New Add-On: Cloudflared

Has anyone found out how to make this work to create a VPN-like tunnel rather than just allowing HTTP(S) access?

I'm trying to use it within the app; running the stock cloudflared tunnel, I am able to make this work.

Thanks

Hello, I installed cloudflared successfully. I wanted to know if it is necessary to configure Let's Encrypt anyway (or for more security), or if there is no need because the connection is already secure with the cloudflared add-on. Thanks

there is no need

Since last night, after login I can't connect via Cloudflare:


LOG:

2023-03-01T10:17:58Z INF Unregistered tunnel connection connIndex=3
2023-03-01T10:17:58Z WRN Failed to serve quic connection error="failed to accept QUIC stream: timeout: no recent network activity" connIndex=3 ip=198.41.200.73
2023-03-01T10:17:58Z WRN Serve tunnel error error="failed to accept QUIC stream: timeout: no recent network activity" connIndex=3 ip=198.41.200.73
2023-03-01T10:17:58Z INF Retrying connection in up to 1s connIndex=3 ip=198.41.200.73
2023-03-01T10:17:58Z INF Unregistered tunnel connection connIndex=0
2023-03-01T10:17:58Z WRN Failed to serve quic connection error="failed to accept QUIC stream: timeout: no recent network activity" connIndex=0 ip=198.41.200.43
2023-03-01T10:17:58Z WRN Serve tunnel error error="failed to accept QUIC stream: timeout: no recent network activity" connIndex=0 ip=198.41.200.43
2023-03-01T10:17:58Z INF Retrying connection in up to 1s connIndex=0 ip=198.41.200.43
2023-03-01T10:17:58Z WRN Connection terminated error="failed to accept QUIC stream: timeout: no recent network activity" connIndex=3
2023-03-01T10:18:00Z WRN Connection terminated error="failed to accept QUIC stream: timeout: no recent network activity" connIndex=0
2023-03-01T10:18:13Z WRN Failed to create new quic connection error="failed to dial to edge with quic: timeout: no recent network activity" connIndex=0 ip=198.41.200.43
2023-03-01T10:18:13Z INF Retrying connection in up to 4s connIndex=0 ip=198.41.200.43
2023-03-01T10:18:13Z WRN Failed to create new quic connection error="failed to dial to edge with quic: timeout: no recent network activity" connIndex=3 ip=198.41.200.73
2023-03-01T10:18:13Z INF Retrying connection in up to 4s connIndex=3 ip=198.41.200.73
2023-03-01T10:18:13Z WRN Connection terminated error="failed to dial to edge with quic: timeout: no recent network activity" connIndex=0
2023-03-01T10:18:13Z WRN Connection terminated error="failed to dial to edge with quic: timeout: no recent network activity" connIndex=3
2023-03-01T10:18:47Z WRN Failed to create new quic connection error="failed to dial to edge with quic: timeout: no recent network activity" connIndex=3 ip=198.41.200.233
2023-03-01T10:18:47Z INF Retrying connection in up to 8s connIndex=3 ip=198.41.200.233
2023-03-01T10:18:47Z WRN Failed to create new quic connection error="failed to dial to edge with quic: timeout: no recent network activity" connIndex=0 ip=198.41.200.33
2023-03-01T10:18:47Z INF Retrying connection in up to 8s connIndex=0 ip=198.41.200.33
2023-03-01T10:18:49Z WRN Connection terminated error="failed to dial to edge with quic: timeout: no recent network activity" connIndex=3
2023-03-01T10:18:51Z WRN Connection terminated error="failed to dial to edge with quic: timeout: no recent network activity" connIndex=0
2023-03-01T10:19:26Z WRN Failed to create new quic connection error="failed to dial to edge with quic: timeout: no recent network activity" connIndex=0 ip=198.41.200.43
2023-03-01T10:19:26Z WRN Failed to create new quic connection error="failed to dial to edge with quic: timeout: no recent network activity" connIndex=3 ip=198.41.200.113
2023-03-01T10:19:26Z INF Retrying connection in up to 16s connIndex=0 ip=198.41.200.43
2023-03-01T10:19:26Z INF Retrying connection in up to 16s connIndex=3 ip=198.41.200.113
2023-03-01T10:19:31Z WRN Connection terminated error="failed to dial to edge with quic: timeout: no recent network activity" connIndex=0
2023-03-01T10:19:35Z WRN Connection terminated error="failed to dial to edge with quic: timeout: no recent network activity" connIndex=3

There seems to be an error with me as well. I have been running the add-on since December. I did a few things today and started Home Assistant a few times.
For 3 hours I have been trying to find out what the problem is.

-----------------------------------------------------------
 Add-on: Cloudflared
 Use a Cloudflare Tunnel to remotely connect to Home Assistant without opening any ports
-----------------------------------------------------------
 Add-on version: 4.0.10
 You are running the latest version of this add-on.
 System: Home Assistant OS 9.5  (amd64 / qemux86-64)
 Home Assistant Core: 2023.2.5
 Home Assistant Supervisor: 2023.01.1
-----------------------------------------------------------
 Please, share the above information when looking for help
 or support in, e.g., GitHub, forums or the Discord chat.
....
Defaulting to protocol: quic
2023-03-01T10:33:01Z INF Initial protocol quic
2023-03-01T10:33:01Z INF ICMP proxy will use 172.30.33.3 as source for IPv4
2023-03-01T10:33:01Z INF ICMP proxy will use :: as source for IPv6
2023-03-01T10:33:01Z INF Starting metrics server on [::]:36500/metrics
2023-03-01T10:33:01Z WRN Your version 2023.2.1 is outdated. We recommend upgrading it to 2023.2.2
2023-03-01T10:33:01Z ERR Failed to serve quic connection error="Unauthorized: Failed to get tunnel" connIndex=0 ip=198.41.200.73
2023-03-01T10:33:01Z ERR Register tunnel error from server side error="Unauthorized: Failed to get tunnel" connIndex=0 ip=198.41.200.73
2023-03-01T10:33:01Z INF Retrying connection in up to 2s connIndex=0 ip=198.41.200.73
2023-03-01T10:33:02Z ERR Failed to serve quic connection error="Unauthorized: Failed to get tunnel" connIndex=0 ip=198.41.200.73
2023-03-01T10:33:02Z ERR Register tunnel error from server side error="Unauthorized: Failed to get tunnel" connIndex=0 ip=198.41.200.73
2023-03-01T10:33:02Z INF Retrying connection in up to 4s connIndex=0 ip=198.41.200.73
2023-03-01T10:33:03Z ERR Failed to serve quic connection error="Unauthorized: Failed to get tunnel" connIndex=0 ip=198.41.200.73
2023-03-01T10:33:03Z ERR Register tunnel error from server side error="Unauthorized: Failed to get tunnel" connIndex=0 ip=198.41.200.73
2023-03-01T10:33:03Z INF Retrying connection in up to 8s connIndex=0 ip=198.41.200.73
2023-03-01T10:33:09Z ERR Failed to serve quic connection error="Unauthorized: Failed to get tunnel" connIndex=0 ip=198.41.200.73
2023-03-01T10:33:09Z ERR Register tunnel error from server side error="Unauthorized: Failed to get tunnel" connIndex=0 ip=198.41.200.73
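The two logs posted above show two different failure classes that are easy to confuse when scrolling through retries: the first is a QUIC transport timeout ("no recent network activity"), which the add-on's own backoff normally rides out, while the second is "Unauthorized: Failed to get tunnel", where the edge is rejecting the tunnel credentials and retrying cannot help. The following script is an added example (not part of the add-on or of cloudflared) that parses cloudflared log lines, groups WRN/ERR entries by connIndex and error class, and returns a verdict; the sample lines are constructed from the messages quoted in this thread, with plain ASCII quotes.

```python
"""Triage cloudflared tunnel logs by connection and error class.

Added example for this thread; it is not part of the add-on or of cloudflared.
The sample lines are constructed from the messages quoted in the posts above.
"""
import re
from collections import Counter, defaultdict

# Shape of a cloudflared log line: "<RFC3339 time> <LEVEL> <message> key=value ...".
# The message runs up to the first " key=" token; quoted values may contain spaces.
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<level>INF|WRN|ERR)\s+(?P<msg>.*?)(?=\s\w+=|$)(?P<kv>.*)$"
)
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

# Error classes worth telling apart: QUIC timeouts are transport problems that the
# built-in retry/backoff usually rides out; "Unauthorized" means the edge rejected
# the tunnel credentials, so retrying will not help and the token/cert needs attention.
ERROR_CLASSES = (
    ("auth", "Unauthorized"),
    ("quic_timeout", "no recent network activity"),
)

# Constructed samples, taken from the two logs quoted in this thread.
SAMPLE_TIMEOUT = [
    '2023-03-01T10:17:58Z INF Unregistered tunnel connection connIndex=3',
    '2023-03-01T10:17:58Z WRN Failed to serve quic connection error="failed to accept QUIC stream: timeout: no recent network activity" connIndex=3 ip=198.41.200.73',
    '2023-03-01T10:17:58Z WRN Serve tunnel error error="failed to accept QUIC stream: timeout: no recent network activity" connIndex=3 ip=198.41.200.73',
    '2023-03-01T10:17:58Z INF Retrying connection in up to 1s connIndex=3 ip=198.41.200.73',
    '2023-03-01T10:17:58Z INF Unregistered tunnel connection connIndex=0',
    '2023-03-01T10:17:58Z WRN Failed to serve quic connection error="failed to accept QUIC stream: timeout: no recent network activity" connIndex=0 ip=198.41.200.43',
    '2023-03-01T10:17:58Z WRN Serve tunnel error error="failed to accept QUIC stream: timeout: no recent network activity" connIndex=0 ip=198.41.200.43',
    '2023-03-01T10:17:58Z INF Retrying connection in up to 1s connIndex=0 ip=198.41.200.43',
    '2023-03-01T10:17:58Z WRN Connection terminated error="failed to accept QUIC stream: timeout: no recent network activity" connIndex=3',
    '2023-03-01T10:18:00Z WRN Connection terminated error="failed to accept QUIC stream: timeout: no recent network activity" connIndex=0',
]
SAMPLE_AUTH = [
    '2023-03-01T10:33:01Z WRN Your version 2023.2.1 is outdated. We recommend upgrading it to 2023.2.2',
    '2023-03-01T10:33:01Z ERR Failed to serve quic connection error="Unauthorized: Failed to get tunnel" connIndex=0 ip=198.41.200.73',
    '2023-03-01T10:33:01Z ERR Register tunnel error from server side error="Unauthorized: Failed to get tunnel" connIndex=0 ip=198.41.200.73',
    '2023-03-01T10:33:01Z INF Retrying connection in up to 2s connIndex=0 ip=198.41.200.73',
]


def parse_line(line):
    """Return {"ts", "level", "msg", "kv"} for one log line, or None if it is not a cloudflared line."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    kv = {key: quoted or bare for key, quoted, bare in KV_RE.findall(m.group("kv"))}
    return {"ts": m.group("ts"), "level": m.group("level"), "msg": m.group("msg"), "kv": kv}


def classify(error):
    """Map the error= text to one of ERROR_CLASSES, or "other"."""
    for name, needle in ERROR_CLASSES:
        if needle in error:
            return name
    return "other"


def triage(lines):
    """Count WRN/ERR errors per connIndex and derive a single verdict for the log."""
    per_conn = defaultdict(Counter)
    edges = set()
    for raw in lines:
        rec = parse_line(raw)
        if rec is None or rec["level"] not in ("WRN", "ERR"):
            continue
        error = rec["kv"].get("error")
        if error is None:
            continue  # e.g. the "version outdated" warning carries no error= field
        per_conn[rec["kv"].get("connIndex", "?")][classify(error)] += 1
        if "ip" in rec["kv"]:
            edges.add(rec["kv"]["ip"])
    totals = Counter()
    for counts in per_conn.values():
        totals.update(counts)
    if totals["auth"]:
        verdict = "auth"         # credentials/tunnel registration: re-authorize, do not just wait
    elif totals["quic_timeout"]:
        verdict = "transient"    # edge reachability: watch the backoff, check UDP egress
    elif totals:
        verdict = "other"
    else:
        verdict = "healthy"
    return {"verdict": verdict,
            "per_conn": {conn: dict(counts) for conn, counts in per_conn.items()},
            "edges": sorted(edges)}


if __name__ == "__main__":
    for label, sample in (("timeout sample", SAMPLE_TIMEOUT), ("auth sample", SAMPLE_AUTH)):
        print(label, triage(sample))
```

Feed it the add-on log (for example `triage(open("cloudflared.log").readlines())`) to get a per-connection breakdown; an "auth" verdict points at the tunnel token or certificate rather than the network, which is the distinction the two posts above ran into.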

Maybe there was an update to the Cloudflare site and we need to wait for an add-on update to fix the problem.

That is also my assumption. There is also the hint that the used version is no longer up to date. @brenner-tobias can you have a look at this? :slight_smile:

Hi,
same problem here. Cannot connect from remote using Cloudflare Tunnel.

What does the WRN

Your version 2023.2.1 is outdated. We recommend upgrading it to 2023.2.2

actually mean?
It seems we are all on 2023.2.5 already.
Thanks

EDIT: it seems it fixed itself right now. :slightly_smiling_face:

Same issue here since today; I did not even update anything. When I route traffic via an external box running cloudflared 2023.2.2 things work properly, but when using the add-on, somehow I get these “connection refused” errors.
Edit: Unfortunately it seems to work intermittently; sometimes when I refresh it does work. Super weird.

Hm… It does not work. On my office instance I already had cloudflared configured with another domain, but now I wanted to put it to my main domain.

My main instance has in configuration

additional_hosts:
  - hostname: router.mydomain.pro
    service: http://192.168.1.1
  - hostname: unifi.mydomain.pro
    service: https://192.168.1.200:8443
external_hostname: mydomain.pro
tunnel_name: HA_pro

My second instance:

additional_hosts:
#external_hostname: myprevouscloudflaredomain.org
external_hostname: office.mydomain.pro
tunnel_name: HA_pro

The issue is that after reloading the cloudflared add-on in the office, the old domain gives Argo tunnel error 1033 (as expected), but when entering office.mydomain.pro I get

This site can’t be reached
office.mydomain.pro’s server IP address could not be found.

When I go to the Cloudflare dashboard under DNS records, I do not even see an “office” CNAME.

On my third location I do not even have a Cloudflare tunnel yet, but I was expecting that I would just do the same setup as for any new instance and just put in the configuration:
external_hostname: home.mydomain.pro

It was my mistake; I forgot to do the authorization again and use a new tunnel name.

I also created one totally new instance, but I cannot connect to it from outside. I get:
400: Bad Request

What can be wrong, and what is different from the other instances?
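The two configurations posted above share the same tunnel_name (HA_pro), and the poster's own fix was to authorize again with a new tunnel name; a later post in this thread also quotes Cloudflare's error 1010 for a hostname whose zone is not part of the account. Both are things a small config check can catch before the add-on is even started. The script below is an added example, not code from the add-on: it takes the two posted configurations as plain dicts (constructed from the YAML above; `additional_hosts` is None for the office instance because the key was left empty) and flags reused tunnel names, hostnames outside the owned zone, duplicated hostnames, and service entries that are not http(s) URLs. The zone name `mydomain.pro` and the instance labels are taken from the posts.

```python
"""Sanity-check several Cloudflared add-on instance configurations against one zone.

Added example for this thread; not part of the add-on. Configurations are given
as dicts with the add-on's option names (additional_hosts, external_hostname,
tunnel_name), constructed from the two configurations posted above.
"""
from collections import defaultdict
from urllib.parse import urlsplit

ZONE = "mydomain.pro"  # the Cloudflare zone the account owns (from the thread)

# Constructed from the posted configs. "office" left additional_hosts empty,
# which YAML reads as None, so the checks must tolerate that.
INSTANCES = {
    "main": {
        "additional_hosts": [
            {"hostname": "router.mydomain.pro", "service": "http://192.168.1.1"},
            {"hostname": "unifi.mydomain.pro", "service": "https://192.168.1.200:8443"},
        ],
        "external_hostname": "mydomain.pro",
        "tunnel_name": "HA_pro",
    },
    "office": {
        "additional_hosts": None,
        "external_hostname": "office.mydomain.pro",
        "tunnel_name": "HA_pro",
    },
}


def in_zone(hostname, zone):
    """True if hostname is the zone apex or a subdomain of it (case-insensitive, trailing dot ignored)."""
    h = hostname.lower().rstrip(".")
    z = zone.lower().rstrip(".")
    return h == z or h.endswith("." + z)


def hostnames(cfg):
    """All public hostnames one instance claims: external_hostname plus additional_hosts."""
    names = [cfg.get("external_hostname")]
    for entry in cfg.get("additional_hosts") or []:
        names.append(entry.get("hostname"))
    return [n for n in names if n]


def check_instance(name, cfg, zone):
    """Problems local to one instance's configuration."""
    problems = []
    if not cfg.get("external_hostname"):
        problems.append(f"{name}: external_hostname missing")
    for host in hostnames(cfg):
        if not in_zone(host, zone):
            problems.append(f"{name}: {host} is not in zone {zone} (Cloudflare will refuse it with error 1010)")
    for entry in cfg.get("additional_hosts") or []:
        service = entry.get("service", "")
        parts = urlsplit(service)
        if parts.scheme not in ("http", "https") or not parts.hostname:
            problems.append(f"{name}: service {service!r} for {entry.get('hostname')} is not an http(s) URL with a host")
    return problems


def check_fleet(instances, zone):
    """Problems across instances: the same tunnel or hostname claimed more than once."""
    problems = []
    tunnel_owners = defaultdict(list)
    host_owners = defaultdict(list)
    for name, cfg in instances.items():
        problems += check_instance(name, cfg, zone)
        tunnel_owners[cfg.get("tunnel_name")].append(name)
        for host in hostnames(cfg):
            host_owners[host.lower()].append(name)
    for tunnel, names in tunnel_owners.items():
        if len(names) > 1:
            problems.append(f"tunnel_name {tunnel!r} reused by {', '.join(names)}: give each instance its own tunnel")
    for host, names in host_owners.items():
        if len(names) > 1:
            problems.append(f"hostname {host} claimed by {', '.join(names)}")
    return problems


if __name__ == "__main__":
    for problem in check_fleet(INSTANCES, ZONE) or ["no problems found"]:
        print(problem)
```

Run against the two posted configurations it reports exactly one problem, the shared tunnel_name, which matches the fix the poster found.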

Question:
I have this add-on successfully up and running for a long time now. All Cloudflare subdomains are routed via cloudflared to the nginx proxy manager and from there to the respective service (including Home Assistant).
So far I was only using the proxied mode of Cloudflare. Now for some bandwidth-intensive services (e.g. Plex for video streaming) I wanted to switch to DNS only:


(In the content column, I have everywhere the same cryptic ID that was given to the overall main domain.)

However, when doing so, I cannot reach anything via this domain at all anymore. Chrome says “DNS_PROBE_FINISHED_NXDOMAIN”, and a ping to that domain does not find any host. Any idea, why proxied works, but DNS only does not?

Silly question … or maybe I’ve done something wrong.

When I go to the link to authorise the tunnel, I get the following message:

Your browser has downloaded the certificate required to configure the cloudflared client on your machine.

Copy the certificate to your home directory or manually configure Cloudflare Tunnel with the path to the certificate using the --origincert option.

And it downloads a .pem file.

What do I do now?

Thanks for the Add-on! But I’ve been having trouble getting it running, likely my inexperience with Domain name setup. I got a real domain name yesterday, and it looks like it’s available. I’ve configured the Cloudflare DNS nameserver entries in the Custom DNS nameservers on the registrar site. I’ve downloaded and configured the Add-on, and when I start it up and go to the link in the logs to Authorize the Cloudflare tunnel, I get this error message:

Failed to validate requested hostname *.example.com: This zone is either not part of your account, or you do not have access to it. Please contact support if using a multi-user organization. (Code: 1010)

I’ve uninstalled and reinstalled the Add-on, and tried to configure A or CNAME entries for DNS in Cloudflare; I’ve tried my best here, but I can’t find info identifying exactly how this should look, and besides, the tutorials referenced here don’t show anyone doing any of that to start with. Here’s the log detail:

> -----------------------------------------------------------
> Add-on: Cloudflared
> Use a Cloudflare Tunnel to remotely connect to Home Assistant without opening any ports
> -----------------------------------------------------------
> Add-on version: 4.0.12
> You are running the latest version of this add-on.
> System: Home Assistant OS 9.5 (amd64 / qemux86-64)
> Home Assistant Core: 2023.3.3
> Home Assistant Supervisor: 2023.03.1
> -----------------------------------------------------------
> Please, share the above information when looking for help
> or support in, e.g., GitHub, forums or the Discord chat.
> -----------------------------------------------------------
> [19:31:03] INFO: Checking add-on config…
> [19:31:03] INFO: Checking for existing certificate…
> [19:31:03] NOTICE: No certificate found
> [19:31:03] INFO: Creating new certificate…
> [19:31:03] NOTICE:
> [19:31:03] NOTICE: Please follow the Cloudflare Auth-Steps:
> [19:31:03] NOTICE:
> Please open the following URL and log in with your Cloudflare account:
> https://dash.cloudflare.com/argotunnel?callback=https[deleted]
> Leave cloudflared running to download the cert automatically.
> 2023-03-13T00:31:57Z INF Waiting for login…
> 2023-03-13T00:32:50Z INF Waiting for login…
> 2023-03-13T00:33:43Z INF Waiting for login…
> 2023-03-13T00:34:36Z INF Waiting for login…

Does the A entry in Cloudflare DNS have to point to my WAN IP address? Or my local HA server address? Or should the Cloudflare Add-on be able to figure this out and set it up?

I’m assuming this has something to do with my Cloudflare setup of my new domain name, and not something with the Add-on? Can anyone suggest something?

Hey all,
Okay, so I have read a lot of the messages here, and I have got Cloudflared working no problem at all :smiley:

My question is…How/ Where do I set up Homekit. I have the integration installed and I am just at the stage where I am scanning a barcode to add entities into HomeKit. However, I feel it is getting blocked by a firewall. I could be wrong.

Anyone run into a similar issue? What YAML have you used, or settings in Cloudflare?

Noob to using Cloudflare so any clarity would be super helpful

Cheers

The add-on is working great. What I’m wondering is: Is it also possible to use a certificate on the client device as Zero Trust authentication instead of email pin or Github for example? Or certificate as the primary authentication and if that’s not present you can always use the email pin. That way you can simply install a certificate on your Macbook, iPhone and iPad and it should work flawlessly with the native apps.
It should be possible. My work laptop from my employer is actually working exactly like this.

1 Like

I realize I had screwed up my setup, I mixed up instructions for the move of the DNS records to cloudflare so it didn’t work properly, so my question above is invalid. I also had mixed up config instructions separately. In the meantime I figured this out and since changed to setting up cloudflare on my NAS in Docker so I can access more of my infrastructure through the tunnel. My main problem was that I had to find better instructions for identifying the IP address of Trusted Proxies - I found what I needed in this thread.

> Is it also possible to use a certificate on the client device as Zero Trust authentication instead of email pin or Github for example?

Is this setup for VPN? I have a SoftEther VPN setup at home and use it to log in to my servers and block ads while using my mobile outside of my network. Since I moved and am now behind double NAT, I have no control past my router, as the company has blocked all ports.

SoftEther VPN is hosted on 192.168.1.10. When I tried to set up a domain and point it to that via cloudflared using my native iPhone VPN, it doesn’t work.

1 Like

Uhm. No. Why would you use vpn if you have created the cloudflare tunnel? The reason I’m using the tunnel is that I don’t want to wait for a vpn connection to start. :wink:

Mainly to block ads when I’m outside

1 Like