Home Assistant Community Add-on: WireGuard

I have added a peer on my Home Assistant server for my Home Assistant instance, which is running on my office Raspberry Pi.
The client.conf file shows this:


[Interface]
PrivateKey = qwerty/zFkgKEpLxxxxxxxxxxxxxxxxxxxxxxs=
Address = 172.xx.66.4/24
DNS = 172.xx.32.3

[Peer]
PublicKey = vlxCxxxxxxxxxxxxxxxxxxxxxxxxxxxxx9v/asdfgh=
Endpoint = xxxxxxxxxxxxx.duckdns.org:51820
AllowedIPs = 0.0.0.0/0
PersistentKeepalive = 25

Now, how do I configure my office Raspberry Pi to connect to my Home Assistant server at home?

I am unable to enter the details in my office Home Assistant WireGuard add-on settings.

1 Like

Hi, I changed the port in the options to 51822.

But in the log it says

listening port: 51820

Is it not possible to change the port?

1 Like

The log will always say that: it runs on a fixed port inside the add-on container, but it is routed outwards with the port you have set in the add-on configuration. So, yes, you can change the port, it is just not listed in the logs.

1 Like

:tada: Release v0.2.0

Full Changelog

This is a general maintenance release.

:hammer: Changes

  • :pencil2: Fixes a typo in an error message (#8)
  • :books: Add note to not attempt to use Nabu Casa (#14)
  • :books: Add troubleshooting note about Pi-Hole issue (#15)
  • :books: Update troubleshooting note to avoid confusion (#16)
  • :ambulance: Fixes broken MTU setting (#20)
  • :books: Simple fix for issue #21 (#26)
  • :arrow_up: Upgrades go to 1.13.4-r1
  • :arrow_up: Upgrades openresolv to 3.9.2-r0
  • :arrow_up: Upgrades wireguard-tools to 0.0.20191219-r0
  • :arrow_up: Upgrades wireguard-go to v0.0.20191012
  • :fireworks: Updates maintenance/license year to 2020
  • :pencil2: Funding adjustments
  • :pencil2: Fixes some spelling and grammar
  • :arrow_up: Upgrades add-on base image to v6.0.1
  • :arrow_up: Upgrades git to 2.24.1-r0
  • :books: Adjust add-on installation instructions
  • :fire: Remove unused config mapping
  • :ambulance: Move name variable up in script (#33)

Questions? Join our Discord server! https://discord.me/hassioaddons
Enjoying my add-ons? Consider supporting my work:
https://github.com/sponsors/frenck or https://patreon.com/frenck

Hi Frenck,
First of all, I love this add-on. I was using it with the Pi-hole add-on and the DNS 172.30.32.1 as described. Now I did a fresh install of Home Assistant and the WireGuard add-on and installed Pi-hole with unbound “https://docs.pi-hole.net/guides/unbound/” on a separate second RPi 3. Now my question: can I safely just change the DNS “172.30.32.1” to “10.7.7.21” (the internal IP of the second RPi running Pi-hole) in the WireGuard add-on? I already did it and it is working perfectly. I just want to know if I did it right (and safe) because I am not an expert and am learning all the time. Thanks in advance!

Hi,

I am trying to set up my WireGuard add-on (which works great as a manual switch) to work whilst permanently switched on.

The docs (I think this is the section) instruct this:

Option: peers.client_allowed_ips (optional) This configuration is only valid for the peer end/client configuration and does not affect the server/add-on! A list of IP (IPv4 or IPv6) addresses (optionally with CIDR masks) from which incoming traffic from the server is allowed and to which outgoing traffic for this peer is directed.

These are my settings:

{
  "server": {
    "host": "xxxxxx.duckdns.org",
    "addresses": [
      "172.244.66.1"
    ],
    "dns": []
  },
  "peers": [
    {
      "name": "android",
      "addresses": [
        "172.244.66.6"
      ],
      "allowed_ips": [],
      "client_allowed_ips": [
        "172.244.66.0/24",
        "192.168.1.0/24"
      ]
    }
  ]
}

My UniFi router is 192.168.1.1. My goal is to have WireGuard on my phone switched on all the time. When I enter 192.168.1.400:8123 (the Hass.io address) it uses WireGuard, and when I visit any other site, it goes from my phone directly to the site I’m visiting (e.g. Google).

At the moment, the above setting allows me to go to 192.168.1.400:8123 but everything else is blocked.

Thanks

Frenck replied on Discord with a solution, which works:

You could just use

172.16.0.0/12

&

172.244.66.0/24

and use

http://homeassistant:8123

instead

I would like to set up the same, but I don’t understand where/why you need to use “172.16.0.0/12”.

@frenck
I’ve just installed the add-on and it’s working flawlessly.
The only issue is I can’t find a way to access the Samba share on the Hass.io server.
In the WireGuard configuration I’m using the default 172.27.66.1 for the server, so in the Samba add-on configuration I’ve added 172.27.0.0/24 to the interfaces part:

...
"interface": "172.27.0.0/24",
"allow_hosts": [
  "10.0.0.0/8",
  "172.27.0.0/24",
  "192.168.0.0/16"
],
...

But it doesn’t work.
The Samba add-on doesn’t even start until I remove the interface value.

Any hint?
Thanks

Feeling noob, but I’ve been waiting for a VPN addon long time so I’m asking here anyway.

I can successfully connect to my WireGuard instance from both WLAN and 4G connections. But I do not get any traffic (intranet or internet).

I’ve used the most basic of setups:

{
  "server": {
    "host": "myadress.duckdns.org",
    "addresses": [
      "172.27.66.1"
    ],
    "dns": []
  },
  "peers": [
    {
      "name": "hassio",
      "addresses": [
        "172.27.66.2"
      ],
      "allowed_ips": [],
      "client_allowed_ips": []
    }
  ]
}

I’m running Hassio on a Raspberry PI 3+. Log:

interface: wg0
  public key: jRt7+ke47dlYxoeTiRD/K1IGHH6CQYL/5FE1aABruRI=
  private key: (hidden)
  listening port: 51820
peer: /MQM73DbKmL3X4x9gfAv/9Xbnug/8kzypk/y5ScH/Ro=
  allowed ips: 172.27.66.2/32
  persistent keepalive: every 25 seconds
[21:57:24] INFO: Requesting current status from WireGuard...
interface: wg0
  public key: jRt7+ke47dlYxoeTiRD/K1IGHH6CQYL/5FE1aABruRI=
  private key: (hidden)
  listening port: 51820
peer: /MQM73DbKmL3X4x9gfAv/9Xbnug/8kzypk/y5ScH/Ro=
  allowed ips: 172.27.66.2/32
  persistent keepalive: every 25 seconds

Oh, Frenck, keep up the good work, I’m enjoying Hass and its addons every day!

Look at my code above and find

client_allowed_ips

And add the numbers after that. However, it depends on your setup with the server address.

Based on your posted configuration, the peer “hassio” (bad name choice for the client, btw) is unaware that this connection should be used for anything besides connecting to the host (172.27.66.1/32) only.

You should either list the desired target addresses in the client_allowed_ips array and re-import the files generated by the add-on or just alter the peer’s configuration within its client app directly.

Let’s assume the device hass.io (the host) is running on is in one of the zones you’ve called “intranet” and it is getting the IP address 192.168.123.4. All you have to do then is to add 192.168.123.0/24 and all devices of this subnet can be reached by their IP address. If you want to also use their names you must configure a corresponding DNS that is able to resolve them. I’d suggest you start simple and try it using the IP address-only approach first.

Based on your config and my example change

"client_allowed_ips": []

to

"client_allowed_ips": ["172.27.66.1/32", "192.168.123.0/24"]

Save the change, restart the add-on, re-import the newly generated configuration and your peer “hassio” should be able to connect to host “hass.io” and all devices that also get an IP like 192.168.123.*

1 Like
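To make the split-tunnel behaviour discussed here concrete (the question about why 172.16.0.0/12 is needed, and the advice above on what client_allowed_ips does), here is an added example, not code from the add-on or from anyone in this thread. It reproduces WireGuard's cryptokey-routing decision for a client's AllowedIPs list and checks which of the thread's address ranges fall inside a summary prefix; the sample AllowedIPs lists are re-typed from the posts above.

```python
import ipaddress
from typing import Iterable, List, Optional, Tuple, Union

Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]


def tunnel_prefix(allowed_ips: Iterable[str], destination: str) -> Optional[Network]:
    """Return the most specific AllowedIPs entry covering `destination`.

    WireGuard's cryptokey routing only sends a packet into the tunnel when its
    destination lies inside some AllowedIPs prefix (longest prefix wins).
    None means the packet leaves the phone/PC directly, outside the tunnel.
    """
    dst = ipaddress.ip_address(destination)
    best: Optional[Network] = None
    for cidr in allowed_ips:
        net = ipaddress.ip_network(cidr.strip(), strict=False)
        if net.version == dst.version and dst in net:
            if best is None or net.prefixlen > best.prefixlen:
                best = net
    return best


def goes_through_tunnel(allowed_ips: Iterable[str], destination: str) -> bool:
    return tunnel_prefix(allowed_ips, destination) is not None


def split_by_summary(summary: str, cidrs: Iterable[str]) -> Tuple[List[str], List[str]]:
    """Partition `cidrs` into those fully inside the `summary` prefix and the rest."""
    s = ipaddress.ip_network(summary)
    inside, outside = [], []
    for cidr in cidrs:
        n = ipaddress.ip_network(cidr, strict=False)
        (inside if n.version == s.version and n.subnet_of(s) else outside).append(cidr)
    return inside, outside


# AllowedIPs lists quoted in the thread, re-typed here as constructed sample input.
FULL_TUNNEL = ["0.0.0.0/0"]                          # first client.conf in the thread
LAN_ONLY = ["172.27.66.1/32", "192.168.123.0/24"]    # client_allowed_ips suggested above
DISCORD_HINT = ["172.16.0.0/12", "172.244.66.0/24"]  # the two ranges relayed from Discord

if __name__ == "__main__":
    print("public IP via full tunnel:", goes_through_tunnel(FULL_TUNNEL, "203.0.113.10"))   # True
    print("public IP via LAN-only:", goes_through_tunnel(LAN_ONLY, "203.0.113.10"))         # False
    print("192.168.0.10 via LAN-only:", goes_through_tunnel(LAN_ONLY, "192.168.0.10"))      # False
    # 172.16.0.0/12 spans 172.16.0.0-172.31.255.255: it covers the 172.27.66.x tunnel
    # addresses and the 172.30.32.x DNS addresses seen in this thread, but not 172.244.66.0/24,
    # so that /24 still needs its own entry.
    print(split_by_summary("172.16.0.0/12",
                           ["172.30.32.1/32", "172.27.66.1/32", "172.244.66.0/24", "192.168.1.0/24"]))
```

Note that 192.168.0.10 is not tunnelled by the LAN_ONLY list, which is why the later poster had to change the prefix to 192.168.0.0/24 for their own LAN.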

Thanks for the reply! I realised hassio wasn’t a smart peer name and since changed it to “phone”. I tried your suggested config:

{
  "server": {
    "host": "myhome.duckdns.org",
    "addresses": [
      "172.27.66.1"
    ],
    "dns": []
  },
  "peers": [
    {
      "name": "phone",
      "addresses": [
        "172.27.66.2"
      ],
      "allowed_ips": [],
      "client_allowed_ips": [
        "192.168.0.0/24",
        "172.27.66.1/32"
      ]
    }
  ]
}

However, this didn’t solve my issue. I then tried your other suggestion and added the client_allowed_ips to my peer settings (iphone app). I do have internet now, but still no local traffic to NAS, router or Hassio. They are all in the 192.168.0.* range so my setting for that allowed ip is correct?

You don’t have to add anything to client_allowed_ips in the add-on if you don’t use the generated config and only edit the config on your iPhone manually.

I’m confused that you are able to connect to the internet but not your LAN. The configuration we were talking about above shouldn’t even enable that…

Did you disconnect your iPhone from your home’s WiFi and check your IP address (e.g. by googling “my ip address”)? The search result from a device within your LAN (e.g. a notebook) should yield the same IPv4 as on your iPhone outside your LAN to validate that you are using your WireGuard connection for the internet.

Please have a look on the app configuration again. Does Interface \ Addresses show 172.27.66.2/24?
What exactly did you enter in Peer \ Allowed IPs? It should be 172.27.66.1/32, 192.168.0.0/24 (with just a comma, a space and no quotes around the IPs).

Well, apparently my VPN isn’t functioning. My IP address is not the same and the ISP shown is my mobile provider. That explains a lot… But why is the phone showing the VPN logo next to the 4G logo and the WireGuard app showing an active VPN?

WireGuard can also be used in a split-tunnel setup, routing only data that matches a specific range of IPs through its tunnel. Everything else will be forwarded as if you were not using a tunnel at all. To do that it has to be running, thus displaying its icon on your phone. The setup you posted initially corresponds to this behavior, and because of that I got confused when you mentioned you were successfully tunneling your internet connection…

I’d suggest you start fresh by resetting the WireGuard configuration of your phone and importing the configuration that was created by the add-on. Make sure the newly imported configuration includes 192.168.0.0/24 in the peer’s Allowed IPs.

Then check if your DuckDNS domain contains the IPv4 address that points to your router. Make sure you’ve opened the correct UDP port in your router and that it points to the machine hass.io is running on.

Make sure the add-on is running, then disable WiFi, enable WireGuard on your phone and enter an IP address from the 192.168.0.0/24 range in your phone’s browser. I’d suggest you enter the IP address of your router to see if the login form appears.

1 Like

So, I have this up and running on my install with 2 clients, android and Windows 10. Works great, have split tunnel working on the windows 10 system as well.

My question is as follows… I would like to show connections in the HA front end, but when I issue the curl command:

curl -X GET http://a0d7b954-wireguard

the response only shows the two configs for the clients that I have added and the amount of data transferred. Nothing about connection state. Is anyone aware of a way to get HA to see a live connection?

WireGuard is stateless, so there is no state.

So, it is not aware of the connection at all?

Nope, it has no idea.