Having been annoyed by Nabu Casa and them being unable to give me a multiple house account I started investigating Argo by Cloudflare and wrote up a quick and dirty addon which seems to be working well.
Does anyone else use Argo and are there any security issues from running a pretty vanilla HA instance with it?
I can see there was a little buzz around 2018 when it launched, but nothing since then.
It's pretty cool that both Nabu Casa and Argo don't require any port forwarding, and my stupid LTE dynamic IP is taken out of the equation by using it.
I guess you mean argo tunnel. That's a different story to argo. There is no bigger security issue with argo tunnel than exposing hass to the world. If you use cloudflare access on top, it should be pretty safe. Because without the 2nd factor authentication, traffic will never hit your local installation.
My favorite solution is nginx client certificates with a very small vps that forwards traffic to my local hass. But I am lucky having static ips so no need to worry about ddns.
Edit: last argo tunnel release was 19 days ago, so it's still pretty active
I use Cloudflare Argo Tunnel with Cloudflare Access for all of my exposed services. It works great and I have no open ports. Yes, you can use a VPS, and others will push on that, but if you can spare buying a coffee a month, you get a no hassle solution.
To make it easier, if you're using Docker, use the Hera container.
was probably much easier on NUC than hassio based Raspberry PI.
I cloned the repo to:
Made the changes required to get it to compile on ARM and then added in a config.json / build.json to allow it to build for Hassio.
I was then playing around to see if I could get a config to work, thinking that the labels were applied to the hera container! Oops!
When I tried to build the repo directly in portainer it wouldn't work, however building in Hassio worked, so I just built it and in portainer duplicated hera into another project. It then needed to be edited to use the "host" network which homeassistant uses.
I then had to run portainer in "leave_front_door_open": "true" mode to be able to edit the homeassistant container (Yes I know we shouldn't).
And also made a slight tweak to the configuration it suggests. Within the homeassistant container I put the .pem key into SSL and then mounted /mnt/data/supervisor/ssl to /certs and also /var/run/docker.sock mounted to /var/run/docker.sock
I'd love to be able to build a module to make this easy, but from what I can see you cannot apply labels onto docker containers via a HASSIO addon.
My ISP recently switched to CG NAT, and I lost my ability to route the traffic to my homeassistant server.
This addon saved me a lot of hassle and time. Great job @latic!
I've noticed an issue which can happen when rebooting it, so at some point I'll get less lazy and do some development on it. Another user on github has also made vast improvements to how much space this will use (by using the right image) and really made it much less hacky, I've asked to merge in their changes.
Hi! Your add on works great, thanks. Is there a way to reduce the cpu usage of it? I'm running it on a raspberry pi4 and it's using 30% of the cpu, which I thought was a bit excessive
Never saw this. It was actually really bad coding causing this (I'm not sure if you submitted the github issue, but I got it solved).
I had 2 other tunnels running and when they weren't used the services weren't disabled, which meant they continued to load and die (hence CPU).
Just converted the app over to the new "Named" tunnel and ensured nothing like this happens now. It means using one version of the tunnel you can export out multiple names etc.
Many thanks for the argo tunnel add-on. I use it extensively. Having a bit of a hard time with the upgrade, and while trying to troubleshoot ran into a bug. I submitted it on github in case you don't see it.
Question:
Am I seeing correctly that the tunnel created will always be named "homeassistant"?
Do you have plans to tie the configuration values to this tunnel name in the near future?
Reason I'm asking is because I use a single domain with to tie multiple HA installations together. Example:
Previously this worked fine with the same cert.pem at each location because the tunnels could be named differently. I think with the upgrade this will only work with a different cert at each location because a single cert couldn't do multiple tunnels named "homeassistant". No big deal if that's the case, just wanted to see if this was in the cards near term.
On further investigation it seems like tunnel names are global to an entire cloudflare account and not just per domain. No matter how many domains you own you can only have one tunnel called "homeassistant" from what I can tell.
A configuration value that allows the setting of the tunnel name would fix my problem.
I'll probably fork the repo and add the config value. I'll send a pull request if you have any interest in adding to the main repo.
Try deleting your cf-argo directory and starting it again. There's code in there that creates the tunnel, but it only runs once when the add-on is initialized. If something went wrong during the initial startup it will never work. I put some detailed setup notes here: