Connect a Google Home to Home Assistant behind a Cloudflare Tunnel

I have a technical question on the integration of a Google Home with Home Assistant.

Until now, I was able to display a dashboard on my Google Home but I have just secured my network by switching from a reverse proxy on Synology to a more secure Cloudflare tunnel.

Only problem, when I want to connect the Google Home dashboard, I find myself with an error: I arrive at the display with the HA logo, a heart and NABU CASA and below: Not Connected Error: Unable to connect to the Home Assistant websocket API.

I also tried via https://cast.home-assistant.io/: I enter my URL, I log in, and it tells me Unknown error (SyntaxError: Unexpected token ‘<’, "<!DOCTYPE ". … is not valid JSON).

I followed this tutorial https://www.reddit.com/r/homeassistant/comments/v0xea8/comment/iakgsgq/?utm_source=share&utm_medium=web2x&context=3&rdt=39407 to add a WAF rule for Google IPs, but without any change. I also deleted temporary rules limiting the countries that can access my apps in the tunnel.

Also added in configuration.yaml:

  base_url: https://myhassio.mydomain.com
  cors_allowed_origins:
  - https://myhassio.mydomain.com
  - http://192.168.1.222:8123
  - http://300.400.500.1
  - http://300.400.500.1:8123
  - https://cast.home-assistant.io

not working either

Do you have any idea how to get out of this? THANKS !

I know this is a very old thread, but I’m facing the same issue here in 2024. Did anyone find a solution for this?

Try excluding the websocket in a WAF block rule. This made my cast to dashboard work again.

(http.host eq "ha.domain.com" and not cf.tls_client_auth.cert_verified and http.request.uri.path eq "/api/websocket/")

For troubleshooting, check out Cloudflare site/security/event

But that means you need a bypass rule in Cloudflare Access, correct? Unless you are not using it to secure the access to your HA instance.
Can you tell me what’s your current setup? I have a bypass for “Google Assistant IPs” (technically, I used the CIDRs from HOWTO: Secure Cloudflare Tunnels remote access).
I wonder if I need extra IPs in the bypass rule (Google Home servers?), otherwise I think the traffic won’t even hit the WAF rule and be dropped due to authentication anyways…

Thanks!

Hi,

I’ve just got cast working to a Google Nest Hub (2nd gen) after a lot of faffing…

I’m using the Cloudflared add-on which works perfectly. I was getting authentication fail and unable to connect errors when starting the cast. For me, adding a bypass rule for traffic hitting Cloudflare from my external IP did the trick.

In Cloudflare console → ZeroTrust → Access → Access Group, add a new group with the Selector set to IP Address/Range and a value of whatever your external IP address is.

Back in the ZeroTrust Home Assistant application, under Policies tab, Add New…
Call it ‘bypass for internal traffic’ or whatever, ‘Action’ set to BYPASS and add in the new Access Group created above.

This should allow traffic originating from your own external IP to completely bypass Cloudflare auth while still enforcing it for all other traffic.

Worked for me, with the added plus of also fixing the long standing problem I had getting my Galaxy Watch working with HA too.

:smile:

Hello Kitkat :slight_smile:
When you refer to “your external IP”, you mean my public IP?
If yes, do you know how I can make this input “dynamic”?

Also, do you mind clarifying the Policies Tab you are referring to specifically?

Sorry, I’m a noob… :crazy_face:

Hi yeah, your public address. There’s probably a way to update it using a Cloudflare API, but I’ve not looked into it.

For me though, I find it almost never changes - it seems to persist through router reboots, but of course that doesn’t mean it won’t change.
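
On the question above about making the bypass address "dynamic", here is one possible approach as an added example (it is not code from any poster in this thread): decide whether the Access group needs rewriting for the current public IP, and drop the old address so it stops bypassing authentication once the ISP reassigns it. Assumptions: the group name and addresses are constructed, the rule shape `{"ip": {"ip": ...}}` and the PUT path in the docstring follow Cloudflare's v4 Access groups API and should be checked against its documentation, and looking up the current IP and sending the request are left out.

```python
import ipaddress

# Ranges that must never end up in a bypass rule: LAN, CGNAT, loopback, link-local.
NOT_PUBLIC = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "100.64.0.0/10", "127.0.0.0/8", "169.254.0.0/16")]


def bypass_cidr(public_ip):
    """Return the single-host CIDR for the bypass group, or raise ValueError."""
    ip = ipaddress.IPv4Address(public_ip.strip())  # raises on malformed input
    if any(ip in net for net in NOT_PUBLIC):
        raise ValueError(f"{ip} is not a public address")
    return f"{ip}/32"


def plan_group_update(group, public_ip):
    """Compare an Access group with the current public IP.

    Returns None when the group already holds exactly that address, otherwise
    the JSON body for PUT /accounts/<account_id>/access/groups/<group_id>.
    Every old IP rule is dropped so a released address stops bypassing auth.
    """
    wanted = bypass_cidr(public_ip)
    include = group.get("include", [])
    current = [rule["ip"]["ip"] for rule in include if "ip" in rule]
    if current == [wanted]:
        return None
    kept = [rule for rule in include if "ip" not in rule]
    return {"name": group["name"], "include": kept + [{"ip": {"ip": wanted}}]}


# Constructed sample: the group as the API would return it, holding one address.
SAMPLE_GROUP = {
    "id": "GROUP_ID_PLACEHOLDER",
    "name": "home-public-ip",
    "include": [{"ip": {"ip": "203.0.113.7/32"}}],
}

if __name__ == "__main__":
    print(plan_group_update(SAMPLE_GROUP, "203.0.113.7"))    # already in sync
    print(plan_group_update(SAMPLE_GROUP, "198.51.100.24"))  # address changed
```

Run from a scheduled job, this only produces a request body when the address has actually changed, and it refuses LAN or CGNAT addresses such as 192.168.1.222 that would make the bypass rule meaningless or overly broad.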