Remote access to HASS is required to set up Google Assistant and Alexa voice control, but just turning it on with Cloudflare Tunnels exposes your HASS to the internet similarly to a simple port forward, except it doesn’t expose your IP address. Attackers can still directly hit your install if they know the URL. This approach removes most of that risk by only allowing access from Google Assistant’s IP ranges.
Note this is more secure than Nabu Casa cloud as they don’t restrict source IPs at the time I’m writing this. They could easily (and probably should) offer users that option though.
It’s fairly complicated and I didn’t find anyone writing a clear HOWTO on doing it, so I hope my experience can benefit others, and I also hope the approach can be improved, if anyone has any tips!
- Install the Cloudflared addon (for HASS OS) or run it in a container or locally if you use a different install. More detail there is beyond the scope of this HOWTO, it’s well-documented.
- Follow the instructions for the addon with the “remote managed tunnels” option. Yeah, we’re doing this the hard way. You will need to put the `Cloudflare Tunnel Token` in the cloudflared addon configuration, or set it up in cloudflared directly if you aren’t using HASS OS. That Tunnel Token comes from their dashboard below. Once you do this the config in the cloudflared addon is completely ignored; everything must be configured inside Cloudflare’s dashboard.
- Test that your HASS is reachable on the internet using the domain name you chose. Great, Cloudflare tunnels work.
- Go to Cloudflare’s dashboard on their website, Zero Trust > Access > Tunnels. Select your tunnel. (This is where the Tunnel ID comes from for the `Cloudflare Tunnel Token` above.) Check that everything is correct. The public hostname and service target (`http://yourip:8123`) must be right. Verify that remote access to that domain still works.
- Go to Cloudflare’s dashboard, Zero Trust > Access > Access Groups. Create a new group, named whatever you like. I used “Google Assistant IPs”. Under Group Configuration > Include, selector IP ranges, add the following ranges. This is a list of all the IP ranges Google Assistant queries currently originate from. No guarantee they won’t change in the future, thems the breaks.

  Note: If anyone has IP ranges for Alexa ingress, please let me know and I’ll update this post.

  Google Assistant Source IPs:
  - 66.249.80.0/29
  - 108.177.0.0/17
  - 192.178.0.0/15
  - 66.102.0.0/20
  - 74.125.0.0/16

  You will want to add your home IP address also, so it works from your home for testing purposes. If you have any other people that you want to grant remote access you will need to add their IPs also, or just set them up with Tailscale for local access (which would be my recommendation).

  If your home IP address is `12.24.48.96`, you would use `12.24.48.96/32`.

  Note: You could also set up Cloudflare’s authentication to allow specific email addresses to access the site, or even authenticate via GitHub or other sites, but that’s beyond the scope of this HOWTO.
- Go to Cloudflare’s dashboard, Zero Trust > Access > Applications. Add an application.

  Under Overview:
  - Application name: Whatever you want, I used “HomeAssistant”
  - Session duration: 15 minutes
  - Domain: your domain

  Under Policies:
  - Add a policy
  - Name: Whatever you want, I used “Bypass CF auth from Google IPs”
  - Action: Bypass
  - Session duration: Same as app timeout
  - Assign a group: choose your group name from above
  - Click Add Policy to save it

  Under Authentication:
  - Accept all available identity providers: enabled

  Under Settings:
  - Default
- Validation
  - Verify access to your hostname still works from your home IP
  - Verify access to your hostname does NOT work from an external IP. Turn off wifi on your phone, etc.
- At this point, we should be done! Google Assistant should work and random internet attackers should be unable to access it at all, instead seeing an “access denied” page from Cloudflare.
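As an added example (not part of the original post, and not Cloudflare’s or Home Assistant’s code), here is a small Python script that models the Access Group from the IP ranges step and the Bypass policy from the Applications step, so you can sanity-check the allowlist offline before relying on the validation step. It parses the ranges exactly as listed in the post plus the placeholder home IP `12.24.48.96/32`, collapses duplicates, and reports which entry (if any) would let a given source address bypass Cloudflare Access. The sample source addresses at the bottom are constructed for illustration; a rejected range with host bits set (for example `12.24.48.96/24`) is treated as a typo and raises, which is the kind of mistake that silently widens an allowlist.

```python
import ipaddress
from typing import Iterable, List, Optional, Union

Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]

# The Google Assistant source ranges listed in the post.
GOOGLE_ASSISTANT_RANGES = [
    "66.249.80.0/29",
    "108.177.0.0/17",
    "192.178.0.0/15",
    "66.102.0.0/20",
    "74.125.0.0/16",
]

# Placeholder home address from the post; replace with your own /32.
HOME_IP_RANGE = "12.24.48.96/32"


def build_allowlist(ranges: Iterable[str]) -> List[Network]:
    """Parse the ranges and collapse duplicates/overlaps.

    strict=True makes a range with host bits set (e.g. "12.24.48.96/24")
    raise ValueError, which almost always means a typo in the prefix length
    that would otherwise admit a whole /24 instead of one address.
    """
    nets = [ipaddress.ip_network(r, strict=True) for r in ranges]
    # collapse_addresses() refuses mixed families, so collapse v4 and v6 separately.
    v4 = [n for n in nets if n.version == 4]
    v6 = [n for n in nets if n.version == 6]
    return list(ipaddress.collapse_addresses(v4)) + list(ipaddress.collapse_addresses(v6))


def matching_range(ip: str, allowlist: List[Network]) -> Optional[str]:
    """Return the allowlist entry that contains ip, or None if nothing matches."""
    addr = ipaddress.ip_address(ip)
    for net in allowlist:
        if addr in net:  # False for a family mismatch, so v6 never matches a v4 entry
            return str(net)
    return None


def access_decision(ip: str, allowlist: List[Network]) -> str:
    """Mirror the policy configured in the post: a Bypass policy for the IP group.

    A source inside the group skips Cloudflare Access and reaches HASS; anything
    else stays with Access, which (with no matching Allow policy) ends at the
    "access denied" page described at the end of the post.
    """
    return "bypass" if matching_range(ip, allowlist) else "denied"


if __name__ == "__main__":
    allowlist = build_allowlist(GOOGLE_ASSISTANT_RANGES + [HOME_IP_RANGE])
    print("Collapsed allowlist:", ", ".join(str(n) for n in allowlist))
    # Constructed sample sources: a Google address, the placeholder home IP, an unrelated address.
    for src in ("66.249.80.5", "12.24.48.96", "8.8.8.8"):
        print(f"{src:>15} -> {access_decision(src, allowlist)} (matched {matching_range(src, allowlist)})")
```

Run it after editing the group in the dashboard so the list in the script matches what you actually saved; the "denied" result for an address outside the group is the offline counterpart of the phone-on-mobile-data check in the Validation step, and a ValueError on startup means one of your entries has a prefix length that does not match the address.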