Home Assistant Community Add-on: WireGuard

Setting the route won’t be enough. You’ll also have to tell Home Assistant to route traffic through the WireGuard device by setting up some iptables rules. Also, you’ll have to disable NAT for WireGuard.

Hi,

I’m using WireGuard combined with AdGuard as documented (172.30.32.1 as DNS IP). I have the following WireGuard Config.

I want to filter some content on Kids_Phone and not on Dads_Phone. I can’t see the difference between these two devices in AdGuard because they both show up as a0d7b954-wireguard.local.hass.io (172.30.33.8) in the AdGuard Query Logs.

server:
  host: example.host.com
  addresses:
    - 172.27.66.1/32
  dns:
    - 172.30.32.1
peers:
  - name: Dads_Phone
    addresses:
      - 172.27.66.2/32
    allowed_ips:
      - 172.27.66.2/32
    client_allowed_ips:
      - 172.30.32.1/32
  - name: Kids_Phone
    addresses:
      - 172.27.66.3/32
    allowed_ips:
      - 172.27.66.3/32
    client_allowed_ips:
      - 172.30.32.1/32

Cheers, Niels


Hi,
I’m using wireguard addon as VPN to access some local devices.
If the VPN client is my phone (Android) I can access devices on the local network, and the internet goes through my phone network instead of the VPN. That’s exactly what I want.

But if the VPN client is the wireguard windows client, I can access the local devices, but I have no internet at all.
Anyone experienced this?

Does anyone know if it is possible to use this add-on to connect using the HA side as a client and connect to an external server? I am behind CG-NAT but have a VPS server that I could connect to on GCE (Google Cloud Engine). There I have a public IP and I would like to forward any request going to the GCE to the HA LAN IP. Does anyone have any idea how to do this? How do I convert the config file to the format used in the plugin?

HA Side:

[Interface]
PrivateKey = <myprivkey>
Address = 10.66.66.2/24
DNS = 8.8.8.8

[Peer]
PublicKey = <mypubkey>
Endpoint = gce-ip-address:1194
AllowedIPs = 0.0.0.0/0

GCE-side (running standard Debian manual config):

[Interface]
Address = 10.66.66.1/24
ListenPort = 1194
PrivateKey = <myprivkey>

PostUp = iptables -t nat -A PREROUTING -p tcp -i ens4 '!' --dport 22 -j DNAT --to-destination 10.66.66.2; iptables -t nat -A POSTROUTING -o ens4 -j SNAT --to-source 10.164.0.2
PostDown = iptables -t nat -D PREROUTING -p tcp -i ens4 '!' --dport 22 -j DNAT --to-destination 10.66.66.2; iptables -t nat -D POSTROUTING -o ens4 -j SNAT --to-source 10.164.0.2

[Peer]
PublicKey = <mypubkey>
AllowedIPs = 10.66.66.2/32, 172.17.0.0/16, 192.168.1.0/24

I have tried the above with a docker container but it does not work properly… I still have issues traversing from the GCE to the HA host LAN. I can ping 172.17.x.x but not 192.168.1.x. Could this plugin be used to simplify this?

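The post above asks how to turn a wg-quick style file into the format this add-on uses. The converter below is added example code, not part of the add-on or of this thread: it parses an `[Interface]`/`[Peer]` file and builds the `server`/`peers` structure shown in the configs in this thread. It assumes the add-on accepts `private_key` under `server` and `public_key` per peer, and it takes each peer's tunnel address as an argument, because a client-side wg-quick file does not carry the remote side's address.

```python
# Added example (not the add-on's code): wg-quick [Interface]/[Peer] -> add-on server/peers dict.
# Assumed: `private_key` under server and `public_key` per peer are accepted; peer tunnel addresses are caller-supplied.
WG_QUICK_CONF = """\
[Interface]
PrivateKey = <myprivkey>
Address = 10.66.66.2/24
DNS = 8.8.8.8

[Peer]
PublicKey = <mypubkey>
Endpoint = gce-ip-address:1194
AllowedIPs = 0.0.0.0/0
PersistentKeepalive = 25
"""  # constructed sample modelled on the "HA Side" config posted above

def parse_wg_quick(text):
    """Return (interface, [peer, ...]) dicts with lower-cased keys."""
    sections = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if line.startswith("[") and line.endswith("]"):
            sections.append((line[1:-1].lower(), {}))
        elif "=" in line and sections:
            key, value = (s.strip() for s in line.split("=", 1))
            sections[-1][1][key.lower()] = value
        elif line:
            raise ValueError(f"unexpected line: {raw!r}")
    ifaces = [d for n, d in sections if n == "interface"]
    if len(ifaces) != 1:
        raise ValueError("expected exactly one [Interface] section")
    return ifaces[0], [d for n, d in sections if n == "peer"]
def _csv(value):
    return [v.strip() for v in value.split(",") if v.strip()]

def to_addon_config(text, host, peer_addresses):
    # [Peer] AllowedIPs -> allowed_ips (what this side accepts from that peer);
    # client_allowed_ips only feeds add-on-generated client configs, so it stays [].
    iface, peers = parse_wg_quick(text)
    cfg = {"server": {"host": host, "addresses": _csv(iface["address"]),
                      "dns": _csv(iface.get("dns", "")),
                      "private_key": iface["privatekey"]}, "peers": []}
    for i, (p, addr) in enumerate(zip(peers, peer_addresses), 1):
        peer = {"name": f"peer{i}", "addresses": [addr],
                "allowed_ips": _csv(p.get("allowedips", "")),
                "client_allowed_ips": [], "public_key": p["publickey"],
                "persistent_keep_alive": int(p.get("persistentkeepalive", 0))}
        if "endpoint" in p:
            peer["endpoint"] = p["endpoint"]
        cfg["peers"].append(peer)
    return cfg
```

Dump the returned dict with `yaml.safe_dump(cfg, sort_keys=False)` to get YAML you can paste into the add-on configuration; the peer address passed here (10.66.66.1/32) is the GCE side's tunnel address from the second config above.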

Hi, First of all, thanks for this wonderful work. I am using it with synology (918+) docker.

When I try to connect, it connects but I can not go to the internet or access local network. I am getting this warning message.


IP forwarding is disabled on the host system! You can still use WireGuard to access Hass.io,
however, you cannot access your home network or the internet via the VPN tunnel. Please consult the add-on documentation on how to resolve this.


I was searching all around to find a solution. Unfortunately, I didn’t find a workaround. For your information, my network adapter is not eth0 but Bond1. I don’t know if my issue is linked to this.

Thanks for your help.

Hey Guys, I’m just curious if I could combine WireGuard with VPN on Demand? This would be awesome for location updates etc. And I wouldn’t be forced to be connected 24/7 if I’m on cellular. In addition you could maybe turn the VPN on if you’re on public wifi. (EDIT: Ok, what you can do for the wifi is use the On Demand feature in the app and put your wifi on “Except these SSIDs”; still curious about domain/app specific activation)

Another awesome add-on! Dead simple to set up and working great.

One question: is there anything that can be done to make the add-on logs less spammy? I set the log_level all the way to fatal and there is still logging quite frequently, it seems, even if no clients are connected.

In case anyone else does not want to see the status updates in the add-on log every 30 seconds, here’s a quick and dirty way to get rid of them. Add the following to the server section of the configuration:

pre_up: s6-svc -wD -d -T2500 "/var/run/s6/services/status"

In my testing, it hasn’t appeared to affect the performance of the add-on at all.

Hi guys!
I’m using Wireguard addon combined with AdGuard and everything works fine for basic use.

I would like to allow this addon to ping an IP in the lan of a client, is that possible?

What I really want to do is let my hassio handle any device in my client network, where there is a second hassio as a backup. Unfortunately this second hassio is behind a 4G network without a public IP.

If this kind of connection is possible I will share the configurations and what I have tried to do.

These are my networks:

server network (main)
hassio on docker with wireguard addon and adguard on the same machine (Synology NAS) -> 192.168.8.39
router 192.168.8.1 (192.168.7.2)
internet provider modem 192.168.7.1

client network:
modem LTE 192.168.55.1
OpenWrt with wireguard 192.168.5.1 (192.168.55.2)
hassio on raspberry 192.168.5.2

thank you so much
Cheers!

Can I use WireGuard to encrypt Internet traffic without port opening?

I do not want to have remote access to LAN. I just need traffic encryption while staying at home.

Hi all,
I set up WireGuard on a VPS and I installed the WireGuard add-on. All works and the connection is established between the VPS and the HA WireGuard IP.

ubuntu@ip:/$ sudo wg show
interface: wg0
  public key: hidden
  private key: (hidden)
  listening port: port

peer: hidden
  endpoint: hidden
  allowed ips: 10.9.0.2/32
  latest handshake: 1 minute, 58 seconds ago
  transfer: 11.32 KiB received, 4.91 KiB sent
ubuntu@ip:/$ ping 10.9.0.2
PING 10.9.0.2 (10.9.0.2) 56(84) bytes of data.
64 bytes from 10.9.0.2: icmp_seq=4 ttl=64 time=28.5 ms
64 bytes from 10.9.0.2: icmp_seq=5 ttl=64 time=56.6 ms
64 bytes from 10.9.0.2: icmp_seq=6 ttl=64 time=27.3 ms

but if I try to access HA I receive connection refused

ubuntu@ip:/$ curl http://10.9.0.2:8123
curl: (7) Failed to connect to 10.9.0.2 port 8123: Connection refused

This is my addon config:

server:
  host: hassio.local
  addresses:
    - 10.9.0.2
  dns:
    - 8.8.8.8
    - 8.8.4.4
peers:
  - name: vps
    addresses:
      - 10.9.0.1
    allowed_ips: []
    client_allowed_ips: []
    public_key: pubkey
    persistent_keep_alive: 25
    endpoint: 'vps_pub_ip:port'

My goal is to use the VPS as an nginx proxy to expose my HA behind NAT.

Thanks


I solved it myself: I allowed my HA private IP and now it works.

Okay, I was struggling a lot to get this to work. I could access my local devices, but had no Internet connection.

This config is now working for me:
I’m running hass.io on a windows server with VirtualBox (network bridged mode)
My Router is an Apple Airport Extreme (don’t think it matters).
But what actually made this work was when I configured the DNS to use my default gateway ip.

server:
  host: my.external.hostname
  addresses:
    - 10.10.10.1
  dns:
    - 192.168.1.1
peers:
  - name: mypc
    addresses:
      - 10.10.10.2
    allowed_ips: []
    client_allowed_ips:
      - 192.168.1.0/24

Recently I changed my home router and ISP provider.
I configured again the redirected port but after some days my Windows client is not working but my Android client does. Any ideas what to check?
“Handshake did not complete after 5 seconds”

Hello everybody.
I’m new to the Home Assistant forum and I don’t know how to use it very well. Let’s see if I can do it.
I have installed hassio on an RPi 4 and proxied my Cloudflare domain through Nginx Proxy Manager, which is on another RPi 4. I installed WireGuard and AdGuard in Home Assistant and configured them this way:


log_level: info
server:
  host: ha.example.com  # cloudflare domain
  addresses:
    - 10.10.10.1
  dns:
    - 172.30.32.1  # AdGuard
peers:
- name: my iPhone
  addresses:
    - 10.10.10.2
  allowed_ips: []
  client_allowed_ips: []

The configuration works well because I can access my LAN when I type, for example, the local IP of Nginx Proxy Manager. I can search the web too, but if I am on 4G my IP is not my home IP; instead it is the ISP IP. Can someone tell me if that’s correct? I would like to configure the VPN to use my home IP when I’m outside, like a commercial VPN.

Thank you

I have solved the problem. My Cloudflare domain was proxied and it couldn’t find my home IP. Now it works perfectly.

[s6-init] making user provided files available at /var/run/s6/etc...exited 0.
[s6-init] ensuring user provided files have correct perms...exited 0.
[fix-attrs.d] applying ownership & permissions fixes...
[fix-attrs.d] done.
[cont-init.d] executing container initialization scripts...
[cont-init.d] 00-banner.sh: executing... 
-----------------------------------------------------------
 Add-on: WireGuard
 Fast, modern, secure VPN tunnel
-----------------------------------------------------------
 Add-on version: 0.3.2
 You are running the latest version of this add-on.
 System: null  (armv7 / raspberrypi3)
 Home Assistant Core: 0.114.4
 Home Assistant Supervisor: 245
-----------------------------------------------------------
 Please, share the above information when looking for help
 or support in, e.g., GitHub, forums or the Discord chat.
-----------------------------------------------------------
[cont-init.d] 00-banner.sh: exited 0.
[cont-init.d] 01-log-level.sh: executing... 
[cont-init.d] 01-log-level.sh: exited 0.
[cont-init.d] config.sh: executing... 
[cont-init.d] config.sh: exited 0.
[cont-init.d] done.
[services.d] starting services
[services.d] done.
[00:18:25] INFO: Starting WireGuard...
[#] ip link add wg0 type wireguard
RTNETLINK answers: Not supported
[!] Missing WireGuard kernel module. Falling back to slow userspace implementation.
[#] wireguard-go wg0
WARNING WARNING WARNING WARNING WARNING WARNING WARNING
W                                                     G
W   You are running this software on a Linux kernel,  G
W   which is probably unnecessary and misguided. This G
W   is because the Linux kernel has built-in first    G
W   class support for WireGuard, and this support is  G
W   much more refined than this slower userspace      G
W   implementation. For more information on           G
W   installing the kernel module, please visit:       G
W           https://www.wireguard.com/install         G
W                                                     G
WARNING WARNING WARNING WARNING WARNING WARNING WARNING
INFO: (wg0) 2020/10/03 00:18:25 Starting wireguard-go version 0.0.20200320
ERROR: (wg0) 2020/10/03 00:18:25 Failed to create TUN device: no such file or directory
Unable to access interface: Protocol not supported
[#] ip link delete dev wg0
Cannot find device "wg0"
[00:18:55] INFO: Requesting current status from WireGuard...
[00:19:25] INFO: Requesting current status from WireGuard...

I’m having issues getting WireGuard to work; it used to work just fine and then it stopped. I’ve tried reinstalling the add-on but am still having trouble. What am I doing wrong?

This is my configuration:

server:
  host: #####.duckdns.org
  addresses:
    - 172.27.66.1
  dns:
    - 172.30.32.1
peers:
  - name: iphone
    addresses:
      - 172.27.66.2
    allowed_ips: []
    client_allowed_ips: []

I’m using exactly your config for the sensors. Until 0.116 it worked fine. Yesterday I upgraded to 0.117 and I am getting errors. I guess there is something wrong with the REST sensor.

Error fetching data: http://a0d7b954-wireguard failed with [Errno 111] Connect call failed (‘172.30.33.4’, 80)

Hi Friends!
I’m experiencing some troubles with this configuration. My WireGuard sensors seem to be in a flip-flop state permanently.

Can someone share the full config? I’m a newbie and need some help!

Thank you all!

(screenshot attached, 2020-11-15 1.31.08)

I tried to setup the same sensor and am having exactly the same issue. I would be interested if anyone has it working okay in the latest version of HA and if so can share any further details in their config.


Hello @JoaoM
Can you send me your configuration file please?
I want access to my local network, and then the internet goes through my phone network instead of the VPN.