New Add-On: Cloudflared

I haven’t tried it, but surely you must be able to create a policy that checks for a particular certificate? And if it finds it, allow the traffic to the tunnel.

I have it set up like this for the WARP client, so any device with the client turned on and logged into my Zero Trust team gets instant access to the tunnel.

Surely it would work for a cert too

1 Like

I installed Cloudflared Add-on 4 or 5 months ago and it was working fine. A few weeks back I noticed I could not access remotely. Upon inspection on Cloudflare’s site, it showed my tunnel as down.
Reviewing the addon logs, I noted the following error:

Failed to add route: code: 1003, reason: An A, AAAA, or CNAME record with that host already exists. For more details, refer to https://developers.cloudflare.com/dns/manage-dns-records/troubleshooting/records-with-same-name/.
FATAL: Failed to create DNS entry XXXX.XXXXXXX.ca
s6-rc: warning: unable to start service init-cloudflared-config: command exited 1

I don’t understand why it’s trying to recreate the CNAME entry that it set up previously, nor do I see a way to delete the entry.

Not sure where to start.

Thanks

1 Like

I uninstalled the add-on and reinstalled, and everything worked again; however, after restarting it failed again with the same warnings. I did find out how to delete the CNAME record. After that I could restart the add-on and it would work. If I restarted it again after that, the same problem returns!!!

1 Like

I configured cloudflared with the local tunnel add-on setup. If I visit the new remote domain from outside my local network it works; if instead I visit it from inside my local network I see the Home Assistant login for 1 second and then this, with this error:

Can anyone help me? This is my second installation of this plugin, because I changed ISP provider, so I had to reconfigure everything. I uninstalled cloudflared and also all settings on cloudflared and started again, but now I am stuck with this problem. Any idea?

1 Like

400: Bad Request when I want to access the domain name from the outside world.

I have followed all the instructions. All of the install went really well. Created a new domain name example.com and used that domain name in the config. Tunnel looks great on the Cloudflare side and no errors in the logs on the HA side. Logs say successfully connected to tunnel. Everything looks fine. It just returns 400 when I want to access the domain name from the outside world.
I have added this to the YAML as instructed:

http:
  use_x_forwarded_for: true
  trusted_proxies:
    - 172.30.33.0/24

In the HA Cloudflare add-on configuration for External Home Assistant Hostname I put in the new example.com domain name. Is this correct?
When testing in the browser I have tried example.com and also example.com:8123.
Is there anything I need to do with ports?
When I receive 400 I see nothing in the add-on logs. No error, but no success either.
I have a 4G router, with the usual CGNAT issues, so that is why I have gone down this Cloudflare path.
What have I done wrong?
Any suggestions?
Many thanks in advance.

Are you using HTTP or HTTPS?

Everything seems to be working well, with the exception of the sensors updating from the iPhone and MacBook. They are not updating and they throw an error in the companion log. It seems similar to the issue @brenner-tobias described in the wiki.

2023-04-01 15:32:29.587 [Error] [main] [WebhookManager.swift:633] urlSession(_:task:didCompleteWithError:) > failed request to befd9876cbf04b1bafcd00a80028df63 for WebhookResponseUpdateSensors: Error Domain=NSCocoaErrorDomain Code=3840 "Invalid value around line 1, column 0." UserInfo={NSDebugDescription=Invalid value around line 1, column 0., NSJSONSerializationErrorIndex=0}

In the wiki it says: To mitigate this problem you can create an explicit firewall pass rule for traffic related to your HA sub-domain. For that, navigate to Cloudflare / Security / WAF / Create firewall rule and create the rule:

(http.host eq "ha.example.com")

The option ‘allow’ is not available anymore in Cloudflare. I think it has been replaced with ‘skip’. I activated the rule, but in the events I don’t see any blocking, only skipping. Any idea how to proceed with debugging?

The Cloudflare Zero Trust option is required.
When I select the free version, I need to fill in a payment option,
my credit card information for example.
But I don’t want to add this information.

When I watch YouTube videos, users aren’t required to fill in this information?
Has this changed in Cloudflare?

I used a prepaid card for payment information.

You do not necessarily need to set up a Cloudflare Zero Trust account if you are only using the “normal” tunnel that is configured through the add-on using “external_hostname” and potentially “additional_hosts”.
Only the remotely managed tunnel and further security features like an additional login layer by Cloudflare require a Zero Trust account. For that it is, and always was, a requirement to enter payment information, though they do not charge you anything if you only use the free tiers (which are very generous and cannot really be exceeded by accident). So I quite like @duceduc’s suggestion to simply use a prepaid card.

@brenner-tobias ,
Good afternoon,
I’ve had my Cloudflared instance running since last October. It’s been rock solid.

This morning, I noticed that my wife was showing as home when she was away. This made me look into my remote URL, and I found I could no longer connect. I’ve been trying to troubleshoot for the past few hours. I even uninstalled Cloudflared and reinstalled it, used the URL in the logs, and all indications are that it should be up, but I’m getting 400: Bad Request from wherever I try (iPad on cellular, work laptop on VPN), and locally.

Logs seem to indicate that it’s up.

Add-on version: 4.0.14
 You are running the latest version of this add-on.
 System: Home Assistant OS 9.5  (aarch64 / raspberrypi4-64)
 Home Assistant Core: 2023.3.5
 Home Assistant Supervisor: 2023.03.3
-----------------------------------------------------------
 Please, share the above information when looking for help
 or support in, e.g., GitHub, forums or the Discord chat.
-----------------------------------------------------------
[13:20:25] INFO: Checking add-on config...
[13:20:26] INFO: Checking for existing certificate...
[13:20:26] INFO: Existing certificate found
[13:20:26] INFO: Checking for existing tunnel...
[13:20:26] INFO: Existing tunnel with ID 4a8c1ddf-50c8-4654-8253-c1ef7e5c1116 found
[13:20:26] INFO: Checking if existing tunnel matches name given in config
[13:20:30] INFO: Existing Cloudflare Tunnel name matches config, proceeding with existing tunnel file
[13:20:30] INFO: Creating config file...
[13:20:32] INFO: Validating config file...
Validating rules from /tmp/config.json
OK
[13:20:32] INFO: Creating DNS entry remote.morgenthaler-tech.org...
2023-04-04T17:20:33Z INF remote.morgenthaler-tech.org is already configured to route to your tunnel tunnelID=4a8c1ddf-50c8-4654-8253-c1ef7e5c1116
[13:20:34] INFO: Finished setting up the Cloudflare Tunnel
[13:20:34] INFO: Connecting Cloudflare Tunnel...
2023-04-04T17:20:34Z INF Starting tunnel tunnelID=4a8c1ddf-50c8-4654-8253-c1ef7e5c1116
2023-04-04T17:20:34Z INF Version 2023.3.1
2023-04-04T17:20:34Z INF GOOS: linux, GOVersion: go1.19.3, GoArch: arm64
2023-04-04T17:20:34Z INF Settings: map[config:/tmp/config.json cred-file:/data/tunnel.json credentials-file:/data/tunnel.json loglevel:info metrics:0.0.0.0:36500 no-autoupdate:true origincert:/data/cert.pem]
2023-04-04T17:20:34Z INF Generated Connector ID: 3c3d2d60-a04a-4cec-b595-b0e6a815ed1d
2023-04-04T17:20:36Z INF Initial protocol quic
2023-04-04T17:20:36Z INF ICMP proxy will use 172.30.33.7 as source for IPv4
2023-04-04T17:20:36Z INF ICMP proxy will use :: as source for IPv6
2023-04-04T17:20:36Z INF Starting metrics server on [::]:36500/metrics
2023-04-04T17:20:43Z INF Connection d2948853-95a0-4cfc-9581-f19c64134a98 registered with protocol: quic connIndex=0 ip=198.41.200.43 location=ORD
2023-04-04T17:20:43Z INF Connection 1357c3fc-16af-4262-8fd3-b6653a74d7d0 registered with protocol: quic connIndex=1 ip=198.41.192.167 location=IAD
2023-04-04T17:20:44Z INF Connection e32b8388-0fac-4aab-b719-1658ac91cd44 registered with protocol: quic connIndex=2 ip=198.41.200.53 location=ORD
2023-04-04T17:20:45Z INF Connection 793e31b3-a88c-43bc-b50a-6a75d7eb6262 registered with protocol: quic connIndex=3 ip=198.41.192.77 location=IAD

Any ideas what might be going on? Normally I would say it might be a CloudFlare problem, but numbered errors often come from the server, so I’m unclear what could be going on. Nothing has changed on my end that I’m aware of. I’ve restarted HA several times in an attempt to fix the issue, with no positive result.

The log shows this error:

failed to create tunnel: Create Tunnel API call failed: tunnel with name already exists
[22:45:32] FATAL: Failed to create tunnel.

  • Please check the Cloudflare Teams Dashboard for an existing tunnel with the name homeassistant and delete it:
  • https://dash.teams.cloudflare.com/ Access / Tunnels
    s6-rc: warning: unable to start service init-cloudflared-config: command exited 1

The link https://dash.teams.cloudflare.com/ Access / Tunnels doesn’t work.
message: Hmm… Looks like you’re lost.
The page you are looking for has moved or no longer exists.

How can I delete the existing tunnel?

Thanks a lot for raising this and sorry for the confusion, there is a new link to the Cloudflare Zero Trust Dashboard, which is: https://one.dash.cloudflare.com/

I just updated it in the error message as well, so this will be fixed in the next release.

1 Like

The link works, but does not solve the problem ‘Cloudflare Teams Dashboard for an existing tunnel with the name homeassistant and delete it’.

It does not show a tunnel, thus I can’t delete it.

After upgrading to the latest version and following the link, I need to add Zero Trust with credit card information.
But the real problem is that cloudflared can’t be installed successfully because there is an existing tunnel.
I don’t know how to delete this tunnel.

I removed and re-installed the cloudflared add-on, and removed the website and added it again in Cloudflare.

The error log shows now:

[08:01:19] INFO: Checking for existing tunnel…
[08:01:19] NOTICE: No tunnel file found
[08:01:19] INFO: Creating new tunnel…
failed to create tunnel: Create Tunnel API call failed: tunnel with name already exists
[08:07:41] FATAL: Failed to create tunnel.
Please check the Cloudflare Zero Trust Dashboard for an existing tunnel with the name homeassistant and delete it:
Visit https://one.dash.cloudflare.com, then click on Access / Tunnels

Now an API seems to be the problem.
Any recommendations?

Update:
Issue solved. The solution is to take a Zero trust monthly subscription…

There is definitely no need for a paid Zero Trust monthly subscription. If you set up Zero Trust, you have to give them payment details, but everything you need is 100% free.
You can also avoid the need for access to the Zero Trust dashboard at all by simply defining another tunnel name in the add-on configuration.

1 Like
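Both fatal errors in this thread, `Failed to create DNS entry` (error 1003, an A/AAAA/CNAME already on the hostname) and `tunnel with name already exists`, come from leftover objects in the Cloudflare account that the add-on cannot remove for you. The script below is an added example written for this page, not code from the add-on or from anyone in the thread. It finds those objects through the Cloudflare v4 API (`GET`/`DELETE /zones/{zone_id}/dns_records` and `GET`/`DELETE /accounts/{account_id}/cfd_tunnel`) and builds the delete calls in the order the API needs. The zone ID, account ID, hostname, tunnel name and API token are read from environment variables and are assumptions; the embedded API responses are constructed samples so the script runs offline, and nothing is deleted unless `CF_APPLY=1` is set.

```python
"""Find (and optionally delete) the stale Cloudflare objects that block the
Cloudflared add-on: a DNS record already on the hostname, or a tunnel that
still carries the configured name. Illustrative code for this page, not the
add-on's own. Needs a token scoped to Zone:DNS:Edit and
Account:Cloudflare Tunnel:Edit (assumed names of the scopes you pick).
"""
import json
import os
import urllib.parse
import urllib.request

API = "https://api.cloudflare.com/client/v4"


def conflicting_dns_records(listing: dict, fqdn: str, keep_tunnel_id: str = "") -> list:
    """Records that make cloudflared fail with error 1003 on that hostname.

    A CNAME that already points at keep_tunnel_id is fine (cloudflared then logs
    "is already configured to route to your tunnel"), so it is skipped.
    """
    keep = f"{keep_tunnel_id}.cfargotunnel.com" if keep_tunnel_id else None
    return [
        {"id": r["id"], "type": r["type"], "content": r["content"]}
        for r in listing.get("result", [])
        if r.get("name", "").lower() == fqdn.lower()
        and r.get("type") in ("A", "AAAA", "CNAME")
        and r.get("content") != keep
    ]


def tunnels_named(listing: dict, name: str) -> list:
    """Live (not soft-deleted) tunnels whose name collides with the add-on config."""
    return [
        {"id": t["id"], "name": t["name"], "connections": len(t.get("connections", []))}
        for t in listing.get("result", [])
        if t.get("name") == name and not t.get("deleted_at")
    ]


def cleanup_plan(zone_id: str, account_id: str, records: list, tunnels: list) -> list:
    """Ordered (method, url) pairs; connections are cleaned before a tunnel delete."""
    plan = [("DELETE", f"{API}/zones/{zone_id}/dns_records/{r['id']}") for r in records]
    for t in tunnels:
        base = f"{API}/accounts/{account_id}/cfd_tunnel/{t['id']}"
        plan.append(("DELETE", base + "/connections"))
        plan.append(("DELETE", base))
    return plan


def cf_call(token: str, method: str, url: str) -> dict:
    """Minimal authenticated call; only used when CF_API_TOKEN is set."""
    req = urllib.request.Request(url, method=method, headers={"Authorization": f"Bearer {token}"})
    with urllib.request.urlopen(req, timeout=20) as resp:
        return json.load(resp)


# Constructed sample responses in the shape the v4 API returns (not real data).
SAMPLE_DNS = {"result": [
    {"id": "rec-1", "type": "CNAME", "name": "ha.example.com", "content": "old-tunnel.cfargotunnel.com"},
    {"id": "rec-2", "type": "A", "name": "other.example.com", "content": "192.0.2.10"},
]}
SAMPLE_TUNNELS = {"result": [
    {"id": "tun-1", "name": "homeassistant", "deleted_at": None, "connections": []},
    {"id": "tun-0", "name": "homeassistant", "deleted_at": "2023-01-01T00:00:00Z", "connections": []},
]}


def main() -> list:
    fqdn = os.environ.get("CF_HOSTNAME", "ha.example.com")
    tunnel_name = os.environ.get("CF_TUNNEL_NAME", "homeassistant")
    zone_id = os.environ.get("CF_ZONE_ID", "ZONE")
    account_id = os.environ.get("CF_ACCOUNT_ID", "ACCOUNT")
    token = os.environ.get("CF_API_TOKEN")
    if token:  # real lookups against the account
        q = urllib.parse.urlencode({"name": fqdn})
        dns = cf_call(token, "GET", f"{API}/zones/{zone_id}/dns_records?{q}")
        q = urllib.parse.urlencode({"name": tunnel_name, "is_deleted": "false"})
        tun = cf_call(token, "GET", f"{API}/accounts/{account_id}/cfd_tunnel?{q}")
    else:      # offline: use the constructed samples above
        dns, tun = SAMPLE_DNS, SAMPLE_TUNNELS
    plan = cleanup_plan(zone_id, account_id,
                        conflicting_dns_records(dns, fqdn), tunnels_named(tun, tunnel_name))
    for method, url in plan:
        print(method, url)
        if token and os.environ.get("CF_APPLY") == "1":
            cf_call(token, method, url)
    return plan


if __name__ == "__main__":
    main()
```

Run it without a token to see the plan on the samples; set `CF_API_TOKEN`, `CF_ZONE_ID`, `CF_ACCOUNT_ID`, `CF_HOSTNAME` and `CF_TUNNEL_NAME` to plan against your own account, and add `CF_APPLY=1` to execute it. After a tunnel delete the add-on's stored tunnel.json refers to a tunnel that no longer exists, so let the add-on create a fresh one on the next start, or, as suggested above, simply pick a new tunnel name and skip the tunnel part entirely.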

Hello @brenner-tobias. I recently moved from NGINX and DuckDNS. I’m enjoying the Cloudflare setup, but the issue I seem to keep seeing in my log is

WRN Connection terminated error=“failed to dial to edge with quic: timeout: no recent network activity”

My connection through CloudFlare works fine. Wondering what causes this.

Thanks in advance

Hi all,

I’ve got an issue, hoping someone can point me in the right direction.

My current setup:

The problem is that Nginx keeps giving the following error:

400 Bad Request
Request Header Or Cookie Too Large
nginx

Does anybody have a suggestion? Thanks in advance!

The 400 error is from not adding the required information to configuration.yaml.

Maybe someone else can speak to the use of NGINX, because I got away from that and have no ports open, offering better security, and mine’s working.
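The `400: Bad Request` reported twice in this thread and the `trusted_proxies` snippet posted earlier are two sides of the same check. The block below is an added Python model of the decision Home Assistant's forwarded-header handling makes; it is illustrative code written for this page, not Home Assistant's or the add-on's own source. With `use_x_forwarded_for: true`, a request carrying `X-Forwarded-For` from a peer that is not listed in `trusted_proxies` is rejected with 400, while a request with no such header (a browser on the LAN hitting port 8123 directly) passes. The add-on container address 172.30.33.7 is taken from the log above; the visitor address 203.0.113.5 and the LAN address 192.168.1.20 are constructed.

```python
"""Model of Home Assistant's X-Forwarded-For handling (illustrative, not HA source).

Shows why a Cloudflare Tunnel front end returns "400: Bad Request" until the
add-on's container network is listed under http.trusted_proxies.
"""
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


@dataclass
class HttpConfig:
    """The two keys from the http: section of configuration.yaml that matter here."""
    use_x_forwarded_for: bool = False
    trusted_proxies: List[str] = field(default_factory=list)

    def trusts(self, ip) -> bool:
        return any(ip in ipaddress.ip_network(n, strict=False) for n in self.trusted_proxies)


def classify_request(cfg: HttpConfig, peer_ip: str,
                     x_forwarded_for: Optional[str] = None) -> Tuple[str, str]:
    """Return ("ok", effective_client_ip) or ("400", reason).

    peer_ip         - TCP peer that connected to HA (cloudflared container, LAN host, ...)
    x_forwarded_for - header value exactly as received, or None when absent
    """
    peer = ipaddress.ip_address(peer_ip)
    if x_forwarded_for is None:
        # No proxy header (e.g. direct LAN access): nothing to validate.
        return "ok", str(peer)
    if not cfg.use_x_forwarded_for:
        # Header ignored; HA sees the proxy itself as the client.
        return "ok", str(peer)
    if not cfg.trusts(peer):
        # An untrusted peer supplying a client address could spoof IP-based
        # decisions (ban lists, "home" detection), so the request is rejected.
        return "400", f"X-Forwarded-For received from untrusted proxy {peer}"
    try:
        hops = [ipaddress.ip_address(h.strip()) for h in x_forwarded_for.split(",")]
    except ValueError as exc:
        return "400", f"invalid address in X-Forwarded-For: {exc}"
    # Walk from the nearest hop outward, skipping trusted proxies; the first
    # address we do not trust is the real client.
    for hop in reversed(hops):
        if not cfg.trusts(hop):
            return "ok", str(hop)
    # Every hop was a trusted proxy; fall back to the outermost one.
    return "ok", str(hops[0])


# Constructed inputs: cloudflared container 172.30.33.7 (from the log above)
# forwarding a visitor at 203.0.113.5 (documentation range).
CLOUDFLARED_PEER = "172.30.33.7"
VISITOR = "203.0.113.5"

# Weak: header honoured but no proxy trusted -> every tunnel request is a 400.
WEAK = HttpConfig(use_x_forwarded_for=True, trusted_proxies=[])
# Fixed: the Supervisor add-on network is trusted, as the thread's snippet shows.
FIXED = HttpConfig(use_x_forwarded_for=True, trusted_proxies=["172.30.33.0/24"])


def demo() -> dict:
    """The cases a practitioner wants to compare side by side."""
    return {
        "weak_via_tunnel": classify_request(WEAK, CLOUDFLARED_PEER, VISITOR),
        "fixed_via_tunnel": classify_request(FIXED, CLOUDFLARED_PEER, VISITOR),
        "lan_direct": classify_request(FIXED, "192.168.1.20"),
        "spoof_from_lan": classify_request(FIXED, "192.168.1.20", "1.1.1.1"),
    }


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(f"{case:18s} -> {outcome}")
```

Two things worth noting from the output: the `lan_direct` case passes even with the weak config, which is why a setup can look healthy locally and still return 400 through the tunnel; and `spoof_from_lan` shows the reason HA is strict here, since a LAN host presenting its own `X-Forwarded-For` would otherwise be able to pick the address HA attributes it to. Trusting 172.30.33.0/24 trusts every Supervisor add-on on that network, not just cloudflared, which is the accepted trade-off in the thread's snippet.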