Just wanted to say a huge thank you to @brenner-tobias for this awesome add-on! When I saw about this in one of the YT channels, I felt I would give it a try. All went smooth, now even able to get into my router through an additional sub-domain, all is lightning fast and I could get rid of port forwarding.
Super job, thank you!
I just discovered that addon, it works very well, I disabled nginx proxy and use it for all my subdomains. Thanks for your work.
Short question:
Is the main difference to the official cloudflare integration (Cloudflare - Home Assistant) that this one here would create a tunnel without ports 80 and 443 being open?
But with the drawback that you would need these ports anyways for the NGINX Proxy Manager as reverse proxy for multiple domains, something that you therefore also started to build into your add-on?
If you have Nginx Proxy Manager add-on you dont need any open ports open. The tunnel is created to Cloudflared then it would pass the stream to NPM already inside your network, then NPM can do further routing if needed (for example if you setup subfolders).
For those wondering how to set up Cloudflare Zero Access, here is a guide.
Cloudflare Zero Access is an authentication deployed by Cloudflare that users have to do before they get to your tunnel.
You don’t even need Cloudflared add-on installed as long as you are using Cloudflare dns and routing traffic to your network through them you can use this. This is a great option since Cloudflare will also provide a firewall and block bots etc automatically before that bad traffic even gets to your network.
Ok let’s do it…
Thats it, you are all done!
Open an incognito tab and go to your subdomain that you setup under application settings. You should get a prompt to enter email to send a one time pin. If you used the email from step 4 you should get an email with the code.
Now is a good time to add other authentication methods (if you want). Repeate step 5 but this time add Github. It is the second easiest to set up, just make sure you add the email that you used in your GitHub account to the authorized list (step 4) and you should be all set. Google is a bit more involved but their guide on Cloudlfare when you are adding it as authentication method is easy to follow.
You might have to go back to your app and under Authentication toggle your newly added one.
Now that you verified that it’s working you can go back to your app and add additional policies as needed. For example if you know you won’t be logging in from Africa, you can block that country all together etc.
Hope this helps!
This doesn’t work with the HA companion App for IOS. Any ideas?
I did a quick search through but perhaps it was missed. Does Cloudflare no longer support the freenom.com domains. The error listed is below when trying to create the tunnel:
Error: You cannot use this API for domains with a .cf, .ga, .gq, .ml, or .tk TLD (top-level domain). To configure the DNS settings for this domain, use the Cloudflare Dashboard.
If you are using Zero Trust with IOS App then yes it won’t work since iOS doesn’t expect a Cloud Flare firewall with authentication to be there.
iOS companion app works fine for me, just displays the Cloudflare Access screen and after authentication proceeds.
Are you sure? It redirects and proceeds further with zero trust enabled?
Yes. Would you like to provide more details on what doesn’t work for you?
It’s not perfect by any means. I imagine the iOS app could be improved to better accommodate setups like this. But I was able to e.g. request an access code by email, fill it in and I haven’t seen the Cloudflare Access screen since.
interesting, ill have to try it via email. I use Google as my identity provider where it needs to be redirected to google for authentication. That might be the issue.
Did you manage to get Wireguard working with this addon?
The sub domain is live on Cloudflare and working. Wireguard is up and running on my HA instance. Wireguard app on my phone claims that it’s connected…no bueno.
It’s not a deal breaker for me, I only use it to circumvent work’s wifi so I can listen to Spotify there but if I can get it back up and running with this addon I’d love to. If not, it’s back to Cryptostorm/Mullvad for me.
Google works on a browser nicely, but not in the app on iOS. Either use email auth, or create a bypass rule for the warp app and use that on your phone. Works even better then as you never need to authenticate just turn on the warp
Regarding Cloudflare Access in the App. For me, Google Login is not working, while login with GitHub is working fine. Sometimes, I have to kill and restart the app after authenticating but thats really it. I also increased the lease time to maximum so I only have to login every couple of weeks (or months? not sure)
The app does work at least with the email identity provider. To fully use sensor data and notifications, several API endpoints need to be whitelisted (i.e. no identity check for those URLs) as there is no way to provide authentication tokens for iOS background tasks.
Nah stopped trying. Apparently anything else than HTTP is not allowed, unless you have a subscription. Sometimes TCP still works if the bandwith is low.
Since wireguard uses UDP and not TCP, really doesn’t work…
I stopped using this addon entirely since I use wireguard and Cloudflare security firewall for the country, IPs and all
I got the Add-On enabled and working; so far it’s great.
Question: Do I still need to keep my Dynamic DNS entry updated at all with Cloudflare? Will this tunnel work even if my home IP address changes? I was previously using the built-in Cloudflare integration, but it’s unclear if I need this anymore with this custom add-on.
You dont need to keep your Dynamic DNS entry if all you were using it for was remote access.
CloudflareD communicates from your HA install to Cloudflare and sorts out all the required IP type things internally.