Expose Home Assistant for Google IPs only - IPv4 only


Hello people,
I was able to expose Home Assistant only to Google's IPs.
I use pfSense as a firewall, but it can be easily adapted to other firewall/router vendors.

Google IPs:
https://md5calc.com/google/ip

Google has tons of IP ranges (networks), but I found out which networks Google Assistant uses to communicate with HA.

As follows:
Any IP from these networks must be allowed to access HA:
108.177.8.0/17
66.102.0.0/20
66.249.80.0/20

Below is my NAT conf:

These ranges are configured but disabled because Google doesn't use them to connect to my HA.
If Google Assistant changes to any of the ranges below, I just enable the NAT rule allowing Google Assistant to access HA.


PS: Google can use other networks to communicate with your HA.


Or an easier, more accurate and safer way is to also use Cloudflare as your DNS provider and proxy.

They do publish the range of IPs for their servers and they’ll proxy your connection so nobody will know your private IP when resolving your domain. Then you can just block all connections not coming from those IPs on your router.

The benefit of this is that you'll have their security features as well, like DDoS protection, rate limiting, WAF, Access, user agent blocking, IP rules (block, challenge, bad browser), page rules, etc. In my case I have all of that set up, plus Cloudflare Access, so it requires 2FA to reach my HA instance.

On top of that you can have full strict encryption by using their Cloudflare Origin CA, and you'll also have DNSSEC.

Some of my rules block bots and medium to high threat score IPs. 2FA is required for all sites except for whitelisted stuff like Google Assistant (by URI, since I don't know their IP range; they also come from the US only), UptimeRobot (by IP range), etc. Sketchy IPs with a lower threat score get a challenge.

For Google Assistant to reach my HA I set it to bypass my rules by the URI used for Google Assistant calls:
https://[YOUR HOME ASSISTANT URL:PORT]/api/google_assistant

The reverse proxy kinda feels like it helps, since you need to know the domain name, and I have locked certain pages by URI; for others I set an additional username/password, as some of my apps didn't require one (like some add-ons) or showed too much info even before logging in. Other calls that are routed through the reverse proxy are blocked; it can also block common script exploits.

pfSense is good; adding this on top of it gives you something new to play with, and in my case I feel my instance is safer now. pfSense is great as an IPS; it makes a great addition to all of this.

I think most of the danger is bots and more than anything users installing malware on their computer.

The best thing to do when it comes to security is prevention. Prevention starts by blocking websites known for malware and other shady places, which brings us to another Cloudflare product: Cloudflare Gateway, which is basically a Pi-hole in the cloud.


Just Fantastic!!! I managed to configure it, but it’s not for dummies. A shame!!!

Which plan do you need for this at Cloudflare?

The free tier should get you all of that. Certain limitations apply, like the number of security rules, the number of users for Cloudflare Access, rate limiting up to a certain number of requests, etc. But most of the essential features are free with no limits.

Which product is it then? The one I think is the right one is only free until September.

Mind sharing the link? All of them are free and will remain free. Haven’t received any updates on my free tier membership.

Update: just checked, that's free for business. You just need to create a new account, no need to enable or activate any subscription. For certain features you'll need to enable billing, like Cloudflare Access (won't bill you unless you confirm it and go over the free stuff) and Rate Limiting (if you exceed 10,000 requests once it kicks in by matching a malicious pattern).

Please excuse my ignorance, but what's the advantage? I have only opened ports 80 and 443, and Google Assistant works perfectly together with Home Assistant.

Adding more security layers is better than just exposing your HA to the internet. Since it’s a smart home controller, you should protect it better from attacks.

I'm using Cloudflare's firewall and ran into this issue, as my rules were also blocking Google Assistant. CF produced an error with those IP ranges of yours, but these worked:

66.249.80.0/20
66.102.0.0/20
108.177.0.0/17
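An added example, not from anyone in this thread: it takes the three ranges posted in the first post and the source-IP allowlisting idea both posts rely on, checks each range for host bits set (108.177.8.0/17 is not a canonical network boundary; its canonical form is 108.177.0.0/17, the range the reply above reports as working), and then matches constructed sample source addresses against the allowlist the way a firewall rule would. Sample addresses are constructed for illustration.

```python
import ipaddress

# Ranges exactly as posted in the thread's first post (the allowlist under test).
POSTED_RANGES = ["108.177.8.0/17", "66.102.0.0/20", "66.249.80.0/20"]


def check_cidr(cidr: str) -> dict:
    """Report whether a CIDR string is a canonical network boundary.

    strict=True rejects a prefix whose host bits are set, which is what
    rule parsers that insist on canonical network addresses do. The
    'normalized' field shows the network the prefix actually covers.
    """
    try:
        net = ipaddress.ip_network(cidr, strict=True)
        return {"cidr": cidr, "valid": True, "normalized": str(net)}
    except ValueError:
        net = ipaddress.ip_network(cidr, strict=False)
        return {"cidr": cidr, "valid": False, "normalized": str(net)}


def build_allowlist(cidrs):
    """Canonicalize every range so matching works even when a posted
    prefix has host bits set (non-strict parsing clears them)."""
    return [ipaddress.ip_network(c, strict=False) for c in cidrs]


def is_allowed(src_ip: str, allowlist) -> bool:
    """True if src_ip falls inside any allowlisted network.

    An IPv6 source can never match an IPv4-only list, so it is denied,
    which is the 'IPv4 only' behaviour the thread title describes.
    """
    addr = ipaddress.ip_address(src_ip)
    return any(addr in net for net in allowlist if net.version == addr.version)


if __name__ == "__main__":
    for cidr in POSTED_RANGES:
        print(check_cidr(cidr))
    allow = build_allowlist(POSTED_RANGES)
    # Constructed sample sources: one inside each posted range, one outside.
    for ip in ["108.177.1.1", "66.102.15.9", "66.249.95.255", "8.8.8.8"]:
        print(ip, "allowed" if is_allowed(ip, allow) else "denied")
```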