Home Assistant Community Add-on: WireGuard

Because /24 will only match the last octet and you need it to be a 16 bit /16 mask not /24 with those 2 addresses.
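WireGuard decides where an outbound packet goes by longest-prefix match over every peer's allowed_ips ("cryptokey routing"); a destination that no entry covers is silently dropped, which is exactly what a 192.168.0.0/24 entry does to 192.168.11.1. The script below is an added example, not code from the add-on or from either poster; the peer tables in it are constructed from the two prefixes discussed above plus a hypothetical second peer named `branch` to show the longest-prefix rule.

```python
import ipaddress

# Constructed sample peer tables (not the poster's full config): the /24 from the
# question, the /16 from the reply, and a hypothetical second peer "branch" that
# demonstrates longest-prefix selection when two peers overlap.
ALLOWED_TOO_NARROW = {"rimske": ["172.27.66.0/24", "192.168.0.0/24"]}
ALLOWED_FIXED = {"rimske": ["172.27.66.0/24", "192.168.0.0/16"]}
ALLOWED_TWO_PEERS = {
    "rimske": ["172.27.66.0/24", "192.168.0.0/16"],
    "branch": ["192.168.11.0/24"],   # constructed, more specific than rimske's /16
}


def select_peer(peers, destination):
    """Return (peer_name, matching_network) for the longest allowed_ips prefix
    that contains `destination`, or None when no peer claims it.

    This mirrors WireGuard's cryptokey routing: each destination is looked up
    across all peers' AllowedIPs, the most specific prefix wins, and a packet
    with no matching prefix is dropped rather than sent anywhere."""
    dst = ipaddress.ip_address(destination)
    best = None
    for name, prefixes in peers.items():
        for prefix in prefixes:
            net = ipaddress.ip_network(prefix, strict=False)
            if dst.version != net.version or dst not in net:
                continue
            if best is None or net.prefixlen > best[1].prefixlen:
                best = (name, net)
    return best


def explain(peers, destination):
    """Human-readable verdict for one destination against one peer table."""
    hit = select_peer(peers, destination)
    if hit is None:
        return f"{destination}: no allowed_ips entry matches -> packet dropped"
    return f"{destination}: sent to peer {hit[0]} via {hit[1]}"


if __name__ == "__main__":
    for label, table in (("too narrow", ALLOWED_TOO_NARROW),
                         ("fixed", ALLOWED_FIXED),
                         ("two peers", ALLOWED_TWO_PEERS)):
        print(f"[{label}]")
        for target in ("192.168.11.1", "192.168.1.5", "172.27.66.1"):
            print("  " + explain(table, target))
```

Run it as-is and compare the "too narrow" and "fixed" sections: the only difference is the /16, and it is the difference between the 192.168.11.1 packet being dropped and being tunnelled. When several peers overlap, the table with the hypothetical `branch` peer shows that the /24 beats the /16 for 192.168.11.x while 192.168.1.x still goes to `rimske`.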

I tried, but it's still not working:

Here is my whole client config:

server:
  host: ha-mp-lasko-dn-sp
  addresses:
    - 172.27.66.6
  private_key: wg-private-key
  post_up: >-
    iptables -t nat -A PREROUTING -j DNAT --to-destination 192.168.11.1;
    iptables -t nat -A POSTROUTING -j MASQUERADE
  post_down: >-
    iptables -t nat -D PREROUTING -j DNAT --to-destination 192.168.11.1;
    iptables -t nat -D POSTROUTING -j MASQUERADE
  dns: []
peers:
  - name: rimske
    addresses:
      - 172.27.66.1
    public_key: wg-public-key
    allowed_ips:
      - 172.27.66.0/24
      - 192.168.0.0/16
    client_allowed_ips: []
    persistent_keep_alive: 25
    endpoint: 'my-external-ip:51820'

Hi,

Is it possible to mask the public IP, like a paid VPN?

Thank you !

Hi Franck,

Working like a charm. One Pi less for the OpenVPN solution I was running. :grin:
Thanks for all your amazing addons! :+1:

Cheers!

Hello, I just installed this add-on to compare it to my current OpenVPN setup on my firewall. But can you please give me a hint. I can successfully join my LAN from a WireGuard client, but how do I ping a WireGuard client from my LAN?

If I put a static route on my firewall to route all traffic for my WireGuard IPs (172.27.66.0/24) to the LAN address of my Home Assistant server (let's say 192.168.1.100), would it work? Or do I need to put another static route on the host computer that is hosting my Hassio Docker install? Or am I completely wrong?

Setting the route won’t be enough. You’ll also have to tell home assistant to route traffic through the wireguard device by setting up some iptables rules. Also you’ll have to disable NAT for wireguard.

Hi,

I’m using WireGuard combined with AdGuard as documented (172.30.32.1 as DNS IP). I have the following WireGuard Config.

I want to filter some content on Kids_Phone and not on Dads_Phone. I can’t see the difference between these two devices in AdGuard because they both show up as a0d7b954-wireguard.local.hass.io (172.30.33.8) in the AdGuard Query Logs.

server:
  host: example.host.com
  addresses:
    - 172.27.66.1/32
  dns:
    - 172.30.32.1
peers:
  - name: Dads_Phone
    addresses:
      - 172.27.66.2/32
    allowed_ips:
      - 172.27.66.2/32
    client_allowed_ips:
      - 172.30.32.1/32
  - name: Kids_Phone
    addresses:
      - 172.27.66.3/32
    allowed_ips:
      - 172.27.66.3/32
    client_allowed_ips:
      - 172.30.32.1/32

Cheers, Niels


Hi,
I’m using wireguard addon as VPN to access some local devices.
If the VPN client is my phone (Android) I can access devices on the local network, and the internet goes through my phone network instead of the VPN. That's exactly what I want.

But if the VPN client is the wireguard windows client, I can access the local devices, but I have no internet at all.
Anyone experienced this?

Anyone know if it is possible to use this add-on to connect using the HA side as a client and connect to an external server? I am behind CG-NAT but have VPS server that I could connect to on the GCE (Google Cloud Engine). Here I have a public IP and I would like to forward any request going to the GCE to the HA LAN IP. If anyone has any idea on how to do this? How do I convert the config-file to the format used in the plugin?

HA Side:

[Interface]
PrivateKey = <myprivkey>
Address = 10.66.66.2/24
DNS = 8.8.8.8

[Peer]
PublicKey = <mypubkey>
Endpoint = gce-ip-address:1194
AllowedIPs = 0.0.0.0/0

GCE-side (running standard Debian manual config):

[Interface]
Address = 10.66.66.1/24
ListenPort = 1194
PrivateKey = <myprivkey>

PostUp = iptables -t nat -A PREROUTING -p tcp -i ens4 '!' --dport 22 -j DNAT --to-destination 10.66.66.2; iptables -t nat -A POSTROUTING -o ens4 -j SNAT --to-source 10.164.0.2
PostDown = iptables -t nat -D PREROUTING -p tcp -i ens4 '!' --dport 22 -j DNAT --to-destination 10.66.66.2; iptables -t nat -D POSTROUTING -o ens4 -j SNAT --to-source 10.164.0.2

[Peer]
PublicKey = <mypubkey>
AllowedIPs = 10.66.66.2/32, 172.17.0.0/16, 192.168.1.0/24

I have tried the above with a Docker container but it does not work properly… I still have issues traversing from the GCE to the HA host LAN. I can ping 172.17.x.x but not 192.168.1.x. Could this plugin be used to simplify this?

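The post above asks how to turn a wg-quick `[Interface]`/`[Peer]` file into the add-on's `server:`/`peers:` layout. The converter below is an added example, not part of the add-on or of the poster's setup: it parses the wg-quick format (with repeated `[Peer]` sections, which `configparser` cannot handle) and emits the add-on's YAML. The field mapping it applies is an assumption inferred from the configurations posted in this thread rather than from the add-on's documentation; `host` is something wg-quick does not carry, so the caller supplies it, peer names are generated placeholders (`peer1`, `peer2`, …), and anything the mapping cannot decide is reported as a warning instead of guessed. The sample input is the HA-side file from the post with a constructed `PersistentKeepalive` line added.

```python
import ipaddress

# Constructed sample in wg-quick format: the HA-side file from the post above,
# plus a PersistentKeepalive line added for illustration.
WG_QUICK_SAMPLE = """\
[Interface]
PrivateKey = <myprivkey>
Address = 10.66.66.2/24
DNS = 8.8.8.8

[Peer]
PublicKey = <mypubkey>
Endpoint = gce-ip-address:1194
AllowedIPs = 0.0.0.0/0
PersistentKeepalive = 25
"""


def parse_wg_quick(text):
    """Parse wg-quick INI text into (interface_dict, [peer_dict, ...])."""
    interface, peers, current = {}, [], None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments and blank lines
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            if section == "interface":
                current = interface
            elif section == "peer":
                current = {}
                peers.append(current)               # one dict per [Peer] section
            else:
                raise ValueError(f"unknown section {line}")
            continue
        if current is None or "=" not in line:
            raise ValueError(f"unexpected line: {raw!r}")
        key, value = (part.strip() for part in line.split("=", 1))
        current[key.lower()] = value                # base64 keys keep their trailing '='
    return interface, peers


def _csv(value):
    return [item.strip() for item in value.split(",") if item.strip()]


def to_addon_config(interface, peers, host):
    """Map parsed sections onto the add-on's server/peers layout (assumed mapping,
    inferred from this thread's configs). Returns (config_dict, warnings)."""
    warnings = []
    known = ("address", "privatekey", "dns", "postup", "postdown")
    server = {"host": host, "addresses": _csv(interface["address"]),
              "private_key": interface["privatekey"], "dns": _csv(interface.get("dns", ""))}
    for ini_key, yaml_key in (("postup", "post_up"), ("postdown", "post_down")):
        if ini_key in interface:
            server[yaml_key] = interface[ini_key]
    warnings += [f"[Interface] {k} has no equivalent in this mapping" for k in interface if k not in known]
    out_peers = []
    for idx, peer in enumerate(peers, 1):
        allowed = _csv(peer.get("allowedips", ""))
        # Heuristic: a single-host entry in AllowedIPs is the peer's own tunnel address.
        own = [a for a in allowed if ipaddress.ip_network(a, strict=False).num_addresses == 1]
        if not own:
            warnings.append(f"peer{idx}: no single-host entry in AllowedIPs, set 'addresses' by hand")
        entry = {"name": f"peer{idx}", "addresses": own, "public_key": peer["publickey"],
                 "allowed_ips": allowed, "client_allowed_ips": []}
        if "persistentkeepalive" in peer:
            entry["persistent_keep_alive"] = int(peer["persistentkeepalive"])
        if "endpoint" in peer:
            entry["endpoint"] = peer["endpoint"]
        out_peers.append(entry)
    return {"server": server, "peers": out_peers}, warnings


def _scalar(value):
    """Render a scalar; quote strings YAML could misparse (e.g. 'host:port')."""
    if not isinstance(value, str):
        return str(value)
    if value == "" or value[0] in "<-?*&!|>%@`'\"[]{}" or any(c in value for c in ":#,"):
        return "'" + value.replace("'", "''") + "'"
    return value


def to_yaml(obj, indent=0):
    """Minimal YAML emitter for the dict/list/scalar shapes used above."""
    pad, lines = " " * indent, []
    if isinstance(obj, dict):
        for key, value in obj.items():
            if isinstance(value, (dict, list)) and not value:
                lines.append(f"{pad}{key}: {'{}' if isinstance(value, dict) else '[]'}")
            elif isinstance(value, (dict, list)):
                lines.append(f"{pad}{key}:")
                lines.extend(to_yaml(value, indent + 2))
            else:
                lines.append(f"{pad}{key}: {_scalar(value)}")
    else:
        for item in obj:
            if isinstance(item, dict):
                sub = to_yaml(item, indent + 2)
                lines.append(f"{pad}- {sub[0].lstrip()}")
                lines.extend(sub[1:])
            else:
                lines.append(f"{pad}- {_scalar(item)}")
    return lines


if __name__ == "__main__":
    iface, peer_list = parse_wg_quick(WG_QUICK_SAMPLE)
    config, notes = to_addon_config(iface, peer_list, host="gce-ip-address")
    print("\n".join(to_yaml(config)))
    for note in notes:
        print("# WARNING:", note)
```

For the sample input the converter emits one peer with `allowed_ips: ['0.0.0.0/0']` and the quoted `endpoint: 'gce-ip-address:1194'`, and warns that the peer's `addresses` must be filled in by hand because a `0.0.0.0/0` entry does not identify the peer's tunnel address. Treat the output as a starting point to review, not as a finished configuration.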

Hi, First of all, thanks for this wonderful work. I am using it with Synology (918+) Docker.

When I try to connect, it connects but I can not go to the internet or access local network. I am getting this warning message.


IP forwarding is disabled on the host system! You can still use WireGuard to access Hass.io,
however, you cannot access your home network or the internet via the VPN tunnel. Please consult the add-on documentation on how to resolve this.


I was searching all around to find a solution. Unfortunately, I didn’t find a workaround. For your information, my network adapter is not eth0 but Bond1. I don’t know if my issue is linked to this.

Thanks for your help.

Hey Guys, I'm just curious if I could combine WireGuard with VPN on Demand? This would be awesome for location updates etc. And I wouldn't be forced to be connected 24/7 if I'm on cellular. :slight_smile: In addition you could maybe turn the VPN on if you're on public wifi. (EDIT: Ok, what you can do for the wifi is use the On Demand feature in the app and put your wifi on "Except these SSIDs"; still curious about domain/app specific activation)

Another awesome add-on! Dead simple to set up and working great.

One question: is there anything that can be done to make the add-on logs less spammy? I set the log_level all the way to fatal and there is still logging quite frequently, it seems, even if no clients are connected.

In case anyone else does not want to see the status updates in the add-on log every 30 seconds, here’s a quick and dirty way to get rid of them. Add the following to the server section of the configuration:

pre_up: s6-svc -wD -d -T2500 "/var/run/s6/services/status"

In my testing, it hasn’t appeared to affect the performance of the add-on at all.

Hi guys!
I’m using Wireguard addon combined with AdGuard and everything works fine for basic use.

I would like to allow this addon to ping an IP in the lan of a client, is that possible?

What I really want to do is to let my hassio handle any device in my client network, where there is a second hassio as a backup; unfortunately this second hassio is behind a 4G network without a public IP.

If this kind of connection is possible I will share the configurations and what I have tried to do. :slight_smile:

These are my networks:

server network (main)
hassio on docker with wireguard addon and adguard on the same machine (Synology NAS) -> 192.168.8.39
router 192.168.8.1 (192.168.7.2)
internet provider modem 192.168.7.1

client network:
modem LTE 192.168.55.1
OpenWrt with wireguard 192.168.5.1 (192.168.55.2)
hassio on raspberry 192.168.5.2

thank you so much
Cheers!

Can I use WireGuard to encrypt Internet traffic without port opening?

I do not want to have remote access to LAN. I just need traffic encryption while staying at home.

Hi all,
I set up WireGuard on a VPS and I installed the WireGuard add-on. All works and a connection is established between the VPS and the HA WireGuard IP.

ubuntu@ip:/$ sudo wg show
interface: wg0
  public key: hidden
  private key: (hidden)
  listening port: port

peer: hidden
  endpoint: hidden
  allowed ips: 10.9.0.2/32
  latest handshake: 1 minute, 58 seconds ago
  transfer: 11.32 KiB received, 4.91 KiB sent
ubuntu@ip:/$ ping 10.9.0.2
PING 10.9.0.2 (10.9.0.2) 56(84) bytes of data.
64 bytes from 10.9.0.2: icmp_seq=4 ttl=64 time=28.5 ms
64 bytes from 10.9.0.2: icmp_seq=5 ttl=64 time=56.6 ms
64 bytes from 10.9.0.2: icmp_seq=6 ttl=64 time=27.3 ms

but if I try to access HA I receive connection refused

ubuntu@ip:/$ curl http://10.9.0.2:8123
curl: (7) Failed to connect to 10.9.0.2 port 8123: Connection refused

This is my addon config:

server:
  host: hassio.local
  addresses:
    - 10.9.0.2
  dns:
    - 8.8.8.8
    - 8.8.4.4
peers:
  - name: vps
    addresses:
      - 10.9.0.1
    allowed_ips: []
    client_allowed_ips: []
    public_key: pubkey
    persistent_keep_alive: 25
    endpoint: 'vps_pub_ip:port'

My goal is to use vps as nginx proxy to expose my ha behind nat

Thanks


I solved it myself: I allowed my HA private IP and now it works.

Okay, I was struggling a lot to get this to work. I could access my local devices, but had no Internet connection.

This config is now working for me:
I’m running hass.io on a windows server with VirtualBox (network bridged mode)
My Router is an Apple Airport Extreme (don’t think it matters).
But what actually made this work was when I configured the DNS to use my default gateway ip.

server:
  host: my.external.hostname
  addresses:
    - 10.10.10.1
  dns:
    - 192.168.1.1
peers:
  - name: mypc
    addresses:
      - 10.10.10.2
    allowed_ips: []
    client_allowed_ips:
      - 192.168.1.0/24

Recently I changed my home router and ISP provider.
I configured the redirected port again, but after some days my Windows client isn't working while my Android client is. Any ideas what to check?
“Handshake did not complete after 5 seconds”

Hello everybody.
I'm new to the Home Assistant forum and I don't know how to use it very well. Let's see if I can do it.
I have installed hassio on an RPi 4 and proxied my Cloudflare domain through Nginx Proxy Manager, which is on another RPi 4. I installed WireGuard and AdGuard in Home Assistant and configured them this way:


log_level: info
server:
  host: ha.example.com  # cloudflare domain
  addresses:
    - 10.10.10.1
  dns:
    - 172.30.32.1  # AdGuard
peers:
- name: my iPhone
  addresses:
    - 10.10.10.2
  allowed_ips: []
  client_allowed_ips: []

The configuration works well because I can access my LAN when I type, for example, the local IP of Nginx Proxy Manager. I can search the web too, but if I am on 4G my IP is not my home IP; instead it is the ISP IP. Can someone tell me if that's correct? I would like to configure the VPN to use my home IP when I'm outside, like a commercial VPN.

Thank you

I have solved the problem. My Cloudflare domain was proxied and it couldn't find my home IP. Now it works perfectly.