Hi all, I’ve been in love with the idea of self hosting some essential services for my home and over the past year I’ve set up a domain, a thin client as a server and installed some docker containers that caught my eye.

Since I’m a bit paranoid about intrusion, and already didn’t manage to set up nginx for intranet use, I set up a cloudflare zeroTrust account, since there were a lot of youtube tutorials about that at the time.

So now I’ve set up zeroTrust with a google auth in between my homeserver and the internet, which suits me just fine and is simple enough my SO is willing to use the set up as well.

The one snag I’ve hit with this setup is that i can’t use companion apps (e.g. paperless, grocy, homeassistant) on my phone, since their API access doesn’t cope with coudflare’s routing.

Do you have any advice on how to get a set up that has access control and lets companion apps through to the service? I’ve seen alot of recommendations for wireguard and VPNs, but I’m not sure my wife’s company laptop and phone will play nice with those, since I assume I’d have to install a client.

  • Atemu
    link
    fedilink
    English
    arrow-up
    2
    ·
    1 year ago

    I use Tailscale for secure access to my apps. Trivial to set up and no holes is the firewalls whatsoever.

  • rambos@lemmy.world
    link
    fedilink
    English
    arrow-up
    1
    ·
    1 year ago

    Im not using cloudflare, but I had to add docker container IP to trusted proxies in homeassistant config to allow connection from different domain. This might even not be related to your question, but might be helpful idk

    Wireguard client is so simple to setup, just scan QR code and you can toggle it on/off with a button. Or you can copy paste few lines of config if you cant scan. Just check wireguard app for whatever OS you need (iOS, Android, Windows, Linux), it cant be more simple IMO

    • polymachine@feddit.deOP
      link
      fedilink
      English
      arrow-up
      1
      ·
      1 year ago

      the main problem i have isn’t internal to my network, unfortunately, but that any call to my domain gets intercepted by cloudflare and sent to auth, which is good for security but kills API access to my services…

      Yeah, but wireguard has two problems for me: I do not have install privileges on company devices, and even if I did, if they use a VPN to access company networks, doesn’t that interfere with any VPN access to my home server?

      • rambos@lemmy.world
        link
        fedilink
        English
        arrow-up
        2
        ·
        1 year ago

        I believe you can have only 1 wg connection active at a time, but switching between them should be easy as toggling a button. Sorry mate, I cant help more than that, hopefully more experienced users will jump in with better answers

  • ArmoredCavalry@lemmy.world
    link
    fedilink
    English
    arrow-up
    1
    arrow-down
    1
    ·
    edit-2
    1 year ago

    You can use Service Tokens with Cloudflare Zero Trust (Access). Unfortunately, the companion App then has to support setting custom request headers, in order to send the token. Not many support this in my experience.

    The only other option would be to use Basic Authentication, instead of Cloudflare Access. This isn’t as secure, but would be supported by most Apps (since you can simply inline user:password in the API URL). You can even setup a Cloudflare Worker to add basic auth to any Route you want.

    Ideally, would love some hybrid of these approaches, where I can keep Access enabled, but override with basic auth for ‘legacy’ apps. Don’t know of a way to do this though.

    Edit: Forgot to mention a third option, if you just want access while home, you can setup a bypass in Cloudflare Access policies for your home IP address. Then if you really need access when remote, you could also use VPN, but not as seamless of course.

    • polymachine@feddit.deOP
      link
      fedilink
      English
      arrow-up
      1
      ·
      edit-2
      1 year ago

      You’re right about the spotty support for Service Tokens, so far i could only find a planned inclusion in paperless, and maybe a cludge for homeassistant? a PR in Home Assistant Companion.

      I’ve found a Reddit post recommending the usage of mTLS cert rules, but looking into that I just feel overwhelmed.

      • ArmoredCavalry@lemmy.world
        link
        fedilink
        English
        arrow-up
        1
        ·
        1 year ago

        I’ve looked at mTLS certs as well, but think you’d run into the same issue there as Service Tokens (app needs to support it).

        It really is a shame, because Cloudflare Tunnels / Access is great otherwise. Just troublesome to have non-browser access.

      • boothin@kbin.social
        link
        fedilink
        arrow-up
        1
        ·
        1 year ago

        homeassistant community store has a cloudflared add-on that works great to get it to easily work over cloudflare tunnels