Securing Home Assistant with Cloudflare

Hi @igoramadas, I stumbled upon this thread after the x-th time of unavailability of the DuckDNS DNS servers.
Would like to try Cloudflare, and noticed that you planned to make a tutorial for this.

Hopefully you did manage to do so?
Kind regards Bert

Hello,

I used your guide and everything works fine. Thank you!

However, I needed a VPN so I set up WireGuard for Home Assistant and it won’t work with my domain name if Cloudflare is set to proxy it.

I am unsure what to do. I don’t think I want to disable the Cloudflare proxy because it’s an added protection, right? But I also need to be able to connect back home from phones, TVs and more.

Wish to know it too.
I try to use WireGuard as a VPN to scan network requests via my local AdGuard Home instance, but now I can’t do that with Cloudflare.

Anyone know how to run WireGuard to reach my target?

According to this posting I found a short time ago on the Cloudflare community, supposedly there seems to be a workaround using Cloudflare Tunnels and the WARP client (WireGuard).

https://community.cloudflare.com/t/help-with-wireguard-and-cloudflare-tunnel/518438

I’m new here, still trying to determine what permanent setup I’m going to go with, so, for now, I’m just collecting links to put the puzzle together later on. If I get a final answer, one way or another, and no one responds back before me, I’ll try to post my results since I would like to do the same thing. :+1:

Cheers

Can someone please post a step-by-step video on how to get HTTPS?
I got it working with Cloudflare from another video, but I’m not getting HTTPS, as seen here:

@MattHodge wouldn’t it now be easier and more secure to use the Cloudflare WARP client and a cloudflared tunnel instead? That wouldn’t expose HA to the internet at all: neither directly via your router (because it doesn’t need any ports being forwarded on your router), nor via Cloudflare. Only an authenticated WARP client would be able to route traffic from your phone to your HA instance. You do still need a domain name (publicly resolvable) and point it to your.private.HA.IP.at.home (e.g. my-ha.example.com -> 192.168.1.9).

Here’s how it can be done:

  1. Log in to Cloudflare > Zero Trust
  2. Create a team, e.g. my-team
  3. Go to Access > Tunnels
  4. Create tunnel my-tunnel > Docker
  5. Copy the tunnel token into docker-compose.yml:
    version: "3.7"
    services:
      my-tunnel:
        container_name: my-tunnel
        restart: unless-stopped
        # cloudflared makes an outbound connection to Cloudflare, so no inbound port is published
        image: cloudflare/cloudflared:latest
        command:
          - tunnel
          - --no-autoupdate
          - run
          - --token
          - <TUNNEL TOKEN>   # the token shown in the Zero Trust dashboard when the tunnel is created

  6. Add Private Network in the created tunnel
    • CIDR: 192.168.0.0/24
    • Description: my net
  7. Go to Settings > WARP Client
  8. Add Device enrollment:
    • Add Policy rule:
      • Name: by email
      • Selector: email
      • Rule action: Allow
      • Value: your@email
    • Add Device settings > Create profile:
      • Service mode: Gateway with WARP
      • Split tunnels > Include IPs and domains (instead of the default exclude):
        • Selector: IP Address
        • Value: your.private.HA.IP.at.home/32
        • Description: hass-private
    • Save profile
  9. Run docker compose up -d using the docker-compose.yml
  10. On your phone, install 1.1.1.1: WARP (Cloudflare), then in that app go to Settings > Account > Log in to my-team.cloudflareaccess.com
  11. Enable VPN > install the suggested VPN profile (on iOS, or whatever pops up on Android)

With that setup, only traffic to your.private.HA.IP.at.home would go via WARP, and the rest would go directly to where it did before WARP. Then you’ll be able to access your HA in the HA app (or browser) using http://my-ha.example.com:8139.

To eliminate the possibility of accidentally connecting to a malicious service instead of your HA, you’d have to set up SSL on HA using your domain (see Set up encryption using Let's Encrypt - Home Assistant), then use https://my-ha.example.com instead (recommended). I have SSL set up to cast to Nest Hub anyway.

SSL/TLS → Edge Certificates → Always Use HTTPS - Redirect all requests with scheme “http” to “https”. This applies to all http requests to the zone.
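The WARP setup above only works when the three routing pieces agree: the HA IP has to lie inside the tunnel's Private Network CIDR (step 6) and inside the split-tunnel Include entry (step 8), and the Include list should not be wider than intended. The check below is an added example, not code from the post or from Cloudflare's tooling; the constants at the top are the values used in the steps above.

```python
import ipaddress
from typing import Iterable, List

# Values as given in the steps above (constructed from the post, not read from Cloudflare).
TUNNEL_PRIVATE_NETWORKS = ["192.168.0.0/24"]   # step 6: Private Network CIDR on the tunnel
SPLIT_TUNNEL_INCLUDE = ["192.168.1.9/32"]      # step 8: Split tunnels > Include IPs and domains
HA_IP = "192.168.1.9"                          # your.private.HA.IP.at.home


def check_warp_routing(ha_ip: str, private_networks: Iterable[str],
                       include_entries: Iterable[str]) -> List[str]:
    """Return a list of routing problems; an empty list means HA should be reachable
    through WARP and nothing beyond the intended ranges is sent into the tunnel."""
    problems: List[str] = []
    ha = ipaddress.ip_address(ha_ip)
    routes = [ipaddress.ip_network(n, strict=False) for n in private_networks]
    includes = [ipaddress.ip_network(n, strict=False) for n in include_entries]

    # 1. cloudflared only forwards traffic for CIDRs registered as Private Networks.
    if not any(ha in r for r in routes):
        problems.append(
            f"{ha} is not covered by any tunnel Private Network "
            f"({', '.join(str(r) for r in routes)})")

    # 2. With Include mode, the WARP client only sends listed destinations via WARP.
    if not any(ha in inc for inc in includes):
        problems.append(f"{ha} is not in the split-tunnel Include list")

    # 3. A catch-all Include entry sends the phone's whole traffic through WARP,
    #    which is the opposite of the "only HA traffic via WARP" intent above.
    for inc in includes:
        if inc.prefixlen == 0:
            problems.append(f"Include entry {inc} routes all traffic through WARP")

    return problems


if __name__ == "__main__":
    result = check_warp_routing(HA_IP, TUNNEL_PRIVATE_NETWORKS, SPLIT_TUNNEL_INCLUDE)
    for line in result or ["routing looks consistent"]:
        print(line)
```

Run against the post's own example values it reports whether the example HA IP actually falls inside the example Private Network CIDR; adjust the constants to your own addresses before relying on it.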