How tos
Please find below the most important How-Tos regarding accessing Home Assistant via your Cloudflare tunnel.
If you do not already have a domain name, get one. You can get one at Freenom following this article.
For general and up-to-date information on Cloudflared, please refer to the official Cloudflare documentation.
Create a free Cloudflare account at cloudflare.com and follow the tutorial Getting started with Cloudflare.
After authentication, the add-on downloads a cert.pem file to authenticate your instance of cloudflared against your Cloudflare account.
You cannot revoke access to this file from your Cloudflare account! The issue still persists.
Workaround:
- Create a new Cloudflare account and invite it to your Cloudflare account that manages your domain: Cloudflare Dashboard -> Manage Account -> Members -> Invite Member
- Instead of using your primary account to authenticate the tunnel, use your secondary account.
If your cert.pem file is compromised, you can revoke your secondary account from your primary account.
After your tunnel is set up and working, you may wish to add additional security measures.
For example, you could add a WAF rule in Cloudflare which blocks requests from outside your country.
You can also use Cloudflare Access to present an authentication page before users are able to access Home Assistant, see the self-hosted applications docs.
Check the following information if you are unsure which tunnel type to use with this add-on.
In general you can use both tunnel types (remote or local) with this add-on.
If you would like to configure your tunnel from within the add-on configuration page and are happy with the given options, the local tunnel is what you are looking for. Take a look at the add-on docs to see what options can be used.
If you want to set up a more sophisticated tunnel with full flexibility and maintain it from the Cloudflare Zero Trust Dashboard, you should go for the remote managed tunnel. Have a look at this how-to.
Keep in mind, when using remote tunnels, you will need to configure all hosts (including Home Assistant) by yourself.
Follow the next steps to create a Cloudflare Tunnel with the Cloudflare Zero Trust Dashboard and connect the Cloudflared Home Assistant add-on to use this tunnel.
- Open https://one.dash.cloudflare.com/ and log in.
- Search for the Tunnels section in the Access menu and create a new tunnel.
- Name the tunnel (choose whatever you like) and hit save.
- The tunnel will be created and a code snippet will be displayed. Extract the token from the code and copy it somewhere safe. (Depending on your OS, the picture will vary.)
- Add your first Public Hostname to proxy through the tunnel.
- The pictures below show how to configure Home Assistant with the default HA config. (HTTP = SSL disabled, default port 8123)
- The corresponding DNS entry will be automatically added to your Cloudflare DNS Zone. If the entry already exists, you will see a corresponding error message.
- The dashboard will show your newly created tunnel.
- You can Configure more hosts (e.g. your NAS, Code Studio add-on, ...) or continue with the next step.
- Open your Home Assistant instance and open the Cloudflared add-on configuration page. Search for the tunnel_token field, named Cloudflare Tunnel Token.
- Copy in your token from step 4 of this guide.
- All other configuration options will be ignored.
- Start the add-on and check the logs.
- If everything went well, you should be connected to your tunnel.
- Check the Cloudflare Zero Trust Dashboard again to see that your tunnel is connected.
- You may add additional hosts from there. (Changes will be replicated to your tunnel without the need to restart the tunnel/add-on)
- Make sure to adapt your Home Assistant configuration.yaml to allow proxying traffic from this add-on.
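
A minimal http section for that last step, added here as an example and not taken from the original page or the add-on's own files. The 172.30.33.0/24 range is an assumption (the default Supervisor add-on network); confirm the value against the add-on docs for your installation.

```yaml
# configuration.yaml (added example, not from the original page)
http:
  # Let Home Assistant take the client address from the X-Forwarded-For
  # header of proxied requests instead of the proxy's own address.
  use_x_forwarded_for: true

  # Only the proxies listed here are allowed to supply X-Forwarded-For.
  # Assumption: 172.30.33.0/24 is the Supervisor add-on network that the
  # Cloudflared add-on connects from. Keep this as narrow as possible.
  trusted_proxies:
    - 172.30.33.0/24

  # Too broad, shown for contrast only: trusting every source lets any
  # client that reaches port 8123 directly claim an arbitrary address,
  # which undermines IP bans and makes the access log unreliable.
  # trusted_proxies:
  #   - 0.0.0.0/0
```

Restart Home Assistant after editing the file so the http settings take effect.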