Home Assistant Community Add-on: WireGuard

Which host?

mysite.duckdns.org

I mean, Ubuntu? Try resetting your Host-dns.

Thank you for a super add-on! Managed to install and configure it in a few minutes, but now I would have a question.

I would like to use the Wireguard HA addon (located in a remote location) as a bridge between my home network and the remote location’s network. I can currently create a VPN tunnel from my home laptop to the remote Wireguard and access all devices at the remote location’s network. But the tunnel is limited to my laptop. I would like to expose the remote devices to all my home network’s devices.

I have a HA installation also at my home network. Can I somehow install a Wireguard client on this HA instance and connect it to the remote HA Wireguard server? Or what would be the best way to expose for example the remote network’s cameras to my home network via the VPN?

Yesterday, I achieved one step on the way to exactly what you describe:

Prerequisites:

  • Have the DuckDNS addon configured on both the home and remote HA instances.
  • Have Port UDP 51820 forwarded to both your home and remote HA instance as mentioned in the WireGuard addon documentation.

Wireguard Config of home HA instance:

server:
  host: home.duckdns.org
  addresses:
    - 192.168.180.1
  dns: # use your own settings here
    - 192.168.178.1
peers:
  - name: remote
    endpoint: remote.duckdns.org
    public_key: # start the WG addon on the remote instance, the public key can be found in the log after 'interface: wg0'
    addresses:
      - 192.168.180.2
    allowed_ips: []
    client_allowed_ips: []

Wireguard Config of remote HA instance:

server:
  host: remote.duckdns.org
  addresses:
    - 192.168.170.1
  dns: # use your own settings here
    - 192.168.177.1
peers:
  - name: home
    endpoint: home.duckdns.org
    public_key: # start the WG addon at home, the public key can be found in the log after 'interface: wg0'
    addresses:
      - 192.168.170.2
    allowed_ips: []
    client_allowed_ips: []

You then need to configure a static IP route in your home network router, so that your home router knows that it can reach the remote subnet behind the home HA instance’s IP, and vice versa in the remote network router.

In theory, these should be the static IP route settings in your home and remote router for this example.

| Router to configure | Network | Subnet Mask | Gateway |
|---|---|---|---|
| Home Router (with IP 192.168.178.1) | 192.168.177.0 | 255.255.255.0 | 192.168.178.50 (your home HA IP) |
| Remote Router (with IP 192.168.177.1) | 192.168.178.0 | 255.255.255.0 | 192.168.177.34 (your remote HA IP) |

Edit: This is not sufficient as someone mentioned earlier.

Wow! This would be so nice if it works!

I’ve been playing with the REST API, but actually having access to the remote devices would make things so much easier. Not to mention the possibility to actually use remote cameras, as they do not work through the API.

Please let me know when you have tested the static routes. I’m definitely not an expert on networking and clear instructions like yours are of great help.

Is it possible to set up the WireGuard addon so that the only way to access Home Assistant externally is through WireGuard? I have WireGuard set up so that my cell phone automatically connects to it when leaving my home network, but I can still go to my duckdns URL off of WireGuard outside my network from a device that does not have WireGuard and get to my Home Assistant.

This might be a dumb question, but how do I use this to set up my Home Assistant instance to be a client to an existing Wireguard installation on another server on my network? I’d like for the HASS instance to be addressable by other wireguard VPN clients using the wireguard address space (vs setting up each client as “Remote access to LAN”).

Sounds like you’ve forwarded port 8123 on your router. Unforwarding the port will block external access.

Are there any disadvantages of using the add-on instead of direct install on docker? I’m guessing you can still access Wireguard directly using the port still?

I have Wireguard inside of supervisor. How can I see who was connected via Wireguard, and when?

I’ve set up Wireguard on Home Assistant, formerly known as Hassio, as follows:

server:
  host: home.example.com
  addresses:
    - 172.27.66.1
  dns: []
peers:
  - name: myphone
    addresses:
      - 172.27.66.2
    allowed_ips: []
    client_allowed_ips: []
  - name: chromebook
    addresses:
      - 172.27.66.3
    allowed_ips: []
    client_allowed_ips: []
  - name: windows10
    addresses:
      - 172.27.66.4
    allowed_ips: []
    client_allowed_ips: []
  - name: ipad
    addresses:
      - 172.27.66.5
    allowed_ips: []
    client_allowed_ips: []

On the iPad, Android Phone and Chromebook everything works as expected, internet access going via Wireguard, and access to the LAN via IP address - both Samba Shares and local web pages (e.g. the Web Interface of my Enigma2 STB).

But for some reason only the Internet bit kinda-works on Windows 10, no access to the LAN.

When I say “Kinda Works”, looks like sites which are served over IPv6 don’t work - e.g. theguardian.com, racefans.net - they just hang for ages.

In the Wireguard Client it shows (the “block untunnelled traffic kill switch option” makes no difference). Disabling IPv6 in the Wireless network card also makes no difference. The one thing I can do on the LAN is PING the LAN devices and I get a response back - no HTTP at all. Samba partially works sometimes - which is very weird - i.e. going to \\192.168.6.6\ for instance shows a list of shares and printers, but you can’t then access the shares.

[Interface]
PrivateKey = ###
Address = 172.27.66.4/24
DNS = 172.30.32.3

[Peer]
PublicKey = ####
AllowedIPs = 0.0.0.0/0
Endpoint = home.example.com:51820
PersistentKeepalive = 25

C:\Users\Kev>route print
===========================================================================
Interface List
 11...30 e1 71 7a de 36 ......Intel(R) Ethernet Connection I219-V
 40...........................Wintun Userspace Tunnel
 15...34 f3 9a 59 07 0f ......Microsoft Wi-Fi Direct Virtual Adapter
  8...36 f3 9a 59 07 0e ......Microsoft Wi-Fi Direct Virtual Adapter #2
  6...34 f3 9a 59 07 0e ......Intel(R) Dual Band Wireless-AC 8260
  1...........................Software Loopback Interface 1
===========================================================================

IPv4 Route Table
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0    192.168.84.72    192.168.84.47     50
          0.0.0.0        128.0.0.0         On-link       172.27.66.4      5
        127.0.0.0        255.0.0.0         On-link         127.0.0.1    331
        127.0.0.1  255.255.255.255         On-link         127.0.0.1    331
  127.255.255.255  255.255.255.255         On-link         127.0.0.1    331
  127.255.255.255  255.255.255.255         On-link       172.27.66.4    261
        128.0.0.0        128.0.0.0         On-link       172.27.66.4      5
      172.27.66.0    255.255.255.0         On-link       172.27.66.4    261
      172.27.66.4  255.255.255.255         On-link       172.27.66.4    261
    172.27.66.255  255.255.255.255         On-link       172.27.66.4    261
     192.168.84.0    255.255.255.0         On-link     192.168.84.47    306
    192.168.84.47  255.255.255.255         On-link     192.168.84.47    306
   192.168.84.255  255.255.255.255         On-link     192.168.84.47    306
        224.0.0.0        240.0.0.0         On-link         127.0.0.1    331
        224.0.0.0        240.0.0.0         On-link     192.168.84.47    306
  255.255.255.255  255.255.255.255         On-link         127.0.0.1    331
  255.255.255.255  255.255.255.255         On-link     192.168.84.47    306
===========================================================================
Persistent Routes:
  None

IPv6 Route Table
===========================================================================
Active Routes:
 If Metric Network Destination      Gateway
  6     66 ::/0                     fe80::84a7:97ff:fecb:b07f
  1    331 ::1/128                  On-link
  6     66 2a01:4c8:c29:830e::/64   On-link
  6    306 2a01:4c8:c29:830e:7418:4891:41d9:d7eb/128
                                    On-link
  6    306 2a01:4c8:c29:830e:e03b:195b:cd34:2ca0/128
                                    On-link
  6    306 fe80::/64                On-link
  6    306 fe80::e03b:195b:cd34:2ca0/128
                                    On-link
  1    331 ff00::/8                 On-link
  6    306 ff00::/8                 On-link
===========================================================================
Persistent Routes:
  None

Is there some magic configuration option on the Windows 10 client that I’m missing to get this working properly?
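Added example (not part of the post above, and not the add-on's own code): a check of which IP families a WireGuard client config's AllowedIPs route into the tunnel. In the route table above, IPv4 is covered by the two /1 routes on 172.27.66.4, while ::/0 still points at the Wi-Fi gateway. The function names are hypothetical and the sample is the posted client config with placeholder keys.

```python
import ipaddress

# Constructed sample: the client config from the post, keys replaced by placeholders.
SAMPLE_CONF = """\
[Interface]
PrivateKey = PLACEHOLDER
Address = 172.27.66.4/24
DNS = 172.30.32.3

[Peer]
PublicKey = PLACEHOLDER
AllowedIPs = 0.0.0.0/0
Endpoint = home.example.com:51820
PersistentKeepalive = 25
"""

def peer_allowed_ips(conf_text):
    """Collect AllowedIPs networks from every [Peer] section of a wg-quick style config."""
    nets, section = [], None
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and whitespace
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
            continue
        key, _, value = line.partition("=")
        if section == "peer" and key.strip().lower() == "allowedips":
            for item in value.split(","):
                if item.strip():
                    nets.append(ipaddress.ip_network(item.strip(), strict=False))
    return nets

def tunnel_coverage(nets):
    """Return {4: bool, 6: bool}; True when that family's whole address space is tunnelled."""
    result = {}
    for version, default in ((4, "0.0.0.0/0"), (6, "::/0")):
        family = [n for n in nets if n.version == version]
        merged = list(ipaddress.collapse_addresses(family))  # 0/1 + 128/1 -> 0/0
        result[version] = merged == [ipaddress.ip_network(default)]
    return result

def untunnelled_families(conf_text):
    """List the IP versions whose traffic can still leave outside the tunnel."""
    return [v for v, full in tunnel_coverage(peer_allowed_ips(conf_text)).items() if not full]

if __name__ == "__main__":
    print(untunnelled_families(SAMPLE_CONF))
```

A config whose AllowedIPs also lists ::/0 reports no untunnelled family; a split-tunnel config that lists only 172.27.66.0/24 reports both.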

Hi,

I have a problem with Wireguard. It worked before, but since last week it is not working. The tunnel is created, but there is no internet access and I cannot reach anything on the local network. I also have AdGuard and saw that it is listening on the local address of the host. I’ve changed that, but nothing changed. This is my config:

server:
  host: myhostname.duckdns.org
  addresses:
    - 172.27.66.1
  dns:
    - 192.168.0.10
peers:
  - name: honor20
    addresses:
      - 172.27.66.2
    allowed_ips: []
    client_allowed_ips: []
  - name: T450s
    addresses:
      - 172.27.66.3
    allowed_ips: []
    client_allowed_ips: []

Since it was working, did your public IP maybe change? Worth checking if it’s still the same in duckdns. Also check if your Wireguard port is still open.

Remember that it is not enough to just change the add-on configuration. You also need to either re-add the configuration to the client or modify the existing config on the client to reflect the new IP for AdGuard.

I’ve checked that the port is open and reinstalled Wireguard with default settings. Deleted the client configurations and added them again. Still it is not working…

I’ve not gotten mine working yet, but could it be the IP addresses? I see your DNS is at 192.168.0.10 but your client IPs are not within a similar subnet (such as 192.168.1.x).

Could that cause an issue? I can connect to mine, but then cannot get internet through it, and I’m thinking it’s because my IP is outside the subnet, so I’ll have another look on the weekend.

I’ve solved my issue. I have a supervised installation, and installing Wireguard on the host Debian solved the issue. It was written in the add-on documentation, but until that time it had worked with only the add-on installed.

@totti001 can you tell me what you did? I’m having the same problem. Thanks

That one: addon-wireguard/DOCS.md at 29e2a4ffcdbcfedfe52e3313c5625c10abed7efa (hassio-addons/addon-wireguard on GitHub)