@andynbaker how did you set up your pfSense to allow traffic only from Cloudflare?
First you need to be sure you set up Cloudflare to proxy all traffic to your subdomain. Then you need to create an alias in pfSense that contains all IP addresses that Cloudflare uses to proxy your traffic. Then last, on your NAT rule in pfSense, where you are forwarding traffic to your server on site, you need to configure the rule to only allow traffic that originated from this new alias.
@andynbaker thanks for your post. I have applied the rules as below and it works:
The top one is to allow from Cloudflare and the second one is to block the rest.
Technically you don't need the block-all rule. There's a 'hidden' block-all rule at the bottom of each interface. That is, all traffic is blocked by default, so you only need to limit who you allow through in this case. But leaving it there won't hurt!
If for whatever reason you don’t want to use VPNs (or can’t, like in my case), I created this small Node.js based service to manage an IP allow-list in Cloudflare:
The idea is that you set up your home firewall to allow requests from Cloudflare only, and set up Cloudflare to allow connections from an allow-list only. Then let the service add and remove the IP addresses of your mobile devices / laptops automatically to this allow-list.
At the moment getting it running requires 3 manual steps (set up Cloudflare, deploy a Docker container with the service, and set up your client devices to ping the endpoint to allow their IP address).
Eventually when I have enough time, I’ll create an online step-by-step setup guide to make it easier to get going.
Feedback appreciated
Igor
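The two posts above describe the same trust boundary from both ends: pfSense only accepts connections whose TCP peer is inside the Cloudflare alias, and the allow-list service only admits client addresses that arrive through Cloudflare. The following Python is an added illustration of that logic and is not the pfSense configuration or Igor's Node.js service. The Cloudflare ranges are a constructed subset of the list Cloudflare publishes at https://www.cloudflare.com/ips-v4 and https://www.cloudflare.com/ips-v6; the request-body shape for an IP Access Rule and the `handle_ping` / `AllowList` names are assumptions made for the example.

```python
import ipaddress
import time
from typing import Dict, List, Optional

# Constructed subset of the proxy ranges Cloudflare publishes at
# https://www.cloudflare.com/ips-v4 and https://www.cloudflare.com/ips-v6.
# The published list changes, so a real deployment regenerates it from those
# URLs (pfSense can do that itself with a URL Table alias).
CLOUDFLARE_RANGES = [ipaddress.ip_network(c) for c in (
    "173.245.48.0/20", "103.21.244.0/22", "104.16.0.0/13", "172.64.0.0/13",
    "2400:cb00::/32", "2606:4700::/32",
)]


def is_from_cloudflare(ip: str) -> bool:
    """The check the pfSense rule performs: is the TCP peer inside the Cloudflare alias?"""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in CLOUDFLARE_RANGES)


def client_ip(peer_ip: str, headers: Dict[str, str]) -> Optional[str]:
    """Return the real client address behind the proxy, or None to reject.

    Cloudflare puts the visitor's address in CF-Connecting-IP. That header is
    only trustworthy when the TCP peer really is Cloudflare; a request that
    reaches the origin directly could carry any value, so it is rejected here
    rather than trusted.
    """
    if not is_from_cloudflare(peer_ip):
        return None
    lowered = {k.lower(): v for k, v in headers.items()}
    value = lowered.get("cf-connecting-ip")
    if value is None:
        return None
    try:
        return str(ipaddress.ip_address(value))
    except ValueError:
        return None


def access_rule_payload(ip: str, note: str = "home-assistant allow-list") -> dict:
    """Request body for a Cloudflare IP Access Rule allowing one address.

    Assumption: the shape matches POST /zones/{zone_id}/firewall/access_rules/rules
    from the Cloudflare API; confirm against the current API reference.
    """
    return {
        "mode": "whitelist",
        "configuration": {"target": "ip", "value": ip},
        "notes": note,
    }


class AllowList:
    """Tracks which client addresses are allowed and when each entry expires."""

    def __init__(self, ttl_seconds: int = 24 * 3600) -> None:
        self.ttl = ttl_seconds
        self._expiry: Dict[str, float] = {}

    def touch(self, ip: str, now: float) -> dict:
        """(Re)arm the entry for ip and return the Cloudflare rule body to send."""
        self._expiry[ip] = now + self.ttl
        return access_rule_payload(ip)

    def expired(self, now: float) -> List[str]:
        """Drop entries past their TTL and return them; the caller deletes
        the matching Cloudflare rules (e.g. from a periodic job)."""
        gone = sorted(ip for ip, t in self._expiry.items() if t <= now)
        for ip in gone:
            del self._expiry[ip]
        return gone

    def active(self) -> List[str]:
        return sorted(self._expiry)


def handle_ping(peer_ip: str, headers: Dict[str, str], allow: AllowList,
                now: Optional[float] = None) -> Optional[dict]:
    """What the 'ping' endpoint does when a phone or laptop calls it.

    Returns the rule body to POST to Cloudflare, or None if the request
    did not arrive through Cloudflare (and is therefore ignored).
    """
    ip = client_ip(peer_ip, headers)
    if ip is None:
        return None
    return allow.touch(ip, time.time() if now is None else now)


if __name__ == "__main__":
    # Constructed requests: one through Cloudflare, one hitting the origin directly.
    allow = AllowList(ttl_seconds=3600)
    print(handle_ping("104.16.1.1", {"CF-Connecting-IP": "198.51.100.9"}, allow, now=0.0))
    print(handle_ping("203.0.113.7", {"CF-Connecting-IP": "198.51.100.9"}, allow, now=0.0))
    print("active:", allow.active(), "expired later:", allow.expired(now=7200.0))
```

The point worth keeping from this is the order of checks in `client_ip`: the forwarded address is consulted only after the peer has been confirmed to be Cloudflare, otherwise anyone who finds the origin's public address could add arbitrary IPs to the allow-list simply by setting the header.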
When configured like in Securing Home Assistant with Cloudflare I get:
Unable to connect to Home Assistant.
Retrying in XX seconds…
or:
I don't know how to fix that. Help please.
Same happens to me. Did you figure out what to do?
The same for me… I don’t know why.
I can access it using the IP registered in the Cloudflare DDNS subdomain (so the DDNS works), but using the domain name it is not found… How to solve it?
Anyone able to resolve the issue of "Unable to connect to Home Assistant."?
Before installing the certificate everything worked via Cloudflare.
Once I added the certificate, added the additional IP address in the config file and changed the SSL/TLS encryption to Full (strict), it's been unable to connect.
I even changed Full (strict) to Flexible and still it is not able to connect.
Same problem as @milutm, @NaduK and @miorba. I generated pem certificates from Cloudflare, replaced it in ssl folder with Samba Share, made sure the http section in configuration.yaml was set correctly, but HA won’t boot correctly. To get a proper boot I must remove newly added pem files with Samba Share, put the old ones back, and edit configuration.yaml through TextEdit app and revert Http section back to previous version.
@MattHodge, that would be great if you could help. ChatGPT cannot help and I have already tried a lot of things so far but still no luck.
What I had to do finally was to remove all pem files, uninstall any add-ons I had like Duck-DNS and Let's Encrypt (not just stop but remove them altogether), remove the lines from configuration.yaml so it does not use the pem files, reboot (need to access HASS from the local http URL now), then start from there to install Cloudflared.
Sounds like your Home Assistant is running on HTTPS. If that's the case, make sure that the tunnel for Home Assistant has the noTLSVerify option enabled.
Hi @igoramadas, I stumbled upon this thread after the x-th time of unavailability of the DuckDNS DNS servers.
Would like to try Cloudflare, and noticed that you planned to make a tutorial for this.
Hopefully did you manage to do so?
Kind regards Bert
Hello,
I used your guide and everything works fine. Thank you!
However, I needed a VPN so I set up WireGuard for Home Assistant and it won’t work with my domain name if Cloudflare is set to proxy it.
I am unsure what to do. I don’t think I want to disable the Cloudflare proxy because it’s an added protection, right? But I also need to be able to connect back home from both phones and TV’s and more.
Wish to know it too.
I am trying to use WireGuard as a VPN to send network requests via my local AdGuard Home instance, but now I can't do that with Cloudflare.
Anyone know how to run WireGuard to reach my target?
According to this posting I found a short time ago on Cloudflare, supposedly there seems to be a workaround using Cloudflare Tunnels and the WARP client (WireGuard).
https://community.cloudflare.com/t/help-with-wireguard-and-cloudflare-tunnel/518438
I’m new here, still trying to determine what permanent setup I’m going to go with, so, for now, I’m just collecting links to put the puzzle together later on. If I get a final answer, one way or another, and no one responds back before me, I’ll try to post my results since I would like to do the same thing.
Cheers
Can someone please post a video step by step on how to get HTTPS?
I got it working with Cloudflare from another video but I'm not getting HTTPS, as seen here:
@MattHodge wouldn't it now be easier and more secure to use the Cloudflare WARP client and a cloudflared tunnel instead? That wouldn't expose HA to the internet at all - neither directly via your router (because it doesn't need any ports forwarded on your router), nor via Cloudflare. Only an authenticated WARP client would be able to route traffic from your phone to your HA instance. You do still need a domain name (publicly resolvable) and point it to your.private.HA.IP.at.home (e.g. my-ha.example.com -> 192.168.1.9).

Here's how it can be done:

- Login to Cloudflare > Zero Trust
- Create a team, e.g. my-team
- Go Access > Tunnels
- Create tunnel my-tunnel > Docker - copy the tunnel token into docker-compose.yml:

    version: "3.7"
    services:
      my-tunnel:
        container_name: my-tunnel
        restart: unless-stopped
        image: cloudflare/cloudflared:latest
        command:
          - tunnel
          - --no-autoupdate
          - run
          - --token
          - <TUNNEL TOKEN>

- Add Private Network in the created tunnel
  - CIDR: 192.168.0.0/24
  - Description: my net
- Go Settings > WARP Client
- Add Device enrollment:
  - Add Policy rule:
    - Name: by email
    - Selector: email
    - Rule action: Allow
    - Value: your@email
- Add Device settings > Create profile:
  - Service mode: Gateway with WARP
  - Split tunnels > Include IPs and domains (instead of the default exclude):
    - Selector: IP Address
    - Value: your.private.HA.IP.at.home/32
    - Description: hass-private
  - Save profile
- Run docker compose up -d using the docker-compose.yml
- On phone, install 1.1.1.1 WARP (Cloudflare), then in that app go Settings > Account > Log into my-team.cloudflareaccess.com
- Enable VPN > install the suggested VPN profile (on iOS, or whatever pops up on Android)

With that setup, only traffic to your.private.HA.IP.at.home would go via WARP, and the rest would go directly to where it did before WARP. Then you'll be able to access your HA in the HA app (or browser) using http://my-ha.example.com:8139.

To eliminate the possibility of accidentally connecting to a malicious service instead of your HA, you'd have to set up SSL on HA using your domain (see Set up encryption using Let's Encrypt - Home Assistant), then use https://my-ha.example.com instead (recommended). I have SSL set up to cast to Nest Hub anyway.
SSL/TLS → Edge Certificates → Always Use HTTPS - Redirect all requests with scheme “http” to “https”. This applies to all http requests to the zone.
When it comes to securing Home Assistant, the safest option is using Tailscale or Cloudflare Warp since it keeps your instance off the open internet. The downside? You’ll need to run a VPN client, which can drain your device’s battery.
That said, with mTLS, you don’t need to run a VPN client, making it a solid option for Android users. Unfortunately, iOS doesn’t support mTLS natively, so it’s not as universal.
I decided to go with a middle ground: exposing Home Assistant to the internet but securing it with Cloudflare Access, using GitHub (or another login provider) for authentication. This way, I don’t need a client app running on my devices, and Cloudflare Access acts as the front door to my setup. Another benefit, I can also open the URL on my work computer in case I need to check something quickly.
For webhook integrations, Tailscale or Warp won’t work unless the sending device is running the VPN client. Cloudflare, on the other hand, offers a more flexible solution, you can use service tokens to bypass the initial login step when needed.
And there is a workaround (for now) for iOS to be able to connect to the secured URL using the Home Assistant app: Follow redirect during onboarding for external authentication · Issue #1872 · home-assistant/iOS · GitHub
Thanks everyone, for sharing your perspectives, it was truly insightful!