Home Assistant Community Add-on: WireGuard

If my main network runs on the 192.168.1.0/24 range, and I have a piHole running at 192.168.1.2, how would I go about setting the wireguard peers to hit this DNS server? Putting the piHole address in for the DNS option on the addon config throws an error from the clients:

2020-01-25 12:24:28.982: [TUN] [Hassio] Unable to resolve one or more DNS hostname endpoints: No such host is known.

Dropping the DNS server address and leaving an empty array works OK (as expected it pulls the Hassio DNS server). By works OK it allows for the peer to connect, but internal name resolution does not seem to be functional.

My wireguard server is at 10.10.10.x and peers are at 10.10.10.y.

Can I start and stop WireGuard on demand via automations or does this only start at startup and run non stop?

Took me some time (busy with other stuff), but I tried your suggestion. I deleted all config and the addon. Then deleted the app from my phone and reinstalled everything, following the guide on the github page. It is working now, I can access my router from a 4G connection (at its local address 192.168.0.1). But now it is working without ‘allowed IP’s’ and ‘client allowed IP’s’. Is that correct? Does it just assume when empty all IP’s are allowed?

Add-on wise allowed_ips will be set automatically if you don’t enter anything.

client_allowed_ips is only used to preconfigure your peer and does not affect the server side. That means it doesn’t really matter what you’ve entered in there as long as you’ve configured your peer’s app the way you want it :slight_smile:

This can be started and stopped like any other add-on using a service call. You can try it in the developer tools if you want to. The services you need begin with hassio.addon_

Cool, thanks for your help in setting this up Florian.
My employer has a tendency to block a lot of ports. Hopefully this will allow me to use home assistant on its native 8123 port.

I don’t seem to be able to get it to connect at all

I have the most basic config

server:
  host: xxxxx.ddns.net
  addresses:
    - 172.27.66.1
  dns: []
peers:
  - name: myphone
    addresses:
      - 172.27.66.2
    allowed_ips: []
    client_allowed_ips: []

and testing on a separate Rpi I can see the UDP port is open with an nmap command

But on the phone rx 0 and no connection intra- or inter-net

If you did not alter your peer’s config manually nothing else than a connection to 172.27.66.1 will be routed through the tunnel.

Try again by either configuring client_allowed_ips: [ "0.0.0.0/0" ] (and importing the updated config created by the add-on) or by manually entering that in the peer’s setting on “myphone”.

edit: don’t mind that comment. using the defaults will route anything through that tunnel…

But according to the documentation that is the default if it is left empty!? Which is why I hadn’t added it. And that is what shows up on the app on myphone

You don’t need to do that, leaving that option empty defaults to 0.0.0.0/0.

You’re right. Looks like I remember that wrong…

Did you have any logs that could help us?

So I restarted the addon and increased log to debug

[cont-init.d] 00-banner.sh: exited 0.
[cont-init.d] 01-log-level.sh: executing... 
Log level is set to DEBUG
[cont-init.d] 01-log-level.sh: exited 0.
[cont-init.d] config.sh: executing... 
[16:24:40] DEBUG: Requested API resource: http://hassio/dns/info
[16:24:40] DEBUG: Request method: GET
[16:24:40] DEBUG: Request data: {}
[16:24:40] DEBUG: API HTTP Response code: 200
[16:24:40] DEBUG: API Response: {"result": "ok", "data": {"version": "1", "latest_version": "1", "host": "172.30.32.3", "servers": ["dns://8.8.8.8", "dns://1.1.1.1"], "locals": ["dns://192.168.1.250", "dns://192.168.1.249", "dns://192.168.1.1", "dns://fe80::dcbb:901b:3332:97c"]}}
[cont-init.d] config.sh: exited 0.
[cont-init.d] done.
[services.d] starting services
[services.d] done.
[16:24:52] INFO: Starting WireGuard...
[#] ip link add wg0 type wireguard
[#] wg setconf wg0 /dev/fd/63
[#] ip -4 address add 172.27.66.1/24 dev wg0
[#] ip link set mtu 1420 up dev wg0
[#] resolvconf -a wg0 -m 0 -x
[#] iptables -A FORWARD -i wg0 -j ACCEPT; iptables -A FORWARD -o wg0 -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
[16:25:22] INFO: Requesting current status from WireGuard...
interface: wg0
  public key: xxxxxxxxxxxxxxxx
  private key: (hidden)
  listening port: 51820
peer: xxxxxxxxxxxxxxxx
  allowed ips: 172.27.66.2/32
  persistent keepalive: every 25 seconds
[16:25:52] INFO: Requesting current status from WireGuard...
interface: wg0
  public key: xxxxxxxxxxxxxxxx
  private key: (hidden)
  listening port: 51820
peer: xxxxxxxxxxxxxxxx
  allowed ips: 172.27.66.2/32
  persistent keepalive: every 25 seconds

Looks good. Does this log change if you enable the tunnel on your phone? I’d expect to see some more lines below your peer (endpoint, latest handshake and transfer) when it successfully connected. You could try to establish the tunnel even from within the same WiFi. Based on your router that might not work in the case reverse NAT is not allowed, but trying it should not hurt…

You did already open 51820/udp on your firewall and pointed that to the device running Home Assistant?
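The status block the add-on logs is the output of `wg show`; the lines that only appear once a peer has been accepted are the ones to look for. As an added example (not part of this thread or the add-on), a small parser that reads that output and separates peers that have completed a handshake from peers that never connected. The status text below is constructed; the peer keys and endpoint are placeholders.

```python
# Constructed sample in the format printed by `wg show` (the add-on logs it on
# every status request). Peer keys and the endpoint are placeholders.
SAMPLE_STATUS = """\
interface: wg0
  public key: xxxxxxxxxxxxxxxx
  private key: (hidden)
  listening port: 51820
peer: PEER_A_PLACEHOLDER_KEY
  endpoint: 203.0.113.7:41822
  allowed ips: 172.27.66.2/32
  latest handshake: 12 seconds ago
  transfer: 3.21 KiB received, 5.44 KiB sent
  persistent keepalive: every 25 seconds
peer: PEER_B_PLACEHOLDER_KEY
  allowed ips: 172.27.66.3/32
  persistent keepalive: every 25 seconds
"""

# Fields WireGuard only prints after a successful handshake with that peer.
HANDSHAKE_FIELDS = {"endpoint", "latest handshake", "transfer"}


def parse_wg_show(text):
    """Return {peer_key: {field: value}} for every peer block in `wg show` output."""
    peers = {}
    current = None
    for line in text.splitlines():
        if line.startswith("peer:"):
            current = line.split(":", 1)[1].strip()
            peers[current] = {}
        elif current is not None and line.startswith("  ") and ":" in line:
            # Split on the first colon only: endpoints contain a second one.
            key, value = line.strip().split(":", 1)
            peers[current][key.strip()] = value.strip()
    return peers


def connected_peers(text):
    """Peers whose block carries endpoint, latest handshake and transfer."""
    return sorted(key for key, fields in parse_wg_show(text).items()
                  if HANDSHAKE_FIELDS <= fields.keys())


def never_connected_peers(text):
    """Peers that only show allowed ips / keepalive: nothing from them was ever accepted."""
    connected = set(connected_peers(text))
    return sorted(key for key in parse_wg_show(text) if key not in connected)
```

A peer that stays in the second list while the phone shows tx rising and rx at 0 (as in the post above) means no packet from it ever reached wg0, which points at port forwarding rather than at the tunnel config.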

So the issue I think is it doesn’t end up connecting at all, thus no change in log. I get tx going up by 0.2 kbs every few seconds on the phone app and 0 on rx so no response

Log looks exactly the same no change whatsoever

The biggest issue is I have HA set up at my home but I am abroad so had to instruct people to open up the port pointing to HA. I think they did it correctly though judging from this (run on another pi on the network). But will have to confirm they pointed to the correct internal IP

pi@raspberrypi:~ $ sudo nmap -sU -p 51820 xxxxxxx.ddns.net

Starting Nmap 7.40 ( https://nmap.org ) at 2020-02-08 14:48 GMT
Nmap scan report for xxxxxxx.ddns.net (xxxxxxx)
Host is up (0.0013s latency).
rDNS record for xxxxxxx: ppp-xxxxxxx.home.otenet.gr
PORT      STATE         SERVICE
51820/udp open|filtered unknown

Nmap done: 1 IP address (1 host up) scanned in 1.08 seconds

nmap reports the same result for my WireGuard peers (which are working as expected). So maybe it’s a good idea to first confirm the port configuration before trying anything else :slight_smile:

1 Like

I can’t get split-tunnel to work here.
I’m baffled.
It’s RPi4 with Hass.io
I’ve set this up in the config:

server:
  host: home.server.public-name
  addresses:
    - 172.16.100.1
  dns: []
peers:
  - name: KennethsLaptopFullVpn
    addresses:
      - 172.16.100.10
    allowed_ips: []
    client_allowed_ips: []
  - name: KennethsLaptopSplitTunnel
    addresses:
      - 172.16.100.12
    allowed_ips:
      - 172.16.12.0/24
      - 172.16.100.1/32
    client_allowed_ips: []
log_level: info

If I connect with the FullVPN, it works, it routes everything through the tunnel.
If I do the split-tunnel I lose my regular internet connection and I can’t ping anything on the lan (nor on the wan).

Your allowed IPs don’t include the internal docker network used by Home Assistant. Hence, traffic goes nowhere.

Add:

- 172.16.32.0/24
- 172.16.33.0/24
1 Like
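On the client side, a peer's AllowedIPs list is also its route table: destinations that match none of the prefixes leave over the normal interface, so a split-tunnel list decides both what reaches the LAN and what must still be covered (the Home Assistant docker networks named above). As an added example, not part of the add-on or this thread, the check below applies Kenneth's posted split-tunnel config plus Frenck's two networks; the prefixes come from the posts above, the function names are mine.

```python
import ipaddress

# Kenneth's split-tunnel peer as posted above, with the two Home Assistant
# internal docker networks from Frenck's reply added.
SPLIT_TUNNEL_ALLOWED_IPS = [
    "172.16.12.0/24",    # home LAN (from the posted config)
    "172.16.100.1/32",   # WireGuard server address (from the posted config)
    "172.16.32.0/24",    # HA internal docker network (Frenck's reply)
    "172.16.33.0/24",    # HA internal docker network (Frenck's reply)
]
# The add-on default when allowed_ips is left empty: everything via the tunnel.
FULL_TUNNEL_ALLOWED_IPS = ["0.0.0.0/0"]

# Networks the client must be able to reach for Home Assistant to answer.
HA_DOCKER_NETWORKS = ["172.16.32.0/24", "172.16.33.0/24"]


def route_via_tunnel(dest, allowed_ips):
    """True if a client with this AllowedIPs list sends `dest` into wg0.

    WireGuard installs one route per AllowedIPs prefix; a destination that
    matches none of them is routed normally (split tunnel behaviour).
    """
    addr = ipaddress.ip_address(dest)
    return any(addr in ipaddress.ip_network(n, strict=False) for n in allowed_ips)


def missing_prefixes(allowed_ips, required):
    """Entries of `required` not fully covered by some AllowedIPs prefix."""
    nets = [ipaddress.ip_network(n, strict=False) for n in allowed_ips]
    return [r for r in required
            if not any(ipaddress.ip_network(r).subnet_of(n) for n in nets)]
```

With only the two prefixes from the original post, `missing_prefixes` reports both docker networks; after adding them it returns an empty list, while 1.1.1.1 still stays off the tunnel as a split-tunnel client expects.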

Hi Frenck
Ok, I tried adding that under ‘Allowed IP’s’ still going nowhere :cry:
I can’t ping 1.1.1.1 which should break out locally, nor my IP for the HomeAssistant (this is testing from my cellphone with fing).

Hello, I was wondering if I can use an hassio raspberry as a wireguard client, using this addon or in another way. I would like to use wireguard to connect two hassio raspberrys over the internet because one of them can’t have a public IP address. Is this possible?

1 Like

That is not possible, this add-on is designed to work as a “server” only.

Oh, what a pity.
Thank you for the answer and the good work! :slight_smile:

2 Likes