Not if you add a self hosted application in the zero trust dashboard too, add some rules, and then no one can then even see what your app is or get to the login page. They then get presented by whatever you specify:
I have used google auth so get a cloudflare login page that needs a google login.
I ban countries I don’t want. I specify that you need the cloudflare warp client and be part of my zero trust team.
Seems pretty secure to me. Once past the cloudflare login stuff you then have 2fa into ha.
I can only second that. Cloudflare Zero Trust offers you a great variety of possibilities to further secure your HA instance (see documentation). For me, I am using GitHub as login and 2FA provider and it is working great, also with my iOS App (though I have red some comments about this being more problematic with the Android App).
Yes as a default, but as the author has said, the cloudflare zero trust service offers numerous ways to secure this further, with logins, splash pages, 2fa, country blocks, and numerous others. It’s simple to follow and easy to do.
I installed the add-on and everything works like a charm! I added some sub domains to route traffic to my Nas as well. I also want to expose the mosquito add-on but i cant get it to work yet. is it even possible to route mqqt messages through the cloudflared tunnel? tried different ports with mqqt and websockets but i can not connect to mosquitto.
Hi and first of all THANK YOU so much for your work and effort put into this add-on! I have used the Duck dns add-on at home. Recently I decided to SMART up my cabin and decided to go with HA. With only mobile access I couldn’t get Duckdns to work, probably because of CGNAT. (I´m just a bit over entry level experienced, so this is just my assumption). After several hour reading and looking at youtube I found this add-on. Followed the steps and its works perfect with 4G mobile access!
Naturally, the next step was to get rid of Duckdns at home and replace it with Cloudflare. Created new domain and installed same way. But this time I get an error saying I have an existing tunnel, see below.
The link in the error message doesn’t work and I can’t figure out where to find the error. That’s why I’m asking the experts here for advice. Thank you in advance!!
s6-rc: info: service s6rc-oneshot-runner: starting
s6-rc: info: service s6rc-oneshot-runner successfully started
s6-rc: info: service fix-attrs: starting
s6-rc: info: service init-banner: starting
s6-rc: info: service fix-attrs successfully started
s6-rc: info: service legacy-cont-init: starting
s6-rc: info: service legacy-cont-init successfully started
Add-on: Cloudflared
Use a Cloudflare Tunnel to remotely connect to Home Assistant without opening any ports
Add-on version: 4.0.5
You are running the latest version of this add-on.
System: Home Assistant OS 9.3 (aarch64 / raspberrypi4-64)
Home Assistant Core: 2022.11.5
Home Assistant Supervisor: 2022.11.2
Please, share the above information when looking for help
or support in, e.g., GitHub or forums.
s6-rc: info: service init-banner successfully started
s6-rc: info: service init-log-level: starting
s6-rc: info: service init-log-level successfully started
s6-rc: info: service init-cloudflared-config: starting
[14:55:54] INFO: Checking config for legacy options…
[14:55:54] INFO: Checking add-on config…
[14:55:56] INFO: Checking for existing certificate…
[14:55:56] INFO: Existing certificate found
[14:55:56] INFO: Checking for existing tunnel…
[14:55:56] NOTICE: No tunnel file found
[14:55:56] INFO: Creating new tunnel…
failed to create tunnel: Create Tunnel API call failed: tunnel with name already exists
[14:55:57] FATAL: Failed to create tunnel.
Please check the Cloudflare Teams Dashboard for an existing tunnel with the name homeassistant and delete it: https://dash.teams.cloudflare.com/ Access / Tunnels
s6-rc: warning: unable to start service init-cloudflared-config: command exited 1
/run/s6/basedir/scripts/rc.init: warning: s6-rc failed to properly bring all the services up! Check your logs (in /run/uncaught-logs/current if you have in-container logging) for more information.
prog: fatal: stopping the container.
s6-rc: info: service legacy-cont-init: stopping
s6-rc: info: service init-log-level: stopping
s6-rc: info: service init-log-level successfully stopped
s6-rc: info: service init-banner: stopping
s6-rc: info: service init-banner successfully stopped
s6-rc: info: service legacy-cont-init successfully stopped
s6-rc: info: service fix-attrs: stopping
s6-rc: info: service fix-attrs successfully stopped
s6-rc: info: service s6rc-oneshot-runner: stopping
s6-rc: info: service s6rc-oneshot-runner successfully stopped
Thx for you reply Alec! You’re probably right, but the link doesn’t take me to the right place it seems. (https://dash.teams.cloudflare.com/ Access / Tunnels). Is there a “how to explanation” for setting up another tunnel in Cloudflare? Do I need to do something in HA or is the domain input sufficient?
Which link are you referring to? I linked to the documentation for the add-on tunnel_name option.
Don’t set up the tunnel within Cloudflare. The recommended installation method as-per the docs is “local tunnel” which is managed by the add-on running within Home Assistant, instead of managed by you within the Cloudflare UI.
So for example, it sounds like you want a setup something like this:
hi all, just about to move over to cloudflared for remote access from nabu casa. I use duck dns to scan for external IP changes on my dual WAN setup. So ideally i’d like to retain Duck DNS for this purpose. This is mainly so I can wireguard into my router if things go wrong with HA.
I did read somewhere that DuckDNS needs to be removed before cloudflared is setup?
If thats the case then, can I use cloudflared to access whole subnets on my network? and is that safe?
I moved from DuckDNS to Cloudfare few months ago, and it was the best decision ever. I believe CF is way more secure than DDNS. I bought custom domain from CF and it is managed by them. I put my domain behind CF firewall like I can only access HA from USA, no other country can access my domain and as someone suggest before I’ve enabled email 2FA to access my domain thhrough CF Zero Trust. So even if someone has my domain they don’t know what kind of application is it.
Hi guys, does anyone know if its possible to use rdp as an added host service?
or if its possible to use the Cloudflare setup on my HA to RDP on to my PC.
if so can somebody point me into the right direction so i can get it set up.
am very very new to HA
Yes, RDP is supported by the Cloudflare tunnel, you can find a specific documentation here.
The high-level steps would be:
Enable RDP on your windows machine, define a static IP address for your local machine (e.g. 192.168.2.10).
Create a Cloudflare tunnel (if not already happened, I suggest to use the set-up via the Cloudflare dashboard (see here) and start it.
Decide, if you want to “route” complete networks via Cloudflare Warp of if you only want to create some public hosts (I will go with the second option for now)
Create a public hostname. Enter whatever (sub)domain and optionally path you want to expose for the RDP connection in the Public hostname section. In the Service section, select “RDP” as Type and enter your PCs internal IP (defined in step 1), including the port (default port for RDP is 3389.
Store the settings, the config of your HA add-on will be updated automatically.
Create a Cloudflare Zero Trust Application for the RDP connection (I suggest to also do so for the HA connection, you can follow this documentation, for me, GitHub as identity provider works best).
This should do the trick, including an additional layer of security. If you have any problems or questions, feel free to start a new discussion around RDP connections using Cloudflare tunnel here.
I have been unable to figure out how to configure this to use a subdomain. I was able to follow the documentation and successfully setup the cloudflare tunnel on my domain “example.com”, but I would like only traffic from “homeassistant.example.com” to be routed to my server. Any ideas on how I can accomplish this?
How did you set-up the tunnel (remote or local)?
Either way, it is quite simple. If you use the local tunnel, simply enter your subdomain as the external_hostname variable.
If you are using a remote tunnel, managed in the Cloudflare dashboard, then you also have the option to define the public hostname as a subdomain.
I am sorry to not be of more help, but there really is no difference between defining a subdomain and or a “normal” domain.
Sorry, rereading my question I realize it was not very clear. My issue is that using the subdomain “homassistant.example.com” does indeed work, but using the parent domain “example.com” brings the browser to a page saying “Unable to connect to Home Assistant.”. I would like this page not not resolve to anything at all (ie 404 status code) … in the future it will redirect to a website I own which is completely unrelated to the server running my HA
Ok got it. I assume there is an old DNS entry in your Cloudflare DNS overview for the domain “example.com”. So I suggest you go to dash.cloudflare.com, then to your website, on the left to “DNS” and look for any entries where the name is your main domain (example.com). It will probably be a CNAME record pointing to the tunnel, which you can delete.
Can you connect to HA locally? If so, please have a look at the Cloudflare Add-On logs and post what you see there.
Continuing the discussion in this issue on GitHub.
Due to performance concerns on the older Raspberry Pi I am running PiHole on I wonder if it is possible to use the Home Assistant cloudflared for the same purpose.
This is done by starting the cloudflared service with the following command:
The addon configuration only allows specific configuration options, so I think it would require change to the code to allow the option. I’m not sure if it is possible to run cloudflared both as tunnel and dns-proxy at the same time. Does this seem like a good idea?
Thanks a lot for the suggestion, I have thought about implementing that myself a couple of times. If you do not mind, please open a discussion for that feature on GitHub, so we can debate there if and how to implemented that in the best way.