New Add-On: Cloudflared

In the configuration.yaml you always have to enter the following:

http:
  use_x_forwarded_for: true
  trusted_proxies:
    - 172.30.33.0/24

There is no need to change anything here as described in the documentation. The Cloudflare add-on will run within the internal Docker network, which is 172.30.33.0/24. Therefore, the connections from this network need to be answered by Home Assistant, which is defined in the code-block above.

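Why the trusted_proxies entry matters, as an added illustration (not code from the add-on or from Home Assistant): with use_x_forwarded_for enabled, only a TCP peer inside 172.30.33.0/24 (the add-on's Docker network) may set X-Forwarded-For, so an arbitrary client cannot spoof the address that login-attempt tracking and IP bans are keyed on. The resolution rule below is the usual "rightmost untrusted hop" logic and is an assumption for illustration, not Home Assistant's own implementation.

```python
from ipaddress import ip_address, ip_network
from typing import Optional

# Constructed to mirror the configuration.yaml snippet above: the Cloudflared
# add-on lives in the Supervisor's internal Docker network 172.30.33.0/24.
TRUSTED_PROXIES = [ip_network("172.30.33.0/24")]
USE_X_FORWARDED_FOR = True


class UntrustedProxyError(Exception):
    """Raised when a peer outside trusted_proxies sends X-Forwarded-For."""


def resolve_client_ip(peer_ip: str, xff: Optional[str],
                      trusted=TRUSTED_PROXIES,
                      use_xff=USE_X_FORWARDED_FOR) -> str:
    """Return the address the server should treat as the real client.

    Illustrative rule (assumption, not Home Assistant's code):
    - X-Forwarded-For is ignored entirely when use_x_forwarded_for is off.
    - It is honoured only when the TCP peer is a trusted proxy; an untrusted
      peer sending the header is rejected rather than believed.
    - Walking the header right-to-left, the first hop that is not itself a
      trusted proxy is the client (handles chained proxies).
    """
    peer = ip_address(peer_ip)
    peer_trusted = any(peer in net for net in trusted)
    if not use_xff or xff is None:
        return str(peer)
    if not peer_trusted:
        # A peer that is not our proxy must not be able to choose its address.
        raise UntrustedProxyError(f"X-Forwarded-For from untrusted peer {peer}")
    hops = [ip_address(h.strip()) for h in xff.split(",") if h.strip()]
    for hop in reversed(hops):
        if not any(hop in net for net in trusted):
            return str(hop)
    return str(peer)  # every listed hop was one of our own proxies
```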

Hey everyone, I’m currently using duckdns and I wanted to try cloudflared out in order to avoid opening ports.

However I still wanted the SSL certificates from Let’s Encrypt and well it isn’t really working. Indeed the HTTP test doesn’t work in NPM and I don’t really know how to make it work (I didn’t test it since the latest update for SSL though). My ports are still open for this to work though, so I need to close them just after getting good certificates.

Another thing is the DNS. On my router I added a DNS entry so that at home my phone and all directly connects to my NUC instead of going in the cloud and going back down. With this, is it still possible? I only add my domain name and that’s it like when using duckdns?

Thanks for your help!

Hi All,

I see those errors. Is this ok or not?

2022-02-09T22:02:26Z INF Unregistered tunnel connection connIndex=0
2022-02-09T22:02:26Z INF Lost connection with the edge connIndex=0
2022-02-09T22:02:26Z WRN Serve tunnel error error="connection with edge closed" connIndex=0
2022-02-09T22:02:26Z INF Retrying connection in up to 1s seconds connIndex=0
2022-02-09T22:02:27Z INF Connection ca454518-<REMOVED>-cea5137f2ef4 registered connIndex=0 location=AMS
2022-02-09T22:41:04Z INF Lost connection with the edge connIndex=1
2022-02-09T22:41:04Z INF Unregistered tunnel connection connIndex=1
2022-02-09T22:41:04Z WRN Serve tunnel error error="connection with edge closed" connIndex=1
2022-02-09T22:41:04Z INF Retrying connection in up to 1s seconds connIndex=1
2022-02-09T22:41:04Z INF Lost connection with the edge connIndex=3
2022-02-09T22:41:04Z INF Unregistered tunnel connection connIndex=3
2022-02-09T22:41:04Z WRN Serve tunnel error error="connection with edge closed" connIndex=3
2022-02-09T22:41:04Z INF Retrying connection in up to 1s seconds connIndex=3
2022-02-09T22:41:05Z INF Connection ff356313-<REMOVED>-f31757f94c5b registered connIndex=1 location=HAM
2022-02-09T22:41:06Z INF Connection 26be9356-<REMOVED>100037a2aa2f registered connIndex=3 location=HAM

I suggest that you update to the newest stable version and try again with the certificates, should work now.

Regarding the local DNS: This should also still work, you can have your router resolve home.example.com to a local IP and bypass Cloudflare altogether.


Yes, looks alright. I have the same sometimes, since the tunnel reconnects. As long as it is running, it’s all good.


Hey, thanks for your input. I tried using the latest version but I’m getting a strange error in the Let’s Encrypt challenge through NPM:

Domain: XXXX.tk
Type: unauthorized
Detail: Invalid response from http://XXXXX.tk/.well-known/acme-challenge/XXXXX [XXXXX]: 404

To fix these errors, please make sure that your domain name was entered correctly and the DNS A/AAAA record(s) for that domain contain(s) the right IP address.

Here is what I did:

  1. Disable duckdns addon and NPM addon (not the one with GUI, the other one)
  2. Disable let’sencrypt
  3. Install your addon and NPM (gui version)
  4. Launch NPM + configure my domain in it (domain name XXX.tk, http, NUC IP, Port, Websockets Support)
  5. Launch your addon after configuration (added the npm true inside), no issues there it seems
  6. Launch NPM and try to add SSL on the proxy ==> Internal Error

Thanks for your help!

As far as I understand, you want to use the add-on to remotely connect to HA and also some other hosts managed by NPM.
A couple of general things first, let’s say you are using matssa.tk. This means you have to configure some sort of subdomain to access HA, so your config could look like this:

external_hostname: "ha.matssa.tk"
tunnel_name: "homeassistant"
additional_hosts: []
nginx_proxy_manager: true

This would route all traffic from ha.matssa.tk to home assistant and everything else to NPM. Of course, you also have to add the respective DNAME records for all subdomains and the domain itself that you want to use in NPM, pointing to the tunnel.

Now regarding SSL: Using the add-on and renewing / getting SSL certificates does not work together in the normal set-up. The reason is that the Cloudflare proxy is answering the requests and not really your local server. Having said that, this also means that Cloudflare takes care of your certificates for all subdomains. So everything up to the NPM connection is encrypted anyways. Going from there, you can also use HTTPS with the clients with a self-signed certificate. So there is no need to use Let’s Encrypt at all in this set-up.

Side note: if you only have a couple of hosts in NPM, I suggest getting rid of NPM completely and defining the hosts directly in the additional_hosts array in the Cloudflared add-on as described in my documentation.

Hi,

Thanks for your input. I don’t have any subdomains, I only want HA to be accessible as of right now so it eases the process :slight_smile:

I’m using NPM in order to force all my requests towards my HA instance to HTTPS and use my certificate made using the Let’s Encrypt addon, whether the source is the internet (my phone on 4G, for example) or my home network (my PC, for example). I want to avoid HTTP, which isn’t secure.

The idea here is to avoid using duckdns and use the cloudflare tunnel so that I can avoid opening ports on my router.
So I followed what you said and I can indeed force SSL in the cloudflare dashboard. This makes everything in SSL when outside my home network.
However for the home network, if I don’t have any certificate, I can’t do SSL.

Since when making the Let’s Encrypt through the tunnel it isn’t my HA instance but the cloudflare stuff that answers, I don’t know how to make a self signed certificate without using the Let’s Encrypt addon. Maybe I need to put my home IP in cloudflare for it to work (with the tunnel off) and open the ports on my router so that the request comes back and remove my IP just after and remove the ports (and do this process every 90 days)?

Dunno if it’s understandable ^^

EDIT/// Forgot but I also have bitwarden to publish ^^

Hi again,

Soooo after a couple of tests I managed to make the SSL on the home network work (I forwarded my CNAME in cloudflare towards my real IP, opened the HTTP port so that the ACME worked. I then used your addon so that it changes the IP to the tunnel). Only bummer is that I need to do that work again every time I want to refresh my certs…

I also managed to make HA and bitwarden work using the tunnel and without NPM. So that’s nice.
However I can’t seem to make wireguard work. I managed to open the connection but I can’t see my devices on my home network… Last thing I need then I can call it a day and go do other HA stuff xD

Thanks for sticking with me :slight_smile:

I got it working but could not get the Google Assistant integration to work.

I had the same issue with Alexa. I did a reconnection procedure and that worked for me. Maybe it works for you also.

Hi,
glad it worked out. Regarding the SSL certificates, I still suggest that you look at self-signed certificates for the local connections, to get rid of the hassle.
Regarding Wireguard: There is no need at all to use a VPN connection. That’s the beauty of this solution. A VPN does not help you, since you have the Cloudflare reverse proxy that answers the connections, so no need to VPN into your home network.

Hi,

Yeah just need to see the impact on my different browsers and stuff but that might be the way to go.

For the VPN, the idea isn’t to use wireguard to access HA but more to access my local network so that I can make some ssh into other home devices or even make some remote desktop with my home computer.
Since I need a domain / IP, I was thinking of using the cloudflare tunnel in order to access wireguard so that it gives me access to my local network like 192.168.x.x

Just in case, I’m using a NUC with Proxmox on it with a debian VM with HA supervised in docker ^^

I tried many times with no luck, but did not try Alexa.

Hi,

Been using Cloudflare for DNS for a long while, and had briefly looked at zero trust. So just want to say thanks @brenner-tobias, add-on works fine so far. No probs with Alexa.

:slight_smile: Amanda

I tried the Alexa integration and I’m getting a 404 error.
Have you done any configuration to your Cloudflare SSL setup?

What I did was only install the addon:
Get a domain
Register the domain at Cloudflare and make sure it is active
Add the domain into the Cloudflare addon in HA
Start the addon and authorize it through the URL from the addon log

Do I need to configure anything else?

I tried quick_tunnel: true
It worked.
Not sure what’s wrong when I use the free domain.

I had Alexa working fine before and after Cloudflare, no changes required when I switched over. Alexa just carried on working.

My setup is:
Domains registered in AWS R53
DNS in Cloudflare
Alexa custom integration

Previous config was duckdns/letsencrypt with 443 open externally on my router which port forwarded to another router, then on to HA (I’ve always had HA running on 443).

I’m receiving the following messages in the log and I would like to know what it means and if something is wrong.
2022-02-14T20:57:31Z ERR  error="Unable to reach the origin service. The service may be down or it may not be responding to traffic from cloudflared: dial tcp 172.30.32.1:8123: connect: connection refused" cfRay=6dd935910dbd6b56-AMS ingressRule=0 originService=http://homeassistant:8123
2022-02-14T20:57:37Z ERR  error="Unable to reach the origin service. The service may be down or it may not be responding to traffic from cloudflared: dial tcp 172.30.32.1:8123: connect: connection refused" cfRay=6dd935b6feea4bef-AMS ingressRule=0 originService=http://homeassistant:8123
2022-02-14T20:57:43Z ERR  error="Unable to reach the origin service. The service may be down or it may not be responding to traffic from cloudflared: dial tcp 172.30.32.1:8123: connect: connection refused" cfRay=6dd935dc989dfa8c-AMS ingressRule=0 originService=http://homeassistant:8123
2022-02-15T16:00:54Z INF Unregistered tunnel connection connIndex=2
2022-02-15T16:00:54Z INF Lost connection with the edge connIndex=2
2022-02-15T16:00:54Z WRN Serve tunnel error error="connection with edge closed" connIndex=2
2022-02-15T16:00:54Z INF Retrying connection in up to 1s seconds connIndex=2
2022-02-15T16:00:56Z INF Connection b42f9c41-b928-4ab8-82e5-80ad1bb2c8c6 registered connIndex=2 location=AMS

You are running the latest version of this add-on.
 System: Home Assistant OS 7.4  (armv7 / raspberrypi3)
 Home Assistant Core: 2022.2.6
 Home Assistant Supervisor: 2022.01.1

This happens from time to time. As long as the connection is working, everything is fine.