I ended up having some free time this weekend and placed my openHAB server behind a Cloudflare Tunnel for remote access. The Cloudflare Tunnel allows for remote access to my server similar to Tailscale, ZeroTier, and other VPN-like platforms. The only difference is you don’t need to be running a battery-guzzling VPN app on your mobile device to access your server.
With a Cloudflare Tunnel you install a somewhat small application on the server. This application creates a connection between the openHAB server and Cloudflare’s network. With the connection established I then created a Zero Trust application. This Zero Trust application just points to the openHAB interface running on my server. I then limited access to the openHAB Zero Trust application to my specific Google account and used Google as the authentication service. Now when I want to access my openHAB server when I’m away from home I just open up a web page (my own custom domain), log in with my Google Account credentials, which include multi-factor authentication, and then I have access to the openHAB web interface. Note you cannot use the openHAB app with this setup.
The Cloudflare Tunnel is part of Cloudflare for Teams, which also offers a nice set of bundled products including a personalized DNS, Gateway, Access, and a VPN for up to 50 users.
To me this appears to be the best remote access setup. No third-party app running on my phone draining the battery, multi-factor authentication via an existing OAuth 2.0 account, the ability to set my own custom domain for the openHAB server (no more 100.x.x.x IP addresses).
Has anyone else tried to place their openHAB server behind a Cloudflare Tunnel for remote access? I’m trying to figure out the pitfalls with the setup (more than just losing the native phone application access).
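
The tunnel side of the setup described in this post, sketched as a locally managed `cloudflared` configuration file (an added example, not part of the original post or the poster's actual config). The hostname, the tunnel ID placeholder and the file paths are assumptions; port 8080 is openHAB's default HTTP port.

```yaml
# /etc/cloudflared/config.yml  (path is an assumption; adjust to your install)

# Placeholder: the UUID printed when the tunnel is created.
tunnel: <TUNNEL-UUID>
# Per-tunnel credentials written at creation time; keep it readable
# only by the account that runs cloudflared.
credentials-file: /etc/cloudflared/<TUNNEL-UUID>.json

ingress:
  # Hypothetical custom domain. Requests for this hostname are forwarded
  # to the openHAB web interface on the same machine.
  - hostname: openhab.example.com
    service: http://localhost:8080

  # Mandatory catch-all rule: anything that does not match the hostname
  # above gets a 404 instead of reaching a local service.
  - service: http_status:404

# This file only publishes the service through the tunnel. The login
# requirement (Google as identity provider, a policy allowing a single
# account) is configured separately on the Zero Trust application for the
# same hostname; without that application the hostname is reachable by
# anyone who knows it.
```

Because `cloudflared` makes only outbound connections to Cloudflare, no inbound port on the router needs to be forwarded to the openHAB server for this to work.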