/. I can access that from the local net, but not the VPN.
My Node-Red instance is accessible at http://192.168.0.5:1880/ from the local net and the VPN
My Hass-configurator instance is available at http://192.168.0.5:3218/, I can also access this from both the local net and vpn

I noticed that it seemed like the webpage was loading forever so I curled it, and that was successful as well. Let me know if any of you would like to see curl output

I only have one error in my error log, but I’ve been getting that error since I installed HA and long before I attempted connecting via VPN:

Logger: aiohttp.server
Source: /usr/local/lib/python3.12/site-packages/aiohttp/web_protocol.py:421
First occurred: 4:22:38 AM (92 occurrences)
Last logged: 4:30:14 AM 
Error handling request
Traceback (most recent call last):
  File "/usr/local/lib/python3.12/site-packages/aiohttp/web_protocol.py", line 350, in data_received
    messages, upgraded, tail = self._request_parser.feed_data(data)
                               ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "aiohttp/_http_parser.pyx", line 557, in aiohttp._http_parser.HttpParser.feed_data
aiohttp.http_exceptions.BadStatusLine: 400, message:
  Invalid method encountered:

    b'\x16\x03\x01\x01T\x01'

Since I can navigate to the node-red and hass-configurator pages, I have to assume the issue lies directly with Home Assistant. I haven’t edited my configuration.yaml in any way to support using the VPN (i.e. allowing connection from the vpn’s lan), am I missing something?

Edit: Additional Note
I realized that the issue is with the reply from the HA webserver because of this:

I connected my phone to wi-fi and disabled the vpn, then logged into HA. On my dashboard there is a button card that controls a light in my room.

I disabled wifi and connected the vpn

I pressed the button to toggle the light, and the light toggles! The state of the button as shown by the page doesn’t change though. If I refresh the page, it times out. This leads me to believe that requests are getting sent to and processed by HA, HA just can't reply.

How can I troubleshoot the reason why the HA webserver isn’t replying to IPs on the VPN LAN?

Edit 2: I've also created a forum post and asked extensively in the Discord about this. No one knows what the problem is, and since it's only occurring with the HA webserver I assume it's an HA bug.

What version of Home Assistant Core has the issue?

2024.5.3

What was the last working version of Home Assistant Core?

No response

What type of installation are you running?

Home Assistant Container

Integration causing the issue

http

Link to integration documentation on our website

https://www.home-assistant.io/integrations/http/

Diagnostics information

No response

Example YAML snippet

I made no changes to my configuration.yaml to support using the vpn. This is what my configuration.yaml looks like:

default_config:

scene: !include scenes.yaml

http:
    trusted_proxies:
        - 10.8.0.0/24
    use_x_forwarded_for: true

sensor:
  - platform: feedparser
    name: New York Times
    feed_url: 'https://rss.nytimes.com/services/xml/rss/nyt/NYRegion.xml'
    date_format: '%a, %b %d %I:%M %p'
    inclusions:
      - title
      - summary
      - link
      - media_content
    scan_interval:
      hours: 1
  - platform: feedparser
    name: Scientific American
    feed_url: 'http://rss.sciam.com/ScientificAmerican-Global?format=xml'
    date_format: '%a, %b %d %I:%M %p'
    inclusions:
      - title
      - summary
      - link
      - image
    scan_interval:
      hours: 1

assist_pipeline:
  debug_recording_dir: /config/www/assist_pipeline/

script: !include scripts.yaml


Anything in the logs that might be useful for us?

No response

Additional information

No response
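The rejected bytes in the `aiohttp.server` traceback above can be decoded offline. This added example (not part of the original issue or of Home Assistant's code) reads them as a TLS record header: they are the start of a TLS ClientHello, meaning some client is speaking HTTPS to the plain-HTTP port 8123. The function and constant names are illustrative.

```python
import struct

# TLS record content types and the handshake types of interest (RFC 8446).
CONTENT_TYPES = {20: "change_cipher_spec", 21: "alert",
                 22: "handshake", 23: "application_data"}
HANDSHAKE_TYPES = {1: "client_hello", 2: "server_hello"}
HTTP_METHODS = (b"GET ", b"POST ", b"PUT ", b"DELETE ", b"HEAD ",
                b"OPTIONS ", b"PATCH ", b"CONNECT ")

# Bytes copied from the "Invalid method encountered" message in the log.
LOGGED_BYTES = b"\x16\x03\x01\x01T\x01"


def classify_first_bytes(data):
    """Classify the first bytes a client sent to an HTTP listener."""
    if data.startswith(HTTP_METHODS):
        return {"kind": "http"}
    if len(data) >= 5:
        # Record header: type (1), version major/minor (2), length (2).
        ctype, major, minor, length = struct.unpack("!BBBH", data[:5])
        if ctype in CONTENT_TYPES and major == 3 and minor <= 4:
            result = {
                "kind": "tls",
                "record": CONTENT_TYPES[ctype],
                "record_version": (major, minor),
                "record_length": length,
            }
            # The first byte of a handshake record body is the message type.
            if ctype == 22 and len(data) >= 6:
                result["handshake"] = HANDSHAKE_TYPES.get(data[5], "other")
            return result
    return {"kind": "unknown"}


if __name__ == "__main__":
    print(classify_first_bytes(LOGGED_BYTES))
```

A `client_hello` result here points at a client or bookmark using `https://` against a listener configured for HTTP only, which is independent of whether the connection arrives over the VPN.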
@home-assistant

Hey there @home-assistant/core, mind taking a look at this issue as it has been labeled with an integration (http) you are listed as a code owner for? Thanks!

Code owner commands

Code owners of http can trigger bot actions by commenting:

  • @home-assistant close Closes the issue.
  • @home-assistant rename Awesome new title Renames the issue.
  • @home-assistant reopen Reopen the issue.
  • @home-assistant unassign http Removes the current integration label and assignees on the issue, add the integration domain after the command.
  • @home-assistant add-label needs-more-information Add a label (needs-more-information, problem in dependency, problem in custom component) to the issue.
  • @home-assistant remove-label needs-more-information Remove a label (needs-more-information, problem in dependency, problem in custom component) on the issue.

(message by CodeOwnersMention)


http documentation
http source
(message by IssueLinks)

@pop-vapor
Author

pop-vapor commented May 17, 2024

Additional note:
I am able to create/get the state from a binary http sensor via curl on termux over the vpn. I used the following commands:

Create sensor:

curl -X POST -H "Authorization: Bearer LONG_LIVED_ACCESS_TOKEN" \
    -H "Content-Type: application/json" \
    -d '{"state": "off", "attributes": {"friendly_name": "Radio"}}' \
    http://192.168.0.5:8123/api/states/binary_sensor.test

Get sensor state:

curl -X GET -H "Authorization: Bearer LONG_LIVED_ACCESS_TOKEN" \
    -H "Content-Type: application/json" \
    http://192.168.0.5:8123/api/states/binary_sensor.test

The sensor is being created with the POST, and the GET request for the sensor state is responded to properly over the vpn.

So HA is replying to curl requests over the vpn -- why isn't it replying to the HA app or standard web browsing over the vpn?

Edit: Additional api request testing

I've confirmed I can access the API over both the local net and vpn via the following jquery in Kiwi Browser dev console, with a successful reply showing sensor state:

fetch('http://192.168.0.5:8123/api/states/binary_sensor.test', {
  method: 'GET',
  headers: {
    'Content-type': 'application/json',
    'Authorization': 'Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc3MiOiJkODMwMWVlYjBiYjg0MjkxOTQwNTlhZjFiZjliNTMxOSIsImlhdCI6MTcxNjAwNDc3MCwiZXhwIjoyMDMxMzY0NzcwfQ.vIkphM_9lrVPYaz8QjLqVelGvmF7OHo7-5y4HM9Xkbg',
    'Origin': '10.8.0.6'
  }
})
.then(res => res.json())
.then(console.log)

On the same browser (kiwi-browser), I am unable to navigate to the root home assistant webpage (http://192.168.0.5:8123/) while on the VPN, it times out after loading forever. Looking at the dev console, I can see that only the initial page load request is sent, and nothing is sent back.

Why can I access the api everywhere, but the root webserver only on the local net?

pop-vapor changed the title from "Home assistant container not replying over VPN while other containers on the same host do." to "HA container's root webserver not accessible over vpn, HA container's web api and other containers on the same device are accessible." on May 18, 2024

pop-vapor changed the title from "HA container's root webserver not accessible over vpn, HA container's web api and other containers on the same device are accessible." to "HA container's root webserver not accessible over vpn while HA container's web api and other containers on the same device are accessible." on May 18, 2024
@pop-vapor
Author

Issue was high mtu -- fixed by putting mss-fix max in my client config (openvpn)
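The pattern in this thread (small API replies arrive, the large front-end page hangs) is what an oversized MTU on a tunnel looks like. This added example, which is not from the issue author or the Home Assistant project, measures the largest packet that crosses the path unfragmented by binary-searching ICMP payload sizes with Don't Fragment set. It assumes Linux iputils `ping` and IPv4; the helper names are illustrative.

```python
import subprocess

IP_ICMP_OVERHEAD = 28  # 20-byte IPv4 header + 8-byte ICMP echo header
IP_TCP_OVERHEAD = 40   # 20-byte IPv4 header + 20-byte TCP header, no options


def ping_df(host, payload):
    """Send one ICMP echo with Don't Fragment set (Linux iputils ping)."""
    cmd = ["ping", "-M", "do", "-c", "1", "-W", "1", "-s", str(payload), host]
    return subprocess.run(cmd, capture_output=True).returncode == 0


def largest_unfragmented_payload(probe, low=0, high=1472):
    """Binary-search the biggest payload for which probe(payload) succeeds.

    Returns None when even the smallest probe fails (host unreachable or
    ICMP filtered), because then nothing can be concluded about the MTU.
    """
    if not probe(low):
        return None
    while low < high:
        mid = (low + high + 1) // 2
        if probe(mid):
            low = mid
        else:
            high = mid - 1
    return low


def path_report(probe):
    """Translate the largest working payload into path MTU and TCP MSS."""
    payload = largest_unfragmented_payload(probe)
    if payload is None:
        return None
    mtu = payload + IP_ICMP_OVERHEAD
    return {"path_mtu": mtu, "max_tcp_mss": mtu - IP_TCP_OVERHEAD}


if __name__ == "__main__":
    # Address taken from the issue; run this from the VPN client.
    print(path_report(lambda size: ping_df("192.168.0.5", size)))
```

Run it once on the LAN and once over the VPN: a smaller `path_mtu` over the VPN is consistent with the cause reported in the closing comment, and `max_tcp_mss` is the ceiling an MSS clamp in the VPN client config needs to stay under.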
