Home Assistant Community Add-on: WireGuard

:tada: Release v0.3.0

Full Changelog

This is a general maintenance release.

:hammer: Changes

  • :ambulance: Fix Patreon link
  • :books: Update add-on documentation to use new YAML configuration format
  • :hammer: Re-branding
  • :hammer: Update add-on config with new password & list features
  • :arrow_up: Upgrades add-on base image to v7.0.2
  • :arrow_up: Upgrades wireguard-tools@edge to 1.0.20200102-r0
  • :arrow_up: Upgrades WireGuard Go to v0.0.20200121
  • :hammer: Update community forum links

Questions? Join our Discord server! https://discord.me/hassioaddons
Enjoying my add-ons? Consider supporting my work:
https://github.com/sponsors/frenck or https://patreon.com/frenck

Hi @frenck

Thank you for this great add-on, and for keeping it updated!
I've moved my installation from Hass.io to Raspbian with supervised HA. I did this to get the RPi4 to boot from the SSD.
After doing this, WireGuard doesn't work at all. There is no firewall active on Raspbian. It won't even ping the Home Assistant host itself.
As soon as I start the tunnel the ping shows “General failure”, as soon as I close it again, the ping replies.
I’m not sure if it’s supposed to look like this, but when looking at the routes of the PC (client) with the ‘FullVPN’, I see two default gateways (0.0.0.0), one is pointing to the LAN’s gateway, and the other to the vpn ip.
Do you have any input on this?

Probably somewhere in this lengthy thread there is an answer to my question, but it isn't obvious. I am running the WireGuard and AdGuard add-ons both on the same server. I have the DNS set to 172.30.32.1 and I can resolve everything just fine, including ads. The ads are not being blocked in this config. On my internal network, my DNS server is set to 172.16.1.104, which blocks ads. I tried setting the WireGuard DNS to 172.16.1.104 but nothing resolves. The 172.30.32.1 is the correct IP according to the docs, so why doesn't it block ads?

Does anybody know if it is possible for the WireGuard client to get the public IP of the WireGuard server when connected?

For example: on my cell phone my public IP is 24.124.143.46 (coming from my carrier).
When I connect to a third-party VPN via OpenVPN, my IP changes to the one coming from the OpenVPN server.
When I connect to my WireGuard server, I still have my carrier IP 24.124.143.46 rather than the one from my WireGuard server.

thanks

1 Like

Hi all,

just tried to use the WireGuard REST API to show the connection status of my devices.
Maybe someone is interested in this:

To get the data of my devices I use a REST API sensor:

platform: rest
name: wireguard
resource: http://a0d7b954_wireguard
json_attributes:
- client01
- client02
value_template: "OK"

(Where client01 and client02 are the names defined for your wireguard peers)

To render the connection status I use the following template sensor for each device:

platform: template
sensors:
  wireguard_client01:
    friendly_name: "Wireguard Client01"
    value_template: >-
      {% if state_attr('sensor.wireguard', 'client01').latest_handshake > (as_timestamp(now()) - 180) %}
        Connected
      {% else %}
        Disconnected
      {% endif %}

Assumption: A Client is disconnected when there was no handshake in the last 3 minutes.

Please let me know what you think, input is more than welcome.

8 Likes
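The sensor above applies a simple rule: a peer is "connected" if its last handshake is less than 180 seconds old. As an added example (not code from the original post or from the add-on), here is a Python script that applies the same rule to the status text the add-on writes to its log, which has the same layout as `wg show` (see the log excerpt quoted later in this thread). The sample status, the placeholder keys and the name-to-address mapping are constructed for the example; the add-on config names peers, while the status output only shows public keys, so the mapping is how the script gets back to names like client01. One edge case the template does not handle explicitly is a peer that has never completed a handshake: such a peer has no "latest handshake" line at all, and the script reports it as down instead of comparing a missing value.

```python
import re

# Constructed sample in the layout the add-on logs (the same as `wg show`).
# Keys and the endpoint are placeholders, not real values.
SAMPLE_STATUS = """\
interface: wg0
  public key: SERVER_PUBLIC_KEY_PLACEHOLDER
  private key: (hidden)
  listening port: 51820
peer: PEER1_PUBLIC_KEY_PLACEHOLDER
  endpoint: 203.0.113.10:14889
  allowed ips: 10.10.10.2/32
  latest handshake: 1 minute, 50 seconds ago
  transfer: 101.38 KiB received, 15.41 KiB sent
  persistent keepalive: every 25 seconds
peer: PEER2_PUBLIC_KEY_PLACEHOLDER
  allowed ips: 10.10.10.3/32
  persistent keepalive: every 25 seconds
"""

# Hypothetical name -> address mapping taken from the peers section of the
# add-on config (the add-on names peers; `wg show` only prints public keys).
PEER_NAMES = {"10.10.10.2": "client01", "10.10.10.3": "client02"}

# Same rule as the template sensor: no handshake within 3 minutes = disconnected.
MAX_HANDSHAKE_AGE = 180

_UNIT_SECONDS = {"day": 86400, "hour": 3600, "minute": 60, "second": 1}


def parse_handshake_age(text):
    """Convert '1 minute, 50 seconds ago' into seconds ('Now' -> 0)."""
    if text.strip().lower() == "now":
        return 0
    return sum(int(n) * _UNIT_SECONDS[unit]
               for n, unit in re.findall(r"(\d+)\s+(day|hour|minute|second)s?", text))


def parse_wg_show(output):
    """Return {public_key: {...}} for every peer block in `wg show` output."""
    peers = {}
    current = None
    for line in output.splitlines():
        stripped = line.strip()
        if stripped.startswith("peer:"):
            current = stripped.split(":", 1)[1].strip()
            # A peer that never handshaked prints no 'latest handshake' line,
            # so handshake_age stays None and the peer counts as disconnected.
            peers[current] = {"allowed_ips": [], "endpoint": None, "handshake_age": None}
        elif current is not None and ":" in stripped:
            # split on the first colon only: endpoints contain a second one (host:port)
            key, value = (part.strip() for part in stripped.split(":", 1))
            if key == "latest handshake":
                peers[current]["handshake_age"] = parse_handshake_age(value)
            elif key == "allowed ips":
                peers[current]["allowed_ips"] = [ip.strip() for ip in value.split(",")]
            elif key == "endpoint":
                peers[current]["endpoint"] = value
    return peers


def is_connected(peer, max_age=MAX_HANDSHAKE_AGE):
    age = peer["handshake_age"]
    return age is not None and age <= max_age


def connection_report(output, names=PEER_NAMES, max_age=MAX_HANDSHAKE_AGE):
    """Map each peer to 'up'/'down', keyed by its configured name (or public key)."""
    report = {}
    for pubkey, peer in parse_wg_show(output).items():
        name = pubkey
        for cidr in peer["allowed_ips"]:
            name = names.get(cidr.split("/")[0], name)
        report[name] = "up" if is_connected(peer, max_age) else "down"
    return report


if __name__ == "__main__":
    for name, state in connection_report(SAMPLE_STATUS).items():
        print(f"{name}: {state}")
```

The 180-second threshold is deliberately generous: WireGuard only re-handshakes when there is traffic (or every 25 seconds with persistent keepalive, as in the status above), so a shorter window will flag idle but otherwise healthy peers as down.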

@mattlward Maybe this also helps you to show the status of the connection.

I will test this asap. Thanks for the input.

This monitor seems to work well! I will keep an eye on it for a few days and pass on any failures.

I did change disconnected and connected to down and up so it would fit a 4 or 5 column glance card well.

Thanks Matt

1 Like

I am trying to turn off the persistent keepalive but have this problem:

The config does not accept the term

peers:
  - name: phone
    addresses:
      - 172.27.66.2
    allowed_ips: []
    client_allowed_ips: []
    persistent_keep_alive: 'off'

Failed to save addon configuration, not a valid value for dictionary value @ data[‘options’].

edit
Seems like it does accept ‘0’ though

Hi @frenck,
Is it possible to add the capability for your add-on to work as both a "server" and a "client"? Connecting HA instances via VPN is a really useful thing to do. ZeroTier is good but uses a lot of data just keeping the connection alive. WireGuard would be perfect if you could make your remote instance behave like your phone or device.

Love your work!

Hi,

If I understand it correctly, if I already have a paid VPN service (on my phone, for instance), this add-on is not for me, right?
Or will it allow me to access other devices on my home network as if I was home myself ?

Regards.

This addon will turn your HA instance into a VPN server and allow clients to connect to it. A paid VPN to mask your IP is different.

OK, but I can only have one at once, so if I use one I have to disconnect from the other; that's what I meant by saying "have to choose".
Are some of you only connecting to HA through the Wireguard add-on and have totally removed external access via HTTPS ?

No, not with WireGuard. The WG "server" needs a DuckDNS address or similar to resolve your IP. Have a look at ZeroTier. That will run fine without a DuckDNS address and you can set up multiple networks to access your instance.

Great thanks

Just tried this, and everything appears to act as expected, except for no data being transferred on my phone. This is my setup; I added Google DNS as I suspected the Pi-hole DNS could be the issue:

server:
  host: myurl.duckdns.org
  addresses:
    - 10.10.10.1
  dns:
    - 172.30.32.1
    - 8.8.8.8
peers:
  - name: mymob
    addresses:
      - 10.10.10.2
    allowed_ips: []
    client_allowed_ips: []
  - name: mylaptop
    addresses:
      - 10.10.10.3
    allowed_ips: []
    client_allowed_ips: []

Anything obvious here? The IP range is 192.168.1.x in my local network. This is from the log:

[14:05:57] INFO: Requesting current status from WireGuard...
interface: wg0
  public key: trololololololohahaha
  private key: (hidden)
  listening port: 51820
peer: trololololololohahaha-no1
  endpoint: 77.18.51.214:14889
  allowed ips: 10.10.10.2/32
  latest handshake: 1 minute, 50 seconds ago
  transfer: 101.38 KiB received, 15.41 KiB sent
  persistent keepalive: every 25 seconds
peer: trololololololohahaha-no2
  allowed ips: 10.10.10.3/32
  persistent keepalive: every 25 seconds

EDIT: Removed the DNS server, and now it works, but obviously doesn't block ads. In the Pi-hole add-on, I keep seeing 200 192.168.1.1, 172.30.32.1(172.30.32.2) GET ..., which makes me think that 172.30.32.1 should be correct. Yes, I do re-scan the QR code, and Private DNS is turned off. Anybody?

I was finally able to get WireGuard working as a full tunnel.

But I have yet to set it up as a split tunnel.

I tried this

Your allowed IPs don't include the internal Docker network used by Home Assistant. Hence, traffic goes nowhere.

Add:

- 172.16.32.0/24
- 172.16.33.0/24

and also added my LAN IP range = 192.168.1.0/24

but I can only access the local network this way. Nothing else connects through my actual internet.

server:
  host: <url>
  addresses:
    - 10.10.10.1
  dns:
    - 172.30.32.1
peers:
  - name: phone
    addresses:
      - 10.10.10.2
    allowed_ips: []
    client_allowed_ips: []

This works for me and tunnels everything.
DNS is pointing to the AdGuard add-on.
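The split-tunnel problem described above comes down to one rule: a client only sends traffic into the tunnel for destinations covered by its AllowedIPs, so the DNS server the add-on hands out (172.30.32.1 here) must fall inside one of those ranges or name resolution silently goes nowhere. As an added example (not the add-on's own code), the Python below derives a client's AllowedIPs from client_allowed_ips and flags any DNS server that would not be routed through the tunnel. It assumes, as the "tunnels everything" config above suggests, that an empty client_allowed_ips means 0.0.0.0/0; the Supervisor network 172.30.32.0/23, the 192.168.1.0/24 LAN and the 10.10.10.0/24 tunnel range are assumptions taken from the addresses quoted in this thread, and the server public key in the rendered [Peer] section is a placeholder.

```python
import ipaddress

# Assumption (matches the "tunnels everything" config in the thread): an empty
# client_allowed_ips list means the client routes all traffic via the tunnel.
FULL_TUNNEL = ["0.0.0.0/0"]

# Assumed networks, taken from the addresses quoted in this thread.
HOME_LAN = "192.168.1.0/24"
SUPERVISOR_NET = "172.30.32.0/23"   # where 172.30.32.1 (the add-on DNS) lives
TUNNEL_NET = "10.10.10.0/24"
SPLIT_TUNNEL = [TUNNEL_NET, HOME_LAN, SUPERVISOR_NET]


def client_allowed_ips(configured):
    """AllowedIPs the client will get: everything if the list is empty."""
    if not configured:
        return list(FULL_TUNNEL)
    # strict=False accepts host-style entries such as 192.168.1.5/24
    return [str(ipaddress.ip_network(n, strict=False)) for n in configured]


def unreachable_dns(dns_servers, allowed_ips):
    """DNS servers no AllowedIPs entry covers; queries to them bypass the tunnel."""
    nets = [ipaddress.ip_network(n) for n in allowed_ips]
    return [d for d in dns_servers
            if not any(ipaddress.ip_address(d) in net for net in nets)]


def check_peer(server_dns, configured_allowed_ips):
    """Return (allowed_ips, problems) for one peer of the add-on config."""
    allowed = client_allowed_ips(configured_allowed_ips)
    problems = [f"DNS {d} is not covered by AllowedIPs {', '.join(allowed)}"
                for d in unreachable_dns(server_dns, allowed)]
    return allowed, problems


def render_client_peer_section(server_host, server_port, allowed_ips, keepalive=25):
    """Client-side [Peer] block in wg-quick syntax (public key is a placeholder)."""
    lines = [
        "[Peer]",
        "PublicKey = <server public key>",
        f"Endpoint = {server_host}:{server_port}",
        f"AllowedIPs = {', '.join(allowed_ips)}",
    ]
    if keepalive:
        lines.append(f"PersistentKeepalive = {keepalive}")
    return "\n".join(lines)


if __name__ == "__main__":
    dns = ["172.30.32.1"]
    for label, configured in [("full tunnel", []),
                              ("split, LAN only", [HOME_LAN, TUNNEL_NET]),
                              ("split, LAN + supervisor", SPLIT_TUNNEL)]:
        allowed, problems = check_peer(dns, configured)
        print(f"{label}: AllowedIPs = {', '.join(allowed)}")
        for p in problems:
            print("  WARNING:", p)
        print(render_client_peer_section("myurl.duckdns.org", 51820, allowed))
```

The same check explains the earlier report of a phone with no data: with a full tunnel everything is routed, so both 172.30.32.1 and 8.8.8.8 are reachable; with a split tunnel listing only the LAN, the add-on's DNS address is outside AllowedIPs and no name resolves even though the tunnel is up.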

These may be dumb questions but here goes…

  • Now that I am connected and there is traffic in the add-on log does this mean that everything is going through WireGuard and is now secure including surfing the web?
  • What URL should I be using in the iOS app and on my desktop? Can I still use my https://xxx.duckdns.org URL or should I be using https://homeassistant:8123? And can I use https since I am using the duckdns.org add-on with SSL?
  • Do I still need all these ports to be forwarded on my router for things like Configurator (port: 3218), Influxdb (port: 8086) and Node-Red (port: 1880)?

Any answers to these questions would be great as I want to keep my HA as secure as possible.

Is there any way to configure this add-on also as site-to-site vpn? I need to connect my HA server to other location’s LAN over internet to integrate smart devices and HUE bridge there with my HA. So I’m curious that can I do it via this add-on or do I need full WireGuard installation on both locations? Any help and advice is highly appreciated, thanks!

Anyway, this add-on is already awesome and I love it with my smartphone. There is only one dilemma for me though: I'm using an Android smartphone and the WireGuard app doesn't have an on-demand option on Android. I don't have a NAT hairpinning / loopback option on my router either, so is there any sensible configuration that makes it work within my Wi-Fi network as well, without toggling the tunnel on/off every time I connect to or disconnect from Wi-Fi? I use AdGuard as well and want to use it all the time, so for now I just keep my smartphone disconnected from Wi-Fi and the VPN tunnel always on to get everything routed as needed. I would prefer Wi-Fi though, because it consumes less battery on the phone.