Home Assistant behind 4G LTE Router

Hello and sorry if I’m in the wrong section.
Let me explain my problem to you (sorry for my English I am French).
I would like two sites to communicate with each other using WireGuard.

Site 1: my house. The network is managed with a Unifi router (UDM Pro). I have a fixed IP address.

Site 2: my country house. Internet is available through the 4G LTE router (Huawei B818-263). I tried to retrieve the IP with DuckDNS but it does not work. I am not retrieving the correct public IP. This is a priori a Carrier-grade NAT problem.

For practical reasons I installed Home assistant (Haos 10.3) on a raspberry Pi 4 for site 2. So I installed the Nginx Proxy Manager, Duck-DNS add-ons (but I will be able to remove it since it is useless) and Wireguard in HAOS. I would like to know how to configure Wireguard from Site 2 (HA add-on) and Wireguard in Unifi OS from Site 1 to communicate with each other.
The goal is that from site 1 (192.168.1.0/24), I can access site 2 as in a local network (192.168.2.0/24).
I had succeeded by installing wireguard in another Raspberry Pi (site 2) but it is broken and in a virtual machine with a Debian (site 1). I figured using the Wireguard add-on in HAOS would save me a machine.
Before, I simply had to do on each machine a “umask 077; wg genkey | tee privatekey | wg pubkey > publickey” to generate the public and private keys and fill my wg0.conf files with them.
There with the add-on I don’t see how to do it…
Optionally, I saw that in my UDM Pro I can create a Wireguard server too. I thought it could also allow me to delete this virtual machine.
If you think of another configuration I am ready to modify all that.
Thanks in advance !!

I do not know the unifi system, but you need a VPN server at your location with a fixed public IP and set that to accept connections from the internet on the correct port and with the correct protocols.
Then once that is up and running, you need to set up a VPN client at the location with CGNAT and make that connect to the VPN server at your first location. Here you might have to pray a bit and try different types of VPN server setups, because CGNAT might not route all protocols needed for a successful connection.
Sometimes you might get a connection and then get disconnected a few minutes later, because the protocol used for keep-alive packets is blocked.
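To make the server/client split and the keep-alive point concrete, here is an added example (not from the thread, not the add-on's or Unifi's own files) that renders the two WireGuard site-to-site configs the original question asks for: site 1 with the fixed IP listens, site 2 behind 4G CGNAT initiates and sends a PersistentKeepalive so the carrier's NAT mapping stays open. The keys, the 10.99.0.0/24 tunnel subnet and the 203.0.113.10 endpoint are constructed placeholders; real keys come from the `wg genkey | tee privatekey | wg pubkey > publickey` step already in the thread. On a UDM Pro the listener side is entered in the UI rather than as a file, but the same fields (peer public key, AllowedIPs, listen port) apply.

```shell
#!/bin/sh
# Added example, not from the thread: render a WireGuard site-to-site pair.
# Site 1 (fixed public IP) is the listener; site 2 (4G, CGNAT) initiates.
# All keys and addresses below are CONSTRUCTED placeholders.

SITE1_ENDPOINT="${SITE1_ENDPOINT:-203.0.113.10:51820}"   # placeholder public IP
SITE1_PRIV="SITE1_PRIVATE_KEY_PLACEHOLDER"
SITE1_PUB="SITE1_PUBLIC_KEY_PLACEHOLDER"
SITE2_PRIV="SITE2_PRIVATE_KEY_PLACEHOLDER"
SITE2_PUB="SITE2_PUBLIC_KEY_PLACEHOLDER"

# Listener config for site 1: only site 2's key is accepted, and only site 2's
# tunnel address plus its LAN (192.168.2.0/24) are routed through the peer.
# No Endpoint on this side: site 2 has no reachable address, so it must call in.
site1_conf() {
  cat <<EOF
[Interface]
Address = 10.99.0.1/24
ListenPort = 51820
PrivateKey = $SITE1_PRIV

[Peer]
# site 2 (4G, behind CGNAT)
PublicKey = $SITE2_PUB
AllowedIPs = 10.99.0.2/32, 192.168.2.0/24
EOF
}

# Initiator config for site 2: Endpoint is site 1's fixed IP. The keepalive
# refreshes the CGNAT mapping every 25 s so return traffic keeps flowing
# (the "disconnected a few minutes later" symptom described in the thread).
site2_conf() {
  cat <<EOF
[Interface]
Address = 10.99.0.2/24
PrivateKey = $SITE2_PRIV

[Peer]
# site 1 (fixed public IP)
PublicKey = $SITE1_PUB
Endpoint = $SITE1_ENDPOINT
AllowedIPs = 10.99.0.1/32, 192.168.1.0/24
PersistentKeepalive = 25
EOF
}

# Sanity check before loading a config: refuse 0.0.0.0/0 in AllowedIPs
# (that would pull the site's default route into the tunnel, which a
# site-to-site setup does not want), and require a PublicKey per [Peer].
check_conf() {
  conf="$1"
  if printf '%s\n' "$conf" | grep -q '0\.0\.0\.0/0'; then
    echo "refuse: AllowedIPs would capture the default route" >&2
    return 1
  fi
  peers=$(printf '%s\n' "$conf" | grep -c '^\[Peer\]' || true)
  keys=$(printf '%s\n' "$conf" | grep -c '^PublicKey' || true)
  [ "$peers" -gt 0 ] && [ "$peers" -eq "$keys" ]
}

# Usage: site1_conf > wg0-site1.conf ; site2_conf > wg0-site2.conf
```

Each site still needs a static route for the other site's LAN pointing at the WireGuard host (as the thread's earlier setup had), unless the WireGuard endpoint is the router itself.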

You don’t necessarily need a VPN for this. You can have the 4G site establish a reverse SSH tunnel to your main house, as the latter has a static IP. You can NAT this reverse tunnel over your public IP to a dedicated port. SSH supports auto-reconnect if the tunnel goes down, including if the 4G site changes IP.

This also works with a hosted VPS if you don’t have a static IP.

I used to do this for a while with my own 4G connected home (with a Huawei B525 4G router and a SFR simcard). Worked very well for years. It’s not as safe as a real VPN though (as it still opens a port), but it’s more convenient and you can add some security on the tunnel server (like IP range blocks, only allowing incoming connections on IP ranges of your own ISP or port knocking).

Hello,
SFR? May I assume you are French? (Tell me if the informal "tu" bothers you.)
Could I have some details? Your solution interests me. Could you help me set it up?
Thank you already for your previous reply.
Regards.

I had implemented a solution that worked but was very resource intensive.
Location 1:

  • A Debian VM with Nginx Proxy Manager
  • A Debian VM with WireGuard
  • A static route in my Unifi router

Location 2:

  • A Raspberry Pi with WireGuard
  • A static route on my router

The two servers communicated very well with each other, but I would like to be able to do without all these machines and group all this into a minimum of hardware.

You need a server and a client as minimum, so the minimal hardware would be if the Unifi router was able to act as a server in its firmware and the 4G router as a client in its firmware and that those setups provided a combination that would be compatible with each other and with your ISPs.

Firstly, this is advice that may not apply, but should be helpful for others looking into this:
some carriers allow you to use a different APN that puts you outside of the carrier grade NAT, or using different firewall settings if that is the issue.
Secondly, there are offerings where you have mobile data with a static IP. These offerings are generally more expensive than consumer options, but these days not that much more expensive than other business oriented offerings.

That being said, if this can not be avoided, here is a solution that can circumvent issues with NAT:

Something you could try, is a config that utilizes UDP hole punching.
This allows NAT traversal by establishing a UDP session from the client behind NAT, and using that port for the VPN connection.
Here’s a lengthy explanation with a specific solution at the end:

Netmaker seems like a solid off-the-shelf tool for this, it supports UDP hole punching and there is a community version (and free tier for the enterprise version if you make an account):

The following repo seems to be a bit more lean, but i haven’t looked into the specifics if it will fit your use case:

I don’t have much experience with your specific implementation, but i have used UDP hole punching in other VPN contexts before, including mobile networks with carrier grade NAT.

Breton pour être précis :wink: But this is an English language forum, so let’s keep it that way.

If this is only about opening a port into a single service behind CGNAT and you have access to a Linux server running on a public static IP, then a lot of the solutions presented here are a bit overkill. Just Google SSH reverse tunnel. It’s a standard approach for these kind of situations, there are literally tons of tutorials available.

The client will use SSH to create an outgoing encrypted connection to the server and keep it alive. The connection will be treated as a tunnel for data, so both ends will forward incoming and outgoing data to a configurable port. On the side of the client, that port would be your HA port (usually 8123). On the side of the server, you can map this to any available port, which would then be exposed to the internet. Optionally (and preferably) with a firewall in between.
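The reverse-tunnel approach described in this reply and in the earlier one (NAT the tunnel port on the static-IP side, put a firewall in between, add some restrictions on the tunnel server) as an added example; this is not code from the thread. It assumes the CGNAT side is a Linux box with autossh and a dedicated key at /etc/tunnel/id_ed25519 (so it does not directly answer the HAOS add-on question), a dedicated unprivileged user "tunnel" on the static-IP server, 203.0.113.10 as a placeholder for that server's address, port 18123 as the chosen server-side listener, and OpenSSH 7.8 or newer on the server for the permitlisten option. The server-side authorized_keys line is the security-relevant part: it confines the tunnel key to exactly one loopback listener, so the firewall or NAT rule, not the SSH account, decides what the internet can reach.

```shell
#!/bin/sh
# Added example, not from the thread: the client command, the hardened
# server-side authorized_keys entry and a systemd unit for a reverse SSH
# tunnel from a CGNAT site to a server with a fixed public IP.
# Server address, user and ports are CONSTRUCTED placeholders.

TUNNEL_SERVER="${TUNNEL_SERVER:-203.0.113.10}"
TUNNEL_USER="${TUNNEL_USER:-tunnel}"
HA_PORT="${HA_PORT:-8123}"        # Home Assistant on the CGNAT side
TUNNEL_PORT="${TUNNEL_PORT:-18123}" # listener on the server, loopback only

# Client side: hold the tunnel open and reconnect (autossh -M 0 relies on
# the ServerAlive probes instead of a monitor port). -R binds on the server's
# 127.0.0.1, so nothing is reachable until a firewall/NAT rule or reverse
# proxy on the server explicitly publishes port 18123.
client_cmd() {
  printf '%s\n' "autossh -M 0 -N -o ServerAliveInterval=30 -o ServerAliveCountMax=3 -o ExitOnForwardFailure=yes -o StrictHostKeyChecking=yes -i /etc/tunnel/id_ed25519 -R 127.0.0.1:${TUNNEL_PORT}:127.0.0.1:${HA_PORT} ${TUNNEL_USER}@${TUNNEL_SERVER}"
}

# Server side: one line for ~tunnel/.ssh/authorized_keys. "restrict" turns
# off pty, agent/X11 forwarding and the rest; "port-forwarding" re-enables
# only forwarding; "permitlisten" pins the -R listener to this single port.
authorized_key_entry() {
  pubkey="$1"   # the client's public key, e.g. "ssh-ed25519 AAAA... tunnel"
  printf 'restrict,port-forwarding,permitlisten="127.0.0.1:%s" %s\n' "$TUNNEL_PORT" "$pubkey"
}

# Refuse to install an authorized_keys line that gives the tunnel key more
# than it needs (no restrict, or no permitlisten pin).
check_entry() {
  case "$1" in
    restrict,*permitlisten=*) return 0 ;;
    *) return 1 ;;
  esac
}

# Client side: systemd unit so the tunnel survives reboots and 4G IP changes.
# AUTOSSH_GATETIME=0 lets autossh retry even if the very first attempt fails.
tunnel_unit() {
  cat <<EOF
[Unit]
Description=Reverse SSH tunnel to $TUNNEL_SERVER
After=network-online.target
Wants=network-online.target

[Service]
User=tunnel
Environment=AUTOSSH_GATETIME=0
ExecStart=$(client_cmd)
Restart=always
RestartSec=10

[Install]
WantedBy=multi-user.target
EOF
}

# Usage on the client:  tunnel_unit > /etc/systemd/system/ha-tunnel.service
# Usage on the server:  authorized_key_entry "$(cat tunnel.pub)" >> ~tunnel/.ssh/authorized_keys
```

Publishing the loopback listener to the internet is then a deliberate second step on the server (a DNAT rule or an nginx vhost in front of 127.0.0.1:18123), which is also where source-range restrictions like the ones mentioned earlier belong.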

Similar situation to yours

Home 1 - public ip, I could just portforward, setup nginx and host wireguard server.
Home 2 - 4g cgnat, reverse ssh tunnel (so I can still access ha without having to turn on vpn/wireguard) + wireguard client.
Recently I’ve started using cloudflare tunnel, so I just needed to get a free domain.

Do you know if there is an add-on for HA to create an SSH client because unless I’m mistaken I can’t install anything outside of HA. It’s HAOS and the terminal in HA is limited and doesn’t allow me to install what I want on the raspberry pi or I don’t know the syntax used.
Otherwise it would have been a long time since I would have installed Wireguard directly.

I have no idea, sorry, I don’t use HAOS.

@lafamillegregoire so what issues are you facing with Wireguard? I have been using wireguard client addon on HAOS just fine, and since UDM Pro does support Wireguard server, you should be good to just configure it and use it.
However personally, I would add “redundancy” to it - I get it, if you want to be able to only VPN in and connect to HA, okay. But if intent here is to have HA in second site publicly available, why not just use cloudflare tunnel on the remote site? You can still have wireguard sitting next to it to be able to connect directly if you want, but that could fail on second site and then you would have no access at all.
There are also other options - such as tailscale or zerotier. I used zerotier in one of my sites - couldn’t be any easier.

Here is a very good explanation of how to get it to work.

Best regards
Ole T