Solution to Google Home link error when using Cloudflare to expose HA

After spending hours trying to figure out why I wasn’t able to re-link my Home Assistant app to my Google Home, and after looking at the error logs on Google Cloud Console, I figured the root cause was Cloudflare’s Bot Fight Mode, which I had turned on at some point. This was sending a challenge after the authentication that was breaking the authentication flow.
Google is apparently recognized as a bot. After disabling Bot Fight Mode, I was finally able to link Home Assistant and Google Assistant.

The more you know

10 Likes

I’ve been trying to troubleshoot this for almost 24 hours, ever since my Assistant started giving errors around 7am yesterday. This was my issue too, thank you for posting. Almost did a full re-setup too!

1 Like

Thank you! This fixed my issue as well instantly.

Was in the same boat since last night… This helped me. Thank you!

1 Like

Same here,

  • turned off Bot Fight mode
  • re-linked account (via Google Home app)
  • told google to “sync my devices”
  • → All good now! Thanks folks!

Not sure why this started for me yesterday as well. I did not change anything in Cloudflare and it has been working without any issues. That being said, Bot Fight Mode was turned on. Not sure if it was by me or not, but I know I didn’t change anything in Cloudflare yesterday. I tried re-creating the Google link without success. Disabling Bot Fight Mode restored the Google Home link immediately and as a result saved my sanity and possibly my marriage. So thank you for posting and sharing with the rest of us. Really appreciate it.

heh :joy:

If anything makes it to a bot list, Google must be in that list.

Thank you so much for this!

Thank you for this. Is it safe to turn on Bot Fight Mode after syncing? Does anyone know if it is possible to set some rules to exclude this traffic from Bot Fight Mode with a free plan in Cloudflare?

Had the same problem for the past few days. I have other WAF rules, one specifically to allow Google auth. In theory you can tell the WAF to skip the bot fighting, but this seems to have stopped working.

Amending my last comment:

Well, it seems that’s no longer the case. From Cloudflare’s “Get started with Bot Fight Mode” docs:

“You cannot bypass or skip Bot Fight Mode using the Skip action in WAF custom rules or using Page Rules. Skip, Bypass, and Allow actions apply to rules or rulesets running on the Ruleset Engine. While Super Bot Fight Mode rules are implemented in the Ruleset Engine, Bot Fight Mode checks are not. This is why you can skip Super Bot Fight Mode, but not Bot Fight Mode. If you need to skip Bot Fight Mode, consider using Super Bot Fight Mode.

Bot Fight Mode can still trigger if you have IP Access rules, but it cannot trigger if an IP Access rule matches the request. For example, the IP Access rule matches the connecting IP.”

I will take a look at creating an IP Access rule with Google’s ASN; this should be enough to bypass the bot protection.

2 Likes

For anyone having this problem, I can confirm that you can have bot protection enabled and filter Google with an IP Access rule. The downside of this is that any Google bot will be able to query you, but as Cloudflare is flagging the auth request as a bot, it is a working workaround.

2 Likes

Commenting to say thank you for this.

1 Like

THANK YOU for this!

1 Like

This seems like a bad idea. I’m not sure how you have the rest of your security configured, but per Cloudflare:

Allowing an IP, ASN, or country will bypass any configured custom rules, rate limiting rules, and firewall rules (deprecated).

You are basically letting anything in from any of the Google IPs without any further restriction. I’d much rather disable bot mode and keep a more limiting rule.

To allow Google in, I have a separate subdomain just for voice control where I block everything that isn’t the following:

  • An IP in the list below
    • 66.249.80.0/20
    • 108.177.0.0/17
    • 192.178.0.0/15
    • 66.102.0.0/20
    • 74.125.0.0/16
  • Google’s ASN: 15169
  • URI Path contains one of the following
    • /api/google_assistant
    • /auth/token

Cloudflare’s rule expression builder doesn’t let you build this logic normally, so you have to click “Edit expression” to put the rule in:

not ((http.request.uri.path contains "/api/google_assistant" or http.request.uri.path eq "/auth/token") and ip.geoip.asnum eq 15169 and ip.src in {66.249.80.0/20 108.177.0.0/17 192.178.0.0/15 66.102.0.0/20 74.125.0.0/16}) and (http.host eq "voice-control.example.com")
2 Likes
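To check what the rule above actually blocks and lets through before deploying it, here is a small Python model of its logic run over a few constructed requests. This is an added example, not code from the post or from Cloudflare: the host, ASN and prefixes are taken from the rule, the `Request` fields and the `evaluate` helper are my own simplification (Cloudflare’s `contains` is treated as a plain substring match), and the sample requests are invented.

```python
import ipaddress
from dataclasses import dataclass

# Values copied from the WAF expression in the post above.
ALLOWED_HOST = "voice-control.example.com"
GOOGLE_ASN = 15169
GOOGLE_PREFIXES = [ipaddress.ip_network(p) for p in (
    "66.249.80.0/20", "108.177.0.0/17", "192.178.0.0/15",
    "66.102.0.0/20", "74.125.0.0/16",
)]


@dataclass
class Request:
    """Hypothetical subset of the request fields the rule looks at."""
    host: str      # http.host
    path: str      # http.request.uri.path
    src_ip: str    # ip.src
    asn: int       # ip.geoip.asnum


def is_google_assistant_traffic(req: Request) -> bool:
    """The inner (A and B and C) part of the expression."""
    path_ok = "/api/google_assistant" in req.path or req.path == "/auth/token"
    asn_ok = req.asn == GOOGLE_ASN
    ip = ipaddress.ip_address(req.src_ip)
    ip_ok = any(ip in net for net in GOOGLE_PREFIXES)
    return path_ok and asn_ok and ip_ok


def rule_matches(req: Request) -> bool:
    """True when the block rule fires: on the voice-control host and NOT
    the allowed Google path/ASN/IP combination."""
    return (not is_google_assistant_traffic(req)) and req.host == ALLOWED_HOST


def evaluate(requests):
    """Return 'block' where the rule fires, otherwise 'pass' (meaning this
    rule does not match; other rules or the origin still decide)."""
    return ["block" if rule_matches(r) else "pass" for r in requests]


# Constructed sample requests (not real traffic).
SAMPLES = [
    # Google OAuth token exchange from a Google prefix and ASN: allowed.
    Request(ALLOWED_HOST, "/auth/token", "66.249.80.5", 15169),
    # Google Assistant fulfillment call: allowed.
    Request(ALLOWED_HOST, "/api/google_assistant", "74.125.10.10", 15169),
    # Same path but from an unrelated IP/ASN: blocked.
    Request(ALLOWED_HOST, "/auth/token", "203.0.113.7", 64496),
    # Google IP/ASN but a path outside the two allowed ones: blocked.
    Request(ALLOWED_HOST, "/api/states", "192.178.1.1", 15169),
    # Right IP/ASN/path but wrong host: this rule does not apply at all.
    Request("ha.example.com", "/auth/token", "66.249.80.5", 15169),
]


def sample_decisions():
    return evaluate(SAMPLES)


if __name__ == "__main__":
    for req, decision in zip(SAMPLES, sample_decisions()):
        print(f"{decision:5}  {req.host}{req.path}  from {req.src_ip} AS{req.asn}")
```

The fourth case is the point of scoping the allow to two paths: a request from a genuine Google address to any other Home Assistant endpoint on the voice-control host is still blocked, which is what an ASN-wide IP Access rule would not give you. The last case shows the rule is scoped to one host, so the main Home Assistant hostname needs its own rules.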

As I said, not a perfect solution. In the end I rewrote a few rules that I had and made something similar to what you suggest.