Hi,
I’m kind of desperately reaching out here since I’m running out of options.
Short Description:
For a couple of months I’ve been having this issue where I cannot remotely access my local Home Assistant installation from the Home Assistant App on my iPhone through the Cloudflare Access Tunnel (with WARP client installed on my iPhone).
My Setup:
- Local home setup:
  - Home Assistant installed on a Raspberry Pi
  - Cloudflared Docker container running on a separate server
- Cloudflare Zero Trust configuration:
  - Access Tunnel established between local home and Cloudflare (showing HEALTHY)
  - Application: Home Assistant
    - Policies:
      - BYPASS if connected to WARP gateway (i.e., “Include Gateway”)
      - ALLOW if user is member of a certain Azure AD group and is not connected to gateway (i.e., “Include Azure Groups” and “Exclude Gateway”)
    - Authentication: Azure AD configured as identity provider
  - Settings > Authentication: Azure AD configured as login method
  - Settings > WARP Client:
    - Service mode: Gateway with WARP
    - Split Tunnels: Include domain for Home Assistant
  - Settings > Network:
    - TLS Decryption enabled
Details:
- Whenever I’m home in my WiFi, the connection to Home Assistant from the app works flawlessly
- Whenever I’m not home and I open a browser and try to access Home Assistant remotely, I’m presented with the Azure AD sign-in page, and after authenticating there I’m properly routed to Home Assistant. This is independent of whether I’m connected to the WARP tunnel through the 1.1.1.1 app or not.
- Whenever I’m not home, am connected to the WARP tunnel and open the Home Assistant app, I’m also presented with the Azure AD sign-in page. The problem is, the app cannot handle this scenario. This is why I put the BYPASS rule described above in place → to my understanding this should bypass the Azure AD sign-in page and lead me directly to Home Assistant.
Troubleshooting:
- I’ve tried looking at the logs produced by the cloudflared container, the ones produced by the Home Assistant app and those of the 1.1.1.1 app. I was not able to find anything “obvious”; I’m also no VPN expert, however.
- What I’ve seen is that in the connection settings part of the Home Assistant app on the iPhone, the “WebSocket” status would intermittently switch quickly between “Disconnected” and “Connecting”. The error shown in the details is: The operation couldn’t be completed. (Starscream.HTTPUpgradeError error 0.)
- I’ve also tried un-enrolling the iPhone from the 1.1.1.1 app and setting it up anew. Still not working.
- Also, access to all configured applications works when accessing from the browser (after signing in with Microsoft SSO), so the Tunnel itself and the domain setup should be OK in my opinion.
My guess: Cloudflare is not properly recognizing when I’m connected through WARP/1.1.1.1 and therefore the BYPASS rule is not executing.
Do you have any suggestions on how I could further troubleshoot or what settings to check?
P.S. Sorry for the rather long post
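A small troubleshooting helper, added here as an example and not code from the original post or from Cloudflare or Home Assistant: it sends the same WebSocket upgrade request the app makes to Home Assistant's WebSocket API endpoint (/api/websocket) through the tunnel, and reports whether the reply came from the origin (101 Switching Protocols) or was a redirect to the Cloudflare Access login page on cloudflareaccess.com, which is what the app cannot handle. The hostname is read from the HA_HOST variable (ha.example.com below is a placeholder), and the Sec-WebSocket-Key is the fixed sample value from RFC 6455; the response classifier is assumed logic written for this example, not a Cloudflare-provided check.

```shell
#!/bin/sh
# check_access.sh - added example, not code from the original post.
# Sends a WebSocket upgrade request to Home Assistant through the Cloudflare
# tunnel and reports whether the origin answered or Access intercepted it.
# HA_HOST is a placeholder you must set, e.g. HA_HOST=ha.example.com.

WS_PATH="/api/websocket"   # Home Assistant's WebSocket API endpoint

# classify_response RAW
# RAW is the status line plus headers of one HTTP response.
# Prints one of:
#   origin        the request reached Home Assistant (101 Switching Protocols)
#   access_login  Cloudflare Access redirected to its login page, i.e. no
#                 BYPASS/ALLOW policy matched this client
#   other         anything else; the raw response is printed for inspection
classify_response() {
  raw="$1"
  status=$(printf '%s\n' "$raw" | head -n 1 | tr -d '\r' | awk '{print $2}')
  location=$(printf '%s\n' "$raw" | grep -i '^location:' | head -n 1 \
             | tr -d '\r' | awk '{print $2}')
  case "$status" in
    101) echo origin ;;
    301|302|303|307|308)
      case "$location" in
        *.cloudflareaccess.com/*) echo access_login ;;
        *) echo other ;;
      esac ;;
    *) echo other ;;
  esac
}

# probe_ha HOST
# Performs the upgrade handshake with curl and classifies the reply. After a
# 101 curl keeps the connection open, so --max-time bounds the wait; the
# headers have already been written to stdout by then.
probe_ha() {
  host="$1"
  raw=$(curl -s -i --max-time 5 \
    -H 'Connection: Upgrade' \
    -H 'Upgrade: websocket' \
    -H 'Sec-WebSocket-Version: 13' \
    -H 'Sec-WebSocket-Key: dGhlIHNhbXBsZSBub25jZQ==' \
    "https://${host}${WS_PATH}" 2>/dev/null || true)
  verdict=$(classify_response "$raw")
  printf '%s -> %s\n' "$host" "$verdict"
  [ "$verdict" = other ] && printf '%s\n' "$raw" | head -n 20
  return 0
}

# Only probe when a host was supplied; the classifier can be used on its own.
if [ -n "${HA_HOST:-}" ]; then
  probe_ha "$HA_HOST"
fi
```

Run it as `HA_HOST=ha.example.com sh check_access.sh` once with WARP connected and once disconnected, from the same network the phone is on. If the WARP run still prints access_login, the Access policy is not seeing the request as coming from Gateway and the BYPASS rule is the thing to investigate; if it prints origin while the app still fails, the policy is matching and the problem lies in the app's own handshake rather than in Zero Trust.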