New Add-On: Cloudflared

Hi, I just came across this thread and it seems a wonderful add-on to try immediately.
In the last few days, I googled several posts around the net about Home Assistant secured with Cloudflare, but I missed this thread and its add-on.
So, I started from duckdns (since I wanted full SSL within the local network and outside), then I discovered Cloudflare and I’m currently using it since a few days with a namecheap domain associated with Cloudflare in full (strict) SSL and a certificate coming from Cloudflare (the origin certificate says 15y duration, but when I installed it locally with the key file too it is showing me only 3 months duration, so I hope it will be renewed automatically as I read somewhere :-(). I also tried to set up nginx, but I failed, so at the moment I created only a subdomain for hassio, using a specific enabled Cloudflare port, enabled trusted proxies within hassio, and defined on my router a port forwarding rule that prevents direct access to my hassio server, specifying as incoming allowed IPs only those of the Cloudflare proxies.
I found also some old threads explaining how to enable a Cloudflare tunnel, but it was clearly specified that the created tunnel was not persistent, changing its ID at every reboot of the server (at least for the free Cloudflare plan), so I preferred not to pursue the tunnel option even if it would have been for me the preferred one, avoiding the need to open additional ports on my router (as I’m currently doing to allow access through Cloudflare only).
Now this thread is opening a big light for me and I would like to try to install this add-on and test the tunnel; nevertheless, I would like to ask a couple of questions before starting:

  1. Has Cloudflare changed the fact that the tunnel is now persistent also when I use a free plan (nothing to pay)? If this is the case, it means I can create the tunnel once with a name/ID and then I can use it without problems all the time?
  2. Do I understand that this add-on also includes and allows setting up a local reverse proxy similar to and an alternative to nginx (I currently did not install nginx and I would prefer not to do it since I was not able to set it up properly - my fault and inexperience)? I would really need a local reverse proxy (also embedded within this Cloudflare tunnel add-on), since I would like to define new subdomains / hosts in Cloudflare and just manage locally in the reverse proxy the forwarding inside my LAN of requests to the different servers exposing services (in addition to hassio).

Thank you in advance for your help.

Can you clarify a bit more the issue? I have a subdomain to my HomeBridge server through the tunnel created in home assistant, and setup a self hosted application on cloudflare, and with policies to restrict access to the tunnel to users who 1. Authenticate, and 2. Use the warp client. So all traffic is going from user via warp client to gateway through policies, and then down tunnel.
Works well and any other attempts to access are blocked by Cloudflare unless you are an authenticated user with the WARP client. All free and sweet.

Hmm, I guess I’ve missed how to do authentication for the tunnel and I’ve not heard of the WARP client before now. Essentially my issue was that, for example, if we forget about this add-on for a moment, I have my domain which through NPM I’m exposing into a subdomain for Frigate. Now Frigate has no authentication itself, meaning if one just goes to e.g. frigate.domain.com you’d have exposed Frigate’s interface. I got around that by using Access through Cloudflare’s Zero Trust service. So now when you hit that subdomain I need to authenticate; in this case with my Google Account, which is set as the only accepted account.

So then I thought let’s do the same with this add-on as well. As for HA itself I don’t care since it has its own login page. But I was additionally exposing, for example, my router, which does have a login, but I would feel much better if a similar page to authenticate were available on top of it.

From what you are saying I guess that’s possible for this too (potentially similar) but I missed how to.

P.S. In case you do realise the conflicting examples just to clarify that I use both NPM for my normal server/house (thus me explaining about Frigate) but also have a secondary HA and network connection in another house where I’m using this addon instead. I just use the same domain for both :sweat_smile:

So I have got this running, alongside Nabu Casa.

If I turn off Nabu Casa, what would no longer work that does work via Nabu Casa?

Also in Nabu Casa there is the option in the GUI to choose what elements to sync over to Google Assistant, having that would be really useful when using this cloudflared option, this would save a ton of time and remove loads of elements from the google home app that are not needed in there.

Did you check the additional hosts config in the add-on? The simple answer to your 2 is yes.

I added

And it automatically created the domain in cloudflare.

Added the app into a self-hosted Access application, added policies to force Cloudflare authentication, and done.

( dot in front of host and is a dash. Yaml)

Yeah the extra service works. So I do have a subdomain for that which works fine.

I guess I need to revisit the self-hosted access application. You also do that through Zero Trust no? Because I essentially did the same for Frigate and the router subdomain. Perhaps I did something wrong between the two applications without realising

Update: OK so the old delete and redo application and policy fixed it :joy: Have been trying for months to work out why…


@brenner-tobias
I have faced this issue a second time; the only solution is to log into the Cloudflare account, delete the domain and restart the add-on.

-----------------------------------------------------------
 Add-on: Cloudflared
 Use a Cloudflared tunnel (formerly Argo Tunnel) to remotely connect to Home Assistant without opening any ports
-----------------------------------------------------------
 Add-on version: 2.0.3
 You are running the latest version of this add-on.
 System: Home Assistant OS 8.2  (aarch64 / raspberrypi4-64)
 Home Assistant Core: 2022.6.7
 Home Assistant Supervisor: 2022.05.3
-----------------------------------------------------------
 Please, share the above information when looking for help
 or support in, e.g., GitHub, forums or the Discord chat.
-----------------------------------------------------------
cont-init: info: /etc/cont-init.d/00-banner.sh exited 0
cont-init: info: running /etc/cont-init.d/01-log-level.sh
cont-init: info: /etc/cont-init.d/01-log-level.sh exited 0
s6-rc: info: service legacy-cont-init successfully started
s6-rc: info: service init-cloudflared-log: starting
s6-rc: info: service init-cloudflared-log successfully started
s6-rc: info: service init-cloudflared-config: starting
[23:03:19] INFO: Checking Add-on config...
[23:03:21] INFO: Checking for existing certificate...
[23:03:21] INFO: Existing certificate found
[23:03:21] INFO: Checking for existing tunnel...
[23:03:21] NOTICE: No tunnel file found
[23:03:21] INFO: Creating new tunnel...
failed to create tunnel: Create Tunnel API call failed: tunnel with name already exists
[23:03:23] FATAL: Failed to create tunnel.
    Please check the Cloudflare Teams Dashboard for an existing tunnel with the name xxxxxxxxx and delete it:
    https://dash.teams.cloudflare.com/ Access / Tunnels
s6-rc: warning: unable to start service init-cloudflared-config: command exited 1
/run/s6/basedir/scripts/rc.init: warning: s6-rc failed to properly bring all the services up! Check your logs (in /run/uncaught-logs/current if you have in-container logging) for more information.
/run/s6/basedir/scripts/rc.init: fatal: stopping the container.
s6-rc: info: service init-cloudflared-log: stopping
s6-rc: info: service init-cloudflared-log successfully stopped
s6-rc: info: service legacy-cont-init: stopping
s6-rc: info: service legacy-cont-init successfully stopped
s6-rc: info: service fix-attrs: stopping
s6-rc: info: service fix-attrs successfully stopped
s6-rc: info: service s6rc-oneshot-runner: stopping
s6-rc: info: service s6rc-oneshot-runner successfully stopped

The error seems to occur sporadically (see here & here). Unfortunately, neither @brenner-tobias nor I can reproduce the error. Can you help us somehow to find this bug?
Generally, the error can only occur if the tunnel.json file is not present. The only question is why it disappears in some rare cases. This is the only constellation in which the add-on tries to create a new tunnel.
If the data_folder option is not set, the file should be found in the add-on under /data/tunnel.json. If the data_folder option is set, the file can be found (depending on configuration) under /{ssl,share,config}/cloudflared/tunnel.json.

If you have any additional information, please feel free to share it in one of the issues mentioned above.
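A small diagnostic that follows the lookup rules described above, as an added example (not the add-on's own code): it maps the data_folder option to the expected tunnel.json location and reports whether the next start will reuse the tunnel or fall into the "Creating new tunnel" path that fails when the dashboard still holds a tunnel of that name. The ROOT prefix is an assumption for testing, and the TunnelID key check assumes tunnel.json is a cloudflared credentials file.

```shell
# Added diagnostic, not part of the add-on: locate the tunnel.json the add-on
# looks for on start-up and report what the next start will do.
# Assumptions: ROOT is an optional prefix used for testing (empty on a real
# Home Assistant host); tunnel.json is a cloudflared credentials file, so a
# healthy copy contains a "TunnelID" key.

# Print the expected tunnel.json path for a given data_folder value
# ("" = option not set).
tunnel_file_path() {
    case "$1" in
        "")                echo "${ROOT:-}/data/tunnel.json" ;;
        ssl|share|config)  echo "${ROOT:-}/$1/cloudflared/tunnel.json" ;;
        *)                 echo "unsupported data_folder value: $1" >&2; return 2 ;;
    esac
}

# Exit 0: file present and looks like a credentials file (tunnel is reused).
# Exit 1: file missing or empty (the add-on will call the Create Tunnel API,
#         which fails with "tunnel with name already exists" if the dashboard
#         still has a tunnel of that name).
# Exit 3: file present but without a TunnelID key (credentials look corrupt).
check_tunnel_file() {
    path=$(tunnel_file_path "$1") || return 2
    if [ ! -s "$path" ]; then
        echo "missing: $path -> add-on will try to create a new tunnel" >&2
        return 1
    fi
    if ! grep -q '"TunnelID"' "$path"; then
        echo "present but no TunnelID key: $path -> credentials look corrupt" >&2
        return 3
    fi
    echo "ok: $path -> add-on will reuse the existing tunnel"
    return 0
}
```

Run `check_tunnel_file ssl` (or with the value you set for data_folder) from the Home Assistant SSH add-on before restarting Cloudflared to see which path it will take.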


add-ons folder seems to be empty.

Hey guys, thanks so much for this add-on, it really is game changing how easy it is to setup.

I just have one question, I have the AdGuard Home Add-on running on HA as well, but it seems like the DNS Rewrites to block ads etc are no longer working.

Is there any guidance, or ideas that you may have on how to get that to work?

This is strange; the add-on does not change anything about AdGuard, it only creates a tunnel to Cloudflare for connections using the Cloudflare reverse proxy servers. I installed AdGuard and it looks like it is working fine.
What is happening when you say that DNS Rewrites are not working anymore? Are your DNS requests from the clients not “blocked” anymore and therefore the blocking does not work anymore? Is the AdGuard dashboard working as usual?

Something else is going on, I’d say.
This add-on is only for outside talking to HA inside your LAN, via your own domain name, and thus would/should not impact any DNS rewrites happening on your phones/PCs that are on your local network, which your AdGuard is doing.

how to do Cloudflare zero trust for the subdomain?

Thanks… I re-installed everything with RPi Debian OS… and it’s working now.


Hi, is there a way to remote SSH through a Cloudflare tunnel, and how do you set it up? For the moment I tried adding an additional host in the Cloudflare config file like so:

However I receive this error in the ssh log when trying to access ssh.dunkaroos.ga:

  • banner exchange: Connection from 172.30.33.1 port 44088: invalid format
    Connection from 172.30.33.1 port 44090 on 172.30.32.1 port 22 rdomain “”
    kex_exchange_identification: client sent invalid protocol identifier “GET / HTTP/1.1”

Can someone help me on this?

facing this a third time

-----------------------------------------------------------
 Add-on: Cloudflared
 Use a Cloudflared tunnel (formerly Argo Tunnel) to remotely connect to Home Assistant without opening any ports
-----------------------------------------------------------
 Add-on version: 2.0.4
 You are running the latest version of this add-on.
 System: Home Assistant OS 8.2  (aarch64 / raspberrypi4-64)
 Home Assistant Core: 2022.7.4
 Home Assistant Supervisor: 2022.07.0
-----------------------------------------------------------
 Please, share the above information when looking for help
 or support in, e.g., GitHub, forums or the Discord chat.
-----------------------------------------------------------
cont-init: info: /etc/cont-init.d/00-banner.sh exited 0
cont-init: info: running /etc/cont-init.d/01-log-level.sh
cont-init: info: /etc/cont-init.d/01-log-level.sh exited 0
s6-rc: info: service legacy-cont-init successfully started
s6-rc: info: service init-cloudflared-log: starting
s6-rc: info: service init-cloudflared-log successfully started
s6-rc: info: service init-cloudflared-config: starting
[10:20:58] INFO: Checking Add-on config...
[10:21:02] INFO: Checking for existing certificate...
[10:21:02] INFO: Existing certificate found
[10:21:02] INFO: Checking for existing tunnel...
[10:21:02] NOTICE: No tunnel file found
[10:21:02] INFO: Creating new tunnel...
failed to create tunnel: Create Tunnel API call failed: tunnel with name already exists
[10:21:09] FATAL: Failed to create tunnel.
    Please check the Cloudflare Teams Dashboard for an existing tunnel with the name xxxxxxxxxxx and delete it:
    https://dash.teams.cloudflare.com/ Access / Tunnels
s6-rc: warning: unable to start service init-cloudflared-config: command exited 1
/run/s6/basedir/scripts/rc.init: warning: s6-rc failed to properly bring all the services up! Check your logs (in /run/uncaught-logs/current if you have in-container logging) for more information.
/run/s6/basedir/scripts/rc.init: fatal: stopping the container.
s6-rc: info: service init-cloudflared-log: stopping
s6-rc: info: service init-cloudflared-log successfully stopped
s6-rc: info: service legacy-cont-init: stopping
s6-rc: info: service legacy-cont-init successfully stopped
s6-rc: info: service fix-attrs: stopping
s6-rc: info: service fix-attrs successfully stopped
s6-rc: info: service s6rc-oneshot-runner: stopping
s6-rc: info: service s6rc-oneshot-runner successfully stopped

I haven’t set the data_folder option, but I can’t find /data/tunnel.json.

while the add-ons folder is empty

  Home Assistant URL:       http://homeassistant.local:8123
  Observer URL:             http://homeassistant.local:4357
➜  ~ ls
addons  backup  config  media   share   ssl
➜  ~ cd addons
➜  addons ls
➜  addons ls
➜  addons

Edit:
@brenner-tobias
When I chose SSL as the custom data folder, the root\ssl\cloudflared folder was created but it only had one file, cert.pem.
When I deleted the existing tunnel from https://dash.teams.cloudflare.com/ Access / Tunnels, a new tunnel.json file was created.

Hello, I am very excited about this add-on. Thanks again. However, I have a question:

An integration requires an internet-accessible incoming webhook to receive push updates (from SmartThings).

How can I make this possible?

This is working out of the box. Just make sure that the domain used to externally access HomeAssistant (add-on option external_hostname) is configured correctly in HomeAssistant network config.

Hi, thank you for this add-on. I have been able to configure it and get it to work. I was also able to get Alexa to work with this as well; however, if I try to set up access policies (e.g. using GitHub as an authentication method) to put another layer of security over my instance, it breaks my Alexa setup. Any suggestions on how to keep my access rules but still have Alexa continue to work? Thank you.

Hi,
how should I create a subdomain for Home Assistant? I have registered my own domain with Cloudflare, let’s say example.com. Should I put example.com in the add-on configuration and then add an additional host ha.example.com with the local IP and port of Home Assistant?