Home Assistant Community Add-on: WireGuard

This seems to be what I need, but it seems to need a little bit of adjustment that I could not figure out myself. Probably w.r.t. the IP.

  • My setup is with Home Assistant Supervised.
  • I have adguard setup (which I believe should not be too relevant)
  • docker network inspect shows some containers such as hassio_supervisor use IP subnet 32 (172.30.32.2/23), while others such as addon_a0d7b954_wireguard, 33: 172.30.33.4/23.
  • My wireguard config:
host: silent-pangolin.duckdns.org
addresses:
  - 10.8.0.1
dns:
  - 192.168.77.254
pre_up: iptables -t nat -A POSTROUTING -j MASQUERADE -o enp2s0
pre_down: iptables -t nat -D POSTROUTING -j MASQUERADE -o enp2s0

peers (the machine I’m trying to access)

...
- name: durin
  addresses:
    - 10.8.0.4
  allowed_ips: []
  client_allowed_ips:
    - 192.168.77.0/24
    - 10.8.0.0/24
...

Please advise

What is the local IP address of your HA instance? The one you use to access port 8123 locally?

(it should be on a different address space - subnet - than your 192.168.4.0/24 you use for WG).

This is what you need to access your UI at.

Hello

Something that was also mentioned by @DaveThe but without any reply apparently: I suppose that there is no method to let Home Assistant initiate a connection to the remote network through the tunnel.

IMHO, wireguard runs in its docker instance without the possibility to configure the other containers. So those continue to route their outgoing connections as usual without passing through WG.

I did not see any method to add a route to the ha/core container.

I do not think that the WG instance can create another network interface (for wg) and that home assistant can connect on this interface.

So I suppose that the only solution is to add wireguard between HA’s public port and the rest of the network.

I am interested in feedback on this: possible or not, any success story and information on the approach.

When a peer has an “endpoint:” clause, it will initiate a connection to the remote network. Read on.

Check out this post in this topic. It creates a route in the core container, and it works - I have been using it extensively.

192.168.1.170 is the network where my NUC HA is installed but it’s not working either; its wireguard address is 192.168.4.2.

So can you try adding 192.168.1.0/24 (or 192.168.1.170/32) to allowed_ips on the clients, and then try to access 192.168.1.170:8132?

@doron it is not really a script. I just trigger a duckdns update of the external IP whenever I switch the ISP.

rest_command:
  duckdns_update:
    url: "https://duckdns.org/update//75f38d8-61c8-4c44-ab08-347972263e94"

Worked pretty OK, on duckdns end I always see the correct external IP.

Okay so moving on… When the ISPs change from 1 to 2, does the default gateway on your LAN change?

With the latest Adguard the installation uses the host network and not the internal docker-defined one. I changed my DNS server to my hassio server’s IP (because it runs as an add-on).

Tada!!! It worked, AdGuard filters working and internal DNS names resolving :boom:

Thank you for your answer, I was offline for 2 weeks, just did the test on my phone but 192.168.1.170:8123 is not working and I can’t ping the device while I can ping it on its 192.168.4.2 interface.

Any idea ?

Welcome back. I’m assuming you’re seeking to connect from your phone to the VPS and via it, to your HA. Is that correct?

At any rate, let’s start with the VPS. It seems like it will not have a route to 192.168.1.0/24. You may want to add that to the allowed_ips for the server peer on the VPS. Once you’ve done that, try to connect to your HA at port 8123, from the VPS. Does that work?

I’m using HA supervised. How do I make HA use IP forwarding??? Wireguard can’t tunnel into my HA and then out to the internet. Tailscale works fine though! It asks for what ‘exit node’ to use, and then your client (my phone) thinks it’s where my HA tailscale computer is. Useful for travel! But Wireguard only allows me to route to local devices on my HA computer. There is no option to route my phone, through HA, then out into the internet. “what’s my ip address” always shows traffic from my phone’s local location. Is there a secret option, or startup command, that does this? I can’t do sudo commands like the instructions want since it’s HA supervised. Argh.

I’m not overly familiar with HA Supervised, but basically you need to (a) make sure allowed_ips in the client (phone?) include the Internet (0.0.0.0/0), and (b) that the underlying OS allows IP forwarding. This second requirement consists of a few potential items, such as kernel ipv4 forwarding (sysctl…), net filtering (iptables FORWARD table), and sometimes even NAT configuration.
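The three requirements listed in that reply (kernel forwarding, a FORWARD chain that lets wg0 traffic through, and NAT on the upstream interface) can be checked from the output of `sysctl net.ipv4.ip_forward` and `iptables-save`. The audit below is an added example for this thread, not code from the add-on or from anyone in the discussion; the sample outputs are constructed, modelled on the iptables rules the add-on log prints when it brings wg0 up, and the interface names wg0 and eth0 are assumptions you would replace with your own (the first poster, for instance, masquerades on enp2s0).

```python
import re

# Constructed sample outputs (not captured from a real host), modelled on the
# rules the add-on log prints when it brings wg0 up:
#   iptables -A FORWARD -i wg0 -j ACCEPT; iptables -A FORWARD -o wg0 -j ACCEPT;
#   iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
SYSCTL_ON = "net.ipv4.ip_forward = 1\n"
SYSCTL_OFF = "net.ipv4.ip_forward = 0\n"

IPTABLES_COMPLETE = """\
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A FORWARD -i wg0 -j ACCEPT
-A FORWARD -o wg0 -j ACCEPT
COMMIT
*nat
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT
"""

# Same host but without the NAT rule: replies from the Internet would be
# addressed to the tunnel IP of the phone and never find their way back.
IPTABLES_NO_NAT = IPTABLES_COMPLETE.replace(
    "-A POSTROUTING -o eth0 -j MASQUERADE\n", "")


def parse_iptables_save(text):
    """Parse iptables-save output into
    {table: {"policy": {chain: policy}, "rules": [rule, ...]}}."""
    tables, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("*"):
            current = line[1:]
            tables[current] = {"policy": {}, "rules": []}
        elif current is None or not line or line.startswith("#"):
            continue
        elif line.startswith(":"):
            chain, policy = line[1:].split()[:2]
            tables[current]["policy"][chain] = policy
        elif line.startswith("-A "):
            tables[current]["rules"].append(line)
    return tables


def audit_forwarding(sysctl_text, iptables_text, wg_if="wg0", wan_if="eth0"):
    """Check the three requirements for routing tunnel traffic onward.
    Returns {requirement: bool}; every value must be True for exit-node use."""
    match = re.search(r"net\.ipv4\.ip_forward\s*=\s*(\d)", sysctl_text)
    kernel_forwarding = bool(match) and match.group(1) == "1"

    tables = parse_iptables_save(iptables_text)
    filt = tables.get("filter", {"policy": {}, "rules": []})
    nat = tables.get("nat", {"policy": {}, "rules": []})

    forward_rules = [r for r in filt["rules"] if r.startswith("-A FORWARD ")]
    accepts_in = any(f"-i {wg_if} " in r and r.endswith("-j ACCEPT") for r in forward_rules)
    accepts_out = any(f"-o {wg_if} " in r and r.endswith("-j ACCEPT") for r in forward_rules)
    # Either the chain policy is ACCEPT, or explicit rules admit wg traffic both ways.
    filter_forwarding = filt["policy"].get("FORWARD") == "ACCEPT" or (accepts_in and accepts_out)

    masquerade = any(
        r.startswith("-A POSTROUTING ") and f"-o {wan_if} " in r and r.endswith("-j MASQUERADE")
        for r in nat["rules"])

    return {
        "kernel_ip_forward": kernel_forwarding,
        "filter_forward_allows_wg": filter_forwarding,
        "nat_masquerade_on_wan": masquerade,
    }


def missing_requirements(sysctl_text, iptables_text, **kw):
    """Names of the requirements that are not met, in a stable order."""
    return [name for name, ok in audit_forwarding(sysctl_text, iptables_text, **kw).items() if not ok]


if __name__ == "__main__":
    print("complete host:", missing_requirements(SYSCTL_ON, IPTABLES_COMPLETE))
    print("no NAT rule:  ", missing_requirements(SYSCTL_ON, IPTABLES_NO_NAT))
    print("no forwarding:", missing_requirements(SYSCTL_OFF, IPTABLES_COMPLETE))
```

On a real host you would feed it the text from `sysctl net.ipv4.ip_forward` and `iptables-save` (both need root, which is exactly the limitation the poster ran into on Supervised). The sysctl and the FORWARD rules belong to the host that actually routes the packets, so if the add-on's container prints the rules but the host kernel has forwarding off, the second and third checks pass and the first still fails.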

Hi doron,

This is my new config after your suggestion on the VPS:

cat /etc/wireguard/wg0.conf

[Interface]
PrivateKey = <masked>
ListenPort = 51820
Address = 192.168.4.1/24

[Peer]
PublicKey = UkuLYOrCjs5CmNns0tt3NvOBJttdMPqKI7eC5trLOzY=
AllowedIPs = 192.168.4.2/32,192.168.1.0/24

[Peer]
PublicKey = 0lI8kQ98J+KQm49lna5+gzA0yW//SMSRzaxr1KGlWFA=
AllowedIPs = 192.168.4.3/32,192.168.1.0/24

From VPS :

$ ping 192.168.4.2
PING 192.168.4.2 (192.168.4.2) 56(84) bytes of data.
64 bytes from 192.168.4.2: icmp_seq=1 ttl=64 time=52.8 ms
64 bytes from 192.168.4.2: icmp_seq=2 ttl=64 time=96.2 ms
64 bytes from 192.168.4.2: icmp_seq=3 ttl=64 time=59.4 ms
64 bytes from 192.168.4.2: icmp_seq=4 ttl=64 time=68.3 ms
^C
--- 192.168.4.2 ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 3005ms
rtt min/avg/max/mdev = 52.769/69.175/96.211/16.550 ms
$ ping 192.168.1.170
PING 192.168.1.170 (192.168.1.170) 56(84) bytes of data.

--- 192.168.1.170 ping statistics ---
31 packets transmitted, 0 received, 100% packet loss, time 30726ms

Still not working :frowning:

Config on add-on:

server:
  host: homesrv
  addresses:
    - 192.168.4.2/24
  dns: []
  private_key: <hidden>
peers:
  - name: ionosvps
    addresses:
      - 192.168.4.1/32
    allowed_ips:
      - 192.168.4.1/32
      - 192.168.4.3/32
    client_allowed_ips: []
    endpoint: <hidden>:51820
    persistent_keep_alive: 25
    public_key: ypNKXpemaKkV4WgDD6y/E/QerIP0r21UR9KHvUy+SUo=

From phone (termux) I can ping 192.168.4.1 and 192.168.4.2 but not 192.168.1.170 and cannot access HA on 192.168.1.170:8123 through http.

Any new idea ?

Hang on.
On the VPS you’re showing two peers. I assume the first is the HA and the second is the mobile. As I said, you need to add 192.168.1.0/24 to allowed_ips for the server peer, only. So for one thing, please remove it from the second peer - it will not work if you put it on both.

Also, please make sure allowed_ips for the VPS peer on the mobile does include 192.168.1.0/24.

Once you’ve done both of these, if it still doesn’t work, can you please show the result of

ip r

on the VPS?
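The reason "it will not work if you put it on both" is WireGuard's cryptokey routing: every allowed prefix belongs to exactly one peer, and when a later peer in the config claims a prefix an earlier peer already owns, the prefix moves to the later peer. In the VPS config above that means 192.168.1.0/24 ends up belonging to the mobile peer, so the VPS sends LAN traffic to the phone instead of to the HA add-on. The model below is an added example for this thread, not code from the add-on or from anyone in the discussion; the wg0.conf text is constructed from the posted VPS config (the two public keys are the ones posted, the private key is left out), and the reassignment behaviour it models is the kernel's, simulated here in Python rather than queried from a live interface.

```python
import ipaddress

# Constructed wg0.conf text modelled on the VPS config posted in this thread;
# the two public keys are the ones shown there, the private key is omitted.
WG0_CONF_AS_POSTED = """\
[Interface]
ListenPort = 51820
Address = 192.168.4.1/24

[Peer]
# Home Assistant add-on, sitting on the home LAN
PublicKey = UkuLYOrCjs5CmNns0tt3NvOBJttdMPqKI7eC5trLOzY=
AllowedIPs = 192.168.4.2/32,192.168.1.0/24

[Peer]
# mobile phone
PublicKey = 0lI8kQ98J+KQm49lna5+gzA0yW//SMSRzaxr1KGlWFA=
AllowedIPs = 192.168.4.3/32,192.168.1.0/24
"""

# The fix from the thread: the LAN prefix is listed on the HA peer only.
WG0_CONF_FIXED = WG0_CONF_AS_POSTED.replace(
    "AllowedIPs = 192.168.4.3/32,192.168.1.0/24", "AllowedIPs = 192.168.4.3/32")

# Narrower exposure: only the HA host itself is reachable through the VPS.
WG0_CONF_NARROW = WG0_CONF_FIXED.replace("192.168.1.0/24", "192.168.1.170/32")


def parse_wg_conf(text):
    """Return [(public_key, [ip_network, ...]), ...] for every [Peer] section."""
    peers, current = [], None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.startswith("["):
            current = {"key": None, "nets": []} if line == "[Peer]" else None
            if current is not None:
                peers.append(current)
            continue
        if current is None or "=" not in line:
            continue
        name, _, value = line.partition("=")  # keys end in '=' padding, so split once
        name, value = name.strip(), value.strip()
        if name == "PublicKey":
            current["key"] = value
        elif name == "AllowedIPs":
            current["nets"].extend(
                ipaddress.ip_network(v.strip(), strict=False) for v in value.split(",") if v.strip())
    return [(p["key"], p["nets"]) for p in peers]


def build_cryptokey_table(peers):
    """Model WireGuard's cryptokey routing: every allowed prefix has exactly one
    owning peer. When a later peer lists a prefix an earlier peer already owns,
    the prefix is reassigned to the later peer and the earlier one silently
    loses it. Returns (table, reassignments)."""
    table, reassigned = {}, []
    for key, nets in peers:
        for net in nets:
            if net in table and table[net] != key:
                reassigned.append((str(net), table[net], key))
            table[net] = key
    return table, reassigned


def route(table, destination):
    """Longest-prefix match: the public key of the peer that would receive a
    packet for destination, or None if no peer claims it (packet is dropped)."""
    addr = ipaddress.ip_address(destination)
    best = None
    for net, key in table.items():
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, key)
    return best[1] if best else None


if __name__ == "__main__":
    variants = (("as posted", WG0_CONF_AS_POSTED), ("fixed", WG0_CONF_FIXED), ("narrow", WG0_CONF_NARROW))
    for label, conf in variants:
        table, moved = build_cryptokey_table(parse_wg_conf(conf))
        for net, old, new in moved:
            print(f"[{label}] {net} moved from peer {old[:8]}... to {new[:8]}...")
        for dest in ("192.168.1.170", "192.168.1.50", "192.168.4.2"):
            owner = route(table, dest)
            print(f"[{label}] {dest} -> {owner[:8] + '...' if owner else 'no peer (dropped)'}")
```

Running it against the posted config reports the /24 moving to the phone's key, which is why `ping 192.168.1.170` from the VPS got no reply; the fixed config routes it to the HA peer, and the narrow variant shows that a /32 keeps 192.168.1.170 reachable while every other LAN host has no owning peer and is dropped at the VPS. The same check can be run on any wg0.conf to catch a prefix that two peers claim before it costs an evening of debugging.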

OMG it’s working!

Thank you doron for your help and patience, I really appreciate it.

I thought that HA could be able to listen on the new network/ip but no, the solution was to expose my home network to the vps.

Goodbye Tailscale and its huge battery drain :slight_smile:

Thank you again!

Great! Happy it finally works for you.

I thought that HA could be able to listen on the new network/ip but no, the solution was to expose my home network to the vps.

If you want to reduce the exposure, you can e.g. expose just the HA main instance, i.e. add only 192.168.1.170/32 to your allowed_ips and not the whole /24.

A more complex (and somewhat more secure) way would be to build a tunnel-in-tunnel, so that the HA addon opens a tunnel into the VPS, and then the mobile opens a tunnel back into the addon via the VPS. You can try this as an “advanced exercise” for bonus points :slight_smile:


Before going this way, I have some new steps to complete. I used to use Tailscale DNS and its SSL cert, now I have to create a self-signed one and make it trusted by my devices! (I need it for vaultwarden and some other tools that require TLS encryption to work.)

Thanks again !

Hi,

I cannot figure out how to reach my local LAN peers from my host (Home Assistant on a ubuntu vps, dockerized).

Here is my config

server:
  host: myvps.org
  addresses:
    - 10.0.0.1/32
  dns:
    - 1.1.1.1
peers:
  - name: myphone
    addresses:
      - 10.0.0.2/32
    allowed_ips:
      - 10.0.0.2/32
      - 192.168.1.0/24
    client_allowed_ips:
      - 10.0.0.0/24
    log_level: debug

I want to reach the remote LAN 192.168.1.0/24 from HA located at 10.0.0.1 through the remote peer (10.0.0.2 on the VPN and 192.168.1.14 on the LAN), but pinging any 192.168.1.x address from the HA terminal gives nothing.

Could a good soul help me ?

Thanks for your support

Hi all,

first of all thank you very much @frenck for this great addon!
Unfortunately I have problems getting it to work. And I have a lot of questions, I will try to be concise.

My setup is very simple and pretty standard:

  • ISP Router (Fritzbox) as DHCP server for the LAN (10.0.0.1/24) and default gateway
  • Home assistant OS installed on a raspberryPI 4 in the LAN (home-assistant.local / 10.0.0.34)

What I need:

  • one or more peers able to connect with wireguard only for the LAN
  • other peers use wireguard to reach all Internet (without having access to the LAN)

The first time, I have tried the very basic configuration, but even that didn’t work.
I can’t reach / ping the Home Assistant server or any device in the LAN or even any website (using the local domain it works, but I think is not relevant, since to use it I need to be connected to my WiFi anyway).
I have tested it with the macbook connected to the phone’s hotspot using the mobile network or directly with the phone.

The first configuration I have used was:

Server
host: home.example.com
addresses:
  - 10.0.2.1
dns: []

Peers
- name: realme8
  addresses:
    - 10.0.2.2
  allowed_ips: []
  client_allowed_ips: []
- name: macbook
  addresses:
    - 10.0.2.3
  allowed_ips: []
  client_allowed_ips: []

And the log once it started:

s6-rc: info: service s6rc-oneshot-runner: starting
s6-rc: info: service s6rc-oneshot-runner successfully started
s6-rc: info: service base-addon-banner: starting

-----------------------------------------------------------
 Add-on: WireGuard
 Fast, modern, secure VPN tunnel
-----------------------------------------------------------
 Add-on version: 0.10.2
 You are running the latest version of this add-on.
 System: Home Assistant OS 13.1  (aarch64 / raspberrypi4-64)
 Home Assistant Core: 2024.9.3
 Home Assistant Supervisor: 2024.09.1
-----------------------------------------------------------
 Please, share the above information when looking for help
 or support in, e.g., GitHub, forums or the Discord chat.
-----------------------------------------------------------
s6-rc: info: service base-addon-banner successfully started
s6-rc: info: service fix-attrs: starting
s6-rc: info: service base-addon-log-level: starting
s6-rc: info: service fix-attrs successfully started
s6-rc: info: service base-addon-log-level successfully started
s6-rc: info: service legacy-cont-init: starting
cont-init: info: running /etc/cont-init.d/config.sh
cont-init: info: /etc/cont-init.d/config.sh exited 0
s6-rc: info: service legacy-cont-init successfully started
s6-rc: info: service legacy-services: starting
services-up: info: copying legacy longrun api (no readiness notification)
services-up: info: copying legacy longrun status (no readiness notification)
services-up: info: copying legacy longrun wireguard (no readiness notification)
[09:26:02] INFO: Starting WireGuard...
s6-rc: info: service legacy-services successfully started
[#] ip link add wg0 type wireguard
[#] wg setconf wg0 /dev/fd/63
[#] ip -4 address add 10.0.2.1/24 dev wg0
[#] ip link set mtu 1420 up dev wg0
[#] resolvconf -a wg0 -m 0 -x
[#] iptables -A FORWARD -i wg0 -j ACCEPT; iptables -A FORWARD -o wg0 -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
[09:26:32] INFO: Requesting current status from WireGuard...
interface: wg0
  public key: T4ohP2SCgNPmpXIZDOerg28CvoRC1E3dCU6gTvt49Bg=
  private key: (hidden)
  listening port: 51820

peer: vqLHjTZBAmCApwStsv3dTB/OTiUlA0jqjbxcCbNMu0s=
  allowed ips: 10.0.2.2/32
  persistent keepalive: every 25 seconds

peer: fnsqiDX8rxpi/R0CSaeSyt3G958LGIsKRVOBeynrdlU=
  allowed ips: 10.0.2.3/32
  persistent keepalive: every 25 seconds

If I use the 0.0.0.0/0 address in allowed_ips I am getting the error reported in this issue.

It’s not clear how allowed_ips should be configured, since the documentation says:

If there are no IP addresses configured, the add-on will use the addresses listed in peers.addresses.

But how could I reach my LAN (10.0.0.0/24) if the server routes only to the address of the wireguard peer (10.0.2.2/32 or 10.0.2.3/32)?

I have tried a lot of other configurations, read the documentation many times, watched the introduction video and read this post, but I haven’t found a solution yet.
Could someone help me? Many thanks in advance.

I think some examples of common configurations (like mine, I think it’s pretty basic and standard) could be useful in the documentation.

[EDIT] I have understood why it didn’t work… I am under CG-NAT, the IP address of my router is in the 100.64.0.0/10 range. So the endpoint is not reachable from the outside.