Connect Home Assistant to existing WireGuard VPN

Hello there,

I am trying to configure Home Assistant (on a Raspberry Pi) with WireGuard to connect to my existing WireGuard VPN. I succeeded in connecting Home Assistant to the VPN and successfully pinged the Raspberry Pi from my notebook, but when I try to access Home Assistant over the VPN I don't get a connection. My setup is as follows:

Home Assistant:

server:
  host: homeassistant.local
  addresses:
    - 10.0.0.2
  dns: []
  private_key: <my-key>
peers:
  - name: andor
    addresses:
      - 10.0.0.1/24
    public_key: <root-server-public-key>
    endpoint: <root-server-ip>:51820
    allowed_ips: []
    client_allowed_ips: []

Root-Server:

[Interface]
Address = 10.0.0.1/24
ListenPort = 51820
PrivateKey = <private-key>

#Home Assistant (RPi)
[Peer]
PublicKey = <public-key>
AllowedIPs = 10.0.0.2/32

#Phone
[Peer]
PublicKey = <public-key>
AllowedIPs = 10.0.0.128/32

#Notebook
[Peer]
PublicKey = <public-key>
AllowedIPs = 10.0.0.129/32

Notebook:

[Interface]
PrivateKey = <private-key>
ListenPort = 51820
Address = 10.0.0.129/32

[Peer]
PublicKey = <public-key>
AllowedIPs = 10.0.0.1/24
Endpoint = 152.89.104.59:51820
PersistentKeepalive = 25

Log on startup of the WireGuard add-on:

[s6-init] making user provided files available at /var/run/s6/etc...exited 0.
[s6-init] ensuring user provided files have correct perms...exited 0.
[fix-attrs.d] applying ownership & permissions fixes...
[fix-attrs.d] done.
[cont-init.d] executing container initialization scripts...
[cont-init.d] 00-banner.sh: executing... 
-----------------------------------------------------------
 Add-on: WireGuard
 Fast, modern, secure VPN tunnel
-----------------------------------------------------------
 Add-on version: 0.5.1
 You are running the latest version of this add-on.
 System: Home Assistant OS 6.3  (aarch64 / raspberrypi4-64)
 Home Assistant Core: 2021.9.5
 Home Assistant Supervisor: 2021.09.0
-----------------------------------------------------------
 Please, share the above information when looking for help
 or support in, e.g., GitHub, forums or the Discord chat.
-----------------------------------------------------------
[cont-init.d] 00-banner.sh: exited 0.
[cont-init.d] 01-log-level.sh: executing... 
[cont-init.d] 01-log-level.sh: exited 0.
[cont-init.d] config.sh: executing... 
[cont-init.d] config.sh: exited 0.
[cont-init.d] done.
[services.d] starting services
[services.d] done.
[12:15:41] INFO: Starting WireGuard...
[#] ip link add wg0 type wireguard
[#] wg setconf wg0 /dev/fd/63
Warning: AllowedIP has nonzero host part: 10.0.0.1/24
[#] ip -4 address add 10.0.0.2/24 dev wg0
[#] ip link set mtu 1420 up dev wg0
[#] resolvconf -a wg0 -m 0 -x
[#] iptables -A FORWARD -i wg0 -j ACCEPT; iptables -A FORWARD -o wg0 -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

Does anyone have any idea why I get a connection refused while trying to connect to http://10.0.0.2:8123/ ?

Further information after tinkering with my setup:
The problem seems to be related to the forwarding of the request from the VPN to the Docker network. I tried to configure the WireGuard container with different post_up commands but nothing seems to work. Unfortunately I don't have much experience with iptables, so I'm not sure if the commands even do what I think they do. At the moment I'm thinking about routing the traffic to my router and configuring the router to redirect it to Home Assistant, but that seems a little indirect. Do you think I'm on the right track or should I try something different?
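An added example, not code from the original post or from the WireGuard add-on itself: a post_up-style helper that illustrates the forwarding step the post above is missing. The add-on's startup log shows that wg0 and the tunnel address 10.0.0.2 live inside the add-on container, where nothing listens on TCP 8123, so a SYN to 10.0.0.2:8123 is answered by that container's kernel with a reset ("connection refused"). The script below emits the DNAT and NAT rules that hand such connections on to Home Assistant Core, and only executes them when run with `apply`. The interface name `wg0` and port 8123 come from the post; `HA_ADDR` is an assumed placeholder for the address of the Home Assistant Core container as seen from the add-on container, which has to be looked up (for example with `getent hosts homeassistant` inside the add-on container) and filled in.

```shell
#!/bin/sh
# Hypothetical post_up helper for the Home Assistant WireGuard add-on
# (added example, not the add-on's own code).
#
# Assumed inputs (not from the original post):
#   WG_IF   tunnel interface created by the add-on (wg0 in the log above)
#   HA_ADDR address of the Home Assistant Core container as seen from the
#           add-on container; 192.0.2.10 is a TEST-NET-2 placeholder, replace it
#   HA_PORT port Home Assistant listens on (8123)
WG_IF="${WG_IF:-wg0}"
HA_ADDR="${HA_ADDR:-192.0.2.10}"
HA_PORT="${HA_PORT:-8123}"

# Print, one per line, the commands needed so that a connection to
# <tunnel-address>:8123 arriving on the tunnel is forwarded to Home Assistant
# instead of being delivered to (and refused by) the add-on container itself.
# The broad FORWARD ACCEPT rules the add-on already installs (see the log
# above) are assumed to be present, so only the NAT pieces are added here.
generate_rules() {
    wg_if="$1"; ha_addr="$2"; ha_port="$3"
    # 1. The container kernel must be allowed to route between interfaces.
    printf '%s\n' "sysctl -w net.ipv4.ip_forward=1"
    # 2. Rewrite the destination of TCP connections to 8123 that arrive on the
    #    tunnel, so the routing decision forwards them rather than keeps them
    #    local. Only the tunnel interface is matched, so nothing reachable from
    #    eth0 is redirected.
    printf '%s\n' "iptables -t nat -A PREROUTING -i $wg_if -p tcp --dport $ha_port -j DNAT --to-destination $ha_addr:$ha_port"
    # 3. Source-NAT those forwarded packets to the add-on's own address so
    #    Home Assistant's replies come back through this container (where
    #    conntrack reverses the DNAT) instead of going to its default gateway.
    printf '%s\n' "iptables -t nat -A POSTROUTING -d $ha_addr -p tcp --dport $ha_port -j MASQUERADE"
}

# Number of rules the plan contains (used to sanity-check the generator).
rule_count() {
    generate_rules "$WG_IF" "$HA_ADDR" "$HA_PORT" | wc -l | tr -d ' '
}

# Execute the plan line by line, echoing each command first.
apply_rules() {
    generate_rules "$WG_IF" "$HA_ADDR" "$HA_PORT" | while IFS= read -r cmd; do
        echo "+ $cmd"
        sh -c "$cmd"
    done
}

# Default is a dry run that only prints the plan; "apply" executes it.
if [ "${1:-}" = "apply" ]; then
    apply_rules
else
    generate_rules "$WG_IF" "$HA_ADDR" "$HA_PORT"
fi
```

After applying, `iptables -t nat -L PREROUTING -n -v` inside the add-on container should show the DNAT rule's packet counter increasing when the notebook connects to http://10.0.0.2:8123/, and `ss -ltn` confirms that nothing in the add-on container listens on 8123 itself. The `Warning: AllowedIP has nonzero host part: 10.0.0.1/24` line in the log is unrelated to this problem: WireGuard masks the prefix to 10.0.0.0/24 and continues.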

Any progress on your problem? I want to do the same.

Me too.
I have been trying to add a route from the client IP to 172.30.33.10 (WireGuard server).
nmcli does not work.

I tried Tailscale and it works fine. Will keep using that.

Hello.

I had the same problem, I solved it with a minimal add-on and made a tutorial: