openHAB behind a Cloudflare Tunnel for remote access

I ended up having some free time this weekend and placed my openHAB server behind a Cloudflare Tunnel for remote access. The Cloudflare Tunnel allows for remote access to my server similar to Tailscale, ZeroTier, and other VPN-like platforms. The only difference is you don’t need to be running a battery guzzling VPN app on your mobile device to access your server.

With a Cloudflare Tunnel you install a somewhat small application on the server. This application creates a connection between the openHAB server and Cloudflare’s network. With the connection established I then created a Zero Trust application. This Zero Trust application just points to the openHAB interface running on my server. I then limited access to the openHAB Zero Trust application to my specific Google account and used Google as the authentication service. Now when I want to access my openHAB server when I’m away from home I just open up a web page (my own custom domain), log in with my Google Account credentials which include multi factor authentication, and then I have access to the openHAB web interface. Note you cannot use the openHAB app with this setup.

The Cloudflare Tunnel is part of Cloudflare for Teams which also offers a nice set of bundled products including a personalized DNS, Gateway, Access, and a VPN for up to 50 users.

To me this appears to be the best remote access setup. No third party app running on my phone draining the battery, multi factor authentication via an existing OAuth 2.0 account, the ability to set my own custom domain for the openHAB server (no more 100.x.x.x IP addresses).

Has anyone else tried to place their openHAB server behind a Cloudflare Tunnel for remote access? I’m trying to figure out the pitfalls with the setup (more than just losing the native phone application access).

1 Like

You don’t need your mobile to be part of the VPN when you access your server through myopenhab. That’s the recommended setup for this and a number of other reasons.

FWIW, openHABian comes with Tailscale. Proven to work for many OH setups.
Wireguard is also available if you don’t want to rely on any service provider.

For me personally the pitfall is relying on two third parties to make this all work, primarily from a privacy perspective, but also from a reliability perspective. Not that those two providers will suddenly go belly up, but these are free services which may disappear in the future.

I’m happy to run a Wireguard server in my network to alleviate both of the above issues. I’m never not near a charging point for my phone at least once per day, but to be honest I barely interact with OH on a day to day basis: most of it is automated.

Anyway, thanks for the write-up. It’s good to learn about other options, and other opinions!

2 Likes

I was using the Tailscale setup for some time now and just recently I noticed that their Android application was resulting in considerable battery drain. When looking at the network traffic on my phone I could see that the application was communicating with their DERP servers at regular intervals in order to keep the udp hole punch alive. In order to prevent this for the Tailscale remote setup I could

  1. Open Tailscale and activate the connection just before opening the openHAB app
  2. Open the openHAB app and do whatever it was I was going to do
  3. Open Tailscale and close the connection

As you could guess I would usually forget the 3rd step and suffer the battery drain.

I did look at myopenhab in the past but I had some concerns at the time such as the lack of multi factor authentication, possible attacks on the myopenhab server, and yet another username and password to remember. I will check it out again.

You are 100% right that this setup does rely on two third parties and I did take that into account regarding the setup. The Cloudflare Tunnel is a free service for now and most certainly could transition to a fee based service in the near or distant future.

That said, from a security and somewhat convenience perspective I do like the fact that I can leverage my existing Google Account with Advanced Protection to sign in to my openHAB server (and this community website). This gives me a hassle free multi-factor sign in configuration.

With regards to Wireguard I do wish that my ISP offered a static IP option as that would have been the most convenient setup. Right now I get a new IP address every time the network goes down or we lose power.

Same for me, with the addition that I get new IPs at random times outside these events! But that’s OK - dynamic DNS is a common thing, and there are many providers (including Cloudflare) who have an API that you can call to update your A record with your new IP address.

Agree, though, that static IP would be more convenient.

+1 to this. I very rarely access my system when I’m not home.

And +1 to this.

MFA would definitely be great, and I could see that being added in the future. However, I don’t see any particular reason that someone would target our servers over higher-profile targets. I’ve no reason to think that the cloud-hosted myopenHAB servers are any more or less secure than Cloudflare’s (and they may even be on Cloudflare).

As for passwords…with all of your concerns about security, don’t you use a password manager? :wink: (I’m kidding)

I believe that for most people, myopenHAB is the best way to go. And by “most people”, I mean anyone who does not have a solid grasp of network security…which includes me. I could spend time learning about Tailscale, VPN, and reverse proxies, but the myopenHAB administrators and our providers will do a better job keeping things secure than I ever could.

That’s a roundabout way of saying that one of the pitfalls is having to spend more time and energy ensuring that your system is secure. However, it’s only a pitfall for some people who are largely clueless (me) and not for others who have the expertise to do it properly (you).

I’d also mention that integration with Alexa and Google Assistant are features of myopenHAB–whether or not that’s a benefit is up to the user. Suffice to say that anyone who does want Amazon/Google integration is probably better served by myopenHAB than setting up their own openHAB cloud server (separate from their cloud-hosted openHAB home server).

I make a lot of jokes at my own expense, but the reality is that I’m probably at the intermediate level with respect to network security…which means I know just enough to be dangerous. So, I try to focus on the things I can do to keep my network safe (MFA, password management), and rely upon others whom I trust to handle things that are beyond my comfort level. I recommend the same approach to anyone whom I think is at or below my level of expertise, while reading posts like this one with interest.

1 Like

I had severe problems with myopenhab over the last years, big loading times and so on.
Which is okay, it’s open source and free after all.

I also switched to cloudflare zero trust (completely free for up to 50 users, so perfect for me).

I have everything behind it, NAS, documents and so on. Do not have to worry about having security issues in my own systems, as they’re behind Cloudflare’s Access protection via Google login with 2FA in my case. In addition, you have bot protection, DDoS protection and it’s as fast as being locally connected.
Also it allows for everything to be loaded (timeline picker).
It handles SSL. It’s super easy to setup. I could go on forever.

BUT. I can’t use the openhab app, which is a problem because it should push my devices status to items, which it only can while at home.

It seems as if it should only pass the login page so I can login; after that, cloudflare is like a local server.

Did anyone manage to make it work? Any possibilities from cloud flare side with API tokens or something?

For many, the reliance on not just one but two externally hosted cloud services is a big negative. What’s best is going to depend on what one’s requirements and desires are. For some, a little bit of battery drain is more than worth it to not have to depend on any third party cloud service.

Same here but I’ve a ton of other services that I interact with on a regular basis like Nextcloud, Calibre, Plex, etc. So a ZeroTrust approach is attractive.

However, the biggest reason I use Tailscale (previously used OpenVPN) is I can route all my phone traffic, even when out and about, through my AdGuard instance and I can connect to wifi hotspots and know my traffic is reasonably secure. I live in the mountains, cell service can vary drastically even within a single building. Connecting to wifi often is the difference between being able to make a call or not (with WiFi calling turned on).

Tasker is fantastic for handling stuff like this (assuming Android). Though last time I checked Tailscale doesn’t have any intents or Tasker plugin so I’ve had to use the AutoInput add-on to Tasker to manage this sort of thing.

First let me say that I believe that myopenhab.org is reasonably safe and secure. And I’d love it to implement TOTP and Yubikey support (the former is more likely than the latter).

That being said, it’s often not a matter of being a juicy target and more a matter of being an easy target. It’s like a car thief going down the line of cars and trying the doors. They are not going to skip past the 1992 Honda Accord with its doors unlocked even if there’s a brand new BMW right next to it. The BMW is worth more but the Honda is easy so the Honda gets stolen.

So we cannot rely on security by obscurity here.

But I’ve no reason to believe that the openHAB Cloud Service is unsafe or insecure. I wouldn’t use and recommend its use if I didn’t.

Cloudflare is a great option if you’ve the knowledge and expertise to set it up (it’s really not that hard), and you don’t have a need for other things that won’t necessarily work through it. Beyond the already mentioned problem with the phone apps (has anyone opened an issue?) you need the openHAB Cloud Service for Alexa and Google Assistant integration as well as to support openHAB native push notifications (which if you are not using the phone apps you are not using anyway). It’s also a good choice if you don’t mind relying on cloud services which is a deal killer for some.

I’d probably use it myself were it not for the fact that I have parental controls and filtering implemented in part through AdGuard and opnSense and I end up in a catch-22 if I need DNS to access the Cloudflare login page but I need to log in to Cloudflare to access the DNS server.

3 Likes

Agreed. I meant it more in the “why would anyone specifically target myopenhab?” way, on the assumption that it’s no more or less secure than any other server. That didn’t come across.

For a long time in the 90s/00s, the Honda Civic was the most stolen car in North America. That’s what you get when a best-selling compact car is very easy to break into.

There are clever people among marketers.
That’s what you get when you let them design your product. SCNR and yeah offffffff-topic.

I understood what you meant but am not sure you understand the relationship between yours and my point. Why would anyone specifically target myopenhab? Because it’s an easier target than something else.

Most attacks don’t work under that sort of motivation any more (if they ever did). Instead, the attacker has an exploit and they go looking for services vulnerable to that exploit. They don’t really care who those targets are. They are not going after specific organizations.

All that matters is the presence of the vulnerability. It doesn’t matter how obscure or benign the service is. So the size, obscurity, and relative benign nature of the myopenhab.org services (or your IP camera, or the port you’ve punched in your firewall, etc) is no protection from attack.

1 Like

Sometimes the adversary is just looking to create general chaos as opposed to attack more strategic assets. They are also looking to attack the easiest target. I think it is safe to say that openHAB has a pretty wide user base (I don’t know the exact number), and out of the user base there are X% that use myopenhab, and Y% that have locks, garage doors, thermostats and other security controls or cost generating devices as part of their setup. I’m going to guess that the final number isn’t in the hundreds of thousands but I figure the number is probably also greater than a hundred. If an attacker was able to penetrate myopenhab they could open all the garage doors, unlock all doors, or even turn up all the thermostats to full blast. Yes an attacker could also try to penetrate Cloudflare’s tunnels but that will result in a diverse set of applications being compromised adding additional complexity for the attacker. I also agree with @rlkoshak that myopenhab.org is reasonably safe and secure but this is a scenario I considered.

Very true statement. I did try to set up my own openHAB cloud server a while back but I gave up and was successful in placing openHAB in the cloud with a Raspberry Pi as a USB server.

What if the openhab server supported web notifications? That could probably alleviate the need to have the app completely as long as you set up the Cloudflare Zero Trust application to have no session duration. Web notifications would also enable desktop notifications.

It seems like we are all reliant on at least one or more externally hosted services either for dynamic DNS, VPN, or other services. But point taken, any external dependence is something that must be considered.

I will have to check that out. Thanks for pointing out Tasker.

I did open an issue with Tailscale but it comes down to the fact that they use UDP hole punching and that they assume everyone is behind a NAT and that the port needs to be hit at a regular interval before it’s closed.

Definitely appreciate all the discussion on this topic.

A lot of people use Telegram, which mitigates the loss of native openHAB notifications, but introduces reliance upon another third-party service.

+1 to Tasker. I use it a lot.

If you already have your own domain presumably you paid for this with a provider? Usually that provider will have an API so you can dynamically update your IP. So no extra 3rd party services used here.

If you don’t already have a domain, then yes, you will rely on an extra service, though you’re not running any data through that service other than supplying your IP address (the privacy aspect).

As for VPN, as mentioned, you can easily run your own Wireguard server - no need to rely on 3rd party services. Tailscale is even easier, especially behind CGNAT, but there you are again relying on a 3rd party service (unless running headscale yourself).

I like that there are so many options around, as everyone has their own specific requirements!
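Both the post above and the earlier reply about dynamic DNS describe the same fix for a home IP that changes after every outage: call your DNS provider's API to rewrite the A record. The script below is an added example, not code from anyone in this thread. It assumes the Cloudflare v4 REST API (https://api.cloudflare.com/client/v4) with an API token limited to DNS edit on one zone, reads the current public address from Cloudflare's trace endpoint (https://1.1.1.1/cdn-cgi/trace, which answers with key=value lines), and takes the zone id, record id, hostname and token from environment variables whose names are this example's own choice (placeholders, not values from the page).

```python
"""Dynamic-DNS updater for a Cloudflare-hosted A record (added example).

Assumptions (not from the thread): Cloudflare v4 API, a DNS-edit-scoped API
token in CF_API_TOKEN, and CF_ZONE_ID / CF_RECORD_ID / DDNS_HOSTNAME copied
from the dashboard. Run it from cron; it only writes when the address changed.
"""
import ipaddress
import json
import os
import urllib.request

CF_API = "https://api.cloudflare.com/client/v4"
TRACE_URL = "https://1.1.1.1/cdn-cgi/trace"

# Addresses that must never be published as "my home": RFC 1918, the CGNAT
# shared range (what an ISP behind carrier NAT hands out), loopback, link-local.
_NON_PUBLIC = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "100.64.0.0/10",
    "127.0.0.0/8", "169.254.0.0/16", "0.0.0.0/8",
)]


def parse_trace(body: str) -> str:
    """Pull the ip= line out of a cdn-cgi/trace response."""
    for line in body.splitlines():
        key, sep, value = line.partition("=")
        if sep and key.strip() == "ip":
            return value.strip()
    raise ValueError("trace response contained no ip= line")


def is_publishable(ip: str) -> bool:
    """Only a public IPv4 is a usable WireGuard endpoint for the outside world."""
    addr = ipaddress.ip_address(ip)
    return addr.version == 4 and not any(addr in net for net in _NON_PUBLIC)


def needs_update(record_ip: str, detected_ip: str) -> bool:
    """True when the record must change; refuse non-public addresses rather than
    silently pointing the hostname at something unreachable."""
    if not is_publishable(detected_ip):
        raise ValueError(f"refusing to publish non-public address {detected_ip}")
    return record_ip != detected_ip


def build_update(hostname: str, new_ip: str, ttl: int = 300) -> dict:
    """Body for PATCH /zones/{zone}/dns_records/{record}. proxied=False keeps the
    record DNS-only: Cloudflare's proxy fronts HTTP(S), not a WireGuard UDP port."""
    return {"type": "A", "name": hostname, "content": new_ip, "ttl": ttl, "proxied": False}


def build_request(zone_id: str, record_id: str, token: str, payload: dict) -> urllib.request.Request:
    return urllib.request.Request(
        f"{CF_API}/zones/{zone_id}/dns_records/{record_id}",
        data=json.dumps(payload).encode(),
        method="PATCH",
        headers={"Authorization": f"Bearer {token}", "Content-Type": "application/json"},
    )


def current_record_ip(zone_id: str, record_id: str, token: str) -> str:
    req = urllib.request.Request(
        f"{CF_API}/zones/{zone_id}/dns_records/{record_id}",
        headers={"Authorization": f"Bearer {token}"},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)["result"]["content"]


def main() -> None:
    zone_id, record_id = os.environ["CF_ZONE_ID"], os.environ["CF_RECORD_ID"]
    token, hostname = os.environ["CF_API_TOKEN"], os.environ["DDNS_HOSTNAME"]
    with urllib.request.urlopen(TRACE_URL, timeout=10) as resp:
        detected = parse_trace(resp.read().decode())
    recorded = current_record_ip(zone_id, record_id, token)
    if not needs_update(recorded, detected):
        print(f"{hostname} already points at {detected}")
        return
    req = build_request(zone_id, record_id, token, build_update(hostname, detected))
    with urllib.request.urlopen(req, timeout=10) as resp:
        result = json.load(resp)
    if not result.get("success"):
        raise SystemExit(f"update failed: {result.get('errors')}")
    print(f"{hostname}: {recorded} -> {detected}")


if __name__ == "__main__":
    main()
```

The token only ever needs permission to edit one zone's DNS, which limits the damage if the machine running the cron job is compromised; the non-public check matters on connections like the one described two posts up, where the address the router sees may be a CGNAT one that no remote peer can reach.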

That’s the wrong direction, via the app I can push my charging state to openhab. I base some automations on that.

My conclusion at the moment is:

Myopenhab:
- often unresponsive
- cannot direct everything (timelinepicker)
- have to find other solutions anyway for reaching other services

Opening ports:
- I am responsible for closing any security issues and keeping everything up to date
  - relying on the security of my router, my NAS and the software/reverse proxy I have to manage myself
  - quite hard to set up with login and so on
- have to fiddle with dyndns
  - need an IPv4 which I don’t have

VPN:
- quite safe
- still rely on security of my VPN server exposed to the internet
- still need IPv4
- have to connect to VPN. No access from work PC or anywhere else than my phone. Have to set up for others in the family too. Cannot restrict access to different services easily, have to rely on login methods of each of the services

Cloudflare:
- Zero Trust approach
- free
- gold standard in security I would say
- restriction based on mail address possible
- 2FA
- login and security of my local setup irrelevant
- can even block local access by devices in my network and tunnel everything through Cloudflare
- can even see if there were access tries from other countries
- quite easy to set up
- supposedly even faster than direct access as Cloudflare’s routes are quite fast…
- don’t even need to login every time I visit the page
- don’t have to fiddle with https and certificates
- ssh behind 2FA login with web based terminal possible, as well as vnc
- all traffic goes over Cloudflare (negative)
- if you want services other than http, vnc and ssh, it gets a little harder (which I don’t have)
- OH app does not work

1 Like

It’s worth noting that Tailscale at least does not require exposing your server to the internet. That’s what the headscale services that @hafniumzinc mentioned do for you.

One can also rent a VPS on Amazon or Alexa or wherever and put your VPN server there. Then your LAN and other devices will connect to that external server without needing to expose your LAN to the internet. Obviously security of the VPS is going to have to be watched out for.

I definitely understand the work PC since those often only allow one VPN, the work one (unless your work has moved to a Zero Trust type connection) but why “anywhere else but my phone”? When connecting to any open WiFi AP out there in the wild you really should be using some sort of VPN on just about all your devices, phones or computers regardless. It’s far too easy to man-in-the-middle someone on an open WiFi AP. There are VPN clients for all the technologies (OpenVPN, IPSEC, Wireguard, Tailscale which is built on Wireguard, etc.) for all the major computer OS’s (even Chromebooks). Whether you host your own VPN service or subscribe to one of the many VPN providers out there, you should be using a VPN anytime you are connected to an untrustworthy WiFi connection (e.g. any WiFi provided by a coffee shop, store, restaurant, especially hotels, etc.).

I do agree with you about Cloudflare as the best and fastest option for remote access, lightning fast, secure, DDoS and bot fighting, but did you manage to configure CORS settings to provide authentication?

I am using Cloudflare Tunnel to access my openHAB system securely from the Internet. I am authenticating users with Azure AD. It works pretty well when accessing the GUI from my computer and it also works on my iPhone, that is at least until the first time my session cookie expires. After that openHAB keeps prompting my phone for credentials, which I cannot get it to accept. I am pretty sure that it isn’t a general problem with Cloudflare as I am able to re-login when accessing other internal resources, but openHAB stops working on my iPhone after the first period has expired. Any idea?

Hey there, I just wanted to show my .things file and the steps I took for an application behind Cloudflare Zero Trust which I access via the HTTP binding.
First I created the tunnel, the application, followed by a service token and a rule for that app:

So I figured out how to use it with curl:

curl "https://pihole.domain.tld/admin/api.php?summary&auth=<Pihole-APIKEY>" -H "CF-Access-Client-Id: <Client ID>" -H "CF-Access-Client-Secret: <Client Secret>"

Followed by the implementation in the things file:
Thing http:url:pihole "Pihole" [
    baseURL = "https://pihole.domain.tld/admin/api.php?summary&auth=<Pihole-APIKEY>",
    headers = "CF-Access-Client-Id=<Client ID>", "CF-Access-Client-Secret=<Client Secret>",
    refresh = "120",
    timeout = "5000",
    ignoreSSLErrors = "false"
]
{
    Channels:
        Type number : domains_being_blocked [
            mode = "READONLY",
            stateTransformation = "JSONPATH:$.domains_being_blocked"
        ]
        Type number : dns_queries_today [
            mode = "READONLY",
            stateTransformation = "JSONPATH:$.dns_queries_today"
        ]
        Type number : ads_blocked_today [
            mode = "READONLY",
            stateTransformation = "JSONPATH:$.ads_blocked_today"
        ]
        ...
}
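The curl call and the .things file above both send the Cloudflare Access service token as the two CF-Access-Client-Id / CF-Access-Client-Secret headers and then pick three fields out of the Pi-hole JSON. The script below is an added example, not code from the poster or from openHAB: it makes the same request from Python, keeps the service token and the Pi-hole key in environment variables (names chosen here, not from the page) instead of in a config file that ends up in backups, and fails loudly when Access hands back its HTML login page instead of JSON, which is what a rejected or expired token looks like to a client. The sample response body is constructed for the example.

```python
"""Read the Pi-hole summary through Cloudflare Access with a service token.

Added example. Header names and the api.php URL shape come from the post
above; the environment variable names are this example's own choice.
"""
import json
import os
import urllib.parse
import urllib.request

# The same three counters the things file maps with JSONPATH.
FIELDS = ("domains_being_blocked", "dns_queries_today", "ads_blocked_today")

# Constructed sample of what api.php?summary returns (only the fields we use).
SAMPLE_BODY = ('{"domains_being_blocked": 123456, "dns_queries_today": 4321, '
               '"ads_blocked_today": 789, "status": "enabled"}')


def access_headers(client_id: str, client_secret: str) -> dict:
    """Service-token headers Cloudflare Access checks before the request reaches Pi-hole."""
    return {"CF-Access-Client-Id": client_id, "CF-Access-Client-Secret": client_secret}


def summary_url(base_url: str, api_key: str) -> str:
    """Build .../admin/api.php?summary&auth=<key>, URL-encoding the key."""
    return f"{base_url.rstrip('/')}/admin/api.php?summary&auth={urllib.parse.quote(api_key)}"


def is_html(body: str) -> bool:
    """A body starting with a tag is not Pi-hole's JSON; with Access in front it
    is almost always the login page served because the token was rejected."""
    return body.lstrip().startswith("<")


def extract_summary(body: str) -> dict:
    """Return the three counters as ints, or raise instead of letting items go stale."""
    if is_html(body):
        raise ValueError("got HTML instead of JSON: Access probably rejected the service token")
    try:
        data = json.loads(body)
    except json.JSONDecodeError as exc:
        raise ValueError(f"response is not JSON: {exc}") from exc
    missing = [f for f in FIELDS if f not in data]
    if missing:
        raise KeyError(f"summary missing fields: {missing}")
    return {f: int(data[f]) for f in FIELDS}


def fetch_summary(base_url: str, api_key: str, client_id: str, client_secret: str,
                  timeout: float = 5.0) -> dict:
    """Perform the request the curl line above performs and parse the result."""
    req = urllib.request.Request(summary_url(base_url, api_key),
                                 headers=access_headers(client_id, client_secret))
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return extract_summary(resp.read().decode())


if __name__ == "__main__":
    # Secrets stay out of the source and out of the .things file.
    result = fetch_summary(
        os.environ["PIHOLE_URL"],              # e.g. https://pihole.domain.tld
        os.environ["PIHOLE_API_KEY"],
        os.environ["CF_ACCESS_CLIENT_ID"],
        os.environ["CF_ACCESS_CLIENT_SECRET"],
    )
    for name, value in result.items():
        print(f"{name}: {value}")
```

Because the service token is a bearer credential with no second factor, treat it like a password: scope the Access policy so the token only matches the Pi-hole application, and rotate it if a backup of the config ever leaves the house.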