Expose Home Assistant for Google IPs only (IPv4 only)

Hello people,
I was able to expose Home Assistant only to Google's IPs.
I use pfSense as a firewall, but it can be easily adapted to other firewall/router vendors.

Google IPs.
https://md5calc.com/google/ip

Google has tons of IP ranges (networks), but I found out which networks Google Assistant uses to communicate with HA.

As follows:
Any IP from these networks must be allowed to access HA:
108.177.8.0/17
66.102.0.0/20
66.249.80.0/20

Below is my NAT conf:

These ranges are configured but disabled because Google doesn't use them to connect to my HA.
If Google Assistant changes to any of the ranges below, I just enable the NAT rule allowing Google Assistant to access HA.


PS: Google can use other networks to communicate with your HA.

3 Likes

Or an easier, more accurate and safer way is to also use Cloudflare as your DNS provider and proxy.

They do publish the range of IPs for their servers and they’ll proxy your connection so nobody will know your private IP when resolving your domain. Then you can just block all connections not coming from those IPs on your router.

The benefit of this is that you'll have their security as well, like DDoS protection, rate limiting, WAF, Access, user-agent blocking, IP rules (block, challenge, bad browser), page rules, etc. In my case I have all of that set, plus Cloudflare Access so it requires 2FA to reach my HA instance.

On top of that you can have full strict encryption by using their Cloudflare Origin CA, and you'll also have DNSSEC.

I blocked bots and medium-to-high threat-scored IPs as some of my rules. 2FA is required for all sites except for whitelisted stuff like Google Assistant (by URI, since I don't know their IP range; they also come from the US only), UptimeRobot (by IP range), etc. Sketchy IPs with a lower threat score get a challenge.

For Google Assistant to reach my HA, I set it to bypass my rules by the URI used for Google Assistant calls:
https://[YOUR HOME ASSISTANT URL:PORT]/api/google_assistant

A reverse proxy kinda feels like it helps, since you need to know the domain name, and I have locked certain pages by URI and for others I set an additional username/password, as some of my apps didn't require one (like some add-ons) or showed too much info even before logging in. Other calls that are routed through the reverse proxy are blocked; it can also block common script exploits.

pfSense is good; adding this on top of it gives you something new to play with, and in my case I feel my instance is safer now. pfSense is great as an IPS, and it makes a great addition to all of this.

I think most of the danger is bots and, more than anything, users installing malware on their computers.

The best thing to do when it comes to security is prevention, and prevention starts by blocking websites known for malware and other shady places, which brings us to another Cloudflare product: Cloudflare Gateway, which is basically a Pi-hole in the cloud.

8 Likes

Just fantastic!!! I managed to configure it, but it's not for dummies. A shame!!!

Which plan do you need for this at Cloudflare?

The free tier should get you all of that. Certain limitations apply, like the number of security rules, the number of users for Cloudflare Access, rate limiting up to a certain number of requests, etc. But most of the essential features are free with no limits.

Which product is it then? The one I think is the right one is only free until September.

Mind sharing the link? All of them are free and will remain free. I haven't received any updates on my free tier membership.

Update: I just checked; that's free for business. You just need to create a new account, no need to enable or activate any subscription. For certain features you'll need to enable billing, like Cloudflare Access (it won't bill you unless you confirm it and go over the free stuff) and Rate Limiting (if you exceed 10,000 requests once it kicks in by matching a malicious pattern).

Please excuse my ignorance, but what's the advantage? I have only opened ports 80 and 443, and Google Assistant works perfectly together with Home Assistant.

Adding more security layers is better than just exposing your HA to the internet. Since it's a smart home controller, you should protect it better from attacks.

I'm using Cloudflare's firewall and ran into this issue, as my rules were also blocking Google Assistant. CF produced an error with those IP ranges of yours, but these worked:

66.249.80.0/20
66.102.0.0/20
108.177.0.0/17

1 Like

A little late to the party, but could you share a screenshot of the Cloudflare setup for Google Assistant? I have a GeoIP block on Cloudflare, and of course Google Assistant doesn't work…

Great! Thanks!!
Only the first network range must be:
108.177.0.0/17
That makes the /17 complete…

Access and Gateway firewall are awesome! The only thing wrong since I started using them: I can't have iOS notifications with a snapshot attached anymore, or even use NFC tags from my phone.

I know there is a service token provided by Cloudflare, but I don't think it's compatible with HAOS. I could use the URL bypass, but I'm not too sure how to implement that either.

If you ever feel like doing a tutorial on Cloudflare security, I'm sure it would generate a lot of interest (I think Cloudflare Access/firewall/Argo is a must-have for Home Assistant).

1 Like

@leviweb
Got an extra IP range; maybe you can add it.
74.125.0.0/16
It tried to connect to HA and failed.

Just came for an overdue thanks.

It helped harden my HA setup, which I use Google Assistant with.

Thanks! 🙂

Just to give some follow-up: to use the Google Home app, the following full URL also has to be whitelisted:

https://[YOUR HOME ASSISTANT URL:PORT]/auth/token
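The two posts above describe the same edge policy: calls to `/api/google_assistant` (and, for the Google Home app, `/auth/token`) skip the Access/2FA rule, while everything else still has to pass it. The following is an added example written for this thread, not code from Home Assistant or Cloudflare, that models that policy as a small decision function so the rule can be reasoned about before it is typed into a dashboard. It assumes exact path matching (the way a URI rule is usually written) and, as a design choice of the example rather than something the poster did, it also pins the bypass to the Google ranges given earlier in the thread instead of trusting the path alone; the hostnames and client addresses in the comments are constructed.

```python
import ipaddress
import posixpath
from urllib.parse import urlsplit

# Paths named in the thread as the ones Google's calls hit.
BYPASS_PATHS = {"/api/google_assistant", "/auth/token"}

# Ranges from the thread (with the corrected /17). The bypass is confined to
# these so that an unauthenticated path is not open to the whole internet.
GOOGLE_RANGES = [
    ipaddress.ip_network(c)
    for c in ("108.177.0.0/17", "66.102.0.0/20", "66.249.80.0/20")
]


def request_path(url):
    """Extract and normalise only the path component of a full URL.

    The port and query string are irrelevant to the rule; normpath collapses
    '.' and '..' segments so that '/api/google_assistant/../x' cannot be
    mistaken for the bypass path."""
    path = urlsplit(url).path or "/"
    return posixpath.normpath(path)


def from_google(src_ip):
    addr = ipaddress.ip_address(src_ip)
    return any(addr in net for net in GOOGLE_RANGES)


def decide(src_ip, url, has_2fa_session):
    """Return 'allow', 'require_2fa' or 'block' for one request at the edge.

    - bypass paths: allowed only from the Google ranges, no 2FA needed
    - everything else: allowed only with an existing 2FA (Access) session
    """
    path = request_path(url)
    if path in BYPASS_PATHS:
        return "allow" if from_google(src_ip) else "block"
    return "allow" if has_2fa_session else "require_2fa"


if __name__ == "__main__":
    # Constructed sample requests; host and port are placeholders.
    samples = [
        ("66.102.5.1", "https://ha.example:8123/api/google_assistant", False),
        ("66.102.5.1", "https://ha.example/auth/token?grant_type=x", False),
        ("203.0.113.7", "https://ha.example/api/google_assistant", False),
        ("203.0.113.7", "https://ha.example/lovelace", False),
        ("203.0.113.7", "https://ha.example/lovelace", True),
        ("203.0.113.7", "https://ha.example/api/google_assistant/../../lovelace", False),
    ]
    for ip, url, session in samples:
        print(f"{ip:14} {request_path(url):24} 2fa={session!s:5} -> {decide(ip, url, session)}")
```

The last sample is the failure mode worth checking in any URI-based bypass: a path that merely starts with the bypass string must not inherit the bypass, which is why the example compares the normalised path for exact equality rather than using a prefix match.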

Hi, I created an Access IP rule (Tools menu) by ASN (check the ASN number in the log) and everything is working fine.

I'm pretty sure that is not a good idea, because the ASN matches all Google IP network ranges, so all GCP compute instances and services from GCP customers could connect to your HA.

Total amount of IPs for this ASN: 16,774,144

AS15169 - Google IP List
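Three points in this thread come down to handling CIDR allowlists carefully: the first post's `108.177.8.0/17` is not on a /17 boundary (which is why the later reply changes it to `108.177.0.0/17`, and plausibly why Cloudflare rejected it), the `74.125.0.0/16` range was seen but not allowed, and the ASN-wide rule just above admits about 16.7 million addresses. The following is an added example for this thread, not code from pfSense, Cloudflare or Home Assistant, that normalises a posted allowlist, reports entries with host bits set, checks candidate source addresses against it, and compares its size with the ASN figure quoted above. The client addresses in the sample run are constructed.

```python
import ipaddress

# Allowlist exactly as it appears in the first post (first entry has host bits set).
POSTED_ALLOWLIST = ["108.177.8.0/17", "66.102.0.0/20", "66.249.80.0/20"]

# Figure quoted in the thread for the whole of AS15169.
AS15169_ADDRESS_COUNT = 16_774_144


def normalize_allowlist(cidrs):
    """Parse CIDRs strictly; entries with host bits set are reported and
    replaced by their true network address so the operator sees exactly
    what a firewall would install. Returns (networks, warnings)."""
    networks, warnings = [], []
    for cidr in cidrs:
        try:
            net = ipaddress.ip_network(cidr, strict=True)
        except ValueError:
            net = ipaddress.ip_network(cidr, strict=False)
            warnings.append(f"{cidr} has host bits set; the network is {net}")
        networks.append(net)
    return networks, warnings


def is_allowed(src_ip, networks):
    """True if the source address falls inside any allowlisted network."""
    addr = ipaddress.ip_address(src_ip)
    return any(addr in net for net in networks)


def address_count(networks):
    """Total number of addresses the allowlist admits (no overlap handling;
    the thread's ranges do not overlap)."""
    return sum(net.num_addresses for net in networks)


def asn_ratio(networks):
    """How many times larger the ASN-wide rule is than the explicit allowlist."""
    return AS15169_ADDRESS_COUNT / address_count(networks)


if __name__ == "__main__":
    nets, warns = normalize_allowlist(POSTED_ALLOWLIST)
    for w in warns:
        print("warning:", w)
    print("installed:", [str(n) for n in nets])
    # Constructed sample clients: one inside the corrected /17, one inside a /20,
    # one from the 74.125.0.0/16 range a later post saw fail, one unrelated.
    for ip in ("108.177.8.10", "66.102.5.1", "74.125.1.1", "203.0.113.7"):
        print(f"{ip:14} allowed={is_allowed(ip, nets)}")
    print(f"allowlist size: {address_count(nets)} addresses")
    print(f"AS15169 is {asn_ratio(nets):.0f}x larger than the allowlist")
```

Rejecting host bits under `strict=True` is the check worth keeping in any tooling that generates firewall aliases: a silently widened or narrowed mask is exactly the kind of mismatch that produced the "CF produced an error" report earlier in the thread.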

Hi,
Same issue here.

I've tried going to Cloudflare → my domain → Rules panel (on the left) → Create Page Rule → Cache Level set to Bypass

for the URL

https://[YOUR HOME ASSISTANT URL:PORT]/api/google_assistant

and it doesn't work.

Has anybody had success, or can anyone explain more specifically?

I'm also interested in how to fix this. Did you get it fixed?

I'm randomly getting: "I'm sorry, blabla is not available".