Using Cloudflare's Argo Tunnels for Remote Access

dcnoren · April 22, 2021, 10:14pm

Hey folks, here’s a guide I wrote up for using Cloudflare’s Argo Tunnels for remote access to your Home Assistant instance. If you’re looking for something other than port forwarding, VPN, or Nabu Casa - this might be worth considering.

I use this and Nabu Casa. Full guide on how to set it up using a test domain as an example. Argo Tunnels do cost $5 a month, but they can be used to tunnel other things as well, such as Proxmox, etc. Use it in conjunction with Cloudflare for Teams (I’ll write another guide later) and you’ll have your own authentication in front of it as well, using Gmail or other things.

123 · April 23, 2021, 5:27pm

They recently announced the availability of a free tier for Argo Tunnel. Can that be used with your guide?

dcnoren · April 23, 2021, 5:39pm

Thanks for posting that. I started writing the content before that announcement. I did try it recently, but the tunnels on the free one, for me at least, were still randomly-named with new names each time, and not UUID-based. So based on my testing - not quite yet.

However, I’d assume in the coming days or weeks, this will be fixed and then this can be used with no cost. I’ll try again early next week and update the content if that works.

shmookles · May 1, 2021, 5:35pm

Please keep us updated. This sounds really interesting.

latic · June 2, 2021, 7:03pm

Just saw this. Argo is really great. Just spent the best part of a day updating my hassos Cloudflare plugin to support the new Named tunnel.

shmookles · June 4, 2021, 3:47am

Awesome @latic, when will it be out with the updates on github?

kylehase · June 11, 2021, 6:32am

You mentioned avoiding “Cloudflare for Team” authentication for remote access as the HA app wouldn’t know how to deal with that authentication. I assume the same would be true for any incoming API requests into your HA instance, for example Google Assistant manual setup.

Cadish · June 21, 2021, 5:46pm

I’m also using Cloudflare tunnels, together with Access as an extra layer of security. Everything is free now, so no worries about any costs.

There is indeed an issue with using the iOS app, but I disable Access when initialising the iOS app, and then I enable it once it’s working.

shmookles · June 21, 2021, 6:02pm

it just sucks that the iOS app can’t natively deal with it? Should be pretty simple to fix.

Cadish · June 21, 2021, 6:07pm

I don’t know. I don’t know the details of why it fails…

welna9 · August 21, 2021, 7:23am

Hello. Thanks for the tutorial. Good job! HA works great but I’m having trouble connecting to Proxmox. I added lines to the config.yml file with a subdomain added in Cloudflare and IP Proxmox but unfortunately it doesn’t work. In Cloudflare, I added a new subdomain and assigned the same tunnel UUID to it. What may be the problem?

dcnoren · September 11, 2021, 2:57am

Does proxmox load but the login fails? Or is proxmox not loading entirely?

russellevans72 · September 23, 2021, 5:55pm

Hi, the guide solve getting promox working for me…thanks
The issue I have is home assistant does not work.

All I gets is a 400 : bad request on the website

I am running the free version of cloudflared.

My HA config has these line in it…

homeassistant:
  external_url: "https://ha.binky-lab.com"
  auth_providers:
    - type: homeassistant

Also.
Can you advise what the issue might be with running running cloudflared in the proxmox host OS. I am asking because you put it in VM and there must be a good reason I am missing.

russellevans72 · September 23, 2021, 7:07pm

Ok adding this to the config solved the issue

http:
  use_x_forwarded_for: true
  trusted_proxies:
    - 192.168.1.10  #ip of PC making the proxy request

I am still interested in comments so I understand why running cloudflared directly in Proxmox is not such a great idea?

dcnoren · September 24, 2021, 2:09am

I ran it as a VM inside Proxmox. I’m sure other options work well as well.

zoom · September 27, 2021, 4:58am

There should be way to access HA from native app on mobile. Yo can use Cloudflare warp as part of Access policy definition and make your mobile trusted device without additional auth as you will be auth in to the warp.

bedson · December 15, 2021, 2:02pm

It works great. I just wonder if with the HA only tunnel you need to set up a firewall on the host machine itself? Currently, I have not set it because it only works in the local network.
Second question - I set up my cloudflare firewall to block IP from outside my country (not US). What IP range should I unblock for Google Assistant to work?

What else to set for HA security? 2FA already set

nemiro-TECH · June 24, 2022, 2:07pm

Made it up and running.

Solved my problem with nginx conection.

Problem> Anyone manage to expose extra ports over Cloudflare Tunnels ?

I am trying to install Google Assistant SDK but can’t finish the API call to the necessary ports.

dcnoren · June 24, 2022, 2:31pm

You should be able to add another entry in the config file, something like:

ingress:
  - hostname: homeassistant.stringcheesefactory.com
    service: http://10.10.3.1:8123
  - hostname: service2.stringcheesefactory.com
    service: http://10.10.3.1:1234

The IP can be the same (to route to the same Home Assistant server), or something completely different… like a web server, etc.

nemiro-TECH · June 24, 2022, 8:02pm

Thanks, partially worked.

It seams that the addon tutorial is missing some steps.