Expose Home Assistant For Google IPs only- IPV4 only

This seems to have fixed most of the issues. I can see in the logs the requests coming in.

If anyone has a better idea on how to streamline this let me know.

I run Home Assistant in a docker container on my Synology NAS. The NAS has a basic firewall where I block unwanted traffic. I used the IP ranges mentioned in this thread to allow communication between Google Assistant and Home Assistant. Recently some of the requests give a time out so it seems Google has added a new range for Google Assistant. Anyone else experienced this and has already figured out what the range is. Unfortunately I can not seem to figure it out myself as the NAS does not log any dropped requests.

Google Assistant requests will appear within the Known Bots list. I include Known Bots and URI Path to limit the traffic within this rule.

3 Likes

you’re a life saver :slight_smile: this worked perfectly and i haven’t had any issues since I added this new rule.

1 Like

Thanks! This is an efficient rule! I just added the IP range from Google Assistant to it, so only GA can pass through. All other bots are being blocked.

2 Likes

Are you also using Cloudflare Access? If yes, how did you set up your access policies for Google Assistant to pass?

1 Like

Good call on adding the IP range for Google Assistant. I updated my Known Bots rule to include those and haven’t experienced any blocks to Google Assistant commands for HomeAssistant devices.

I’m not using the Cloudflare Access features, only the DNS proxy and firewall rules.

For anyone curious, this is my second Cloudflare Firewall rule which blocks traffic from all countries except US, Canada, and Mexico. The Known Bots rule sits above this one in case any requests for Google Assistant reach out to servers outside the country white list.

Is it still working for you?

I have a similar geoIP rule where I am blocking the US as part of that rule but I thought the Known Bots rule above that in the list would mean I allow Google Assistant through.
Instead, the Google Assistant requests (often from addresses like 108.177.77.X) are being blocked by the second (geoIP) rule and nothing is being logged in rule 1.

Edit: I removed the known bots line from above and it worked right away.

1 Like

I haven’t attempted blocking any US traffic in the Cloudflare Firewall Rules, but it appears like you got it working from your edit.

It looks like there is some Google Assistant traffic coming from outside the Known Bots list.

Yep that was it. I’m not in the US hence I’m blocking it by only allowing my own country.

I was finding more and more IPs that were being blocked and causing issues with my google assistant integration.

I’ve ended up creating another rule to allow Google’s ASN through when accessing those two URLs.

Google do officially publish all their IP ranges, and also have a separate list of IPs they only give to their customers to use (in GCP etc.). If you compare the latter list to the former, you end up with only the IP ranges used by core Google services (such as googleapis etc.).

I found this very helpful: Configure Private Google Access | VPC | Google Cloud

It even has a python script to do the ‘washing’ of the list so you end up with only the IP ranges you might conceivably need to whitelist.

Wouldn’t take much to automate this so you can update the IP list regularly to ensure it’s kept up to date.
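As an added example (my own code, not from this thread or from the Google page linked above), here is the ‘washing’ step in Python: it subtracts the customer-assigned prefixes from goog.json, keeps IPv4 only, and renders the survivors as a Cloudflare expression for the two paths mentioned later in the thread. The cloud.json filename and the Cloudflare expression syntax are my assumptions; the sample JSON documents are constructed, not real data.

```python
import ipaddress
import json
import urllib.request

GOOG_URL = "https://www.gstatic.com/ipranges/goog.json"    # linked in the thread
CLOUD_URL = "https://www.gstatic.com/ipranges/cloud.json"  # assumed: the customer-range file

# Constructed sample documents shaped like the real files (not real data).
SAMPLE_GOOG = json.dumps({"prefixes": [
    {"ipv4Prefix": "108.177.0.0/17"}, {"ipv4Prefix": "192.178.0.0/15"},
    {"ipv4Prefix": "35.190.0.0/17"}, {"ipv6Prefix": "2001:4860::/32"}]})
SAMPLE_CLOUD = json.dumps({"prefixes": [
    {"ipv4Prefix": "35.190.0.0/18", "service": "Google Cloud", "scope": "us-east1"}]})


def fetch(url: str) -> str:
    """Download one of the published range files (only used when online)."""
    with urllib.request.urlopen(url, timeout=10) as resp:
        return resp.read().decode()


def ipv4_networks(doc: str) -> list:
    """Keep only the IPv4 prefixes; the thread's firewall rules are IPv4-only."""
    return [ipaddress.ip_network(p["ipv4Prefix"])
            for p in json.loads(doc)["prefixes"] if "ipv4Prefix" in p]


def core_google_ranges(goog_doc: str, cloud_doc: str) -> list:
    """goog minus cloud: drop every customer-assignable block, carving out
    blocks that cover only part of a goog prefix instead of discarding it."""
    pieces = ipv4_networks(goog_doc)
    for c in ipv4_networks(cloud_doc):
        kept = []
        for p in pieces:
            if c.supernet_of(p):            # p is entirely customer space
                continue
            if p.supernet_of(c):            # c is a strict subnet: carve it out
                kept.extend(p.address_exclude(c))
            else:
                kept.append(p)              # CIDR blocks either nest or are disjoint
        pieces = kept
    return [str(n) for n in sorted(ipaddress.collapse_addresses(pieces))]


def cloudflare_block_expression(ranges: list) -> str:
    """Assumed Cloudflare rule syntax: block the two Google Assistant paths
    named in the thread unless the client is inside the washed range list."""
    paths = '{"/api/google_assistant" "/auth/token"}'
    return (f"(http.request.uri.path in {paths}) and not "
            f"(ip.src in {{{' '.join(ranges)}}})")


if __name__ == "__main__":
    ranges = core_google_ranges(fetch(GOOG_URL), fetch(CLOUD_URL))
    print(cloudflare_block_expression(ranges))
```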

Hey guys,

For those that want extra protection, here is what I did and seems to work. I have a domain name in Cloudflare with two A records (one for my VPN that isn’t proxied since WireGuard doesn’t like that and one for HA for Google API and backup):

  • In Cloudflare Zero Trust, I added 3 applications

    • One for HA domain name without any path added with a rule that allows only my email and PIN authentication
    • One for HA domain name with /auth/token with a rule that anyone can access it (maybe I can find a better solution) via bypass
    • One for HA domain name with /api/google_assistant with a rule that anyone can access it (maybe I can find a better solution) via bypass
  • In the firewall (Cloudflare dashboard, not the same website), I added the rule:

    • Block all requests that are not from my country except where ASN is not the one from Google (since they request from USA)
    • Block all requests on the /api and /auth except if the ASN is from Google
2 Likes

I’ve been set up similarly for a few years. Randomly started having some Google Home → Home Assistant communications fail.

Looks like a new IP range is being used by Google: 192.178.0.0/15

Yes 192.178, you can see it here https://www.gstatic.com/ipranges/goog.json

Figured I’d add it to the solution.

3 Likes

Anybody figured out how to use bypass (for authentication) so you only have 1 application?

1 Like

For future reference:

I defined an ‘Access group’ in my Zero Trust environment that lists all the Google IP addresses:

And used that for my Google Assistant application:

For the auth token you also need to include the countries from which you want to use your companion app:

1 Like

Did you find a way to paste all of the IP ranges in one shot or did you have to do it a hundred times?

Also, did you end up using URI filtering or just completely open?

1 Like

I wrote a Python script that fetches the list of addresses from Google and then puts them in Cloudflare.
Not using URI filtering but different applications.

Any chance you’d be willing to share the script?