HOWTO: Secure Cloudflare Tunnels remote access

Edit Aug 2024:
Just had someone point out Matterbridge (also available as a Home Assistant addon) which does what it says on the box, it bridges HA devices to Matter. This means both Google Home and Alexa (and Homekit too, but that already worked locally) can see anything in HA as a matter device, even if it’s native wifi or bluetooth or zigbee or whatever, and trigger everything locally! Secure and fast, that’s what we want.

It’s still pretty early days for Matterbridge and the HASS addon author may be changing over a new implementation entirely but once whatever results is stable it should largely obviate the need to secure Google Home access to Home Assistant, because it’ll never need to leave your house.


Remote access to HASS is required to setup Google Assistant and Alexa voice control, but just turning it on with Cloudflare Tunnels exposes your HASS to the internet similarly to a simple port forward except it doesn’t expose your IP address. Attackers can still directly hit your install if they know the URL. This approach removes most of that risk by only allowing access from Google Assistant’s IP ranges.

Note this is more secure than Nabu Casa cloud as they don’t restrict source IPs at the time I’m writing this. They could easily (and probably should) offer users that option though.

It’s fairly complicated and I didn’t find anyone writing a clear HOWTO do it, so I hope my experience can benefit others-- and I also hope the approach can be improved, if anyone has any tips!

  1. Install the Cloudflared addon (for HASS OS) or run it in a container or locally if you use a different install. More detail there is beyond the scope of this HOWTO, it’s well-documented.
  1. Follow the instructions for the addon with the “remote managed tunnels” option. Yeah, we’re doing this the hard way. You will need to put the Cloudflare Tunnel Token in the cloudflared addon configuration, or set it up in cloudflared directly if you aren’t using HASS OS. That Tunnel Token comes from their dashboard below.

    Once you do this the config in the cloudflared addon is completely ignored, everything must be configured inside Cloudflare’s dashboard.

  1. Test that your HASS is reachable on the internet using the domain name you chose. Great, Cloudflare tunnels work.

  2. Go to Cloudflare’s dashboard on their website, Zero Trust > Access > Tunnels. Select your tunnel. (This is where the Tunnel ID comes from for the Cloudflare Tunnel Token above.)

    Check that everything is correct. The public hostname and service target (http://yourip:8123) must be right. Verify that remote access to that domain still works.

  3. Go to Cloudflare’s dashboard, Zero Trust > Access > Access Groups. Create a new group, named whatever you like. I used “Google Assistant IPs”.

    Under Group Configuration > Include, selector IP ranges, add the following ranges.

    This is a list of all the IP ranges Google Assistant queries currently originate from. No guarantee they won’t change in the future, thems the breaks.

    Note: If anyone has IP ranges for Alexa ingress, please let me know and I’ll update this post.

    Google Assistant Source IPs
    108.177.0.0/17
    192.178.0.0/15
    66.102.0.0/20
    74.125.0.0/16
    66.249.80.0/20

    You will want to add your home IP address also, so it works from your home for testing purposes. If you have any other people that you want to grant remote access you will need to add their IPs also, or just set them up with Tailscale for local access (which would be my recommendation).

    If your home IP address is 12.24.48.96, you would use 12.24.48.96/32.

    Note: You could also setup Cloudflare’s authentication to allow specific email addresses to access the site, or even authenticate with via Github or other sites but that’s beyond the scope of this HOWTO.

  4. Go to Cloudflare’s dashboard, Zero Trust > Access > Applications. Add an application.

    Under Overview:

    • Application name: Whatever you want, I used “HomeAssistant”
    • Session duration: 15 minutes
    • Domain: your domain

    Under Policies:

    • Add a policy
    • Name: Whatever you want, I used “Bypass CF auth from Google IPs”
    • Action: Bypass
    • Session duration: Same as app timeout
    • Assign a group: choose your group name from above
    • Click Add Policy to save it

    Under authentication:

    • Accept all available identity providers: enabled

    Under settings:

    • Default
  5. Validation

    • Verify access to your hostname still works from your home IP
    • Verify access to your hostname does NOT work from an external IP. Turn off wifi on your phone, etc.
  6. At this point, we should be done! Google Assistant should work and random internet attackers should be unable to access it at all, instead seeing an “access denied” page from Cloudflare.

16 Likes

I don’t use the Cloudflare HA add-on but use the native instead. I setup an Application to “Protect your Self-Hosted, SaaS and Private applications with Zero Trust policies”. I use my GitHub credentials. Doesn’t that protect you from attackers? Is that not available in add-on? I have only been using it about two months.

1 Like

Should work the same way, sure. Until you authenticate with your github login Cloudflare won’t let you through. Very easy to test, just use an incognito browser window. You can allow the google IPs to bypass authentication as documented above also, if you need it.

I didn’t configure any authentication at all, so everything is blocked unless it’s in that IP list to bypass it entirely. I did mention allowing specific email addresses and of course CF has a bunch of other options too, but the guide was already getting really long.

Personally I’m on a wireguard VPN to my home LAN 100% of the time anyway.

The addon doesn’t let you setup authentication “applications”, no.

@Stephenn - did you have to play around with timeouts at all? I’ve just setup an external IDP to add an additional layer and it works just fine… for about 60 seconds and then I’m logged out and have to re-auth through my identity provider. Thoughts?

I did not. I have had cases when I access HA remotely that it fails and waits 60 seconds before trying again.

1 Like

You can set the timeout in the CF dashboard. I picked 15 minutes in the OP because I don’t actually use any of their authentication mechanisms, I just set Google IPs to bypass them. If you use CF auth you can set it to ask people to reauthenticate after like a month.

1 Like

This is huge thanks for posting!

1 Like

Hi. What about accessing from the HA app? Is it still possible?

4 Likes

Adding oauth breaks the HA app. Still finding a workaround.

1 Like

If you figure it out, please post here and I’ll edit the OP. I connect to my home LAN through a locally-hosted wireguard VPN so I don’t experience the problem. The HA app works fine through CF tunnels without authentication.

1 Like

Any resolution to this problem where turning on authentication for cloudflare tunnels breaks the Home Assistant app from working. I am blown away that this problem exists and has not been solved yet…

Hm, followed the instructions and getting the following error in cloudflared logs when running it. Evidently some config file is missing?

I would double check the secret you are pasting from CF Tunnels.

Looks like this is pending an update from the HA app side. It doesn’t support this feature yet.

Technically that should be 12.24.48.96/32.

2 Likes

Right, the HA app would need to support authenticating to cloudflare as there’s no way to authenticate in your browser then copy the cookie over to the app. Maybe on android if you’re rooted, certainly not iOS. The apps are open-source and I bet they’d accept a pull request if anyone wants to add that feature.

@flyize thanks, fixed.

2 Likes

@dshokouhi is very active and may have some comments.

there is an existing PR but there are a few considerations that may not make it entirely possible. Check the open PRs for the current status

3 Likes

Wow, yes indeed, people have been seriously looking at this for some time now. The real blocker seems to be the 1-month maximum authentication lifetime, which would cause push notifications to silently fail.

They have thoughts on a fix but it looks like it wouldn’t work as an addon or HACS, it needs a code change and Nabu Casa has a clear incentive not to support additional authentication options to enable secure remote access as that is their primary revenue source.

No the bigger blocker is that the headers simply wont work in the WebView which means parts of the app won’t work. Check this comment https://github.com/home-assistant/android/issues/2650#issuecomment-1533732560

1 Like