CloudFlare Argo

Third party integrations
#1

Having been annoyed by Nabu Casa and them being unable to give me a multiple house account I started investigating Argo by Cloudflare and wrote up a quick and dirty addon which seems to be working well.

Does anyone else use Argo and are there any security issues from running a pretty vanilla HA instance with it?

I can see there was a little buzz around 2018 when it launched, but nothing since then.

Its pretty cool that both Nabu casa and Argo dont require any port forwarding, and my stupid LTE dynamic IP is taking out of the equation by using it.

#2

I guess you mean argo tunnel. Thatā€™s a different story to argo. There is no bigger security issue with argo tunnel than exposing hass to the world. If you use cloudflare access on top, it should be pretty safe. Because without the 2nd factor authentication, traffic will never hit your local installation.

My favorite solution is nginx client certificates with a very small vps that forwards traffic to my local hass. But I am lucky having static ips so no need to worry about ddns.

Edit: last argo tunnel release was 19 days ago, so itā€™s still pretty active

#3

I use Cloudflare Argo Tunnel with Cloudflare Access for all of my exposed services. It works great and I have no open ports. Yes, you can use a VPS, and others will push on that, but if you can spare buying a coffee a month, you get a no hassle solution.

To make it easier, if youā€™re using Docker, use the Hera container.

#4

I did a hacky build which works on HASS.io:

Looks like building a HERA Hass.io module might be a better way to go.

#5

@gregg098 have been looking at Hera and possibly writing it into Hassio (even if its hacky to start).

Do you run this on Raspberry / ARM?

#6

No, I run it on a NUC.

1 Like
#7

was probably much easier on NUC than hassio based Raspberry PI.

I cloned the repo to:

Made the changes required to get it to compile on ARM and then added in a config.json / build.json to allow it to build for Hassio.

I was then playing around to see if i could get a config to work, thinking that the labels were applied to the hera container! Oops!

When i tried to build the repo directly in portainer it wouldnā€™t work, however building in Hassio worked, so i just built it and in portainer duplicated hera into another project. It then needed to be edited to use the ā€œhostā€ network which homeassistant uses.

I then had to run portainer in ā€œleave_front_door_openā€: ā€œtrueā€ mode to be able to edit the homeassistant container (Yes i know we shouldnt).

And also made a slight tweak to the configuration is suggests. Within the homeassistant container I put the .pem key into SSL and then mounted /mnt/data/supervisor/ssl to /certs and also /var/run/docker.sock mounted to /var/run/docker.sock

Iā€™d love to be able to build a module to make this easy, but from what I can see you cannot apply labels onto docker containers via a HASSIO addon.

#8

Also because you are doing things manually when you update you have to re-add the labels.

#9

Looks like for HASSOS Hera isnt really great unless its rewritten quite a bit.

I updated my addon to allow hostname2 and hostname3 (if they are present it runs other tunnels, if they arent it doesnt bring them up).

Hopefully at some point in the future iā€™ll have time to make it work in a much more pretty way!

#10

My ISP recently switched to CG NAT, and I lost my ability to route the traffic to my homeassistant server.
This addon saved me a lot of hassle and time. Great job @latic!

#11

I stopped using Argo awhile back since I started using using Nabu Casa, but before I did, I was using this Docker container.

It added some flexibility for me that I couldnā€™t get to work with Hera. Just throwing it out there as another option.

#12

Happy it helped!

Iā€™ve noticed an issue which can happen when rebooting it, so at some point iā€™ll get less lazy and do some development on it. Another user on github has also made vast improvements to how much space this will use (by using the right image) and really made it much less hacky, iā€™ve asked to merge in their changes.

#13

Converted the App over to Alpine so install is much quicker and it runs much lighter.

#14

Hi! Your add on works great, thanks. Is there a way to reduce the cpu usage of it? Iā€™m running it on a raspberry pi4 and itā€™s using 30%of the cpu, which I thought was a bit excessive

#15

Never saw this. It was actually really bad coding causing this (Iā€™m not sure if you submitted the github issue, but I got it solved).

I had 2 other tunnels running and when they werenā€™t used the services werent disabled, which meant they continued to load and die (hence CPU).

Just converted the app over to the new ā€œNamedā€ tunnel and ensured nothing like this happens now. It means using one version of the tunnel you can export out multiple names etc.

#16

@latic

Many thanks for the argo tunnel add-on. I use it extensively. Having a bit of a hard time with the upgrade, and while trying to troubleshoot ran into a bug. I submitted it on github in case you donā€™t see it.

Question:
Am I seeing correctly that the tunnel created will always be named ā€˜homeassistantā€™?
Do you have plans to tie the configuration values to this tunnel name in the near future?
Reason Iā€™m asking is because I use a single domain with to tie multiple HA installations together. Example:

ha1.domain.com
ha2.domain.com

Previously this worked fine with the same cert.pem at each location because the tunnels could be named differently. I think with the upgrade this will only work with a different cert at each location because a single cert couldnā€™t do multiple tunnels named ā€œhomeassistantā€. No big deal if thatā€™s the case, just wanted to see if this was in the cards near term.

#17

On further investigation it seems like tunnel names are global to an entire cloudflare account and not just per domain. No matter how many domains you own you can only have one tunnel called ā€œhomeassistantā€ from what I can tell.
A configuration value that allows the setting of the tunnel name would fix my problem.
Iā€™ll probably fork the repo and add the config value. Iā€™ll send a pull request if you have any interest in adding to the main repo.

#18

@latic thanks for the Addon, Iā€™m in a CGNAT and with this I have remote access to my HA.
Anyone have this working with Alexa??

#19

What should i write in tunnel_name , hostname , services?

my config-

certificate: /config/cert/argo.pem
tunnel_name: homeassistant 
hostname: home.example.com 
service: http://192.168.1.100:8123
hostname2: 'null'
service2: 'null'
hostname3: 'null'
service3: 'null'
addconfig: 'null'

i am getting error

[14:52:55] INFO: Starting CloudFlare Argo
error parsing tunnel ID: homeassistant is neither the ID nor the name of any of your tunnels

it runs perfectly if i do via cmd
cloudflared tunnel --hostname home.example.com --url http://192.168.1.100:8123

#20

Try deleting your cf-argo directory and starting it again. Thereā€™s code in there that creates the tunnel, but it only runs once when the add-on is initialized. If something went wrong during the initial startup it will never work. I put some detailed setup notes here: