Cloudflare Argo Tunnel - llamafilm/tesla-http-proxy-addon GitHub Wiki

Setting up Tesla HTTP Proxy through Cloudflare involves the following steps. All of them use add-ons available in Home Assistant, nothing external, and the setup avoids opening any ports on the router.

1. Install the Cloudflared add-on. Configure it like this and start the add-on:

```yaml
external_hostname: ha.example.com
additional_hosts:
  - hostname: tesla.example.com
    service: https://homeassistant-internal.example.com
```

2. Check on the Cloudflare dashboard that the two CNAME DNS records have appeared. If not, read the Cloudflared logs for errors.

3. Create an A record named `homeassistant-internal` whose IPv4 address is the LOCAL IP ADDRESS of the machine hosting the Home Assistant instance. Leave the record unproxied (proxy status "DNS only").

4. Install the Let's Encrypt add-on (other add-ons work too; check the discussions on the repo for alternatives). Configure it like this and make sure to set `cloudflare_api_token`. Make sure `keyfile` and `certfile` do not already exist; if they do, delete them before starting the add-on. Read the logs to see when the files are created (it takes more than 60 seconds).

```yaml
domains:
  - ha.example.com
  - "*.ha.example.com"
  - tesla.example.com
  - homeassistant-internal.example.com
email: [email protected]
keyfile: privkey.pem
certfile: fullchain.pem
challenge: dns
dns:
  provider: dns-cloudflare
  cloudflare_api_token: redacted
```

5. Install the SSL Proxy add-on (other add-ons work too; check the discussions on the repo for alternatives). Configure it like this, making sure the paths to `certfile` and `keyfile` are correct. Start the add-on and make sure no errors appear in the logs.

```yaml
domain: homeassistant-internal.example.com
hsts: max-age=31536000; includeSubDomains
certfile: fullchain.pem
keyfile: privkey.pem
cloudflare: true
customize:
  active: true
  default: nginx_proxy_default*.conf
  servers: nginx_proxy/*.conf
```

6. Install the Tesla HTTP Proxy add-on. Configure it with the domain set to `tesla.example.com`, then follow all the steps in the DOCS, making sure to fill in `client_id` and `client_secret`.

7. Check on the Cloudflare dashboard, under SSL/TLS > Edge Certificates, that there is an active universal certificate covering both `example.com` and `*.example.com`. Make sure that on the SSL/TLS Overview page the encryption mode is set to Flexible.

8. Check your Cloudflare WAF security settings to ensure that `tesla.example.com` is not blocked (e.g. by geofence rules). A block causes a 403 Forbidden error during OAuth setup, because the public key is not accessible from the blocked regions. When adding the key to your vehicle in the Tesla app you may then get the error "Unable to Share Vehicle - This third party isn't registered with Tesla. We can't grant them access at this time." Refer to the linked discussion topic for details.

9. Verify that the name `homeassistant-internal.example.com` can be resolved from your local network. If it cannot, the Tesla HTTP Proxy add-on will fail at startup with a "FATAL: Fix Public Key before proceeding" error. In that case check whether "DNS rebind protection" is enabled on your internet router; if it is, add `homeassistant-internal.example.com` as an exception.
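The checks in the last four steps (tunnel CNAMEs present, internal A record pointing at a LAN address and resolvable despite rebind protection, edge certificate covering the Tesla hostname, WAF not returning 403) can be scripted. The script below is an added example, not part of the add-on or this wiki; it assumes the `example.com` names used above (override `DOMAIN` for your own zone) and a glibc host with `getent`, `openssl` and `curl` available. Run it from a machine on the same LAN as Home Assistant with `RUN_CHECKS=1 sh check_tesla_proxy.sh`.

```shell
#!/bin/sh
# Post-setup checks for the Cloudflare Tunnel + Let's Encrypt + SSL Proxy chain.
# Hypothetical helper script; hostnames follow the wiki's example.com layout.
DOMAIN="${DOMAIN:-example.com}"
INTERNAL_HOST="homeassistant-internal.${DOMAIN}"
TESLA_HOST="tesla.${DOMAIN}"
HA_HOST="ha.${DOMAIN}"

# Return 0 when a dotted-quad IPv4 address is in an RFC 1918 private range.
# The homeassistant-internal A record must point at such an address.
is_private_ipv4() {
  case "$1" in
    10.*) return 0 ;;
    192.168.*) return 0 ;;
    172.1[6-9].*|172.2[0-9].*|172.3[01].*) return 0 ;;
    *) return 1 ;;
  esac
}

# Classify a resolver answer. An empty answer on the LAN for a name that
# carries a private A record is the typical symptom of DNS rebind protection.
classify_resolution() {
  if [ -z "$1" ]; then
    echo unresolved
  elif is_private_ipv4 "$1"; then
    echo private
  else
    echo public
  fi
}

# First IPv4 address for a name, or empty when the resolver returns nothing.
resolve_a() {
  getent ahostsv4 "$1" 2>/dev/null | awk '{print $1; exit}'
}

# Does the certificate presented at the edge list the name (or its wildcard)
# in subjectAltName? Expected once the universal certificate is active.
tls_covers_name() {
  printf '' | openssl s_client -connect "$1:443" -servername "$1" 2>/dev/null \
    | openssl x509 -noout -ext subjectAltName 2>/dev/null \
    | grep -E -q "$1|\*\.${1#*.}"
}

main() {
  ip=$(resolve_a "$INTERNAL_HOST")
  case "$(classify_resolution "$ip")" in
    unresolved) echo "FAIL: $INTERNAL_HOST does not resolve; check DNS rebind protection on the router" ;;
    public)     echo "FAIL: $INTERNAL_HOST resolves to public $ip; the A record must hold the LAN address" ;;
    private)    echo "OK:   $INTERNAL_HOST -> $ip" ;;
  esac

  for h in "$HA_HOST" "$TESLA_HOST"; do
    if [ -n "$(resolve_a "$h")" ]; then
      echo "OK:   $h resolves (tunnel CNAME present)"
    else
      echo "FAIL: $h does not resolve; check the Cloudflared add-on logs"
    fi
  done

  if tls_covers_name "$TESLA_HOST"; then
    echo "OK:   edge certificate covers $TESLA_HOST"
  else
    echo "FAIL: no edge certificate covering $TESLA_HOST; check SSL/TLS > Edge Certificates"
  fi

  # A 403 straight from the edge is the WAF / geofence symptom described above.
  code=$(curl -s -o /dev/null -w '%{http_code}' "https://$TESLA_HOST/" || echo 000)
  if [ "$code" = "403" ]; then
    echo "WARN: $TESLA_HOST returns 403; review WAF and geofence rules"
  else
    echo "OK:   $TESLA_HOST answered with HTTP $code"
  fi
}

if [ -n "${RUN_CHECKS:-}" ]; then main; fi
```

Only the resolution and private-range logic is pure; the network checks are gated behind `RUN_CHECKS` so the functions can be sourced and unit-tested without touching the tunnel.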