Setting up Cloudflare tunnel to access Home Assistant

If you don’t want to use the service from Home Assistant cloud, the other option that is free is to setup the Cloudflare tunnel that will allow you access to your Home Assistant. It is acting as the reverse proxy to your Home Assistant that is sitting on your home network without the need to open up ports in your router. Just be mindful that you are still exposing your Home Assistant to the outside world so it is imperative to setup all the security such as the 2FA to ensure that no unauthorised access to your HA. Also make sure you that you updated all the latest security patches as you will still be prone to zero day attack and any vulnerability that might be discovered in the future.

Step 1. Install required software on the Raspberry Pi

This can be done by installing the cloudflare repository to your Raspberry Pi using the following command

sudo apt update 
sudo apt upgrade
sudo apt install curl lsb-release
curl -L https://pkg.cloudflare.com/cloudflare-main.gpg | sudo tee /usr/share/keyrings/cloudflare-archive-keyring.gpg >/dev/null
echo "deb [signed-by=/usr/share/keyrings/cloudflare-archive-keyring.gpg] https://pkg.cloudflare.com/cloudflared $(lsb_release -cs) main" | sudo tee  /etc/apt/sources.list.d/cloudflared.list
sudo apt update
sudo apt install cloudflared

Step 2. Authenticating the Cloudflare service

Create the association with the Cloudflare service with the following command

cloudflared tunnel login

Please open the following URL and log in with your Cloudflare account:

https://dash.cloudflare.com/argotunnel?callback=https%3A%2F%2Flogin.cloudflareaccess.org%2FXXXXXXXXXX

Leave cloudflared running to download the cert automatically.

Once you have issued the above command, you will be presented with the above message and you can copy and paste it to your browser and login to your Cloudflare account, this will allow the certificate to be downloaded, and you should see the following message

You have successfully logged in. 
If you wish to copy your credentials to a server, they have been saved to: /home/pi/.cloudflared/cert.pem

Step 3. Create the Cloudflare tunnel

Use the following command to create your tunnel, and make sure you replace the “MYTUNNEL” with your tunnel.

cloudflared tunnel create MYTUNNEL

Tunnel credentials written to /home/pi/.cloudflared/XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX.json. cloudflared chose this file based on where your origin certificate was found. Keep this file secret. To revoke these credentials, delete the tunnel.

Created tunnel MYTUNNEL with id XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX

The message above shows that your tunnel have been created successfully.

Step 4. Routing the Tunnel to a Domain Name

For this step you will need to have registered a Domain Name and have changed the DNS server of your domain to point to the Cloudflare domain. For information on how to change your DNS server please follow the instruction from your domain service provider.

Make sure you replace “MYTUNNEL” with your tunnel name created in the previous step and “MYDOMAIN” with your registered domain name.

cloudflared tunnel route dns MYTUNNEL MYDOMAIN

2025-08-18T04:54:54Z INF Added CNAME MYDOMAIN which will route to this tunnel tunnelID=XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX

The message above shows that the Clouldflare have created the CNAME for your domain which will route to your tunnel.

Step 5. Port forward your Home Assistant port through the tunnel

Use the following command to port forward your Home Assistant through the tunnel. The following command assumed your Home Assistant is running on port 8123, and also make sure you replace the “MYTUNNEL” with your tunnel name.

cloudflared tunnel run --url localhost:8123 MYTUNNEL

2025-08-18T09:34:40Z INF Starting tunnel tunnelID=XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX
2025-08-18T09:34:40Z INF Cannot determine default configuration path. No file [config.yml config.yaml] in [~/.clouddflare-warp /etc/cloudflared /usr/local/etc/cloudflared]
2025-08-18T09:34:40Z INF Version 2022.10.0
2025-08-18T09:34:40Z INF GOOS: linux, GOVersion: go1.18.6, GoArch: arm
2025-08-18T09:34:40Z INF Settings: map[url:localhost:8123]

You will see the above message which means that your tunnel have been re-routed successfully. At this stage you should be able to open the Home Assistant by pointing to your domain name.

Step 6. Connecting your tunnel on Boot

To connect your tunnel at boot time you can do the following setup. Create the config.yml using the following command. Make sure you change “MYTUNNEL” with your tunnel name and “MYDOMAIN” with your domain.

sudo nano ~/.cloudflared/config.yml

tunnel: MYTUNNEL
credentials-file: /home/pi/.cloudflared/XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX.json

ingress:
  - hostname: MYDOMAIN
    service: http://localhost:8123
  - service: http_status:404

Save the above file and then install the cloudflare as a service using the following command, then enable and start the tunnel.

sudo cloudflared --config ~/.cloudflared/config.yml service install

sudo systemctl enable cloudflared
sudo systemctl start cloudflared

There is one additional step for Home Assistant as the is some trick to do the reverse proxy as Home Assistant doesn’t want to play nicely.

Step 7. Edit Home Assistant Configuration

Open the Home Assistant configuration.yml and add the following line

nano homeassistant/configuration.yaml

# allow reverse proxy for cloudflared
http:
  use_x_forwarded_for: true
  trusted_proxies:
    - ::1

Save and close the configuration, then restart the Home Assistant.

If you encounter any error related to the memory you can run the following command

sudo sysctl -w net.core.rmem_max=7500000
sudo sysctl -w net.core.wmem_max=7500000

I hope you like this post and it helps you in accessing your Home Assistant security from anywhere through the Cloudflare tunnel.