How tos

Tobias Brenner edited this page Oct 6, 2023 · 15 revisions

Please find below the most important How-Tos for accessing Home Assistant via your Cloudflare tunnel.

Get a Domain name

If you do not already have a domain name, you can get one from Cloudflare Registrar, Namecheap, GoDaddy or any other registrar.

Cloudflare

For general and up-to-date information on Cloudflared, please refer to the official Cloudflare documentation.

Creation of Account

Create a free Cloudflare account at cloudflare.com and follow the tutorial Getting started with Cloudflare.

Securing access to your Cloudflare account

After authentication, the add-on downloads a cert.pem file, which authenticates your instance of cloudflared against your Cloudflare account. You cannot revoke access to this file from your Cloudflare account! The issue still persists.

Workaround:

  1. Create a new Cloudflare account and invite it to your Cloudflare account that manages your domain:
    Cloudflare Dashboard -> Manage Account -> Members -> Invite Member
  2. Instead of using your primary account to authenticate the tunnel, use your secondary account.

If your cert.pem file is compromised, you can revoke your secondary account from your primary account.

Securing access to Home Assistant

After your tunnel is set up and working, you may wish to add additional security measures.

For example, you could add a WAF rule in Cloudflare which blocks requests from outside your country.

You can also use Cloudflare Access to present an authentication page before users are able to access Home Assistant; see the self-hosted applications docs.

Local vs. remote managed tunnels

Check the following information if you are unsure which tunnel type to use with this add-on.

In general you can use both tunnel types (remote or local) with this add-on.

If you would like to configure your tunnel from within the add-on configuration page and are happy with the given options, the local tunnel is what you are looking for. Take a look at the add-on docs to see what options can be used.

If you want to set up a more sophisticated tunnel with full flexibility and maintain it from the Cloudflare Zero Trust Dashboard, you should go for the remote managed tunnel. Have a look at this how-to.

Keep in mind, when using remote tunnels, you will need to configure all hosts (including Home Assistant) by yourself.

How to configure remote tunnels

Follow the next steps to create a Cloudflare Tunnel with the Cloudflare Zero Trust Dashboard and connect the Cloudflared Home Assistant add-on to use this tunnel.

  1. Open the Cloudflare Zero Trust Dashboard and log in.
  2. Search for the Tunnels section in the Access menu and create a new tunnel.
  3. Name the tunnel (choose whatever you like) and hit save.
  4. The tunnel will be created and a code snippet will be displayed. Extract the token from the code and copy it somewhere safe. (Depending on your OS the picture will vary)
  5. Add your first Public Hostname to proxy through the tunnel.
  6. Configure Home Assistant with the default HA config (HTTP = SSL disabled, default port 8123).
  7. The corresponding DNS entry will be automatically added to your Cloudflare DNS Zone. If the entry already exists, you will see a corresponding error message.
  8. The dashboard will show your newly created tunnel.
  9. You can configure more hosts (e.g. your NAS, Code Studio add-on, ...) or continue with the next step.
  10. Open your Home Assistant instance and open the Cloudflared add-on configuration page. Search for the tunnel_token field, named Cloudflare Tunnel Token.
  11. Copy in your token from step 4 of this guide.
  12. All other configuration options will be ignored.
  13. Start the add-on and check the logs.
  14. If everything went well, you should be connected to your tunnel.
  15. Check the Cloudflare Zero Trust Dashboard again to see that your tunnel is connected.
  16. You may add additional hosts from there. (Changes will be replicated to your tunnel without the need to restart the tunnel/add-on)
  17. Make sure to adapt your Home Assistant configuration.yaml to allow proxying traffic from this add-on.
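
For steps 4 and 11, the following added example (not part of the original wiki or the add-on) pulls the token out of the dashboard's command snippet and checks that it was copied completely before it is pasted into tunnel_token. It assumes the token is the base64-encoded JSON object with the fields a (account tag), t (tunnel ID) and s (tunnel secret) that cloudflared uses; the function names and the sample token are hypothetical and constructed.

```python
import base64
import json
import re

# Base64 of a JSON object always starts with "eyJ" (the encoding of '{"').
TOKEN_RE = re.compile(r"\beyJ[A-Za-z0-9+/_-]{20,}={0,2}")


def extract_tunnel_token(snippet):
    """Return the one token contained in the dashboard's command snippet."""
    found = set(TOKEN_RE.findall(snippet))
    if len(found) != 1:
        raise ValueError(f"expected exactly one token, found {len(found)}")
    return found.pop()


def inspect_tunnel_token(token):
    """Decode a token and return its non-secret fields; never the secret."""
    std = token.strip().translate(str.maketrans("-_", "+/")).rstrip("=")
    try:
        raw = base64.b64decode(std + "=" * (-len(std) % 4), validate=True)
        fields = json.loads(raw)
        secret = base64.b64decode(fields["s"], validate=True)
        return {"account_tag": str(fields["a"]), "tunnel_id": str(fields["t"]),
                "secret_bytes": len(secret)}
    except (ValueError, KeyError, TypeError) as exc:
        raise ValueError("token is truncated or malformed; copy it again") from exc


def constructed_token():
    """Constructed sample with placeholder IDs and an all-zero secret."""
    body = {"a": "0" * 32, "t": "00000000-0000-4000-8000-000000000000",
            "s": base64.b64encode(bytes(32)).decode()}
    return base64.b64encode(json.dumps(body).encode()).decode()


if __name__ == "__main__":
    snippet = "sudo cloudflared service install " + constructed_token()
    print(inspect_tunnel_token(extract_tunnel_token(snippet)))
```

Because the token embeds the tunnel secret, it should be stored like a password; the tunnel ID it reports can be compared with the one shown in the Zero Trust Dashboard.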