Connecting ESPHome node to Home Assistant across a Wireguard VPN

BuddyCasino · March 28, 2023, 6:20pm

I have two routers with built-in Wireguard capability, and they are connected. The HA server is in the 192.168.10.x network, and the ESPome node is in the 192.168.20.x network. I know mDNS is not routed across, but I naively thought I could just specify the static IP address of the HA server on the ESPHome node and that would be it. It seems there is no way to do that? Could I patch the sources, or is it not that simple?

I also manually added the ESPHome node in HA, and it recognised something, but still it is not displayed as being online. I know I could use MQTT as a workaround, but that seem rather unnecessary?

orange-assistant · March 29, 2023, 1:04am

No, simply because a esphome node is the server and HA connects (as a client) to it.

Any logs?

As a side-note I expect mDNS can’t cross your subnets?

BuddyCasino · March 29, 2023, 7:45am

No, simply because a esphome node is the server and HA connects (as a client) to it.

But then I would expect it to work when I manually add the device via its IP?

As a side-note I expect mDNS can’t cross your subnets?

As mentioned, no. I’m not sure if its possible to configure it in a way that will allow that.

k8n · March 29, 2023, 9:33am

github.com/hassio-addons/addon-wireguard

Wireguard network unreachable from HA

opened 06:30PM - 25 Aug 22 UTC

closed 08:17AM - 25 Dec 22 UTC

github-k8n

stale

# Problem/Motivation Multiple devices within the local network should be access…ed via wireguard (from home assistant) Therefore a corresponding configuration with IPs in the 10.84.x.x range (local network does use 192.168.x.x) was created. I can verify that the wireguard connection is up and running, ICMP echo requests (ping) from the device to the "server" wireguard IP get a reply and logs show that the peer is connected. However when trying to add an rtsp camera on that IP I get a timeout and the following error: Error from stream worker: Error opening stream (ERRORTYPE_101, Network unreachable) rtsp://10.84.0.2:1935/cam/1 ## Expected behavior Possible to have connectivity between devices and HA via wireguard. ## Actual behavior Error, wireguard network seems to be unreachable from HA

LCL · March 29, 2023, 10:28am

Have you added the AllowedIPs on both routers?

Router 1 (192.168.10.x) should have: AllowedIPs 192.168.20.0/24
Router 2 (192.168.20.x) should have: AllowedIPs 192.168.10.0/24

What that will do is add a route from router 1 to addresses in Router 2 and vice versa.

Now you don’t have to route the whole network, if Router 2 is only communicating with home assistant then you can just use ex. 192.168.10.100/32 (use the correct IP for HA).
Then all traffic from Router 2 to HA should be routed and all traffic back from HA to the node(s) should be routed back to Router 2

orange-assistant · March 29, 2023, 12:16pm

You should be able to make use of esphome as mDNS is not mandatory but mainly a comfort feature.

But due to the lack of logs (already requested) probably nobody will able without poking in the dark

Telling us

is like “my car works somewhat” and asking “what is wrong”?

BuddyCasino · March 29, 2023, 3:57pm

Thanks for your suggestion, this is the current config for each router:

Router at 192.168.10.1:

[Interface]
PrivateKey = XXX
ListenPort = 50525
Address = 192.168.10.1/24
DNS = 192.168.10.1,192.168.20.1
DNS = fritz.box

[Peer]
PublicKey = XXX
PresharedKey = XXX
AllowedIPs = 192.168.20.0/24
PersistentKeepalive = 25


Router at 192.168.20.1:

[Interface]
PrivateKey = XXX
ListenPort = 55977
Address = 192.168.20.1/24
DNS = 192.168.20.1,192.168.10.1
DNS = fritz.box

[Peer]
PublicKey = XXX
PresharedKey = XXX
AllowedIPs = 192.168.10.0/24
Endpoint = XXX.myfritz.net:50525
PersistentKeepalive = 25

According to your description, that should be correct?

I noticed that I can reach 192.168.10.1 from 192.168.20.x, but I can’t reach 192.168.20.1 from 192.168.10.x. This explains why Home Assistant, which lives in 192.168.10, gets no updates from the ESPHome node in 192.168.20.x. The WireGuard Tunnel is basically unidirectional, and I don’t understand why.

Update: I think my ISP uses CGNAT, maybe this is causing issues.

LCL · March 29, 2023, 4:53pm

ok,

I checked how I have set up my wireguard from my phone to my router.
On the router I have
10.10.1.1/24
and all peers has one ip each in the same net for allowIPs
10.10.1.20/32

On the phone I have address 10.10.1.20/32
And allowedIPs 0.0.0.0/0 as all traffic will go to my VPN.

Looking at your config, maybe your main router (Router 1) should have one extra AllowIPs set to ex. 192.168.10.250/32

Then your Router 2 under interface have address = 192.168.10.250/32 instead of 192.168.20.1/24
under peer you leave it as it is.

Your Router 2 will have its own dhcp under the LAN with 192.168.20.1/24.
then all traffic from 192.168.20.x will be routed into Router 2 and there it will find the route though the WG interface.

Maybe test this?
You may need to set firewall rules also. so check that too.

BuddyCasino · March 30, 2023, 9:06am

I’ll first try if I can get rid of CGNAT and then will experiment further. Thanks for your suggestions, its been really helpful!

BuddyCasino · March 30, 2023, 5:13pm

So I’ve changed the IP from CGNAT to a proper one, and now it seems to work. I can’t tell for sure if this is what did it, but the main takeaway is that you don’t need mDNS to add an ESPHome device, its just convenient - you can always add it manually by its IP address.

orange-assistant · March 30, 2023, 7:11pm

Beside mDNS hostname or IP address the normal/traditional hostname is also allowed and often makes sense when working with different (sub)nets and domains

We might never know what this something was