Wireguard VPN on HA configure through Cloudflare

Hi folks!

I recently moved the remote access to HA from duckdns+SSL to cloudflare+own domain. The main reason to move is that I wanted google assistant commands to be fulfilled locally - which is now working.

From time to time I need to use a straight VPN on my mobile so that all the traffic gets routed as if I am at home (mostly used when I’m working abroad and need to watch content only available in my country).
Before I had the wireguard addon on HA configured with the HA external URL as server.host (let’s say it was mydomain.duckdns.org) and had the port UDP 51820 in my router pointing to HA IP.
Now I’ve created a subdomain on my cloudflared addon (e.g. wire.mydomain.com) which gets properly registred at Cloudflare in terms of DNS record. When I test accessing the url on chrome wire.mydomain.com, I see on cloudflared log that the traffic gets in, but then it never gets properly routed to my wireguard instance running in the same HA install. I’ve tested pointing cloudflared to several internal IPs alternatives (as below) but none trigger anything in wireguard:

• service : http://172.27.66.1:51820 (internal IP of wireguard server as I configured)
• service : http://172.27.66.1 as well as https://
• service : http://192.168.1.2:51820 (the IP address of my HA)
• service : http://192.168.1.2 as well as https://

PS - if I configure wireguard server to 192.168.1.2 and access locally with my phone everything works, but as soon as I get off the wifi it stops
PS2 - if I point wire.mydomain.com to my external IP address and then keep the port UDP 51820 routed to 192.168.1.2 it works but I was trying to avoid to keep ports forwarded to HA instance - and my external IP changes when the ISP wants.

Anyone could help me with the right configuration between cloudflared and wireguard addons?

Kind regards,
HS

Hi everyone,

After digging (quite) a lot I was able to get Cloudflare WARP service working, properly routing the requests to my local network through my tunnel. So through this I have access to my local resources but the rest of the traffic is routed by Cloudflare to the internet directly (i.e. it does not work as a pure VPN where all the traffic goes through my private tunnel - therefore it does not cover my intended use).

To anyone that wants to explore the WARP route, please find below some resources i found useful:

• Securely access home network with Cloudflare Tunnel and WARP | Simply Explained
• Connect private networks · Cloudflare Zero Trust docs

So considering that me intention is to tunnel all my traffic to my home through VPN, I’m still stuck in getting wireguard working through my cloudflare domain.

Any clues?

Thanks in advance,
HS

I was interested in doing the same thing and using a Wireguard VPN routed through a cloudflared tunnel and had the same results.

I took a look at tailscale, it seems to provide the same functions and took all of 10 minutes to set it up and have it running.