How to connect Google Assistant using the Cloudflare tunnel

Ok… I’m writing this post because I’ve been trying to solve this for 12 straight hours and I couldn’t find anyone to explain how to do it. I hope it will be useful to all the people who, like me, almost gave up.

In this post I will try to explain in the clearest and most complete way that my level of English allows me how to connect Google Assistant to Home Assistant if you are using the Cloudflare tunnel for your remote connection.
In my case I use the cloudflared add-on and a paid domain but I understand that with a free one and managing the tunnel from Cloudflare the procedure should be the same.

To a large extent we will be following the steps of this page (Google Assistant - Home Assistant), but with a few small changes.

You can also see the EverythingSmartHome video that explains practically the same thing as on the previous page.

Difference number 1: When creating the new project in console.actions.google.com, choose the English language no matter where you are from. (in the country choose the option that you like the most)

After this you follow the process as in the tutorial except that where you have to put the URL of your remote connection and your port you are only going to put the URL. Then, before starting the test, it is essential that you return to the overview screen and enter “Enter information required for the Actions directory”

In this section it is very important to complete the description, the profile image, the contact email and the Privacy and consent policy.

I leave you what @Omnipius very kindly gave in the community that is perfect for what we need:

For the description I wrote:
Short: “Connect Google Assistant to a private Home Assistant server”
Long: “This Action is intended for personal use. It exposes smart home devices controlled by a local Home Assistant server to Google Assistant and by extension the Google Home mobile app.”

For the logo just upload the HA logo.

For the privacy policy, create a Google Doc that can be viewed by anyone with the link that says:

“This application is intended for the private use of its developer. Any unauthorized users who connect to this service should have no expectation of privacy or protection of their data.”

and in the contact a contact email and your nickname.

Once these data are completed, now we can click on the “Test” button.

In console.cloud.google.com we will also follow the steps of the tutorial, with the difference that when creating the credential, at the top of the page we will see a sign that says “Remember to configure the OAuth consent screen with information about your application”, and there we click on “configure consent screen”.

I’m not sure how necessary this part is, but just in case, I completed only the mandatory data and it worked, so I recommend you do the same.
(DO NOT UPLOAD THE IMAGE HERE, IF YOU DO IT WILL NEED A VERIFICATION THAT TAKES 2-3 DAYS)

After this, once again we continue with the tutorial, and in theory you should be able to link Google Home to HA correctly. At least that’s how it was for me.

It is very important that, if you have any firewall rule configured in Cloudflare, you deactivate it at the time of linking. To be able to activate them again afterwards, I share a rule that enables Google servers; thanks for this rule go to the Reddit user @krojack76.

https://www.reddit.com/r/homeassistant/comments/v0xea8/comment/iakgsgq/?utm_source=share&utm_medium=web2x&context=3

I think that would be all that is necessary. For any doubt, I remain at the disposal of those who need it.

6 Likes

Thanks friend! I hadn’t been able to get it going two weeks ago when I tried. This worked for me. Thank you!

1 Like

Still not working for me. Any ideas?

2 Likes

@Nict41 I found I had to change the two URLs in account linking as well as the URL in actions by just deleting the socket e.g. https://your-url-here.com:8123/auth/authorize became https://your-url-here.com/auth/authorize

Hope that helps

1 Like

I’m facing a weird issue with regards to this. HA is blocking the login connection from the Google Home app because the X-Forwarded-For header carries my public IP address:

Login attempt or request with invalid authentication from host-XXX-XXX-XXX-XXX.something.com (XXX.XXX.XXX.XXX). See the log for details.

Has anyone faced the same? I have been banging my head against the wall for days, and I can’t seem to figure out what’s happening.

EDIT: I was able to get to the next (failure) step by using an Android device instead of my iPhone :grimacing:

Now what I’m facing is an error on the Google Home app side, which doesn’t seem to be able to connect to the Action. I will have to investigate further.

EDIT2: Success! I hadn’t activated the google_assistant integration in HA.

1 Like

I was going through this tutorial scratching my head wondering why it’s still not working, then realised I set up WAF to block all traffic from other countries :sweat_smile:
Is there a clean rule to allow only Google’s IPs? I see quite a range of them in the firewall events.

Edit: Found the trick, allow AS Num 15169 through

3 Likes

But has anyone managed to get this to work with CF Access/Applications?

I tried following the original tutorial as well as a video about it 4 times, and keep getting the same results - insanity. I tried with the additional steps here up until “test” and get the same “We’re sorry, but something went wrong. Please try again.” Before I waste even more time, can you confirm that that means it won’t work even if I do the rest? I added include: “everyone” to my Cloudflare application. I had Google Assistant working (with a freenom dns) before I bought a domain name without all the additions you gave. At that time I didn’t know about “Access/Application/Policies etc” in CF so just had the domain address in my Home Assistant CF addon configuration. I am having the same problem with Amazon Alexa so obviously something to do with Cloudflare. I am literally losing my mind over this.

I am very new to Home Assistant. If I follow this guide, will I be able to send commands via Home Assistant to my Google Nest to play a particular song etc.? E.g. play songs by Bryan Adams

Doesn’t work for me either. Have you found a solution?

Is this still a valid solution?

Is there someone that can help us? I followed the guidelines, also putting the rule on WAF (even if I had no rules), without success… The procedure ends with 404 or 429 errors.

I had great luck with this Reddit… after I figured out how to input info into Origin Rules. Reddit - Dive into anything

In Cloudflare, create a new Custom WAF rule (Security → WAF) and paste this code (it is from this Reddit post):

(ip.src in {8.8.4.0/24 8.8.8.0/24 8.34.208.0/20 8.35.192.0/20 23.236.48.0/20 23.251.128.0/19 34.64.0.0/10 34.128.0.0/10 35.184.0.0/13 35.192.0.0/14 35.196.0.0/15 35.198.0.0/16 35.199.0.0/17 35.199.128.0/18 35.200.0.0/13 35.208.0.0/12 35.224.0.0/12 35.240.0.0/13 64.15.112.0/20 64.233.160.0/19 66.102.0.0/20 66.249.64.0/19 70.32.128.0/19 72.14.192.0/18 74.114.24.0/21 74.125.0.0/16 104.154.0.0/15 104.196.0.0/14 104.237.160.0/19 107.167.160.0/19 107.178.192.0/18 108.59.80.0/20 108.170.192.0/18 108.177.0.0/17 130.211.0.0/16 136.112.0.0/12 142.250.0.0/15 146.148.0.0/17 162.216.148.0/22 162.222.176.0/21 172.110.32.0/21 172.217.0.0/16 172.253.0.0/16 173.194.0.0/16 173.255.112.0/20 192.158.28.0/22 192.178.0.0/15 193.186.4.0/24 199.36.154.0/23 199.36.156.0/24 199.192.112.0/22 199.223.232.0/21 207.223.160.0/20 208.65.152.0/22 208.68.108.0/22 208.81.188.0/22 208.117.224.0/19 209.85.128.0/17 216.58.192.0/19 216.73.80.0/20 216.239.32.0/19} and ip.geoip.asnum eq 15169 and http.host eq "ha.example.com:1234" and http.request.uri.path eq "/api/google_assistant") or (http.request.uri.path eq "/auth/token")

Remember to replace the ha.example.com:1234 with your host and port #.

In “Choose action” select “Skip” and choose all the WAF components to skip (expand also the “More components to skip”).

1 Like
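Added example, not part of the posts above: a simplified Python model of the skip rule's logic, evaluated before and after a country-block rule like the one mentioned earlier in the thread. It uses only three of the rule's CIDRs, constructed sample requests and a hypothetical allowed-country list, and treats rule evaluation as first match wins, which is a simplification of how Cloudflare orders custom rules.

```python
import ipaddress

# Three CIDRs taken from the posted rule; the full list behaves the same way.
GOOGLE_NETS = [ipaddress.ip_network(n)
               for n in ("66.249.64.0/19", "74.125.0.0/16", "35.192.0.0/14")]
HA_HOST = "ha.example.com:1234"  # placeholder from the post

def skip_google(req):
    """Posted expression: (ip AND asn AND host AND path) OR path == /auth/token."""
    src = ipaddress.ip_address(req["ip"])
    fulfilment = (any(src in net for net in GOOGLE_NETS)
                  and req["asn"] == 15169
                  and req["host"] == HA_HOST          # eq is an exact string match
                  and req["path"] == "/api/google_assistant")
    return fulfilment or req["path"] == "/auth/token"

def block_foreign(req, allowed=("NL",)):  # hypothetical country-block rule
    return req["country"] not in allowed

SKIP = ("skip", skip_google)
BLOCK = ("block", block_foreign)

def evaluate(req, rules):
    """Simplified model: rules run top to bottom, first match decides."""
    for action, matches in rules:
        if matches(req):
            return action
    return "allow"

# Constructed sample requests (documentation IP/ASN for the non-Google client).
GOOGLE_SYNC = {"ip": "66.249.64.10", "asn": 15169, "country": "US",
               "host": HA_HOST, "path": "/api/google_assistant"}
OTHER_TOKEN = {"ip": "203.0.113.7", "asn": 64500, "country": "XX",
               "host": HA_HOST, "path": "/auth/token"}
OTHER_API = dict(OTHER_TOKEN, path="/api/google_assistant")
NO_PORT = dict(GOOGLE_SYNC, host="ha.example.com")

if __name__ == "__main__":
    for name in ("GOOGLE_SYNC", "OTHER_TOKEN", "OTHER_API", "NO_PORT"):
        req = globals()[name]
        print(name, evaluate(req, [SKIP, BLOCK]), evaluate(req, [BLOCK, SKIP]))
```

The `or` clause for `/auth/token` carries no source condition, so in this model the skip applies to that path for any client, while the fulfilment path is skipped only for the listed Google ranges with a matching host string.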

Tried this, still doesn’t work.

What do you mean with “replace the ha.example.com:1234”?

We are all changing it to something like homeassistant.mydomain.com.

Still add the ports, or do it without? And shouldn’t it be HTTPS??

Or should it be the internal http://internalipadress:8123 ??

Ever since my Home Assistant has been restored, cloudflared is driving me nuts. Can’t repair this part.

I see it sometimes doing this skip.

But on my phone it instantly blocks.

This is working for me.

This worked in my case as well. It’s important to notice that the block countries rule comes in second and the Google ASN skip is in first place! I got them flipped first.

Thanks so much.

I got back to this a few days ago and finally got it working.

I tried many solutions from Google Home: Could not reach [test] myapp. Please try again - #49 by Zoomtronic but none of them would work.

What ended up working for me in the end was to recreate the project in Google (probably unnecessary) and temporarily go back to directly exposing the HA HTTPS interface on port 443 using NGINX SSL Proxy (or NGINX Proxy Manager) and a port forward. I set this up and then created a new project on the Google side and, after following the steps, I finally got a prompt to log in through the Google Home app.

After this, I switched back to cloudflared and it’s been working fine since. I feel like there was something in the cloudflared configuration that was resulting in the timeout message; I didn’t see anything obvious (checked WAF etc. as mentioned above). Either that, or I got lucky and it just happened to work this time around.

Since setup, I’ve had no issues, my IP has changed, I am only using Cloudflare tunnel for access and HA has been restarted.


mTLS is a huge upgrade. Just install certificates on desired devices and block everything except traffic from these devices and the Google ASN.

mTLS isn’t compatible with the iOS app though, right? Otherwise, this would definitely be my goto approach as well.