How to connect Google Assistant using the Cloudflare tunnel

Is this still a valid solution?

Is there someone that can help us? I followed the guidelines putting also the rule on WAF (even if I had no rules) without success… The procedure ends with a 404 o 429 errors.

I had great luck with this Reddit… after I figured out how to input info into Origin Rules. Reddit - Dive into anything

In Cloudflare create a new Custom WAF rule, (Security → WAF) paste this code (is from this Reddit post) :

(ip.src in {8.8.4.0/24 8.8.8.0/24 8.34.208.0/20 8.35.192.0/20 23.236.48.0/20 23.251.128.0/19 34.64.0.0/10 34.128.0.0/10 35.184.0.0/13 35.192.0.0/14 35.196.0.0/15 35.198.0.0/16 35.199.0.0/17 35.199.128.0/18 35.200.0.0/13 35.208.0.0/12 35.224.0.0/12 35.240.0.0/13 64.15.112.0/20 64.233.160.0/19 66.102.0.0/20 66.249.64.0/19 70.32.128.0/19 72.14.192.0/18 74.114.24.0/21 74.125.0.0/16 104.154.0.0/15 104.196.0.0/14 104.237.160.0/19 107.167.160.0/19 107.178.192.0/18 108.59.80.0/20 108.170.192.0/18 108.177.0.0/17 130.211.0.0/16 136.112.0.0/12 142.250.0.0/15 146.148.0.0/17 162.216.148.0/22 162.222.176.0/21 172.110.32.0/21 172.217.0.0/16 172.253.0.0/16 173.194.0.0/16 173.255.112.0/20 192.158.28.0/22 192.178.0.0/15 193.186.4.0/24 199.36.154.0/23 199.36.156.0/24 199.192.112.0/22 199.223.232.0/21 207.223.160.0/20 208.65.152.0/22 208.68.108.0/22 208.81.188.0/22 208.117.224.0/19 209.85.128.0/17 216.58.192.0/19 216.73.80.0/20 216.239.32.0/19} and ip.geoip.asnum eq 15169 and http.host eq "ha.example.com:1234" and http.request.uri.path eq "/api/google_assistant") or (http.request.uri.path eq "/auth/token")

Remember to replace the ha.example.com:1234 with your host and port #.

In “Choose action” select “Skip” and choose all the WAF components to skip (expand also the “More components to skip”).

1 Like

tried this still doesnt work

what do you mean with "replace the HA.example.com:1234

we are all changing the it to something like homeassistant.mydomain.com.

Still add the ports ?or do it without ? and shouldnt it be HTTPS??

or should it be the internal http://internalipadress:8123 ??

ever since my home assistant has been restored cloudflared is driving me nuts. cant repair this part.

i see it sometimes doing this skip.

But on my phone it instantly blocks

This is working for me.

1 Like

This worked in my case aswell. It’s important to notice, that the block countries rule comes in second and the google asn skip is in first place! I got them flipped first.

Thanks so much.

I got back to this a few days ago and finally got it working.

I tried many solutions from Google Home: Could not reach [test] myapp. Please try again - #49 by Zoomtronic but none of them would work.

What ended working for me in the end was to recreate the project in google (probably unnecessary) and temporarily go back to directly exposing the HA https interface on port 443 using NGINX SSL Proxy (Or NGINX Proxy Manager) and a port forward. I set this up and then created a new project on the google side and after following the steps I finally got a prompt to login through the google home app.

After this, I switched back to cloudflared and its been working fine since. I feel like there was something in the cloudflared configuration that was resulting in the timeout message, I didnt see anything obvious (checked WAF etc as mentioned above), either that, or I got lucky and it just happend to work this time around.

Since setup, i’ve had no issues, my IP has changed, I am only using cloudflare tunnel for access and HA has been restarted.


mTLS is a huge upgrade. Just install certificates on desired devices and block everything except traffic from these devices and the Google ASN.

mTLS isn’t compatible with the iOS app though, right? Otherwise, this would definitely be my goto approach as well.

I totally agree with you. If I activate IP’s or geolocation in the Cloudflare tunnel, Google Home services do not work. If you can explain a little more or make a project of how you have set up Nginx ssl Proxy for 443, I would appreciate it. Thank you

this doesn’t seems to work for me.

I see first message that link is established but then after a while i see another message (error. please try again later).

Any hint?

This is working well for Google Assistant:

Expression Preview
(http.request.uri.path contains "/api/google_assistant" and ip.geoip.asnum eq 15169) or (http.request.uri.path eq "/auth/token" and ip.geoip.asnum eq 15169) or (cf.tls_client_auth.cert_verified)

By using URI filtering you get only legitimate GA requests not google search bots etc.

The rule order looks like:
image

1 Like

it worked!

What the second rule does?

in my case, the issue about error 404 it was related to the authorization URL. Was missing /authorize at the end.

I have followed all the steps in the integration guide and the post above, but I am always getting a “Cannot reach [test] myapp” error when trying to link google home.
I have the WAF rules from here https://community.home-assistant.io/t/how-to-connect-google-assistant-using-the-cloudflare-tunnel/545574/23 and I am able to access my external url from the HA app and outside network.
I tried disabling the WAF rules altogether, but it still doesn’t work. I do have access rules setup for some emails and the one here https://community.home-assistant.io/t/howto-secure-cloudflare-tunnels-remote-access/570837.

My configuration.yaml lines are as follows:

google_assistant:
  project_id: my_project_id
  service_account: !include SERVICE_ACCOUNT.JSON
  report_state: true
  expose_by_default: true

I get 405: method not allowed when I try to access my /api/google_assistant and /auth/token from both my external and internal url.

Do I just need to wait for some time or is there something I am missing?

I think it was because of the access rules. I can link it if I disable access rules completely

Where exactly should I set this? I’ve clicked through the entire cloudflare panel but don’t see anything similar. Did I miss something or has cloudflare changed the interface?

Where/how did you disable the access rules? I’m out of ideas with what I can try now.

Previously I had Google Assistant working with duckDNS, but after I migrated to the Cloudflare solution I tried to redo the entire Google Assistant setup, but I just won’t work!

I’ve followed the steps in the thread’s initial post. I’ve recreated the project and actions in Google Console from scratch, using English as language and entered all the details that are needed for it to work.

I’m able to access Home Assistant remotely and I can curl /api/google_assistant and /auth/token and I get a "405: Method Not Allowed" response back.

But when I try to test/simulate the action on console.actions.google.com I only get a “We’re sorry, but something went wrong. Please try again.” when I ask the assistant something.

When I try to add the Home Assistant devices in the Google Home app I selected "[test] My App" and initially I get a message saying the link is successful, but then it continues to load and eventually I get a “Something went wrong. Please try again” message.

I’ve tried to add rules on Cloudflares in the section “Security > WAF > Custom rules”. The ones that @paulka007 listed here, what @mbe used here, and what @Arduxxxx posted here. But none of the variants make any difference when I add them to Cloudflare, same issue and errors.

Does anyone have any advice what I could try or what could be wrong? I’m using iOS by the way.

I meant the access rules under zero trust as mentioned here:
https://community.home-assistant.io/t/howto-secure-cloudflare-tunnels-remote-access/570837