Breaking Boundaries: Elevating Home Assistant with Cloudflare Zero Trust Tunnels

In the realm of smart homes, Home Assistant stands as a beacon of versatility and control. By default, Home Assistant operates within the confines of the local network, offering users huge flexibility in orchestrating all connected devices in their homes. However, many users also seek remote access to their devices, to allow for different automations or to quickly check the status of things at home. While various options exist, from VPNs over the official Nabu Casa cloud access to port forwarding combined with dynamic DNS, today I’ll present an easy to configure but also quite secure option: Cloudflare Zero Trust Tunnels.

While most tutorials already out there focus on configuring tunnels for Home Assistant running Home Assistant Operating System (HAOS), I’ll show how to configure tunnels for basically any type of hosting. The example below was prepared using Home Assistant in a docker container.

Prerequisites: Your Gateway to Connection

Before you can follow any of the instructions ensure you have the following:

• A Cloudflare Zero Trust Account.
• A domain, configured through Cloudflare DNS.
  • I actually moved all my domains to Cloudflare to allow this use-case, and I’m very satisfied with the whole Cloudflare experience. Highly recommended!
• A host within your network capable of accessing the internet and running the cloudflared deamon (I am using a 9-year old!! Raspberry Pi 2 as our test subject, so basically anything will do).
  • That device doesn’t have to be the same as the device hosing the target service

Connecting Home Assistant to the outside world

Step 1: Creating a Remotely Managed Tunnel

Tunnel configuration is done using the Dashboard which makes setting up a new tunnel a matter of minutes. Here are the steps you need to take:

1. Create Tunnel: Go to Networks > Tunnels and click Create a tunnel

2. Service Install + Setup: Select “Cloudflared,” give the tunnel a name on the next screen, and then choose your OS and follow the given installation instructions.
   • For my old Raspi 2 (that uses a ARMv7 chip), I actually used a Debian package from the cloudflared GitHub Repository
   • Once installed I went back to the install instructions to execute the service as detailed there (The instructions already contain the token used to authenticate your tunnel host)
   • The cloudflared deamon sets itself up automatically: once it is connected, a new connector will show up

3. Mapping Our Route: Complete the Route-Traffic form, assigning the domain (+ subdomain and path) that should be routed through your tunnel.
   • Also configure the service to which all tunnelled requests should be routed to. In my case it is localhost:8123 because my Home Assistant instance is running on the same device. This can point to any host in the same network as the device running the deamon.
   • Configure additional settings if required (HTTP, TLS, Authentication settings, …), for this simple example the defaults are good enough
   • Note: you can add multiple service (e.g. the router webinterface) after the tunnel is configured

3. Go Live: With a click of the save button, our tunnel is ready. All requests to the specified route now securely traverse the tunnel, and are proxied to the configured service in our home network.
   • Quick Note on Security: While all traffic to and trough the tunnel is TLS-encrypted. Once the traffic leaves our tunnel at the cloudflared deamon, it is plain HTTP. For increased security, configure the service as HTTPS. Additionally, Cloudflare creates two separate connections: one to the client, one to the cloudflared daemon. This means Cloudflare could theoretically intercept and read all your traffic if you don‘t use application level encryption as well.
4. Step 2: Allow Proxies for Home Assistant

Our Home Assistant, though brilliant, may be wary of unfamiliar faces. To welcome proxied requests, we must tweak the default-settings slightly:

1. Edit configuration.yml: open configuration.yml and add the following code to allow proxied requests (In my case, both cloudflared and home assistant are running on the same host. Adjust the IP to the IP of the host running cloudflared as neccessary)

http:
use_x_forwarded_for: true
  trusted_proxies:
    - 127.0.0.1

Check out the Documentation for the HTTP integration for more info about other configuration options like TLS-encrypted traffic, login bans etc.

2. Open the Gates: Try to access your Home Assistant instance with the URL configured for the service, it should work seamlessly

For Advanced users, Cloudflare provides a myriad of configuration options. You could even protect your tunnel with Single-Sign-On for added security. See the official Documentation for all the details. You’ll also find more explanations on how all of this works there.

And there you have it! With Cloudflare Zero Trust Tunnels, you can expose your Home Assistant (or any other local service for that matter) securely to the internet with just a few clicks.