Google Home integration secured by Cloudflare Zero Trust

I have set up a Cloudflare Zero Trust tunnel in the Cloudflared plugin to connect Google Home using it as instructed below:

Unfortunately, after creating a project according to the tutorial, my HAOS does not automatically detect the Google Assistant integration, so I am concerned that the problem is the secured tunnel. I am using Cloudflare Zero Trust with SSL Full (strict).

Do any of you use the Google Home integration via Cloudflare Zero Trust?

I have a setup like you mention.

If you mean the way HA can automatically detect the availability of an integration and prompt you to install it, that does not work for all integrations, and not for any that are configured manually, as this one is. You need to put the appropriate lines in configuration.yaml and restart HA. However, that’s covered in the video, so I guess I’m not sure exactly what problem you’re seeing.

And that video is hooking up duckdns not cloudflare. There is a video about this specific combo here that you might find more useful.


@michaelblight Thanks for your reply and I’m glad you’re using the same setup as me because that means my problem is solvable. :slightly_smiling_face:

I watched the guide you sent and configured Cloudflared with Cloudflare Zero Trust in exactly the same way. Please let me know whether you use an additional form of security in Cloudflare Zero Trust, i.e. Application / Self-hosted. Did you have to add any exclusion rules in the Cloudflare Firewall before connecting to Google Home / Google Assistant?

In addition, I found a guide from the same author on how to configure Google Home with Home Assistant:

However, I am not sure whether this is the right video to use, as the author adds devices from GH to HA, and I want to do it the other way round, i.e. add devices from Home Assistant to Google Home in order to be able to control them by voice using Google Nest Audio.

Yeah the second video is a different use case - it’s for devices that are not compatible with HA, but can be set up in GH. I had one such device and set it up that way, but then found somebody had created a HACS integration for it. I’m not sure what you mean by “my HAOS does not automatically detect the Google Assistant integration”.

My initial set up was identical to the first video - I might have even followed that one. Over time it has changed a bit - I think I added SSL full/strict later, and I have also geo-blocked all countries except mine and the US (since GH comes in thru Cloudflare).

What specifically is going wrong?

I’ve watched a lot of tutorials and some of them, after just setting up the project in Google and Home Assistant, showed Google Assistant integration in Settings → Devices and Services. But at this point it’s not important anymore.

Today I made another attempt at configuration and managed to locate the problem, which is the additional security layer, Application / Self-hosted. When I removed it for a moment, everything actually started working, but when I turn it back on (I care about security), an error appears when trying to connect Google Home to the created Google project.

It seems to me that in this situation it would be necessary to make Bypass exclusions in the CFZT application for domains, e.g.:

However, I do not know how to do this, because the available selectors do not include domain names, only e.g. IP Range.


I have set up applications for all my sites except HA. I figured it would be too much of a pain to do it for HA because of the companion app on multiple devices. Obviously you can’t do the simple option of requiring a google login as I’ve done with my other sites, so you’d presumably have to check for a certificate/token. So I just rely on HA security and restrict Cloudflare access to my country and the US using WAF. Since geo-blocking I haven’t had any suspicious login attempts (touch wood).

Would you be able to guide me on how I should do it?

Could you send a screenshot of how you have it configured?

In general, the Cloudflare WAF tool is available only in the paid plan. I understand we are therefore talking about the location Cloudflare dashboard → Zero Trust → Gateway → Firewall policies.

I live in Poland, but I’m not sure which other countries I need to allow to avoid blocking the connection with Google Home.

Haha yeah I initially thought that too - you see the first WAF on the dashboard and it prompts you to purchase, but there’s another location. From the cloudflare dashboard, click on your domain and then expand Security and click on WAF. By default it shows you Managed Rules and suggests you sign up, but under Custom Rules you can create a new one using your country. I live in Australia and mine looks like this:

Just allowing my country and the US seems to be enough for Google Home.

Since I’m using a Zero Trust tunnel, I assumed that in that section, I should define the firewall rules, i.e., in the location Cloudflare dashboard → Zero Trust → Gateway → Firewall policies.

You’re right, it’s possible to create up to 5 firewall rules completely free! This can be done in the following location: Cloudflare dashboard → Websites → [YOUR DOMAIN] → Security → WAF → Custom rules.

I have created 3 independent rules:

BlockCountries

(not ip.geoip.country in {"PL" "US"})

BlockUserAgent

(http.user_agent eq "") or (http.user_agent contains "curl") or (http.user_agent contains "python") or (http.user_agent contains "attack") or (http.user_agent contains "scan") or (http.user_agent contains "sqlmap") or (http.user_agent contains "nessus") or (http.user_agent contains "nikto")

BlockURIQuery

(http.request.uri.query contains "cmd") or (http.request.uri.query contains "exec") or (http.request.uri.query contains "select") or (http.request.uri.query contains "union") or (http.request.uri.query contains "sleep") or (http.request.uri.query contains "benchmark") or (http.request.uri.query contains "drop") or (http.request.uri.query contains "delete") or (http.request.uri.query contains "update") or (http.request.uri.query contains "insert") or (http.request.uri.query contains "shutdown") or (http.request.uri.query contains "shell") or (http.request.uri.query contains "curl") or (http.request.uri.query contains "powershell")

Of course, I am aware that they are not perfect, but they certainly provide additional protection against various attacks, including SQL injection.

Additionally, I have enabled 2FA and IP blocking after 5 failed attempts in my HAOS:

http:
  ip_ban_enabled: true
  login_attempts_threshold: 5

@michaelblight Would you add or change anything else? :stuck_out_tongue:

That’s more than I’ve got - I’m wary about adding more because it can be very hard to track down when things don’t work. Currently I have Apple Watch Complications that only update when I’m on my local network, despite the Companion App working fine outside the house - no idea why, but it’s not high on my priority list to investigate.

Unfortunately, security never goes hand in hand with user comfort. :slightly_smiling_face:

For me, security is a high priority, so I’ve accepted that I’ll have to take it on the chin and tackle any potential issues. Even creating the rules I mentioned above took a bit of time before I managed to develop a working set. During testing, I found that, for example, these elements were blocking the connection between HA and GH:

(http.user_agent contains "wget")
(http.user_agent contains "bot")
(http.referer eq "")

BTW, I kind of regret that this forum is so large, because new threads quickly disappear like a needle in a haystack. It would be nice to connect with other HAOS users who are also interested in security. :wink:
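To make the behaviour of the three custom rules posted above concrete, and to show why the three expressions the last post had to drop were causing collateral damage, here is an added example that re-implements the posted rule expressions in plain Python and runs them over a handful of constructed requests. It is not Cloudflare code and not the poster's; the request records (countries, user agents, query strings, referers) are made up for illustration, and the hypothetical "example-bot" user agent with an empty referer merely stands in for whatever the Google Home callback looks like, since the thread does not show the real one. Cloudflare's `contains` operator is case-sensitive, and the stand-in mirrors that deliberately so the "SQLMap" sample shows the gap.

```python
"""Plain-Python stand-in for the three Cloudflare WAF custom rules posted in this
thread (BlockCountries, BlockUserAgent, BlockURIQuery) plus the three expressions the
later post reports as breaking the HA <-> Google Home connection.

Added example: not Cloudflare's rules engine and not the poster's configuration.
All sample requests below are constructed, not taken from a real Cloudflare log.
"""

from dataclasses import dataclass


@dataclass
class Request:
    country: str          # ip.geoip.country, ISO 3166-1 alpha-2
    user_agent: str = ""  # http.user_agent
    query: str = ""       # http.request.uri.query (without the leading '?')
    referer: str = ""     # http.referer


ALLOWED_COUNTRIES = {"PL", "US"}

UA_BLOCKLIST = ("curl", "python", "attack", "scan", "sqlmap", "nessus", "nikto")

QUERY_BLOCKLIST = ("cmd", "exec", "select", "union", "sleep", "benchmark", "drop",
                   "delete", "update", "insert", "shutdown", "shell", "curl", "powershell")

# Expressions the later post dropped because they blocked Google Home.
REJECTED_UA = ("wget", "bot")


def block_countries(r: Request) -> bool:
    # (not ip.geoip.country in {"PL" "US"})
    return r.country not in ALLOWED_COUNTRIES


def block_user_agent(r: Request) -> bool:
    # (http.user_agent eq "") or (http.user_agent contains "curl") or ...
    # Cloudflare's `contains` is case-sensitive; Python's `in` matches that.
    return r.user_agent == "" or any(p in r.user_agent for p in UA_BLOCKLIST)


def block_uri_query(r: Request) -> bool:
    # (http.request.uri.query contains "cmd") or ... (case-sensitive substring match)
    return any(p in r.query for p in QUERY_BLOCKLIST)


def rejected_rules(r: Request) -> list[str]:
    """The expressions the poster removed, kept here to make their collateral visible."""
    hits = []
    if any(p in r.user_agent for p in REJECTED_UA):
        hits.append("user_agent contains wget/bot")
    if r.referer == "":
        hits.append('referer eq ""')
    return hits


RULES = {
    "BlockCountries": block_countries,
    "BlockUserAgent": block_user_agent,
    "BlockURIQuery": block_uri_query,
}


def firing_rules(r: Request) -> list[str]:
    """Names of the posted rules that match. Cloudflare stops at the first Block action;
    listing every match is more useful when tuning the rule set."""
    return [name for name, fn in RULES.items() if fn(r)]


# Constructed sample traffic (hypothetical; the GH callback shape is an assumption).
SAMPLES = {
    "home browser PL": Request("PL", "Mozilla/5.0 (X11; Linux x86_64) Firefox/128.0",
                               referer="https://ha.example.invalid/lovelace"),
    "scanner DE": Request("DE", "sqlmap/1.8", query="id=1 union select 1,2,3"),
    "scanner US mixed-case UA": Request("US", "SQLMap/1.8", query="id=1"),
    "assistant-like US": Request("US", "Mozilla/5.0 (compatible; example-bot/1.0)",
                                 referer=""),
    "legit PL query": Request("PL", "HomeAssistant/2024.8 aiohttp/3.9",
                              query="entity_id=update.router_firmware"),
}


def evaluate_all() -> dict[str, dict[str, list[str]]]:
    """Run every sample through the posted rules and the rejected expressions."""
    return {name: {"block": firing_rules(r), "rejected": rejected_rules(r)}
            for name, r in SAMPLES.items()}


if __name__ == "__main__":
    for name, result in evaluate_all().items():
        print(f"{name:26} blocked by {result['block'] or '-'}; "
              f"rejected patterns would add {result['rejected'] or '-'}")
```

Two things the run makes visible that the rule text alone does not: the case-sensitive `contains` lets a `SQLMap/1.8` user agent through untouched (Cloudflare's rules language has a `lower()` function for this), and the bare `contains "update"` in BlockURIQuery also blocks an ordinary query naming an HA `update.*` entity, which is the same overmatching that made the `bot` and empty-referer expressions unusable for Google Home traffic.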