This is a bit over my head - just wondering, is the certificate essentially like certificate authentication? Meaning if the client doesn’t have a certificate, they don’t even see the login page or anything beyond CF’s infrastructure??
Really liking this idea for my own iOS Companion App + Cloudflare Tunnel situation when the iOS companion app doesn’t work correctly with Cloudflare Access in place.
How are you “SSH’ing” into your desktop from the iOS shortcut? Are you using Cloudflare Tunnel SSH support? I haven’t been able to get Cloudflare Tunnel SSH working yet but it’s on my list. Are you leaving that SSH’ability “wide open” or do you have some kind of Access rules protecting it?
Using Tailscale only for that part. You might ask, why not just use Tailscale to access HASS and get it over with? I find that keeping VPNs on my phone, even with on-demand settings, messes with internet connectivity, especially if cell reception drops. Here is the simplified sequence of the iOS shortcut:
1- Get current IP
2- Connect Tailscale
3- Run the script over SSH. I have a script on the Debian VM and I just call it with the IP as a variable, e.g. “./cf_access.sh 172.125.25.25”
4- Disconnect Tailscale
The script in step 3 uses the CF API to modify an Access group, replacing the previously used IP with the one I provide.
Thank you for the update and details.
I am implementing something similar but instead of using Tailscale I am using Cloudflare’s WARP client for “VPN-like” connectivity (don’t call it a VPN in front of Cloudflare SE’s however).
Figured if I am already using Cloudflare Tunnels + Cloudflare Access, why not layer on the WARP client as well. Its use is still free as part of the free ZeroTrust account.
Took about 45 minutes of reading and playing around to get it working with pre-existing Cloudflare Tunnels and an IdP already in place.
Followed this guide here
Concepts · Replace your VPN · Learning paths (cloudflare.com)
Frankly, with how easy the WARP client is to use (no username/password required after a device token is issued), I might end up not even using the “scripting against the Cloudflare Access API to add my public IP when remote” paradigm and just enable the WARP client on mobile when I need to access Home Assistant.
I actually used the WARP client for a while and it was honestly very convenient. I switched to this method because we wanted to have my and other house members’ location tracked via the HA Companion app. To do that via the WARP method, you would need the client installed and running all the time.
With the method I’m using, I whitelist a few IPs and it covers most scenarios (cellular carrier and friends’ Wi-Fi public IPs).
Now the REAL reason I did all this is probably me never being content with my setup and always finding reasons to tinker.
Haven’t experimented with HA Companion app tracking me/family yet. Given your goal, I see the appeal to no-WARP, no-VPN while at most of your usual physical locations. Saves battery life, saves data, saves dealing with nuances of always-on WARP/VPN on your phone.
I’m having issues adding a bypass WAF rule.
I’m on a free plan so the WAF tab is only usable under the domain, not the account. I can see the rule getting applied but an email is still required (maybe it’s the policy I’ve set in Zero Trust).
Great tutorial. I was able to follow until the WAF rules and certificates part for Android. I believe Cloudflare’s dashboard has changed since and I am not able to add rules. Any tip?
Also not working for me. I followed the steps, but it seems like client certificates are not working. I created a pem certificate and used openssl to output the combined certificate and key as a p12 file.
I installed the p12 certificate to my windows machine and android phone. I have setup only two WAF rules. 1) skip rule for client certificate and 2) a block rule for country equals and not equals same as the last rule from this guide.
I don’t see that the client certificate is triggered, and with the country rule activated I cannot access the hostname anymore. I tried using the client certificate in a block rule, but clients can pass this rule. So something is wrong with the certificate handling.
Would appreciate if you could share more detail on the certificate section. It also took me some time to create the p12 file as a newbie.
Thanks!
Perhaps it’s time for me to update the tut?
I’m not using the ZeroTrust component as of now (December 2024). I can’t recall why I changed.
I will review my original post and follow up.
I will review the original instructions and provide a follow up.
I know how frustrating it is to find a great tutorial for something X, only to go through the steps and find that something Y has completely changed.
Cloudflare is constantly changing and moving things organizationally. It can be daunting if you’re starting fresh.
It may be a day or two, but I will get back with an update.
Thanks Lewis for your time and dedication on this! Much appreciated.
Thanks for this @Lewis. I imagine updating a guide for a solution you don’t use yourself anymore may not be urgent for you. It’s understandable.
You mentioned that you don’t use it anymore. May I ask what do you use? I just know the VPN alternative but I find it difficult to implement and maintain on other people’s phone and the added battery consumption drawback as well.
BIG CORRECTION: I do use Zero Trust, but not the App side of it all. Sorry for that slip. Zero Trust is where the tunnels are configured.
I have just now re-read my instructions, and all the comments and other responses…
When I’m logged in to my Dash on Cloudflare, and have selected the appropriate domain, the WAF rules are still in the same place in the menu tree today, as they were when I wrote the original post. This part has not appeared to change.
Perhaps the only difference now is that when clicking in the sidebar into the Security drop-down, then selecting WAF, the main page opens to “managed rules” with an “Upgrade to Pro” button.
Be sure to select the “Custom Rules” menu on the left end of the menu bar.
My WAF rules are exhausted. However, you should also have the “free” tier limit of five available rules.
Just to be sure, are you able to access this page?
On which OS are you using a terminal to create the certificate(s)?
The one I do NOT use is Windows… I mostly use macOS, or Debian/Ubuntu. I don’t know how much this makes a difference or complicates the procedure. Windows may not have the appropriate packages in PowerShell. And I wouldn’t be the best to answer any questions about it, because I never use it.
However, there is a comment somewhere up this thread where another person asked about the terminal process, and I printed out my bash_history for reference.
Perhaps have a look at that and try to follow through the steps I took.
Certificates, writing, combining, converting from type to type is sometimes quite convoluted especially when coming to it all as you’re learning about them and teaching yourself.
I’ve not tried it for this specific instance, but you could also try copying your command structure into ChatGPT and asking it to check your command structure and syntax.
I’ve been using ChatGPT frequently for other Home Assistant “projects” I’ve tasked myself with, especially in yaml and JavaScript. It’s not always accurate and sometimes returns incorrect code, but if you believe the answer is wrong, challenge the Bot and it will fess up to the error and provide an alternative.
Other than that, I can’t really say much more; the guide to certificate generation I referenced above is still valid and (at least for me) easily followed.
Many thanks for those screenshots. They put me on track and I was able to finish the setup. The missing step for me was that I was searching for SSL/TLS in the main Cloudflare dashboard and I had to select the domain I wanted to work with. So I was going back and forth between the main dashboard and Zero Trust dashboard looking for it.
Summing it up:
I had the addon installed with Local Tunnel setup on ha.mydomain.com
In zero trust I created a selfhosted application with email OTP for ha.domain.com
This way you will only get 24h access or so.
So, in the addon, add an additional host similar to that:
- hostname: app-ha.mydomain.com
  service: http://192.168.0.2:8123
Where service is your internal url for HA
Then follow this guide using app-ha.mydomain.com
When creating the certificate, copy-paste the output into Notepad (for example) and save it as cf.pem and cf.key respectively. If you used those filenames, then on Linux, Mac or WSL for Windows, in the directory where you saved them, use:
openssl pkcs12 -export -out cf.pfx -inkey cf.key -in cf.pem
Give it a password, or for some reason you won’t be able to install it later.
Bring that cf.pfx to your phone and install it. Go to Settings, search for certificate
> install cert from storage
> VPN ...
Add https://app-ha.mydomain.com as an external URL in the companion app. Enjoy.
I apologize if some of this overlaps what you already explained (in a more concise and understandable way), but I wanted to summarize my process in case it helps somebody else.
For reference, I got some info from here: Home Assistant App through Cloudflare Tunnel with Auth (Android)
Good to read that you’ve got over some of the hurdles of confusion!
When I previously (and incorrectly) stated I didn’t use ZeroTrust anymore, what I actually meant was, I don’t use the self-hosted application anymore.
The reason for this was that the Companion App and VaultWarden wouldn’t always be able to connect through the Cloudflare ZeroTrust Application.
When I removed the Application route, consistency was returned.
A visual guide to understanding traffic sequence / flow through Cloudflare is displayed in the WAF Custom Rules setup page, on the far right side.
There is even a method to simulate flow (for troubleshooting).
Perhaps this will give you a better comprehension of how Cloudflare works.
It’s after all of those steps that the request, if not dropped, enters Zero Trust.
Now, if the WAF rules have only allowed clients with your certificate, and dropped everything else, then perhaps the added condition of the Zero Trust Application with IdP is not strictly necessary. At least, that’s the logic I’m using.
And since this time, only my own devices are able to pass through to my Cloudflare Tunnel and into my HA.
It all works so well, I’ve mostly put it out of mind because I don’t need to worry about it at all.
There is only one function that does not work, and that is editing or saving passwords in VaultWarden. Mostly because I haven’t taken the time to sleuth out what url structure is being used when VaultWarden is attempting to save an entry. But if I connect to VPN (through Unifi), the save works without issue.
Thanks mate, this is the page I have
There’s a country and UA rule I put in place as a bypass for iOS, and it is getting hit as per the logs, but it still loads Zero Trust.
Thank you for your explanation. I think I’m getting the hang of it.
Last question if you don’t mind. You mention that you don’t use Zero Trust anymore. Does that mean you only use certificate access? What if you want to access externally through a browser? In that case you would normally use an identifier such as OTP through email. Right?