Home Assistant app fails to connect through Cloudflare Access Tunnel

Hi,

I’m kind of desperately reaching out here since I’m running out of options.

Short Description:
For a couple of months I’ve been having this issue where I cannot remotely access my local Home Assistant installation from the Home Assistant App on my iPhone through the Cloudflare Access Tunnel (with WARP client installed on my iPhone).

My Setup:

  • Local home setup:
    • Home Assistant installed on a RaspberryPi
    • Cloudflared Docker Container running on a separate Server
  • Cloudflare Zero Trust Configuration:
    • Access Tunnel established between local home and Cloudflare (showing HEALTHY)
    • Application: Home Assistant
      • Policies:
        • BYPASS if connected to WARP gateway (i.e., “Include Gateway”)
        • ALLOW if user is member of certain Azure AD group and is not connected to gateway (i.e. “Include Azure Groups” and “Exclude Gateway”)
      • Authentication: Azure AD configured as identity provider
    • Settings > Authentication: Azure AD configured as login method
    • Settings > WARP Client:
      • Service mode: Gateway with WARP
      • Split Tunnels: Include domain for Home Assistant
    • Settings > Network:
      • TLS Decryption enabled

Details:

  1. Whenever I’m home in my WiFi, the connection to Home Assistant from the app works flawlessly
  2. Whenever I’m not home, I open a browser and I try to access Home Assistant remotely, I’m presented with the Azure AD sign-in page and after authenticating there I’m properly routed to Home Assistant. This is independent of whether I’m connected to the WARP tunnel or not through the 1.1.1.1 app.
  3. Whenever I’m not home, I’m connected to the WARP tunnel and I open the Home Assistant app, I’m also presented with the Azure AD sign-in page. The problem is, the app cannot handle this scenario. This is why I put the BYPASS rule described above in place → to my understanding this should bypass the Azure AD sign-in page and lead me directly to Home Assistant.

Troubleshooting:

  • I’ve tried looking at the logs produced by the cloudflared container, the ones produced by the Home Assistant app and by the 1.1.1.1 app. I was not able to find anything “obvious” - I’m also no VPN expert however.
  • What I’ve seen is that in the connection settings part of the Home Assistant app on the iPhone, the “WebSocket” status would intermittently switch quickly between “Disconnected” and “Connecting”. The error shown in the details is: The operation couldn’t be completed. (Starscream.HTTPUpgradeError error 0.)
  • I’ve also tried un-enrolling the iPhone from the 1.1.1.1 app and setting it up anew. Still not working.
  • Also, access to all configured applications works when accessing from the browser (after signing in with Microsoft SSO), so the Tunnel itself and the domain setup should be ok in my opinion.

My guess: Cloudflare is not properly recognizing when I’m connected through WARP/1.1.1.1 and therefore the BYPASS rule is not executing.

Do you have any suggestions how I could further troubleshoot or what settings to check?

P.S. Sorry for the rather long post :slight_smile:
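A way to narrow down the “Starscream.HTTPUpgradeError” seen in the post is to send the same WebSocket upgrade the app sends and look at what Cloudflare Access returns: a 101 means the request was let through, a redirect to an Access login URL means the policy still demanded an IdP sign-in. This is an added diagnostic, not code from the thread or from Home Assistant; the hostname, the team domain in the sample redirect and the `/cdn-cgi/access/login` redirect shape are assumptions.

```python
import base64
import http.client
import os
import ssl
from typing import Dict, Tuple

# Hypothetical hostname; replace with the Access-protected Home Assistant domain.
HA_HOST = "ha.example.invalid"


def classify_upgrade(status: int, headers: Dict[str, str]) -> str:
    """Map a WebSocket-handshake response to what Access did with it.
    Header names are compared case-insensitively."""
    h = {k.lower(): v for k, v in headers.items()}
    if status == 101 and h.get("upgrade", "").lower() == "websocket":
        return "upgraded"        # request reached Home Assistant (bypass / service auth matched)
    if status in (301, 302, 303, 307) and "/cdn-cgi/access/login" in h.get("location", ""):
        return "access-login"    # Access demanded an IdP sign-in; the app cannot follow this
    if status == 403:
        return "access-denied"   # no policy matched, or the gateway/service-token check failed
    return f"unexpected-{status}"


def probe_websocket(host: str = HA_HOST, path: str = "/api/websocket") -> Tuple[int, Dict[str, str]]:
    """Send a real WebSocket upgrade request (needs network) and return status and headers."""
    key = base64.b64encode(os.urandom(16)).decode()
    conn = http.client.HTTPSConnection(host, 443, context=ssl.create_default_context(), timeout=10)
    conn.putrequest("GET", path)
    conn.putheader("Host", host)
    conn.putheader("Upgrade", "websocket")
    conn.putheader("Connection", "Upgrade")
    conn.putheader("Sec-WebSocket-Key", key)
    conn.putheader("Sec-WebSocket-Version", "13")
    conn.endheaders()
    resp = conn.getresponse()
    return resp.status, dict(resp.getheaders())


# Constructed sample responses for the two outcomes (team domain is made up).
SAMPLE_LOGIN_REDIRECT = (302, {"Location": "https://team.cloudflareaccess.com/cdn-cgi/access/login/ha.example.invalid"})
SAMPLE_UPGRADE = (101, {"Upgrade": "websocket", "Connection": "Upgrade"})

if __name__ == "__main__":
    for status, headers in (SAMPLE_LOGIN_REDIRECT, SAMPLE_UPGRADE):
        print(status, classify_upgrade(status, headers))
    # probe_websocket() can be run from the phone's network (WARP on) and from home Wi-Fi to compare.
```

Running the probe with WARP connected and getting "access-login" confirms the poster's guess that the policy is not matching the gateway identity, while "upgraded" from the same network points at the app rather than Access.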

I’ve got the same setup, which is working. You need to set your rule for “Include Gateway” from BYPASS to SERVICE AUTH instead. That should do the thing imho.

Hi Cadish,

Thanks for that hint! I didn’t even know there was another option :sweat_smile:

I switched my BYPASS rule to SERVICE AUTH but it still seems to not be working.
So I have now these 2 policies in place:

  • SERVICE AUTH for WARP gateway (i.e., “Include Gateway”)
  • ALLOW if user is member of certain Azure AD group and is not connected to gateway (i.e. “Include Azure Groups” and “Exclude Gateway”)

Do you have other settings set that I might be missing?

Hey, did you manage to find a solution? I’m in the same boat as you and can’t get the app to work.

Thanks


Not really unfortunately.
With the configuration described by @Cadish it now more frequently detects/reports location changes in the background to Home Assistant (triggering the automation to set the Alarm to away). However, still not reliably.
What has not changed and is still equally bad as before is the actual app - there I‘m still not able to open the app and actually do something when I‘m not at home.

Did you find a solution? I fiddled around with some settings some more but to no avail. Most of the time when opening the HA app it‘s still asking me to log into Azure AD instead of bypassing it.

I found a solution for my HA; although not elegant, it works for me.
My solution was to uninstall my HA app from my Android and then install it again fresh. After re-installation the multifactor authentication worked fine and I am using Gitlab as well.
The caveat is that after session timeout you will have to repeat this process.
Extending the session timeout period from 24 hours to something longer may do the trick, but I'm not sure if there is any security risk involved in increasing the session timeout …