Securing Home Assistant with Cloudflare

Hi @igoramadas, I stumbled upon this thread after having the x-th time of unavailability of the DuckDNS DNS servers.
I would like to try Cloudflare, and noticed that you planned to make a tutorial for this.

Hopefully you managed to do so?
Kind regards, Bert

Hello,

I used your guide and everything works fine. Thank you!

However, I needed a VPN so I set up WireGuard for Home Assistant and it won’t work with my domain name if Cloudflare is set to proxy it.

I am unsure what to do. I don’t think I want to disable the Cloudflare proxy because it’s an added protection, right? But I also need to be able to connect back home from both phones and TVs and more.

I wish to know this too.
I try to use WireGuard as a VPN to scan network requests via my local AdGuard Home instance, but now I can’t do that with Cloudflare.

Does anyone know how to run WireGuard to reach my target?

According to this posting I found a short time ago on the Cloudflare community, there supposedly seems to be a workaround using Cloudflare Tunnels and the WARP client (WireGuard).

https://community.cloudflare.com/t/help-with-wireguard-and-cloudflare-tunnel/518438

I’m new here, still trying to determine what permanent setup I’m going to go with, so, for now, I’m just collecting links to put the puzzle together later on. If I get a final answer, one way or another, and no one responds back before me, I’ll try to post my results since I would like to do the same thing. :+1:

Cheers

Can someone please post a step-by-step video on how to get HTTPS?
I got it working with Cloudflare from another video, but I’m not getting HTTPS, as seen here:

@MattHodge wouldn’t it now be easier and more secure to use the Cloudflare WARP client and a cloudflared tunnel instead? That wouldn’t expose HA to the internet at all - neither directly via your router (because it doesn’t need any ports being forwarded on your router), nor via Cloudflare. Only an authenticated WARP client would be able to route traffic from your phone to your HA instance. You do still need a domain name (to be publicly resolvable) and point it to your.private.HA.IP.at.home (e.g. my-ha.example.com -> 192.168.1.9).

Here’s how it can be done:

  1. Login to Cloudflare > Zero Trust
  2. Create a team, e.g. my-team
  3. Go to Access > Tunnels
  4. Create tunnel my-tunnel > Docker
  5. Copy tunnel token to docker-compose.yml:
    version: "3.7"
    services:
      my-tunnel:
        container_name: my-tunnel
        restart: unless-stopped
        image: cloudflare/cloudflared:latest
        command:
          - tunnel
          - --no-autoupdate
          - run
          - --token
          - <TUNNEL TOKEN>
    
  6. Add Private Network in the created tunnel
    • CIDR: 192.168.0.0/24
    • Description: my net
  7. Go to Settings > WARP Client
  8. Add Device enrollment:
    • Add Policy rule:
      • Name: by email
      • Selector: email
      • Rule action: Allow
      • Value: your@email
    • Add Device settings > Create profile:
      • Service mode: Gateway with WARP
      • Split tunnels > Include IPs and domains (instead of the default exclude):
        • Selector: IP Address
        • Value: your.private.HA.IP.at.home/32
        • Description: hass-private
    • Save profile
  9. Run docker compose up -d using the docker-compose.yml
  10. On the phone, install 1.1.1.1 WARP (Cloudflare), then in that app go to Settings > Account > Log into my-team.cloudflareaccess.com
  11. Enable VPN > install suggested VPN profile (on iOS, or whatever pops up in Android)

With that setup, only traffic to your.private.HA.IP.at.home would go via WARP, and the rest would go directly to where it did before WARP. Then you’ll be able to access your HA in the HA app (or browser) using http://my-ha.example.com:8139.

To eliminate the possibility of accidentally connecting to a malicious service instead of your HA, you’d have to set up SSL on HA using your domain (see Set up encryption using Let's Encrypt - Home Assistant), then use https://my-ha.example.com instead (recommended). I have SSL set up to cast to Nest Hub anyway.

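An added consistency check for the tunnel/WARP setup described in the post above (example code, not from the post or from Cloudflare). It assumes the split-tunnel includes are IP entries, and the values in the block are constructed: a /24 at home with HA on .9, included as a /32 as in the post.

```python
"""Offline consistency check for a Cloudflare Tunnel + WARP split-tunnel setup."""
import ipaddress
from dataclasses import dataclass


@dataclass
class WarpSetup:
    private_networks: list[str]       # CIDRs added under the tunnel's "Private Network"
    split_tunnel_includes: list[str]  # WARP profile "Include IPs and domains" (IP entries only)
    ha_private_ip: str                # your.private.HA.IP.at.home
    public_dns_answer: str            # what my-ha.example.com resolves to publicly


def check_setup(cfg: WarpSetup) -> list[str]:
    """Return a list of problems; an empty list means the pieces line up."""
    problems: list[str] = []
    ha_ip = ipaddress.ip_address(cfg.ha_private_ip)
    nets = [ipaddress.ip_network(n, strict=False) for n in cfg.private_networks]
    includes = [ipaddress.ip_network(i, strict=False) for i in cfg.split_tunnel_includes]

    # HA must sit on a private range: the point of the setup is that nothing is public.
    if not ha_ip.is_private:
        problems.append(f"HA address {ha_ip} is not a private (RFC 1918) address")
    # cloudflared only routes traffic to ranges declared as the tunnel's Private Network.
    if not any(ha_ip in n for n in nets):
        problems.append(f"HA address {ha_ip} is outside every tunnel Private Network CIDR")
    # WARP only sends traffic into the tunnel for addresses in the include list.
    if not any(ha_ip in inc for inc in includes):
        problems.append(f"HA address {ha_ip} is not covered by the split-tunnel include list")
    # An include no tunnel route serves is pulled into WARP but never reaches home.
    for inc in includes:
        if not any(inc.subnet_of(n) for n in nets):
            problems.append(f"include {inc} is not inside any tunnel Private Network CIDR")
    # The public record is what the HA app dials; it must name the private HA address.
    if ipaddress.ip_address(cfg.public_dns_answer) != ha_ip:
        problems.append(f"DNS answer {cfg.public_dns_answer} does not match HA address {ha_ip}")
    return problems


if __name__ == "__main__":
    # Constructed values for a run; adjust to your own tunnel and profile settings.
    good = WarpSetup(["192.168.1.0/24"], ["192.168.1.9/32"], "192.168.1.9", "192.168.1.9")
    print(check_setup(good) or "setup is consistent")
```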

SSL/TLS → Edge Certificates → Always Use HTTPS - Redirect all requests with scheme “http” to “https”. This applies to all http requests to the zone.

When it comes to securing Home Assistant, the safest option is using Tailscale or Cloudflare Warp since it keeps your instance off the open internet. The downside? You’ll need to run a VPN client, which can drain your device’s battery.

That said, with mTLS, you don’t need to run a VPN client, making it a solid option for Android users. Unfortunately, iOS doesn’t support mTLS natively, so it’s not as universal.

I decided to go with a middle ground: exposing Home Assistant to the internet but securing it with Cloudflare Access, using GitHub (or another login provider) for authentication. This way, I don’t need a client app running on my devices, and Cloudflare Access acts as the front door to my setup. Another benefit: I can also open the URL on my work computer in case I need to check something quickly.

For webhook integrations, Tailscale or Warp won’t work unless the sending device is running the VPN client. Cloudflare, on the other hand, offers a more flexible solution: you can use service tokens to bypass the initial login step when needed.

And there is a workaround (for now) for iOS to be able to connect to the secured URL using the Home Assistant app: Follow redirect during onboarding for external authentication · Issue #1872 · home-assistant/iOS · GitHub

Thanks everyone, for sharing your perspectives, it was truly insightful!

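An added example of the service-token approach mentioned above for webhooks (example code, not from the post, Cloudflare or Home Assistant). It assumes an Access policy that allows the service token for the HA application; the hostname, webhook id and credential placeholders are constructed.

```python
"""Send a Home Assistant webhook through Cloudflare Access with a service token."""
import json
import os
import urllib.error
import urllib.request
from urllib.parse import urlsplit

# Header names Cloudflare Access checks for service-token authentication.
ACCESS_ID_HEADER = "CF-Access-Client-Id"
ACCESS_SECRET_HEADER = "CF-Access-Client-Secret"


def build_webhook_request(base_url: str, webhook_id: str, client_id: str,
                          client_secret: str, payload: dict) -> urllib.request.Request:
    """Build the POST to HA's /api/webhook/<id> carrying the Access service-token headers."""
    parts = urlsplit(base_url)
    # The token pair is a long-lived credential for the Access application; refuse to
    # send it over plain http, where it would cross the network in the clear.
    if parts.scheme != "https":
        raise ValueError("Cloudflare Access service tokens must only be sent over https")
    url = f"https://{parts.netloc}/api/webhook/{webhook_id}"
    body = json.dumps(payload).encode()
    req = urllib.request.Request(url, data=body, method="POST")
    req.add_header("Content-Type", "application/json")
    req.add_header(ACCESS_ID_HEADER, client_id)
    req.add_header(ACCESS_SECRET_HEADER, client_secret)
    return req


def send(req: urllib.request.Request, timeout: float = 10.0) -> int:
    """Perform the request and return the HTTP status (non-2xx if Access or HA rejects it)."""
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status
    except urllib.error.HTTPError as e:
        return e.code


if __name__ == "__main__":
    # Placeholders: set the pair shown when you create the token in Zero Trust > Access.
    req = build_webhook_request(
        "https://my-ha.example.com", "rain-sensor-7f3a",  # constructed hostname and webhook id
        os.environ.get("CF_ACCESS_CLIENT_ID", "<CLIENT-ID>"),
        os.environ.get("CF_ACCESS_CLIENT_SECRET", "<CLIENT-SECRET>"),
        {"event": "rain_started"})
    print(req.full_url, dict(req.header_items()))
```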

I’m going down a rabbit hole to get my hass install open to the web to see if I can get CoPilot working with code-server. A bit of a tangent, but I’m curious whether, if all I’m after is HTTPS, I can use Tailscale, or whether I need to keep chugging along.