HOWTO: Secure Cloudflare Tunnels remote access

Ahh, I read that as saying you couldn’t re-authenticate after the 1 month period was up. Thanks for the correction.

Anyway, at this point I would recommend using Tailscale to access Home Assistant remotely. Nobody needs third parties to login interactively, and the source IP constraints I have in the OP let Google Assistant connect. Or Alexa, if someone finds those source IPs.

I went through the setup guide; during the first start it created a random hostname, fine. I then went into the configuration tab, set up a subdomain hostname and restarted. Only then did I think to look at the log. I copied and pasted the URL from the log and authenticated with Cloudflare. It proceeded to do this:

If you wish to copy your credentials to a server, they have been saved to:
[10:09:53] INFO: Authentication successfull, moving auth file to the '/data' folder
[10:09:53] INFO: Checking for existing certificate...
[10:09:53] INFO: Existing certificate found
[10:09:53] INFO: Checking for existing tunnel...
[10:09:53] NOTICE: No tunnel file found
[10:09:53] INFO: Creating new tunnel...
Tunnel credentials written to /data/tunnel.json. Keep this file secret. To revoke these credentials, delete the tunnel.
Created tunnel homeassistant with id [REDACTED]
[10:09:55] INFO: Checking for existing tunnel...
[10:09:55] INFO: Existing tunnel with ID [REDACTED] found
[10:09:55] INFO: Checking if existing tunnel matches name given in config
[10:09:56] INFO: Existing Cloudflare Tunnel name matches config, proceeding with existing tunnel file
[10:09:56] INFO: Creating config file...

I can see the new hostname in my dns records panel on Cloudflare, and in the Zero Trust I see Status: “INACTIVE”:

And the logs keep showing this:

2023-09-12T08:24:40Z ERR Failed to create new quic connection error=“failed to dial to edge with quic: timeout: no recent network activity” connIndex=0 event=0 ip=[REDACTED]

When I try to open the new sub-domain DNS record I get this:

Error 1033

Argo Tunnel error

What happened?

You’ve requested a page on a website (REDACTED) that is on the Cloudflare network. The host (REDACTED) is configured as an Argo Tunnel, and Cloudflare is currently unable to resolve it.

What can I do?

If you are a visitor of this website:
Please try again in a few minutes.

If you are the owner of this website:
Ensure that cloudflared is running and can reach the network. You may wish to enable load balancing for your tunnel.

What am I doing wrong? I am using the standard Home Assistant install on a Raspberry Pi, and the “addon-cloudflared” from the brenner-tobias repo. On the Cloudflare Zero Trust, it says it’s “locally configured” and is asking if I want to migrate it:

EDIT (35 minutes later): I manually configured the tunnel and now I see a healthy status. When I visit the URL I get “400: Bad Request”. Is there anything else I have to do on the Home Assistant (LAN) side?

EDIT (2 hours later): I finally got the tunnel to work. Changing some firewall settings and restarting Home Assistant seemed to fix that issue. Now I’m trying to set up “Smart Things” and it’s trying to use an incoming web hook, but the URL it is trying to use is my internal IP address “” instead of the external DNS tunnel hostname I’m using. Is there somewhere to configure this?

EDIT (2.5 hours later): Found a setting in Settings → System → Network to set an external hostname. That fixed the incoming web hooks issue. Still trying to work through the Samsung Smart Things API. But getting there. Leaving this here for anyone that might run into similar issues.

I’d be interested to know how to achieve this with Tailscale. I use HAOS and was using the Tailscale add-on for a while. Then I wanted to add Google Assistant to my setup and ended up creating a Tailscale Funnel to give me an external URL. I just don’t see a way of securing it like with Cloudflare authentication.

I thought you need an external domain to integrate with Google Assistant. Thanks!

You do need an external domain, yes. Tailscale Funnels get that for free; with Cloudflare you need your own, which costs a couple of dollars a year if you don’t already have one.

My understanding is tailscale funnels can’t be secured on their end, which is the key point I address in the OP.

FYI, your IP address ranges have a duplicate.

Thanks, fixed.

I have a list of AWS us-east-1 IP addresses that I extracted via Excel from this link and it’s working well for me for my Alexa Smart Home Skill. It’s a lengthy list (896 IP ranges).

I tried for several hours to get a Cloudflare WARP client tunnel on my phone to work but to no avail and ended up using the HA Tailscale Add-on with Tailscale for Android.

*** Update ***
I ditched Tailscale for Android as it was killing my battery. Normal 2+ day battery life consumed in less than 10 hours! I first went with OpenVPN to my pfSense firewall, which I got working but had to configure the OpenVPN for Android app to exclude the Android Auto app. I then re-attacked Cloudflare WARP and managed to find a way to get it working by configuring Split Tunnels in Cloudflare to include only for the WARP client plus enabling Proxy under Settings > Network.

Is that range Alexa-specific? Don’t want to allow all of US-east.

No, there are no published IP ranges for just Alexa, and I’m pleased that Alexa continues to work with just that region since there are other US regions (us-east-2, us-west-1, us-west-2, us-gov-east-1, us-gov-west-1 and GLOBAL) Alexa could be running on. There’s a total of 9,787 ranges in that JSON list, so limiting to 896 is substantial (only 9%)!
AWS us-east-1 is where my Home Assistant custom skill is hosted, so this is as narrow as I can make it and still have that skill work.
I’m happy to report that the occasional failed login attempts have ceased since narrowing my firewall to those IP ranges!
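For anyone building a region-filtered allowlist like the one described above, here is an added example (not code from any poster in this thread) that parses a document in the shape of AWS's published ip-ranges.json (https://ip-ranges.amazonaws.com/ip-ranges.json), keeps only one region's IPv4 prefixes, removes the duplicate and redundant entries the thread warned about, and checks a connection's source address against the result. The JSON below is a constructed sample, not real AWS data.

```python
import ipaddress
import json

# Constructed sample in the shape of AWS's ip-ranges.json; the prefixes
# and token are made up for this example, not real published ranges.
SAMPLE_IP_RANGES = """{
  "syncToken": "0000000000",
  "createDate": "2023-09-12-00-00-00",
  "prefixes": [
    {"ip_prefix": "3.80.0.0/12", "region": "us-east-1", "service": "AMAZON"},
    {"ip_prefix": "3.80.0.0/12", "region": "us-east-1", "service": "EC2"},
    {"ip_prefix": "3.88.0.0/14", "region": "us-east-1", "service": "EC2"},
    {"ip_prefix": "52.92.0.0/22", "region": "us-east-1", "service": "AMAZON"},
    {"ip_prefix": "3.5.140.0/22", "region": "ap-northeast-2", "service": "AMAZON"},
    {"ip_prefix": "18.160.0.0/15", "region": "GLOBAL", "service": "CLOUDFRONT"}
  ],
  "ipv6_prefixes": []
}"""

def region_allowlist(ip_ranges_json: str, region: str) -> list[str]:
    """Collect the IPv4 prefixes published for one region and return them as
    a clean allowlist: exact duplicates (the same prefix is listed once per
    service) are dropped and prefixes covered by a larger one are collapsed."""
    doc = json.loads(ip_ranges_json)
    nets = {ipaddress.ip_network(p["ip_prefix"])
            for p in doc["prefixes"] if p["region"] == region}
    return [str(n) for n in ipaddress.collapse_addresses(nets)]

def redundant_entries(cidrs: list[str]) -> list[str]:
    """Flag entries of an existing allowlist that repeat an earlier entry or
    are wholly contained in another one (the slip noticed earlier in the thread)."""
    nets = [ipaddress.ip_network(c) for c in cidrs]
    flagged = []
    for i, net in enumerate(nets):
        for j, other in enumerate(nets):
            if i != j and net.subnet_of(other) and (net != other or j < i):
                flagged.append(str(net))
                break
    return flagged

def is_allowed(cidrs: list[str], source_ip: str) -> bool:
    """True if a connection's source address falls inside the allowlist."""
    addr = ipaddress.ip_address(source_ip)
    return any(addr in ipaddress.ip_network(c) for c in cidrs)

if __name__ == "__main__":
    allow = region_allowlist(SAMPLE_IP_RANGES, "us-east-1")
    print(allow)                                   # ['3.80.0.0/12', '52.92.0.0/22']
    print(redundant_entries(["3.80.0.0/12", "3.88.0.0/14", "3.80.0.0/12"]))
    print(is_allowed(allow, "3.90.1.2"), is_allowed(allow, "18.160.0.1"))
```

Run it against the real file by reading its contents into `region_allowlist` in place of the sample; the allowlist it returns is what goes into the firewall or Cloudflare WAF rule.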

Glad that works for you, but I wouldn’t recommend it for others as it’s trivial to spin up a VM in US-East and bypass authentication. Certainly better than leaving everything open, though!

Also, ensure you have a minimal number of user accounts configured in HA who can log on outside the local network and also configure 2FA for those accounts!

I just didn’t like seeing the failed logins occurring, so I locked it down as best I could!

I’m no longer using Cloudflare tunnels and instead use OpenVPN to my pfSense firewall for Home Assistant and Vaultwarden. Port 443 on my firewall is open to AWS us-east-1 for the purpose of Alexa Media Player integration and Alexa custom skill for Home Assistant. I only have one HA user account with a 12 character complex password plus 2FA which can log into HA from outside the local network.

My concern is less brute forcing logins than a 0day vulnerability allowing attackers in. Every application sees 0days, nothing against home assistant. The only real defense is not allowing connections in the first place.

I keep a WireGuard VPN open to my LAN on my phone etc. all the time anyway for ad blocking, so I access Home Assistant that way when required remotely.

I also have home assistant on an untrusted IoT VLAN with no access to my main LAN.