How to connect Google Assistant using the Cloudflare tunnel

I had great luck with this Reddit post… after I figured out how to input info into Origin Rules.

In Cloudflare create a new custom WAF rule (Security → WAF) and paste this code (it is from the Reddit post):

(ip.src in {8.8.4.0/24 8.8.8.0/24 8.34.208.0/20 8.35.192.0/20 23.236.48.0/20 23.251.128.0/19 34.64.0.0/10 34.128.0.0/10 35.184.0.0/13 35.192.0.0/14 35.196.0.0/15 35.198.0.0/16 35.199.0.0/17 35.199.128.0/18 35.200.0.0/13 35.208.0.0/12 35.224.0.0/12 35.240.0.0/13 64.15.112.0/20 64.233.160.0/19 66.102.0.0/20 66.249.64.0/19 70.32.128.0/19 72.14.192.0/18 74.114.24.0/21 74.125.0.0/16 104.154.0.0/15 104.196.0.0/14 104.237.160.0/19 107.167.160.0/19 107.178.192.0/18 108.59.80.0/20 108.170.192.0/18 108.177.0.0/17 130.211.0.0/16 136.112.0.0/12 142.250.0.0/15 146.148.0.0/17 162.216.148.0/22 162.222.176.0/21 172.110.32.0/21 172.217.0.0/16 172.253.0.0/16 173.194.0.0/16 173.255.112.0/20 192.158.28.0/22 192.178.0.0/15 193.186.4.0/24 199.36.154.0/23 199.36.156.0/24 199.192.112.0/22 199.223.232.0/21 207.223.160.0/20 208.65.152.0/22 208.68.108.0/22 208.81.188.0/22 208.117.224.0/19 209.85.128.0/17 216.58.192.0/19 216.73.80.0/20 216.239.32.0/19} and ip.geoip.asnum eq 15169 and http.host eq "ha.example.com:1234" and http.request.uri.path eq "/api/google_assistant") or (http.request.uri.path eq "/auth/token")

Remember to replace the ha.example.com:1234 with your host and port #.

In “Choose action” select “Skip” and choose all the WAF components to skip (expand also the “More components to skip”).


Tried this, still doesn't work.

What do you mean with "replace the HA.example.com:1234"?

We are all changing it to something like homeassistant.mydomain.com.

Still add the port? Or do it without? And shouldn't it be HTTPS?

Or should it be the internal http://internalipadress:8123?

Ever since my Home Assistant has been restored, cloudflared is driving me nuts. Can't repair this part.

I see it sometimes doing this skip.

But on my phone it instantly blocks.

This is working for me.


This worked in my case as well. It's important to notice that the block countries rule comes in second and the Google ASN skip is in first place! I got them flipped first.

Thanks so much.

I got back to this a few days ago and finally got it working.

I tried many solutions from the thread "Google Home: Could not reach [test] myapp. Please try again" (#49 by Zoomtronic) but none of them would work.

What ended up working for me in the end was to recreate the project in Google (probably unnecessary) and temporarily go back to directly exposing the HA HTTPS interface on port 443 using NGINX SSL Proxy (or NGINX Proxy Manager) and a port forward. I set this up and then created a new project on the Google side, and after following the steps I finally got a prompt to log in through the Google Home app.

After this, I switched back to cloudflared and it's been working fine since. I feel like there was something in the cloudflared configuration that was resulting in the timeout message, but I didn't see anything obvious (checked WAF etc. as mentioned above); either that, or I got lucky and it just happened to work this time around.

Since setup, I've had no issues: my IP has changed, I am only using Cloudflare Tunnel for access, and HA has been restarted.


mTLS is a huge upgrade. Just install certificates on desired devices and block everything except traffic from these devices and the Google ASN.

mTLS isn’t compatible with the iOS app though, right? Otherwise, this would definitely be my goto approach as well.

I totally agree with you. If I activate IPs or geolocation in the Cloudflare tunnel, Google Home services do not work. If you can explain a little more or make a project of how you have set up NGINX SSL Proxy for 443, I would appreciate it. Thank you.

This doesn't seem to work for me.

I see a first message that the link is established, but then after a while I see another message (error, please try again later).

Any hint?

This is working well for Google Assistant:

Expression Preview
(http.request.uri.path contains "/api/google_assistant" and ip.geoip.asnum eq 15169) or (http.request.uri.path eq "/auth/token" and ip.geoip.asnum eq 15169) or (cf.tls_client_auth.cert_verified)

By using URI filtering you get only legitimate GA requests not google search bots etc.

The rule order looks like:

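The two rule expressions posted in this thread (the IP-list/ASN/host/path rule in the first post and the shorter ASN-plus-mTLS rule just above) modelled as Python predicates and walked in order, so the ordering point raised earlier (the Google skip rule has to sit before the country block) can be checked offline. This is an added example, not code from the thread or from Cloudflare. The first-match loop is a simplification of Cloudflare's rule engine, and `ha.example.com`, the allowed-country set, the shortened prefix list and the sample requests are assumptions made for the example. One thing the model makes visible: the first expression's `/auth/token` clause carries no source constraint, so it matches any client, while the second expression ties that path to AS15169 or a verified client certificate.

```python
"""Offline model of the Cloudflare WAF custom-rule chain discussed in this thread.

Added example, not code from the thread or from Cloudflare. It re-implements the
two posted rule expressions as Python predicates and walks them in order, the way
Cloudflare evaluates custom rules, so the effect of rule order can be checked.
Field names mirror the expression fields used in the posts (ip.src,
ip.geoip.asnum, ip.geoip.country, http.host, http.request.uri.path,
cf.tls_client_auth.cert_verified). The host name, allowed-country set, sample
requests and the shortened prefix list are constructed for this example.
"""
import ipaddress
from dataclasses import dataclass
from typing import Callable, List, Tuple

GOOGLE_ASN = 15169  # AS15169 (Google), as used in both posted rules

# A handful of the prefixes from the first post's rule; the full list is there.
GOOGLE_PREFIXES = [ipaddress.ip_network(p) for p in (
    "8.8.8.0/24", "34.64.0.0/10", "35.192.0.0/14", "66.249.64.0/19",
    "74.125.0.0/16", "172.217.0.0/16", "209.85.128.0/17",
)]

HA_HOST = "ha.example.com"     # assumed; stands in for the post's host placeholder
ALLOWED_COUNTRIES = {"DE"}      # assumed allow-list for the "block countries" rule


@dataclass(frozen=True)
class Request:
    """The request fields the posted expressions look at."""
    src_ip: str                  # ip.src
    asn: int                     # ip.geoip.asnum
    country: str                 # ip.geoip.country
    host: str                    # http.host
    path: str                    # http.request.uri.path
    cert_verified: bool = False  # cf.tls_client_auth.cert_verified


def ip_in(ip: str, prefixes) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in prefixes)


def skip_rule_v1(r: Request) -> bool:
    """First post: (IP list AND ASN AND host AND exact path) OR bare /auth/token.

    The second disjunct has no source constraint, so any client requesting
    /auth/token matches this skip rule."""
    google_ga = (ip_in(r.src_ip, GOOGLE_PREFIXES) and r.asn == GOOGLE_ASN
                 and r.host == HA_HOST and r.path == "/api/google_assistant")
    return google_ga or r.path == "/auth/token"


def skip_rule_v2(r: Request) -> bool:
    """Later post: both paths tied to Google's ASN, or a verified mTLS client."""
    from_google = r.asn == GOOGLE_ASN
    return (("/api/google_assistant" in r.path and from_google)
            or (r.path == "/auth/token" and from_google)
            or r.cert_verified)


def block_countries(r: Request) -> bool:
    """The geo-block rule several posters run after the skip rule."""
    return r.country not in ALLOWED_COUNTRIES


Rule = Tuple[str, Callable[[Request], bool], str]  # (name, predicate, action)


def evaluate(rules: List[Rule], r: Request) -> str:
    """First matching rule decides. 'skip' models Cloudflare's Skip action with
    the remaining custom rules selected, so a match ends evaluation like 'block'."""
    for name, predicate, action in rules:
        if predicate(r):
            return f"{action}:{name}"
    return "allow"


# Constructed sample requests (documentation IP ranges and private-use ASNs).
GOOGLE_REQ = Request("74.125.24.1", GOOGLE_ASN, "US", HA_HOST, "/api/google_assistant")
STRANGER_TOKEN = Request("203.0.113.7", 64496, "US", HA_HOST, "/auth/token")
MTLS_PHONE = Request("198.51.100.9", 64497, "US", HA_HOST, "/lovelace", cert_verified=True)

CORRECT_ORDER: List[Rule] = [("google skip", skip_rule_v2, "skip"),
                             ("block countries", block_countries, "block")]
FLIPPED_ORDER: List[Rule] = list(reversed(CORRECT_ORDER))

if __name__ == "__main__":
    for label, rules in (("correct order", CORRECT_ORDER), ("flipped order", FLIPPED_ORDER)):
        print(f"{label}: Google request -> {evaluate(rules, GOOGLE_REQ)}")
    print("v1 skip for unknown client on /auth/token:", skip_rule_v1(STRANGER_TOKEN))
    print("v2 skip for unknown client on /auth/token:", skip_rule_v2(STRANGER_TOKEN))
    print("v2 skip for mTLS phone:", skip_rule_v2(MTLS_PHONE))
```

With the rules in the posted order the Google request is skipped past the country block; with the order flipped the same request is blocked before the skip rule is ever reached, which is the failure mode described above. The static prefix list in the first rule is a snapshot and will age, whereas the ASN test alone, as in the second rule, does not depend on it.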

It worked!

What does the second rule do?

In my case, the 404 error was related to the authorization URL. It was missing /authorize at the end.

I have followed all the steps in the integration guide and the post above, but I am always getting a “Cannot reach [test] myapp” error when trying to link google home.
I have the WAF rules from here https://community.home-assistant.io/t/how-to-connect-google-assistant-using-the-cloudflare-tunnel/545574/23 and I am able to access my external url from the HA app and outside network.
I tried disabling the WAF rules altogether, but it still doesn’t work. I do have access rules setup for some emails and the one here https://community.home-assistant.io/t/howto-secure-cloudflare-tunnels-remote-access/570837.

My configuration.yaml lines are as follows:

google_assistant:
  project_id: my_project_id
  service_account: !include SERVICE_ACCOUNT.JSON
  report_state: true
  expose_by_default: true

I get 405: method not allowed when I try to access my /api/google_assistant and /auth/token from both my external and internal url.

Do I just need to wait for some time or is there something I am missing?

I think it was because of the access rules. I can link it if I disable access rules completely.

Where exactly should I set this? I’ve clicked through the entire cloudflare panel but don’t see anything similar. Did I miss something or has cloudflare changed the interface?

Where/how did you disable the access rules? I’m out of ideas with what I can try now.

Previously I had Google Assistant working with DuckDNS, but after I migrated to the Cloudflare solution I tried to redo the entire Google Assistant setup, but it just won't work!

I’ve followed the steps in the thread’s initial post. I’ve recreated the project and actions in Google Console from scratch, using English as language and entered all the details that are needed for it to work.

I’m able to access Home Assistant remotely and I can curl /api/google_assistant and /auth/token and I get a "405: Method Not Allowed" response back.

But when I try to test/simulate the action on console.actions.google.com I only get a “We’re sorry, but something went wrong. Please try again.” when I ask the assistant something.

When I try to add the Home Assistant devices in the Google Home app I selected "[test] My App" and initially I get a message saying the link is successful, but then it continues to load and eventually I get a “Something went wrong. Please try again” message.

I’ve tried to add rules on Cloudflares in the section “Security > WAF > Custom rules”. The ones that @paulka007 listed here, what @mbe used here, and what @Arduxxxx posted here. But none of the variants make any difference when I add them to Cloudflare, same issue and errors.

Does anyone have any advice what I could try or what could be wrong? I’m using iOS by the way.

I meant the access rules under zero trust as mentioned here:
https://community.home-assistant.io/t/howto-secure-cloudflare-tunnels-remote-access/570837

I'm the exact same. I had Google Assistant working from when I used DuckDNS, but once I moved to Cloudflare I was no longer able to sync new devices, though I could use existing devices. I tried a number of times to get it working with Cloudflare but did not succeed.

I have recently added some more devices I want to be able to control through Google assistant so had another look and even deleted the whole Google project to start again.
I am now left with the situation that I can get as far as logging in with my home assistant credentials in the Google Home app but get the “Cannot reach [test] myapp” as seen by others.
It is very frustrating as I now have lost the ability to control all my devices through Google assistant.

I’m in the same situation. I used to use DuckDNS but occasionally got responses to voice commands saying the Home Assistant could not be reached. So I implemented NGINX which worked fine for remote access but still got the same error. Having been through all the threads on this problem I decided to use Cloudflared so I now have my own domain which again works perfectly for remote access but I can’t link Google Home at all now.

I've recreated the project from scratch (with a new name) on 4 or 5 occasions now. I have been through the latest iteration with a fine-tooth comb and checked that the project name and server name in the SERVICE.ACCOUNT.JSON and in the /google_assistant_integ.yaml files are correct.

When I use my phone to link to the new project (through a browser window, not the app, as suggested) I choose the new project. The next screen where you put in your username/password, where it says "you are about to give [your project] access to your Home Assistant instance", has one of the old project names and I can't see how to change it.

Oddly, that project still exists in Google Project but it doesn’t appear on Google Assistant as one of my projects (nor do some other attempts), so I can’t select it in the first place. But I have changed all the parameters in Google Project to the correct ones yet it still won’t connect. Obviously there is mismatch of server & project names internally in the two files I mentioned above (also probably a load of other mismatches in internal namings which I can’t see).

At the moment I’m not even sure I can easily go back to my original arrangement - but at least that worked some of the time!!!

I am stuck and have pretty much run out of ideas. Has anyone got any thoughts please?