Using for remote access to home assistant

The Problem

At the moment, configuration for remotely accessing your home assistant installation requires that you either pay for Home Assistant Cloud or perform a rather complex setup to get a domain name, an SSL certificate, and forward ports from your home router to your home assistant installation.

Some of you might be unable to forward ports, or don’t want to mess with the complexities of things like DuckDNS and LetsEncrypt for certs.

This guide is designed to describe how you can use a free service offered by Cloudflare to get your home assistant installation online.

What is

It is a completely free service (doesn’t even require an account) that allows you to create a tunnel from a service (in our case Home Assistant) running on your home network to a randomly generated domain name provided by Cloudflare. The service is completely free to use, but it does not have guaranteed uptime and is often used to test new features. However, in my testing it has been rock solid and I’ve had zero issues.

Feel free to check out the Cloudflare blog post for more info on how it works:

The Advantage

The major advantage is that you do not need to open ports on your firewall or have a public IP address from your ISP. This allows you to get remote access to your home assistant installation with a single command, regardless of how you get internet.

The Disadvantage

Each time the add-on starts you will get a new URL from Cloudflare. At the moment this is unavoidable, so please be aware that you may need to update the URL you use each time the add-on restarts.

Home Assistant OS Addon

I’ve created an add-on which you can add to Home Assistant OS at the link above. You’ll need to install it (for now installation may take a while as it does local builds).

Installation steps:

  1. Read Installing third party add-ons. Repository URL can be found at addon
  2. Click on the install button
  3. Once installed configure the URL in to point to your local HTTP URL for Home Assistant, e.g.,
  4. Start the add-on
  5. Go to the Logs and you should see a URL for That will be your new External URL to access Home Assistant.
  6. Try to connect and log in using the External URL. It should not work - see next step
  7. Starting with HA 2021.7, you need to configure the reverse proxy by adding the following lines to your configuration.yaml:

       http:
         use_x_forwarded_for: true
         trusted_proxies:
           - <blocked IP address>  # placeholder, see next step

  8. Change <blocked IP address> to the IP address that is being blocked by Home Assistant - this can be found by looking at Configuration --> Logs
  9. Restart Home Assistant through Configuration --> Server Control --> Restart (Server Management)
  10. Try to use the External URL to connect to Home Assistant - now it should work!

The Manual Setup

This is entirely dependent on your installation method, but regardless of how you have Home Assistant installed you’ll need to download the cloudflared binary.

  1. Download the latest cloudflared binary for your system. (You can even run it on your computer)
  2. Once downloaded you’ll need to open your command line or terminal on your computer.
  3. You’ll navigate to the folder from your download of cloudflared.
  4. Run the command ./cloudflared tunnel --url http://<home assistant local ip>:8123
  5. Wait for the cloudflared app to give you a domain name.
  6. Access your home assistant installation by going to that URL.

Note: you’ll need to keep the cloudflared app running in the background to keep things operational.

Security Concerns

Since home assistant using this method will be running and backed by Cloudflare, there are some protections they provide out of the box that will already be better than just raw port forwarding. However, it is strongly recommended to enable IP banning in your home assistant installation for failed login attempts to ensure things are kept secure, see: HTTP - Home Assistant for more info on how to set up a login attempt threshold and enable IP banning.
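
The reverse-proxy setting in step 7 and the IP banning advice above both hinge on which address the server treats as the client once a tunnel sits in front of it. The sketch below is an added example, not part of the original post and not Home Assistant's own code: a simplified model of trusted-proxy handling of `X-Forwarded-For`, where the function names, the `10.20.30.0/24` proxy network and all sample addresses are constructed for illustration.

```python
import ipaddress

# Constructed sample: the network the tunnel client connects from.
TRUSTED_PROXIES = [ipaddress.ip_network("10.20.30.0/24")]


def is_trusted(addr, trusted):
    """True if addr falls inside any configured proxy network."""
    return any(addr in net for net in trusted)


def resolve_client_ip(peer_ip, xff_header, use_x_forwarded_for, trusted):
    """Return (http_status, client_ip) for one incoming request.

    peer_ip    -- address of the TCP peer (here: the tunnel client)
    xff_header -- raw X-Forwarded-For value, or None when absent
    """
    peer = ipaddress.ip_address(peer_ip)
    if xff_header is None:
        # Direct connection: the TCP peer is the client.
        return 200, str(peer)
    if not use_x_forwarded_for:
        # A proxy is in the path but the server was not told to expect one.
        return 400, None
    if not is_trusted(peer, trusted):
        # Anyone can send this header; honour it only from a known proxy.
        return 400, None
    try:
        hops = [ipaddress.ip_address(h.strip()) for h in xff_header.split(",")]
    except ValueError:
        return 400, None
    # Walk right to left: entries on the left are supplied by the caller and
    # can be forged, so the first hop that is not our proxy is the client.
    for hop in reversed(hops):
        if not is_trusted(hop, trusted):
            return 200, str(hop)
    return 200, str(hops[0])


if __name__ == "__main__":
    print(resolve_client_ip("10.20.30.2", "203.0.113.7", False, TRUSTED_PROXIES))
    print(resolve_client_ip("10.20.30.2", "203.0.113.7", True, TRUSTED_PROXIES))
```

With the proxy trusted, a ban for failed logins lands on the remote address rather than on the tunnel client that every visitor shares.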


Don’t like subscription and I am behind double NAT. This looks interesting. Will give this a try.

Made a couple of minor edits to remove outdated information (Hassio has been called Home Assistant OS for over a year). Also it can run on more than just a Raspberry Pi (NUC, Tinkerboard, Odroid, etc…).

Thanks for this guide. I’ve managed to get this running on one of my rpi3 and set it up as a service to keep it running in the background. I also created a short link using my domain so I don’t have to remember that long impossible URL Cloudflare provided.

The only downfall to this is when the pi reboots or the service fails, you will need to update the URL.

I imagine this is deliberate because it’s only supposed to serve as a demonstration of their paid service. It’s still handy as long as one doesn’t need 100% uptime for remote-access.

I’ve actually got a solution for making the URL more permanent, but it absolutely is one of those things that they likely do to ensure that you are not just hosting something through their service 24/7.

I would be interested to know how you do it.

BTW, would it be possible to use this to expose port 443 for use with Amazon Alexa routines and skills? I suspect that if you use cloudflared to expose 8123 via one host name then it doesn’t support exposing port 443 via the same host name or a second one.

Cloudflare proxies requests from the edge network on port 443 to the home assistant instance on port 8123 via the cloudflared app. It should work wonders for those wanting to set up Alexa and using the trycloudflare URL.

Nice tip! But I think you mean As doesn’t seem to work.

Just to let you know that you don’t need to use trycloudflare anymore, as Argo Tunnels just went free. I’ve been using it for a couple of months now. It’s just great. On top of the Tunnel, I’ve set Access to not disclose my origin HA instance to the public…

More information:

I skimmed through the Argo Tunnel configuration process and, prior to beginning, there are three prerequisites:

Before you start

  1. Add a website to Cloudflare
  2. Change your domain nameservers to Cloudflare
  3. Enable Argo Smart Routing for your account

Given that the goal is to take advantage of this free tunneling service, how does one get a free domain name in order to satisfy the first prerequisite?

The instructional video in this link demonstrates adding an existing domain name to one’s CloudFlare account:

I’m confused because I thought the original offer supplied a random domain name by default. Is it possible to get a free domain name from CloudFlare as well?

Guessed most of us have a domain name already…

If not, you can try this (never did it myself, nor can I recommend it… just googled it): Freenom Domain: Get a free domain with Freenom and Cloudflare - DEV Community

Same setup here. I’ve been tempted to write a guide, but it’s always turned out to be pretty complex for newcomers.

I’ve set Access to not disclose my origin HA instance to the public…

Is this a setting within cloudflare?

This is awesome and works as advertised.
As an idea, is there any way to set up that URL as a sensor?
We have our own Discord so HA sends messages to it.

If I am away and our Pi restarts for whatever reason then at least over Discord I could get the URL sent to me.

Is there any way to use this for a WireGuard setup?

Awesome idea getting the URL as a sensor! Did you get any further implementing it?

I haven’t looked into it at all, but it’s something on my to-do list if someone else doesn’t beat me to it.

Is anybody else having trouble connecting for the last couple of days?
It only responds:

400: Bad Request

log seems fine to me:

2021-07-12T16:53:06Z INF Each HA connection’s tunnel IDs: map[0:xxx 1:xxx 2:xxx 3:xxx]
2021-07-12T16:53:06Z INF +-----------------------------------------------------------+
2021-07-12T16:53:06Z INF | Your free tunnel has started! Visit it: |
2021-07-12T16:53:06Z INF | |
2021-07-12T16:53:06Z INF +-----------------------------------------------------------+
2021-07-12T16:53:06Z INF Route propagating, it may take up to 1 minute for your new route to become functional

Yes, same error. Have been using for over a year now without any problems.