Accessing the UI via tunnel

I have a Raspberry Pi 3 with the latest Home Assistant OS installed and an Ubuntu Server on a VPS with a static IP assigned to it. What I want is a tunnel from the Ubuntu server to Home Assistant with something like WireGuard and access to its Web UI. I tried installing WireGuard on both and the connection seems OK but I can’t get any data from Home Assistant on port 8123. Is there any other software that can work self-contained or any way to make WireGuard work?

If the 2 devices can ping each other on the WireGuard interface, then it does work.
Now, what are you trying to achieve, exactly? Do you use your VPS Ubuntu as a cloud desktop?

Stating the obvious (too little information to know what you already tried), but you’d have to use the WireGuard address here, not something like “homeassistant.local”.

Andreas Spiess Zerotier
Try this link. It seems to make things easier than configuring WireGuard. I have been using WireGuard for a few years on my router. Any problems I had setting it up were due to firewall rules.

They can ping but when I send curl to the 8123 port, I get nothing.

I want to forward incoming connections from the Ubuntu server to Home Assistant and access the Home Assistant via the public static IP of the Ubuntu server.

I configured the Ubuntu server as 10.0.0.1 and Home Assistant as 10.0.0.2

bash~$ ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host 
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 9001 qdisc fq_codel state UP group default qlen 1000
    link/ether 12:c2:2a:05:e7:d5 brd ff:ff:ff:ff:ff:ff
    inet 172.31.95.41/20 metric 100 brd 172.31.95.255 scope global dynamic eth0
       valid_lft 3352sec preferred_lft 3352sec
    inet6 fe80::10c2:2aff:fe05:e7d5/64 scope link 
       valid_lft forever preferred_lft forever
5: wg0: <POINTOPOINT,NOARP,UP,LOWER_UP> mtu 8921 qdisc noqueue state UNKNOWN group default qlen 1000
    link/none 
    inet 10.0.0.1/24 scope global wg0
       valid_lft forever preferred_lft forever

bash~$ ping 10.0.0.2
PING 10.0.0.2 (10.0.0.2) 56(84) bytes of data.
64 bytes from 10.0.0.2: icmp_seq=1 ttl=64 time=142 ms
64 bytes from 10.0.0.2: icmp_seq=2 ttl=64 time=142 ms
64 bytes from 10.0.0.2: icmp_seq=3 ttl=64 time=142 ms
64 bytes from 10.0.0.2: icmp_seq=4 ttl=64 time=142 ms
64 bytes from 10.0.0.2: icmp_seq=5 ttl=64 time=142 ms
64 bytes from 10.0.0.2: icmp_seq=6 ttl=64 time=142 ms
^C
--- 10.0.0.2 ping statistics ---
7 packets transmitted, 6 received, 14.2857% packet loss, time 6009ms
rtt min/avg/max/mdev = 141.628/141.809/142.029/0.145 ms

bash~$ curl -I 10.0.0.2:8123
curl: (7) Failed to connect to 10.0.0.2 port 8123 after 142 ms: Connection refused

HA doesn’t support HEAD, but that’s another story.

❯ curl -I ha.lan:8123
HTTP/1.1 405 Method Not Allowed
Content-Type: text/plain; charset=utf-8
Allow: GET
Content-Length: 23
Date: Sun, 02 Jul 2023 09:38:52 GMT
Server: Python/3.11 aiohttp/3.8.4

Assuming HA works from your network, smells like a firewall issue.
How is HA installed? Is 8123 opened/forwarded for wg0?

I installed the system using Raspberry Pi Imager with a ready-to-use Home Assistant OS image. And for WireGuard, I just installed the addon and applied my own configuration.

UFW is disabled on the Ubuntu server. So Home Assistant needs a firewall config, right?

WireGuard addon doesn’t configure this automatically? Do I need to set up forwarding manually?

IDK if it helps but here is my config for the WireGuard addon:

server:
  host: homeassistant.local
  addresses:
    - 10.0.0.2/32
  dns: []
  private_key: <HASS private key>
  public_key: <HASS public key>
peers:
  - name: ubuntu-server
    public_key: <Ubuntu server public key>
    endpoint: 44.203.119.30:51820
    addresses:
      - 10.0.0.1/24
    allowed_ips: []
    client_allowed_ips:
      - 10.0.0.1

And here is the config for the Ubuntu server:

[Interface]
Address = 10.0.0.1/24
ListenPort = 51820
PrivateKey = <Ubuntu server private key>
PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE

[Peer]
PublicKey = <HASS public key>
AllowedIPs = 10.0.0.2/32

I removed the keys just before posting, they work without problem.

Ok, so it should just work.
Maybe check the HA logs for errors.
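
The checks from this thread as an added example (not part of the original posts): a TCP connect that separates "refused" from "timeout", followed by a GET, since HA answers HEAD with 405. The function names are made up for illustration; 10.0.0.2:8123 is the tunnel address and port from the posts.

```python
import errno
import http.client
import socket

def tcp_state(host, port, timeout=3.0):
    """Return 'open', 'refused', 'timeout' or 'error:<errno name>'."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        try:
            rc = s.connect_ex((host, port))
        except socket.timeout:
            return "timeout"
    if rc == 0:
        return "open"
    if rc == errno.ECONNREFUSED:
        return "refused"
    # With a socket timeout set, connect_ex reports expiry as EAGAIN/EWOULDBLOCK.
    if rc in (errno.ETIMEDOUT, errno.EAGAIN, errno.EWOULDBLOCK):
        return "timeout"
    return "error:" + errno.errorcode.get(rc, str(rc))

def http_status(host, port, timeout=3.0):
    """Status code of GET / (not HEAD, which HA rejects with 405), or None."""
    conn = http.client.HTTPConnection(host, port, timeout=timeout)
    try:
        conn.request("GET", "/")
        return conn.getresponse().status
    except (OSError, http.client.HTTPException):
        return None
    finally:
        conn.close()

def diagnose(host, port):
    """One-line verdict for a host that answers ping but not HTTP."""
    state = tcp_state(host, port)
    if state == "refused":
        # An active rejection: the packet arrived and something answered it.
        return "refused: nothing listens on this address/port, or a rule rejects it"
    if state == "timeout":
        return "timeout: packets are dropped on the way (filter or routing)"
    if state != "open":
        return state
    status = http_status(host, port)
    if status is None:
        return "open: TCP connects but there is no HTTP response"
    return "open: HTTP %d" % status

if __name__ == "__main__":
    # Address and port taken from the thread; run this from the Ubuntu server.
    print(diagnose("10.0.0.2", 8123))
```

A "refused" result like the curl output above means the SYN reached the far end and was actively rejected, so the tunnel itself is carrying traffic.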