Cloudflared questions

So, this isn't really HA related, but what better place to ask than a community of geeks and tinkerers that will probably provide the best answers haha.

I'm really trying to get my head around Cloudflare and what it offers. Mainly, what I'm after is a remote access VPN, which I currently have using OpenVPN Cloud and it works great (I'm also behind CGNAT), but it is very limited and hugely expensive for more than 3 connections, 1 of which is my pfSense as a client to the cloud.

My goal:

Create a remote access cloud-based VPN using Cloudflare to remotely access my entire internal subnet using the Cloudflare WARP application. This will be the entire subnet, 192.168.1.0/24 for example, allowing me to access all resources on the network.

I then also want to route all OUTBOUND traffic out through that same Cloudflare tunnel, for the security features that Cloudflare offers (TLS inspection etc.). Why not, right? It's free.
This means access to HA is easy: use the private IP of HA and access it just as if you were on the LAN. Also, you can deploy remote access policies for different users, but I will go down that path later.

My Setup:

I'm using pfSense for my router! Now, this seems to be a problem trying to get cloudflared to run in pfSense, or any other backward compatibility with other apps such as WireGuard etc. So if anyone has done this, please let me know. I have managed to fire up a Docker container with cloudflared (the one given when creating the tunnel) and connected it successfully; however, this doesn't exactly give me any control over routing or firewall rules in pfSense.

I also installed cloudflared on HA and got the tunnel up. One thing I noticed is the tunnel does not appear to have a private IP address assigned to it (what am I missing here?), so I'm not actually sure how to route traffic over it. I'm also not sure how I would route traffic out over the tunnel from pfSense (maybe a static route in the Docker container for 0.0.0.0/0, but again, then there is no control within pfSense).

I did notice I can enable Split Tunnelling and route subnets in the Cloudflare dashboard, but I still don't know how this works with the tunnels, as there is no private IP assigned to a tunnel that I can see.

I’ve been trying to get my head around this now for a few days, but seem to be going in circles and struggling to find any real definitive answers out there!

Any help much appreciated!


Let me make sure I understand - if not what you were trying to accomplish, at least it may help someone else.

You want to:

  • connect to your hass installation remotely through the Cloudflare tunnel (you said VPN, this is not… but I think it's the closest next thing!?)
  • you already installed the cloudflared addon and your tunnel is recognized in the cloudflare zero trust > networks

if that's the case (not a VPN but remote access):

  • in cloudflare zero trust, go to networks, tunnels, and then click on your tunnel
    then public hostname > add >
  • ** I use hass under a sub domain, such as hass.example.com so in that case:
    enter a subdomain “hass”
  • type: http > url: yourHassIp and port… example 192.168.1.x:8123…where x is your hass IP.

**skip this step if not using a subdomain… all of your traffic to example.com will go to the IP you specify.

to make it private to only your account, make sure to create a verification with the option from zero trust menu, under:

  • Applications > add an application
    (before this, you would need to create an authentication method ***…under:
    • settings, Authentication > login methods:
      I currently use my email, Google, and WARP… keep in mind that the Hass app does not like it and would not let you log in - or if it does, I don't know how to)

*** back to Applications:

  • Self-hosted
  • Application name: something like “hass”
  • Application domain (if left blank it will apply to all of the hostname… if you use the subdomain, then it would only apply to the subdomain… effective when using several subdomains and you want to protect some and not all)
  • Identity providers: here you will select the authentication methods selected before.
  • Warp authentication identity (currently beta): this one allows you to be authenticated with your warp connection… I have not tested if using it with warp in my phone allows access to the app…

(this is a quick overview and not a comprehensive installation, make sure to check and read about all of the other fields) if you need/want more help, let me know…I’ll be glad to help.

let me know, good luck.

PS: I was looking for something similar and stumbled into your post… figured I'd try to help… like I said, if not what you needed… no worries… hopefully someone else can use it.
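As an added example (not part of either post above, and not Cloudflare's or Home Assistant's own documentation), here is a locally managed cloudflared config.yml that covers both things discussed in this thread: the reply's public hostname pointing at Home Assistant, and the original question's goal of reaching the whole 192.168.1.0/24 subnet from the WARP client. The tunnel UUID, credentials path, hostname hass.example.com and the HA address 192.168.1.50 are assumed placeholders.

```yaml
# Added example config.yml for a locally managed cloudflared tunnel.
# Values marked PLACEHOLDER are assumptions, not taken from the thread.
tunnel: 00000000-0000-0000-0000-000000000000        # PLACEHOLDER: your tunnel UUID
credentials-file: /etc/cloudflared/tunnel.json     # PLACEHOLDER: path to the tunnel credentials

# This is what answers the "no private IP on the tunnel" question:
# the tunnel itself never gets an address. Enabling WARP routing lets
# the connector forward packets from WARP clients to whatever CIDRs
# you later route to this tunnel (see usage note below).
warp-routing:
  enabled: true

# Public hostname rules, equivalent to the dashboard's "Public Hostname" tab.
# Requests are matched top to bottom; the last rule must be a catch-all.
ingress:
  - hostname: hass.example.com                     # PLACEHOLDER subdomain, as in the reply
    service: http://192.168.1.50:8123              # PLACEHOLDER: HA's LAN IP and port
  - service: http_status:404                        # required catch-all for unmatched requests
```

Usage note: after starting the connector with this file, tell Cloudflare which subnet sits behind the tunnel with `cloudflared tunnel route ip add 192.168.1.0/24 <tunnel-name>` (on a dashboard-managed tunnel this is the "Private Network" tab instead). Two checks worth doing before assuming the routing is broken: the WARP client's default Split Tunnels exclude list contains the RFC 1918 ranges, including 192.168.0.0/16, so either remove that entry or switch to include mode and add 192.168.1.0/24; and confirm the machine running cloudflared (the Docker host or HA box) can itself reach the rest of the LAN, since it is the one forwarding the WARP traffic, not pfSense. Protecting hass.example.com with an Access application then works exactly as the reply describes; the private-network route is governed by Gateway network policies rather than by an Access application.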