Setting up internet access to Home Assistant in private network using Cloudflare

By | 17. March 2023

Home Assistant (HA)


  1. You need to set up your own domain
  2. Point the domain's DNS servers to Cloudflare DNS (you can also register a new domain name at Cloudflare to manage everything in one web interface)

For secure HTTPS connections, Cloudflare supports a fixed set of port numbers; you can see the list here

The chosen port should not already be in use on your device.

If your Home Assistant is running on a public IP address, choose one of those ports for HA. To do so, go to File Editor and click the folder icon:

Open configuration.yaml

and under the http section add the setting server_port: {port_number you chose}

HA must be restarted for the change to take effect.

If your HA is on a private network IP address, no changes are needed. Just configure your router to forward the selected port to the internal address and port of HA.

Next, add a subdomain in Cloudflare and point it to your public IP.


Now the connection between the web browser and the Cloudflare proxy is encrypted:

But the connection from Cloudflare to your server is not yet encrypted. To secure the whole path, we first need to create an Origin certificate. Go to the SSL/TLS section, choose Origin Server and click the Create Certificate button.


Default settings are usually OK:

Click the Create button and the certificates are generated.

Copy the private key and the certificate; both are needed. Do not share the private key with anyone! The private key cannot be downloaded again later.

The next step is installing the certificate and private key on the HA server. Open Terminal. If you do not have it, install the Terminal add-on and add it to the sidebar.

Verify that you are in the root folder; the command ls should show, among others, the ssl directory.

Go to this directory using the command cd ssl. With the command ls you can see the content of this directory (on this screenshot certificate files are already created).

Create a file for the public certificate with the command nano origin.pem

In the Nano editor, right click (for me it takes clicking two times to avoid the nano popup menu appearing) and paste the content of the Origin Certificate as plain text. Now hit Ctrl + X, then Y (Yes) and the file is saved. Finally hit the Enter key and the Nano editor closes.

Now create the private key file with the command nano cfprivatekey.pem, paste the private key content, then save and exit in the same manner as in the previous step. Verify with the ls command that both files are present.

Next we need to add those files to the http configuration. Open File Editor and the configuration.yaml file again. Add ssl_certificate: /ssl/origin.pem and ssl_key: /ssl/cfprivatekey.pem under the http configuration.

The next step is to allow HA to work behind proxies with use_x_forwarded_for: true, and to list all IP addresses Cloudflare uses.

The list of Cloudflare IPs can be found here

From the same page you can also get the list as text. Add this list under the trusted_proxies: section.
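
The configuration steps above, put together as an added example that is not part of the original article: a small Python helper that turns the plain-text IP list into a complete http section for configuration.yaml and rejects malformed or catch-all ranges. The sample ranges are documentation placeholders and port 8443 is an assumed choice; substitute the current Cloudflare list and your own port (pass None as the port if HA sits behind router port forwarding).

```python
import ipaddress

# Constructed sample of the plain-text list format (one CIDR range per line).
# These are documentation ranges, not Cloudflare's; paste the real list instead.
SAMPLE_LIST = """\
192.0.2.0/24
198.51.100.0/24

2001:db8::/32
"""

def parse_proxy_list(text):
    """Return validated networks from a one-CIDR-per-line text list."""
    networks = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        entry = raw.strip()
        if not entry:
            continue  # skip blank lines left over from copy and paste
        try:
            net = ipaddress.ip_network(entry, strict=True)
        except ValueError as exc:
            raise ValueError(f"line {lineno}: {entry!r} is not a valid CIDR range") from exc
        if net.prefixlen == 0:
            # 0.0.0.0/0 or ::/0 would make HA trust X-Forwarded-For from any client
            raise ValueError(f"line {lineno}: {entry!r} trusts every address")
        networks.append(net)
    if not networks:
        raise ValueError("no proxy ranges found")
    return networks

def render_http_block(server_port, proxy_list_text):
    """Build the http: section using the settings named in this article."""
    lines = ["http:"]
    if server_port is not None:  # only set when HA itself listens on the chosen port
        lines.append(f"  server_port: {int(server_port)}")
    lines += [
        "  ssl_certificate: /ssl/origin.pem",
        "  ssl_key: /ssl/cfprivatekey.pem",
        "  use_x_forwarded_for: true",
        "  trusted_proxies:",
    ]
    lines += [f"    - {net}" for net in parse_proxy_list(proxy_list_text)]
    return "\n".join(lines) + "\n"

if __name__ == "__main__":
    print(render_http_block(8443, SAMPLE_LIST))  # 8443 is an assumed port choice
```
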


Now restart HA.

In Cloudflare, under the SSL/TLS overview, set the encryption mode to Full (strict). Now the full path is secured and encrypted.

For full security, your router should allow only Cloudflare IP addresses to access the HA port.

