Wireguard VPN on HA configure through Cloudflare

Hi folks!

I recently moved the remote access to HA from duckdns+SSL to cloudflare+own domain. The main reason to move is that I wanted google assistant commands to be fulfilled locally - which is now working.

From time to time I need to use a straight VPN on my mobile so that all the traffic gets routed as if I am at home (mostly used when I’m working abroad and need to watch content only available in my country).
Before I had the wireguard addon on HA configured with the HA external URL as server.host (let’s say it was mydomain.duckdns.org) and had the port UDP 51820 in my router pointing to HA IP.
Now I’ve created a subdomain on my cloudflared addon (e.g. wire.mydomain.com) which gets properly registered at Cloudflare in terms of DNS record. When I test accessing the url on chrome wire.mydomain.com, I see on cloudflared log that the traffic gets in, but then it never gets properly routed to my wireguard instance running in the same HA install. I’ve tested pointing cloudflared to several internal IP alternatives (as below) but none trigger anything in wireguard:

PS - if I configure wireguard server to 192.168.1.2 and access locally with my phone everything works, but as soon as I get off the wifi it stops
PS2 - if I point wire.mydomain.com to my external IP address and then keep the port UDP 51820 routed to 192.168.1.2 it works but I was trying to avoid to keep ports forwarded to HA instance - and my external IP changes when the ISP wants.

Anyone could help me with the right configuration between cloudflared and wireguard addons?

Kind regards,
HS

1 Like

Hi everyone,

After digging (quite) a lot I was able to get Cloudflare WARP service working, properly routing the requests to my local network through my tunnel. So through this I have access to my local resources but the rest of the traffic is routed by Cloudflare to the internet directly (i.e. it does not work as a pure VPN where all the traffic goes through my private tunnel - therefore it does not cover my intended use).

To anyone that wants to explore the WARP route, please find below some resources I found useful:

So considering that my intention is to tunnel all my traffic to my home through VPN, I’m still stuck in getting wireguard working through my cloudflare domain.

Any clues?

Thanks in advance,
HS

1 Like

I was interested in doing the same thing and using a Wireguard VPN routed through a cloudflared tunnel and had the same results.

I took a look at tailscale, it seems to provide the same functions and took all of 10 minutes to set it up and have it running.

I read some about Tailscale, and I didn’t find anything that allows it to operate as a generic VPN to the HA local network. Do you have an online guide that supports this capability?

Hi all,

A bit late maybe, but I was trying to do the same thing. After setting up cloudflared, with a domain within Cloudflare, I did not want to use duckdns again, only to use it for Wireguard.

Creating a subdomain in the Cloudflare dashboard is easy, but my public IP can change of course.
So I went ahead and created a plugin for Home Assistant, that automatically updates the DNS record in Cloudflare.

You can find the repo here: GitHub - jeroenvdw/hassio-cloudflare-update: Home Assistant add-on, to update a DNS record within Cloudflare with your public IP address
It’s my first plugin, so any feedback is welcome!

1 Like

This is great! Just installed it and had it up and running in a minute. Great stuff!
I particularly love how simple the code is and easy to verify.

A couple of suggestions from me:

Thanks!

Later edit: I also found the official Cloudflare - Home Assistant integration which seems to do the exact same thing, but that too lacks IPv6 support.

Small update, for those reading along: the addon has been updated.
Now it’s possible to update your Cloudflare DNS records for both IPv4 and IPv6. Just choose in the settings.
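For readers who want to see what such an updater does under the hood, here is an added example (not the add-on's code, nor anything from this thread) of the core logic in Python: it picks A or AAAA from the address family, patches the Cloudflare record only when the address has drifted, and forces the record to DNS-only, because a proxied record resolves to Cloudflare's edge, which does not carry WireGuard's UDP traffic to the home IP. The environment variable names and the record/zone values are assumptions made for this example; the current public address is passed on the command line.

```python
"""Keep a Cloudflare DNS record pointed at the home's current public IP (A for IPv4, AAAA for IPv6).
CF_ZONE_ID, CF_RECORD_NAME and CF_API_TOKEN are names chosen for this example; the token needs DNS:Edit."""
import ipaddress
import json
import os
import sys
import urllib.request

CF_API = "https://api.cloudflare.com/client/v4"

def record_type_for(ip):
    """'A' for IPv4, 'AAAA' for IPv6; raises ValueError for anything that is not an IP address."""
    return "A" if ipaddress.ip_address(ip).version == 4 else "AAAA"

def build_update(record, ip):
    """PATCH body that points `record` at `ip`, or None when nothing needs changing.
    proxied is forced to False: a proxied (orange-cloud) record resolves to Cloudflare's edge,
    which serves HTTP only and never forwards WireGuard's UDP traffic to the home address."""
    rtype = record_type_for(ip)
    if record["type"] != rtype:
        raise ValueError(f"{record['name']} is a {record['type']} record, address needs {rtype}")
    if record["content"] == ip and record.get("proxied") is False:
        return None
    return {"type": rtype, "name": record["name"], "content": ip, "ttl": 120, "proxied": False}

def cf_request(token, method, path, body=None):
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(CF_API + path, data=data, method=method, headers={
        "Authorization": f"Bearer {token}", "Content-Type": "application/json"})
    with urllib.request.urlopen(req, timeout=15) as resp:
        reply = json.load(resp)
    if not reply.get("success"):
        raise RuntimeError(f"Cloudflare API error: {reply.get('errors')}")
    return reply

def sync_record(zone_id, name, ip, token, request=cf_request):
    """Look up the A/AAAA record for `name` and patch it only if the address drifted
    (`request` is injectable so the decision logic can be exercised without network access)."""
    rtype = record_type_for(ip)
    found = request(token, "GET", f"/zones/{zone_id}/dns_records?type={rtype}&name={name}")["result"]
    if not found:
        raise LookupError(f"no {rtype} record named {name} in zone {zone_id}")
    body = build_update(found[0], ip)
    if body is None:
        return "unchanged"
    request(token, "PATCH", f"/zones/{zone_id}/dns_records/{found[0]['id']}", body)
    return "updated"

if __name__ == "__main__":  # usage: python cf_ddns.py <current public IPv4 or IPv6 address>
    env = os.environ
    print(sync_record(env["CF_ZONE_ID"], env["CF_RECORD_NAME"], sys.argv[1], env["CF_API_TOKEN"]))
```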