New Add-On: Cloudflared

First, thank you for the plugin. I like what I see.

Second, sorry for the complete noob question. I googled, but can’t find an answer.

The installation instructions were very clear and easy until I got this message from Cloudflare: “Copy the certificate to your home directory or manually configure Argo Tunnel with the path to the certificate using the --origincert option.”

I’m using the “Samba share” add-on, but can’t paste the certificate to the root folder (“Operation not supported”). Can you please write instructions on how to overcome that? I suspect that I’m not the only one.

Thank you!

I am glad you like the add-on (even though it is not working for you right now…).

I am not sure at which point you encounter this request from Cloudflare, so please provide more information on that.

If you set up the add-on in HomeAssistant, you have to configure a hostname (a subdomain of your domain name) and a tunnel name (whatever you want). If you then start the add-on, it will show you a link in the log area that you have to copy and paste into your web browser. This is used to authenticate at Cloudflare. By doing that, it automatically creates the certificate and stores it where it needs to be. After that, the add-on will do everything else in the background (creating the tunnel, creating the DNS entry and starting the tunnel) and you should be good to go.
Don’t forget to add the http:... area to your HomeAssistant though, to tell HA to answer requests from the add-on, as described in the config as well.

Kindly let me know if this solves your problem.


Thank you very much for the answer!

This went smoothly, without problem and the instructions on the add-on page were very detailed and helpful. (Thank you one more time, really good job of describing how to install).

When Cloudflare creates the certificate, it initiates a download of the cert.pem file (I downloaded it to my computer) and in a pop-up writes an instruction:

“Upload your Argo Tunnel certificate
Your browser has downloaded the certificate required to configure the cloudflared client on your machine.
Copy the certificate to your home directory or manually configure Argo Tunnel with the path to the certificate using the --origincert option.”

The latter part of Cloudflare’s instruction “Copy the certificate to your home directory or manually configure Argo Tunnel with the path to the certificate using the --origincert option” is a showstopper for me, because I don’t know a simple (read: suited for non-programmers) way to copy the downloaded cert.pem file to my RPi’s root. I can’t do it with the Samba share add-on (“Operation not supported”), and I can use the command line only with detailed instructions. So, the question is how and where to paste the cert.pem file on my RPi.

This is strange. Normally, Cloudflare will authenticate and then show you a pop-up stating that you can go back to your application. The add-on will automatically get the certificate and store it in your HA instance.
What is the status of your add-on in HomeAssistant after the download of the cert.pem file? Is it stuck and still showing the authenticate link?

So to clarify: There is no need for a manual step. If you have to manually upload the certificate, there was something wrong in the process to begin with.


I believe I was encountering the same symptoms - the link took me to a Cloudflare page that looked to be basically “the right one” but it did not authenticate automatically, instead offering a download of the cert once I selected a zone.

In my case, I am running NoScript script blocker on my browser and I missed unblocking one… several times I looked for this but did not see it… in my case the issue was resolved once I allowed scripts from all 4 of the domains listed (the final one that “did the trick” was cloudflareaccess.org - which certainly seems to make sense!)

Short version: Try to check, double-check, and triple-check that your browser allows scripts from cloudflareaccess.org

I hope this helps!!


Just came upon this add-on and looks super promising. Previously had a duckdns subdomain but had to open ports. If I went this route, would I still have Google assistant/home integration?


Yes, everything should work fine. Let me know if you have any problems.

Awesome. Is there a charge to use this option for remote access? Anything we have to pay cloudflare or is this considered the free tier?

No charge needed, this is part of the free tier Cloudflare plan. :slight_smile:

Phenomenal. So Google home/assistant doesn’t play nice w/a vpn. I was able to have a static external url w duckdns and was able to get it to work w/Google. Before I change things around just want to make sure it works. Will I get a fixed external url with this method?

Yes, you will get a fixed URL.

Just installed this awesome add-on. Everything is working great, but only homekit with my iPhone doesn’t work. Is there any solution for that?

Hi,

Looks like something is not working with the “quick tunnel” option.
I’ve been trying multiple times but I always end up with the auth URL and never anything relating to quick tunnels.

My conf file is :

> external_hostname: ''
> tunnel_name: ''
> additional_hosts: []
> quick_tunnel: true

Actually, “quick_tunnel: true” switches back to the end of the conf each time I hit save.

Log showing :

-----------------------------------------------------------
 Add-on: Cloudflared
 Use a Cloudflared tunnel (formerly Argo Tunnel) to remotely connect to Home Assistant without opening any ports
-----------------------------------------------------------
 Add-on version: 0.2.4
 You are running the latest version of this add-on.
 System: Home Assistant OS 7.0  (aarch64 / raspberrypi4-64)
 Home Assistant Core: 2021.12.10
 Home Assistant Supervisor: 2022.01.0
-----------------------------------------------------------
 Please, share the above information when looking for help
 or support in, e.g., GitHub, forums or the Discord chat.
-----------------------------------------------------------
[cont-init.d] 00-banner.sh: exited 0.
[cont-init.d] 01-log-level.sh: executing... 
[cont-init.d] 01-log-level.sh: exited 0.
[cont-init.d] cloudflared-config.sh: executing... 
[22:08:44] INFO: Checking for existing certificate...
[22:08:44] NOTICE: No certificate found
[22:08:44] INFO: Creating new certificate...
[22:08:44] NOTICE: Please follow the Cloudflare Auth-Steps:
Please open the following URL and log in with your Cloudflare account:
https://dash.cloudflare.com/argotunnel?callback=https%3A%2F%2Flogin.cloudflareaccess.org%2FUbz***************
Leave cloudflared running to download the cert automatically.
2022-02-01T02:09:37Z INF Waiting for login...
2022-02-01T02:10:30Z INF Waiting for login...
2022-02-01T02:11:23Z INF Waiting for login...
2022-02-01T02:12:16Z INF Waiting for login...
2022-02-01T02:13:10Z INF Waiting for login...
2022-02-01T02:14:03Z INF Waiting for login...
2022-02-01T02:14:56Z INF Waiting for login...
2022-02-01T02:15:49Z INF Waiting for login...
2022-02-01T02:16:42Z INF Waiting for login...
2022-02-01T02:17:35Z INF Waiting for login...
Failed to write the certificate due to the following error:
Failed to fetch resource
Your browser will download the certificate instead. You will have to manually
copy it to the following path:
/root/.cloudflared/cert.pem
Failed to fetch resource
[cont-init.d] cloudflared-config.sh: exited 1.
[cont-finish.d] executing container finish scripts...
[cont-finish.d] 99-message.sh: executing...

And I have this in server logs :

Option 'quick_tunnel' does not exist in the schema for Cloudflared

Any idea why it’s not playing with the trycloudflare thing?

Thanks.

Yes, this is because the quick tunnel function was not released (up until now…). I just released v0.2.5, so it should work now. Make sure to update the add-on to the newest release before you check again.

Let me know if there are any problems.

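An added example, not part of the thread or the add-on's own code: a small triage script for the add-on and Supervisor output quoted above. The sample lines are copied (abbreviated) from the posted log, and the hints only restate the causes reported in this thread; the function and field names are hypothetical.

```python
import re
from datetime import datetime

# Lines copied (abbreviated) from the log posted above, plus the Supervisor message.
SAMPLE = """\
 Add-on version: 0.2.4
[22:08:44] NOTICE: No certificate found
2022-02-01T02:09:37Z INF Waiting for login...
2022-02-01T02:10:30Z INF Waiting for login...
2022-02-01T02:17:35Z INF Waiting for login...
Failed to write the certificate due to the following error:
Failed to fetch resource
/root/.cloudflared/cert.pem
[cont-init.d] cloudflared-config.sh: exited 1.
Option 'quick_tunnel' does not exist in the schema for Cloudflared
"""

WAIT = re.compile(r"^(\d{4}-\d\d-\d\dT\d\d:\d\d:\d\d)Z INF Waiting for login")
SCHEMA = re.compile(r"Option '([^']+)' does not exist in the schema")
VERSION = re.compile(r"Add-on version:\s*(\S+)")
EXIT = re.compile(r"cloudflared-config\.sh: exited (\d+)")

def triage(log_text):
    """Return a dict of findings for the failure modes discussed in this thread."""
    waits, out = [], {"version": None, "unknown_options": [], "login_wait_s": 0,
                      "cert_fetch_failed": False, "init_exit": None, "hints": []}
    for line in log_text.splitlines():
        line = line.strip()
        if m := WAIT.match(line):
            waits.append(datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%S"))
        elif m := SCHEMA.search(line):
            out["unknown_options"].append(m.group(1))
        elif m := VERSION.search(line):
            out["version"] = m.group(1)
        elif m := EXIT.search(line):
            out["init_exit"] = int(m.group(1))
        elif line.startswith("Failed to write the certificate"):
            out["cert_fetch_failed"] = True
    if waits:  # how long cloudflared polled for the browser login to complete
        out["login_wait_s"] = int((max(waits) - min(waits)).total_seconds())
    if out["unknown_options"]:
        out["hints"].append("option not in this add-on version's schema: update the add-on")
    if out["cert_fetch_failed"]:
        out["hints"].append("login callback never completed: check that the browser "
                            "allows scripts from cloudflareaccess.org")
    return out

if __name__ == "__main__":
    for key, value in triage(SAMPLE).items():
        print(f"{key}: {value}")
```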

Wow dude, thanks for this addon, coming from nginx proxy manager + duckdns + godaddy paid domain, this is really game-changing!
It took me only a couple minutes to set up 10+ hosts to cloudflare with freenom.
Keep up the good work :muscle:

btw I should report that in my tests I got freenom to work with cloudflare only with .tk domains


Working like a charm… I’m just wondering for how long the tunnel stays open, couldn’t find any information on their website.

Really good job, thank you !

Thanks for putting this together. I had been running Cloudflared on Unraid but then I borked that server and it stopped working. That served as my impetus for hopefully migrating to a new domain name, so I am giving your add-on a go.

I have the tunnel set up and it works just fine with my external_hostname (HA instance). But I cannot get any other subdomains to connect, whether I set up in the add-on as additional_hosts or if I set up in Nginx Proxy Manager.

HA is running in a VM on my Unraid server with internal IP of 10.X.X.20. Other subdomain targets are in dockers on Unraid, so various ports on 10.X.X.133.

Any input is appreciated.

Glad it is working for you. I do not recommend using the quick tunnel for production use. Instead, you should get a domain name and set up a proper tunnel.


This feels like a networking issue. Can you ping your other hosts from within HA (SSH into HA or use the SSH add-on)? Also, which error do you see in the Cloudflared Add-On log when connecting to one of your set-up additional_hosts?

Been trying 20 times since yesterday to get a temp name on freenom but I always end up with the “technical issue” and my order is cancelled…

Will try again but the trycloudflare is a pretty good way to try things.