Connecting ESPHome node to Home Assistant across a Wireguard VPN

I have two routers with built-in Wireguard capability, and they are connected. The HA server is in the 192.168.10.x network, and the ESPHome node is in the 192.168.20.x network. I know mDNS is not routed across, but I naively thought I could just specify the static IP address of the HA server on the ESPHome node and that would be it. It seems there is no way to do that? Could I patch the sources, or is it not that simple?

I also manually added the ESPHome node in HA, and it recognised something, but still it is not displayed as being online. I know I could use MQTT as a workaround, but that seems rather unnecessary?

No, simply because an ESPHome node is the server and HA connects (as a client) to it. :bulb:

Any logs? :page_with_curl:

As a side-note I expect mDNS can’t cross your subnets? :twisted_rightwards_arrows:


No, simply because an ESPHome node is the server and HA connects (as a client) to it. :bulb:

But then I would expect it to work when I manually add the device via its IP?

As a side-note I expect mDNS can’t cross your subnets? :twisted_rightwards_arrows:

As mentioned, no. I’m not sure if it’s possible to configure it in a way that will allow that.

Have you added the AllowedIPs on both routers?

Router 1 (192.168.10.x) should have: AllowedIPs 192.168.20.0/24
Router 2 (192.168.20.x) should have: AllowedIPs 192.168.10.0/24

What that will do is add a route from router 1 to addresses in Router 2 and vice versa.

Now you don’t have to route the whole network; if Router 2 is only communicating with Home Assistant then you can just use e.g. 192.168.10.100/32 (use the correct IP for HA).
Then all traffic from Router 2 to HA should be routed, and all traffic back from HA to the node(s) should be routed back to Router 2.

You should be able to make use of esphome as mDNS is not mandatory but mainly a comfort feature.

But due to the lack of logs (already requested), probably nobody will be able to help without poking in the dark :see_no_evil:

Telling us

is like “my car works somewhat” and asking “what is wrong”? :man_facepalming:


Thanks for your suggestion, this is the current config for each router:

Router at 192.168.10.1:

[Interface]
PrivateKey = XXX
ListenPort = 50525
Address = 192.168.10.1/24
DNS = 192.168.10.1,192.168.20.1
DNS = fritz.box

[Peer]
PublicKey = XXX
PresharedKey = XXX
AllowedIPs = 192.168.20.0/24
PersistentKeepalive = 25


Router at 192.168.20.1:

[Interface]
PrivateKey = XXX
ListenPort = 55977
Address = 192.168.20.1/24
DNS = 192.168.20.1,192.168.10.1
DNS = fritz.box

[Peer]
PublicKey = XXX
PresharedKey = XXX
AllowedIPs = 192.168.10.0/24
Endpoint = XXX.myfritz.net:50525
PersistentKeepalive = 25

According to your description, that should be correct?

I noticed that I can reach 192.168.10.1 from 192.168.20.x, but I can’t reach 192.168.20.1 from 192.168.10.x. This explains why Home Assistant, which lives in 192.168.10.x, gets no updates from the ESPHome node in 192.168.20.x. The WireGuard tunnel is basically unidirectional, and I don’t understand why.

Update: I think my ISP uses CGNAT, maybe this is causing issues.
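The AllowedIPs reasoning from the earlier reply can be checked mechanically rather than by eye. The script below is an added example, not code from this thread, from AVM or from WireGuard: it parses two wg-quick style configs, constructed here from the two router configs posted above with the keys replaced by placeholder strings (the real keys are base64 and were redacted as XXX), and simulates WireGuard's cryptokey routing for a request and its reply. The point a practitioner should keep in mind is that AllowedIPs is both the routing table (which peer a destination is encrypted to) and the ingress ACL (a decrypted packet whose source is outside the sending peer's AllowedIPs is dropped silently, with no log line), so both legs have to be checked on both routers. The placeholder key names and the `Router 1`/`Router 2` labels are my own.

```python
"""Cryptokey-routing check for a WireGuard site-to-site pair.

Added example, not code from the thread, AVM or WireGuard. The two configs
below are CONSTRUCTED from the router configs posted in the thread, with keys
replaced by placeholder strings. For a packet from a host behind router 1 to a
host behind router 2 (and its reply) it answers: does each side's AllowedIPs
route the packet into the tunnel AND accept it on arrival?
"""
import ipaddress
from dataclasses import dataclass

# Placeholder public keys (assumption): only needed so that the [Peer] entry on
# one router can be matched to the other router.
R1_PUB, R2_PUB = "ROUTER1_PUBKEY", "ROUTER2_PUBKEY"

ROUTER1_CONF = f"""
[Interface]
PrivateKey = XXX
ListenPort = 50525
Address = 192.168.10.1/24

[Peer]
PublicKey = {R2_PUB}
PresharedKey = XXX
AllowedIPs = 192.168.20.0/24
PersistentKeepalive = 25
"""

ROUTER2_CONF = f"""
[Interface]
PrivateKey = XXX
ListenPort = 55977
Address = 192.168.20.1/24

[Peer]
PublicKey = {R1_PUB}
PresharedKey = XXX
AllowedIPs = 192.168.10.0/24
Endpoint = XXX.myfritz.net:50525
PersistentKeepalive = 25
"""


@dataclass
class Peer:
    public_key: str
    allowed: list        # ip_network objects from AllowedIPs
    endpoint: str        # None: this side can only answer, never initiate


@dataclass
class Router:
    name: str
    public_key: str      # this router's own key, as the other side lists it
    addresses: list      # ip_interface objects from Address
    peers: list


def parse_sections(text):
    """Minimal INI reader that keeps repeated keys (DNS, AllowedIPs) and repeated [Peer] sections."""
    sections, cur = [], None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            cur = {"_section": line[1:-1]}
            sections.append(cur)
            continue
        key, _, value = line.partition("=")
        cur.setdefault(key.strip(), []).extend(v.strip() for v in value.split(","))
    return sections


def load_router(name, public_key, text):
    addresses, peers = [], []
    for sec in parse_sections(text):
        if sec["_section"] == "Interface":
            addresses += [ipaddress.ip_interface(a) for a in sec.get("Address", [])]
        elif sec["_section"] == "Peer":
            peers.append(Peer(
                public_key=sec["PublicKey"][0],
                allowed=[ipaddress.ip_network(n, strict=False) for n in sec.get("AllowedIPs", [])],
                endpoint=sec.get("Endpoint", [None])[0],
            ))
    return Router(name, public_key, addresses, peers)


def egress_peer(router, dst):
    """Peer a packet for dst is encrypted to: longest AllowedIPs prefix wins; None = not tunnelled at all."""
    dst, best, best_len = ipaddress.ip_address(dst), None, -1
    for peer in router.peers:
        for net in peer.allowed:
            if dst in net and net.prefixlen > best_len:
                best, best_len = peer, net.prefixlen
    return best


def accepts(router, sender, src):
    """Ingress ACL: a decrypted packet from sender survives only if its source IP is in that peer's AllowedIPs."""
    src = ipaddress.ip_address(src)
    return any(src in net for p in router.peers if p.public_key == sender.public_key for net in p.allowed)


def check_flow(a, b, src, dst):
    """Problems for src (behind a) -> dst (behind b) and for the reply; [] means both legs are consistent."""
    problems = []
    for sender, receiver, s, d, leg in ((a, b, src, dst, "request"), (b, a, dst, src, "reply")):
        peer = egress_peer(sender, d)
        if peer is None:
            problems.append(f"{leg}: {sender.name} has no AllowedIPs covering {d}, so it never enters the tunnel")
        elif peer.public_key != receiver.public_key:
            problems.append(f"{leg}: {sender.name} sends {d} to a different peer ({peer.public_key})")
        elif not accepts(receiver, sender, s):
            problems.append(f"{leg}: {receiver.name} silently drops packets from {s} (not in its AllowedIPs for {sender.name})")
    return problems


def initiators(a, b):
    """Sides able to start a handshake: only a peer entry with an Endpoint knows where to send one."""
    return [me.name for me, other in ((a, b), (b, a))
            for p in me.peers if p.public_key == other.public_key and p.endpoint]


if __name__ == "__main__":
    r1 = load_router("Router 1", R1_PUB, ROUTER1_CONF)
    r2 = load_router("Router 2", R2_PUB, ROUTER2_CONF)
    print(check_flow(r1, r2, "192.168.10.100", "192.168.20.50") or "both legs consistent")
    print("can initiate the handshake:", initiators(r1, r2))
```

For the configs posted above the AllowedIPs are symmetric, so the checker reports both legs consistent and that only Router 2 can initiate (Router 1 has no Endpoint and learns Router 2's address from the first handshake; the PersistentKeepalive on Router 2 is what keeps that NAT mapping alive). That narrows the search: if the configs pass this check, a one-way tunnel is not an AllowedIPs problem but something between the two routers (NAT, the router's own routes or firewall).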

OK,

I checked how I have set up my WireGuard from my phone to my router.
On the router I have
10.10.1.1/24
and all peers have one IP each in the same net for AllowedIPs, e.g.
10.10.1.20/32

On the phone I have address 10.10.1.20/32
And allowedIPs 0.0.0.0/0 as all traffic will go to my VPN.

Looking at your config, maybe your main router (Router 1) should have one extra AllowedIPs entry set to e.g. 192.168.10.250/32.

Then your Router 2 under [Interface] has Address = 192.168.10.250/32 instead of 192.168.20.1/24;
under [Peer] you leave it as it is.

Your Router 2 will have its own DHCP on the LAN with 192.168.20.1/24.
Then all traffic from 192.168.20.x will be routed into Router 2, and there it will find the route through the WG interface.

Maybe test this?
You may need to set firewall rules also, so check that too.

I’ll first try if I can get rid of CGNAT and then will experiment further. Thanks for your suggestions, it’s been really helpful!

So I’ve changed the IP from CGNAT to a proper one, and now it seems to work. I can’t tell for sure if this is what did it, but the main takeaway is that you don’t need mDNS to add an ESPHome device, it’s just convenient - you can always add it manually by its IP address.

Besides the mDNS hostname or IP address, the normal/traditional hostname is also allowed and often makes sense when working with different (sub)nets and domains :bulb:

We might never know what this something was :joy:

I think I am in a similar situation.

When I configured wireguard addon and setup VPN in my iPhone or Mac or PC, everything works.
When I am trying to connect my ESP32, I do not see it, but I have handshakes:

LOG:

[00:11:08] INFO: Requesting current status from WireGuard…
interface: wg0
public key: Sdw…
private key: (hidden)
listening port: 51820
peer: s3ca…
endpoint: 35.156.18.25:49196
allowed ips: 192.168.4.4/32
latest handshake: 21 seconds ago
transfer: 11.28 KiB received, 171.20 KiB sent
persistent keepalive: every 25 seconds

esp32 yaml:

wireguard:
  address: 192.168.4.4
  private_key: "KGP....."
  peer_endpoint: radotin.biospace.xxx
  peer_port: 51820
  peer_public_key: "Sdw....."
  peer_allowed_ips:
    - 0.0.0.0/0
  peer_persistent_keepalive: 25s

addon yaml:

server:
  host: radotin.biospace.xxx
  addresses:
    - 192.168.4.1
  dns: []
peers:
  - name: cannondale
    addresses:
      - 192.168.4.4
    allowed_ips: []
    client_allowed_ips: []

Above that I added a static route to the destination 192.168.4.0 with gateway 192.168.1.250 (the IP of my Home Assistant instance).

I run HA in a virtual machine on a Synology NAS.

I cannot even ping 192.168.4.4, traceroute ends at 192.168.1.250

Any ideas about what is wrong? Thank you…
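The add-on log quoted in this post already contains the most useful signal for the question asked: a handshake 21 seconds old and bytes counted in both directions mean WireGuard itself is up, so a failing ping or a traceroute that stops at the HA host points at IP routing or forwarding around the tunnel, not at keys or ports. The script below is an added example, not code from this thread, from ESPHome or from the Home Assistant WireGuard add-on: it parses the `wg show` style status text (the sample is constructed from the log posted above, with the key and endpoint kept as the poster abbreviated them) and turns it into a verdict. The 180-second staleness threshold is WireGuard's REJECT_AFTER_TIME; the verdict strings are my own.

```python
"""Triage a `wg show` status dump.

Added example, not code from the thread, ESPHome, the HA add-on or WireGuard.
SAMPLE is CONSTRUCTED from the add-on log posted in the thread. The verdict
separates "WireGuard is broken" (no or stale handshake, or nothing ever flows
one way) from "the tunnel is fine, look at routing/forwarding around it".
"""
import re

SAMPLE = """\
interface: wg0
  public key: Sdw…
  private key: (hidden)
  listening port: 51820

peer: s3ca…
  endpoint: 35.156.18.25:49196
  allowed ips: 192.168.4.4/32
  latest handshake: 21 seconds ago
  transfer: 11.28 KiB received, 171.20 KiB sent
  persistent keepalive: every 25 seconds
"""

SIZE = {"B": 1, "KiB": 1024, "MiB": 1024 ** 2, "GiB": 1024 ** 3, "TiB": 1024 ** 4}
DURATION = {"day": 86400, "hour": 3600, "minute": 60, "second": 1}
# WireGuard refuses to use a session 180 s after its handshake (REJECT_AFTER_TIME);
# a "latest handshake" older than that means the peer has stopped answering.
STALE_AFTER = 180


def parse_duration(text):
    """'1 hour, 2 minutes, 3 seconds ago' -> 3723 (seconds)"""
    return sum(int(n) * DURATION[u] for n, u in re.findall(r"(\d+) (day|hour|minute|second)s?", text))


def parse_size(text):
    """'11.28 KiB received' -> 11550 (bytes, truncated)"""
    m = re.search(r"([\d.]+) (B|KiB|MiB|GiB|TiB)", text)
    return int(float(m.group(1)) * SIZE[m.group(2)])


def parse_wg_show(text):
    """One dict per peer; handshake_age stays None when wg printed no 'latest handshake' line."""
    peers, cur = [], None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("peer:"):
            cur = {"public_key": line.split(":", 1)[1].strip(), "allowed_ips": [],
                   "handshake_age": None, "rx": 0, "tx": 0}
            peers.append(cur)
        elif cur is None:
            continue                      # still in the interface: block
        elif line.startswith("allowed ips:"):
            cur["allowed_ips"] = [n.strip() for n in line.split(":", 1)[1].split(",")]
        elif line.startswith("latest handshake:"):
            cur["handshake_age"] = parse_duration(line)
        elif line.startswith("transfer:"):
            rx, tx = line.split(":", 1)[1].split(",")
            cur["rx"], cur["tx"] = parse_size(rx), parse_size(tx)
    return peers


def triage(peer):
    """Return (ok, verdict) for one peer."""
    nets = ", ".join(peer["allowed_ips"])
    if peer["handshake_age"] is None:
        return False, "never handshaked: wrong public/preshared key, endpoint or UDP port, or the port is unreachable"
    if peer["handshake_age"] > STALE_AFTER:
        return False, f"last handshake {peer['handshake_age']}s ago: session expired, peer no longer answering"
    if peer["rx"] == 0:
        return False, "fresh handshake but nothing received since: the far side puts nothing into the tunnel"
    if peer["tx"] == 0:
        return False, f"fresh handshake but nothing sent: no local route points {nets} into the tunnel"
    return True, (f"tunnel is up and carrying bytes both ways; unreachable hosts are a routing, forwarding "
                  f"or firewall problem outside WireGuard (is this host really the gateway for {nets}?)")


if __name__ == "__main__":
    for p in parse_wg_show(SAMPLE):
        print(p["public_key"], triage(p))
```

Run against the sample this prints the "tunnel is up" verdict for the `s3ca…` peer, which is the case that matters here: the next things to check are on the HA host rather than in WireGuard, for example whether packets for 192.168.4.0/24 that arrive at 192.168.1.250 are forwarded into the add-on's wg0 (the add-on runs in its own container, so the VM's routing and forwarding settings and any firewall between it and wg0 are all in the path), and whether the ESP32 side has a return route, which with `peer_allowed_ips: 0.0.0.0/0` it does.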