Cloudflare + Local direct connection failing because of wrong SNI (but only sometimes)

Hi All

I am currently having issues connecting internally to my homeassistant.

I want homeassistant to be reachable from both internet (via cloudflare for added protection) and locally directly via the same DNS name as I would use from the internet. Both on port 443 for ease of use.

This is done in 2 ways:

1. Internet:

  • My external URL is https://hass.mydomain.com
  • DNS is set up to redirect to the cloudflare tunnel
  • Cloudflare manages the certificate
  • Cloudflared is running as an add-on in Homeassistant.

2. Local

  • My internal URL is https://hass.mydomain.com
  • My local DNS (pihole) resolves this to the IP address of the NPM add-on (also on 192.168.1.70)
  • NPM is listening on port 443 (certificate via Let’s Encrypt on my domain), which allows for the same DNS internally & externally
  • This NPM forwards the request to 192.168.1.70 (IP of Homeassistant)

Settings in NPM (no other fields are configured)

image

Option 1 via cloudflare always works. It’s been running like this for over 2 years without any issues.

Option 2, however, recently decided to show issues. I think 30% of the time my requests end up with the following error in the browser:

image

When I go to inspect via the developer console, I can’t find much info; the page is not loading, but the certificate seems okay, except on the socket. Not sure what this means.

I looked at wireshark to see what’s happening, and then I found something that I think is causing the issue:


The SNI is pointing to Cloudflare-ech.com in some requests. (192.168.1.205 is my pc)
And my browser then wants to connect to that, but homeassistant (or NPM?) replies with “unrecognized name”, which I assume makes sense:

When it’s working, the SNI is always hass.mydomain.com:


But when it’s not working, the SNI is cloudflare-ech.com.

I thought maybe it’s a DNS issue, and my PC is getting the wrong DNS?
But no; all DNS requests correctly point to my internal IP 192.168.1.70
I don’t understand why my PC thinks it needs to connect to this SNI of cloudflare.

Also strange: my iPhone on the same network, with the same DNS, is not having any issues like this; it always works.

The frequency is also not easily reproducible; once connected, it seems to stay working, but when I open a new tab, from time to time it doesn’t work for more than a minute, and all other open tabs also fail their connection at the same time.
After retrying a few times (mostly after a few minutes) it works again.

I tried Brave, Chrome & Firefox, on my home pc, work laptop & server at home, all having the same behaviour.

Cloudflared configuration:

My current setup
Homeassistant OS 2024.10.3 (OS:13.2)
Cloudflared addon: 5.2.0
NPM addon: 1.0.1

EDIT: added more information + corrected spelling