Home Assistant Community Add-on: WireGuard

Hello @JoaoM
Can you send me your configuration file, please?
I want access to my local network and then have the internet go through my phone's network instead of the VPN.

I wonder, why some tutorials about Wireguard are presented alongside Traefik or HAProxy?

What is the reason to use them at home?

For example, access to Docker containers on a homelab: Internet>Proxy>HomeAssistantContainer
instead of Internet>HomeAssistant

Another example: Internet>Proxy>DockerContaineroftheService

Somewhere between HassOS 4.14 and 4.16, my wireguard setup stopped working. When I updated to version 4.17, it started working again. See HassOS 4.17 changes.

Guys, any idea how to transform the following WireGuard config to the Add-on config? I really struggle with the different terminology and syntax.

I need HASS to connect as client, not to host a server.

[Interface]
PrivateKey = XXXXXXXXXX # Private key of THIS client
Address = 10.10.20.3/24 # Local IP the client will get
DNS = 10.10.20.1

[Peer]
PublicKey = XXXXXXXXXXXXX # Public key of the remote WireGuard server
AllowedIPs = 0.0.0.0/0
Endpoint = XX.XX.XX.XX:YYYY # Public IP of the remote WireGuard server

Thanks!

2 Likes
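As an added example (not code from the original post or from the add-on project), here is a small Python converter that turns a single-peer wg-quick client file like the one above into the add-on's configuration structure used in later replies in this thread. A wg-quick client file does not contain the remote peer's tunnel address, so it is passed in; the `server.private_key` key and mapping `[Peer] AllowedIPs` onto the add-on's `allowed_ips` are assumptions.

```python
import configparser

# Constructed sample: the wg-quick client file from the question above, with the
# posted placeholder keys; one '//' and one '#' comment exercise the stripping.
WG_QUICK_CONF = """
[Interface]
PrivateKey = XXXXXXXXXX // Private key of THIS client
Address = 10.10.20.3/24 # Local IP the client will get
DNS = 10.10.20.1
[Peer]
PublicKey = XXXXXXXXXXXXX
AllowedIPs = 0.0.0.0/0
Endpoint = XX.XX.XX.XX:YYYY
"""

def parse_wg_quick(text):
    """Parse a client file with one [Peer]; strip '#'/'//' comments, keep key case."""
    cleaned = [ln.split("#", 1)[0].split("//", 1)[0].rstrip() for ln in text.splitlines()]
    cp = configparser.ConfigParser()
    cp.optionxform = str  # keep wg-quick's CamelCase option names
    cp.read_string("\n".join(cleaned))
    return cp

def _csv(value):
    return [v.strip() for v in value.split(",") if v.strip()]

def to_addon_config(text, peer_name, remote_tunnel_ip, host="hassio.local"):
    """Map [Interface] to the add-on 'server' block and [Peer] to one 'peers' entry."""
    cp = parse_wg_quick(text)
    iface, peer = cp["Interface"], cp["Peer"]
    return {
        "server": {
            "host": host,
            "addresses": [a.split("/")[0] for a in _csv(iface["Address"])],
            "dns": _csv(iface.get("DNS", "")),
            "private_key": iface["PrivateKey"],  # assumption: add-on option not shown in thread
        },
        "peers": [{
            "name": peer_name,
            "addresses": [remote_tunnel_ip],  # not in a wg-quick client file, passed in
            "public_key": peer["PublicKey"],
            "endpoint": peer["Endpoint"],
            "allowed_ips": _csv(peer.get("AllowedIPs", "")),  # assumption: AllowedIPs maps here
            "client_allowed_ips": [],
            "persistent_keep_alive": 25,
        }],
    }
```

Dump the returned dict with a YAML library of your choice and paste it into the add-on's configuration tab.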

Same issue here … are you also using DNSMasq?

WireGuard Configuration is below

server:
  host: xxxyyy.duckdns.org
  addresses:
    - 10.10.10.1
  dns: []
peers:
  - name: myiphone6s
    addresses:
      - 10.10.10.2
    allowed_ips: []
    client_allowed_ips: []
log_level: debug

From the LOG I see that the tunnel is established, but there is no data transfer and no handshake.
I stopped DNSMasq as well, but without success …
Does anyone have any ideas how to fix this issue?

Dear community,

first of all, thank you for your great support! I read the whole thread, and multiple people addressed the following topic, but no answer was provided yet.

I’m running the supervised version of Home Assistant and managed to connect a peer with the below config to my home network (192.168.179.0/24). I’m able to ping devices in the home network from the peer but additionally I need to access the peer from the home network.

Could you please help me enhance my configuration so that I can ping the peer from my home network? I already added the IP route 192.168.169.0/24 to my Home Assistant server (192.168.179.10) in the router (192.168.179.1). I tried to add an iptables entry on the host of the Home Assistant server but did not succeed.

server:
  host: <myserver>.duckdns.org
  addresses:
    - 192.168.169.1
  dns:
    - 192.168.179.10
peers:
  - name: Full
    addresses:
      - 192.168.169.2
    allowed_ips: []
    client_allowed_ips:
      - 0.0.0.0/0

Todd, did you get your Wireguard install working?
I am attempting to install & configure and I get exactly the same log entries as you.
Thanks

Apologies in advance if I missed it in the 187 previous messages - can someone help me understand the server.addresses configuration? The add-on documentation specifies the following:

It is strongly advised to create/use a separate IP address space from your home network, e.g., if your home network uses 192.168.1.x then DO NOT use that for the add-on.

What is the intention behind using a different address space: is this for security reasons, or solely to avoid collisions with local DHCP, or something else that I might be missing?

If my network is 10.0.1.x, can I set server.addresses to 10.1.1.1 and expect no further issues?
This setting works fine, by the way, but I'm trying to wrap my head around this specific point to make sure I'm not missing anything, so any help is appreciated - thanks!

I am running the latest of the supervisor and HA. I am also getting the errno 111, and my sensors are flip-flopping as well. This seemed to start a few versions of HA ago, but I ignored it because WireGuard continued to work. But it is really annoying. I use the status to notify users that they are not on the VPN when not at home.

Is this a docker config issue? The error is generated by not being able to connect to the container IP on port 80… If I look at the container for wireguard, it has this port configuration 0.0.0.0:51820 51820/udp, does that mean that port 80 is not getting into the container?

I may be way off, just asking.

Matt

Hi All,

I installed WireGuard on my HA (Docker) on Debian 10 64-bit. I read that I need to install WireGuard on Debian to let this add-on work. The install is done, and I rebooted the RPi to load everything correctly.

root@hassio:/home/poudenes# apt install wireguard
Reading package lists... Done
Building dependency tree
Reading state information... Done
wireguard is already the newest version (1.0.20200827-1).
The following package was automatically installed and is no longer required:
  lxplug-volume
Use 'sudo apt autoremove' to remove it.
0 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.

When I start my Add-On I get this error:

[10:22:02] INFO: Starting WireGuard...
[#] ip link add wg0 type wireguard
RTNETLINK answers: Not supported
[!] Missing WireGuard kernel module. Falling back to slow userspace implementation.
[#] wireguard-go wg0
WARNING WARNING WARNING WARNING WARNING WARNING WARNING
W                                                     G
W   You are running this software on a Linux kernel,  G
W   which is probably unnecessary and misguided. This G
W   is because the Linux kernel has built-in first    G
W   class support for WireGuard, and this support is  G
INFO: (wg0) 2020/12/07 12:22:02 Starting wireguard-go version 0.0.20200320
ERROR: (wg0) 2020/12/07 12:22:02 Failed to create TUN device: no such file or directory
W   much more refined than this slower userspace      G
W   implementation. For more information on           G
W   installing the kernel module, please visit:       G
W           https://www.wireguard.com/install         G
W                                                     G
WARNING WARNING WARNING WARNING WARNING WARNING WARNING
Unable to access interface: Protocol not supported
[#] ip link delete dev wg0
Cannot find device "wg0"

I'm stuck now (I also have little knowledge of WireGuard).
Can someone help me with this?

EDIT:
I did install this:

sudo apt-get install raspberrypi-kernel-headers

and now it's working

Hello @twproject,

I am also trying to do the same as you have described in your post from 1.8.20.
I also get a connection refused when I execute the curl command.
How did you solve it?

Thanks, einzelband.

Would there be a significant benefit in using SSL in addition to WireGuard? Or would this be redundant, since the VPN is already encrypting the traffic?
I'm currently using the WireGuard add-on, with the duckdns integration set up in configuration.yaml, but no SSL. I had initially tried using the duckdns add-on and had it working, but I was getting SSL errors in the HA companion app on Android. I believe I understand why I was getting the errors but wasn't able to find a workaround. So I thought, why bother with SSL if WireGuard is already doing encryption? Sure, the traffic is moving over HTTP rather than HTTPS, but it's still encrypted… or is there a big risk in my setup that I'm not understanding?
Thanks,
Jeff

I added the HA private IP to the allowed hosts; below is an example.

server:
  host: hassio.local
  addresses:
    - 10.9.0.2
  dns:
    - 8.8.8.8
    - 8.8.4.4
peers:
  - name: aws
    addresses:
      - 10.9.0.1
    allowed_ips: []
    client_allowed_ips:
      - 192.168.1.1/32  # This is the private IP of HA
    public_key: 
    persistent_keep_alive: 25
    endpoint: 'aws_public_ip:45329'

Thanks @twproject for the response. That you could solve it for yourself makes me optimistic that I can make it work as well :)
I have tried like described but it does not fix it for me.

server:
  host: <host>
  addresses:
    - 10.66.66.2
  dns:
    - 94.140.14.14
    - 94.140.15.15
peers:
  - name: cloudserver
    addresses:
      - 10.66.66.1
    public_key: <key>
    preshared_key: <key>
    endpoint: '<ip>:<port>'
    allowed_ips: []
    client_allowed_ips:
      - 192.168.178.100/32
log_level: debug

Like in your first post, I can ping Home Assistant from the server:

PING 10.66.66.2 (10.66.66.2) 56(84) bytes of data.
64 bytes from 10.66.66.2: icmp_seq=1 ttl=64 time=57.7 ms

When I am using curl I still get:

curl http://10.66.66.2:8123
curl: (7) Failed to connect to 10.66.66.2 port 8123: Connection refused

When I do it without the port information, I get a response which looks like the status of the connection:

{"cloudserver":{"endpoint":"ip:port","latest_handshake":1609839858,"transfer_rx":2292,"transfer_tx":2812}}

Do you have any idea what can be the reason? Did you do something else? Maybe some router settings etc?

Thanks einzelband

P.S. I did also see no changes in the log output:

[10:00:58] INFO: Starting WireGuard...
[#] ip link add wg0 type wireguard
[#] wg setconf wg0 /dev/fd/63
[#] ip -4 address add 10.66.66.2/24 dev wg0
[#] ip link set mtu 1420 up dev wg0
[#] resolvconf -a wg0 -m 0 -x
[#] iptables -A FORWARD -i wg0 -j ACCEPT; iptables -A FORWARD -o wg0 -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
[10:01:28] INFO: Requesting current status from WireGuard...

I had expected that I might see the allowed IPs, for example, in the iptables output. Do you have something different here?

2 things:

  1. You also need to add a route on your WireGuard “server”, as in the example below:
[Interface]
Address = 10.9.0.1/24
SaveConfig = true
PostUp = iptables -A FORWARD -i wg0 -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE; ip6tables -A FORWARD -i wg0 -j ACCEPT; ip6tables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
PostDown = iptables -D FORWARD -i wg0 -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE; ip6tables -D FORWARD -i wg0 -j ACCEPT; ip6tables -t nat -D POSTROUTING -o eth0 -j MASQUERADE
ListenPort = 45329
PrivateKey = 

[Peer]
PublicKey = 
AllowedIPs = 10.9.0.2/32, 192.168.1.1/32 # Your HA private IP
Endpoint = aws public ip
  2. You need to ping and access your private IP 192.168.178.100, so the 10.66 network will only be a transport network.

Makes sense @twproject, thanks.
I am one step closer again :) but not at the solution.
Now I am able to ping the HA RPi with my 192… IP. But when I execute curl, it does not refuse the connection anymore, but nothing happens. It is as if it is waiting all the time for an answer.
Any other great ideas?

Edit1: It looks like I receive no data from port 8123. But I was able to connect to hassio via SSH from the server.

A tcpdump showed “TCP Previous segment not captured” when executing the curl command.
It looks like the automatic determination of the MTU size did not work correctly. I had to set it manually.
Maybe this helps others having similar problems.

Greetings einzelband.

P.S. @twproject, you did not have to adapt the mtu?
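The stalled curl with a working ping above is the classic symptom of a tunnel MTU that is too large for the path underneath it. As an added example (not code from this thread or the add-on), the Python below works out the largest safe wg0 MTU from the outer path MTU and the endpoint's IP version, and checks wg-quick's default of 1420 (the value the add-on log shows in `ip link set mtu 1420`) against constructed cases; 203.0.113.10 and 2001:db8::1 are documentation addresses used as stand-in endpoints.

```python
import ipaddress

# Per-packet overhead of a WireGuard transport message: 4 bytes type,
# 4 bytes receiver index, 8 bytes counter, 16 bytes Poly1305 tag.
WG_OVERHEAD = 32
UDP_HEADER = 8
IP_HEADER = {4: 20, 6: 40}  # outer IPv4 / IPv6 header

def wireguard_mtu(outer_mtu, endpoint):
    """Largest inner (wg0) MTU whose encrypted packets still fit in outer_mtu
    when the tunnel runs to the given IPv4/IPv6 endpoint address."""
    version = ipaddress.ip_address(endpoint).version
    return outer_mtu - IP_HEADER[version] - UDP_HEADER - WG_OVERHEAD

def check_mtu(configured_mtu, outer_mtu, endpoint):
    """Return (ok, safe_mtu); ok is False when full-size packets on the tunnel
    would exceed the outer path MTU and get fragmented or silently dropped."""
    safe = wireguard_mtu(outer_mtu, endpoint)
    return configured_mtu <= safe, safe

if __name__ == "__main__":
    # Constructed cases: plain Ethernet (1500) and a PPPoE uplink (1492),
    # each checked against wg-quick's 1500 - 80 = 1420 default.
    cases = ((1500, "203.0.113.10"), (1492, "203.0.113.10"), (1492, "2001:db8::1"))
    for outer, endpoint in cases:
        ok, safe = check_mtu(1420, outer, endpoint)
        verdict = "ok" if ok else "too large"
        print(f"outer={outer} endpoint={endpoint}: MTU 1420 is {verdict}, max {safe}")
```

If the check fails, set the wg0 MTU to the returned value or lower; an MTU that is too small only costs a little throughput, one that is too large breaks TCP sessions exactly as seen above.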

Mmm, if I remember well, I didn't change anything else, so the MTU is the standard. If you give me the parameter path, I can check and confirm.

Hey Guys,

I cannot get WireGuard to run anymore after updating to 2021.01. It did work before, Adguard is installed and runs without problems.

The only thing different that I can find is the ‘Cannot find device wg0’ error in the log:

[cont-init.d] 00-banner.sh: exited 0.
[cont-init.d] 01-log-level.sh: executing... 
[cont-init.d] 01-log-level.sh: exited 0.
[cont-init.d] config.sh: executing... 
[cont-init.d] config.sh: exited 0.
[cont-init.d] done.
[services.d] starting services
[services.d] done.
[20:10:16] INFO: Starting WireGuard...
[#] ip link add wg0 type wireguard
RTNETLINK answers: Not supported
[!] Missing WireGuard kernel module. Falling back to slow userspace implementation.
[#] wireguard-go wg0
WARNING WARNING WARNING WARNING WARNING WARNING WARNING
W                                                     G
W   You are running this software on a Linux kernel,  G
W   which is probably unnecessary and misguided. This G
W   is because the Linux kernel has built-in first    G
W   class support for WireGuard, and this support is  G
W   much more refined than this slower userspace      G
W   implementation. For more information on           G
W   installing the kernel module, please visit:       G
W           https://www.wireguard.com/install         G
W                                                     G
WARNING WARNING WARNING WARNING WARNING WARNING WARNING
INFO: (wg0) 2021/01/14 21:10:16 Starting wireguard-go version 0.0.20200320
ERROR: (wg0) 2021/01/14 21:10:16 Failed to create TUN device: no such file or directory
Unable to access interface: Protocol not supported
[#] ip link delete dev wg0
Cannot find device "wg0"

Am I missing something? Here’s my config:

server:
  host: 'hogeborg.duckdns.org:8123'
  addresses:
    - 172.27.66.1
  dns:
    - 172.30.32.1
peers:
  - name: galaxys10
    addresses:
      - 172.27.66.2
    allowed_ips: []
    client_allowed_ips: []
  - name: workpc
    addresses:
      - 172.27.66.3
    allowed_ips: []
    client_allowed_ips: []

EDIT: Somehow the Wireguard kernel package of Synology got removed. Manually installed the kernel using this repo: https://github.com/runfalk/synology-wireguard/releases .

All is working now!