Home Assistant Community Add-on: WireGuard

Connecting two (or more) hassio Raspberry Pis over the internet, one of them with a public IP address (“Server”). My little attempt.

“Server” (public IP, domain name) config:

server:
  host: server_domain_name_or_IP
  addresses:
    - 172.27.66.1
  dns: []
peers:
  - name: laptopdell7
    addresses:
      - 172.27.66.5
    allowed_ips: []
    client_allowed_ips: []
  - name: hassio3
    addresses:
      - 172.27.66.6
    allowed_ips: []
    client_allowed_ips: []

“Client” config (192.168.1.6 - hassio local IP):

server:
  host: hassio3
  addresses:
    - 172.27.66.6
  private_key: hassio3_private_key
  post_up: iptables -t nat -A PREROUTING -j DNAT --to-destination 192.168.1.6; iptables -t nat -A POSTROUTING -j MASQUERADE
  post_down: iptables -t nat -D PREROUTING -j DNAT --to-destination 192.168.1.6; iptables -t nat -D POSTROUTING -j MASQUERADE
  dns: []
peers:
  - name: any_server_description
    addresses:
      - 172.27.66.1
    public_key: server_public_key
    allowed_ips:
      - 172.27.66.0/24
    client_allowed_ips: []
    persistent_keep_alive: 25
    endpoint: 'server_domain_name_or_IP:51820'

And Hassio3 is accessible to laptopdell7 at 172.27.66.6.

I tried something similar to connect two rpi running the WireGuard add-on, but it is not working:

server conf:

server:
  host: external ip
  addresses:
    - 172.27.66.1
  dns: []
peers:
  - name: hassos-server
    addresses:
      - 172.27.66.6
    allowed_ips: []
    client_allowed_ips: []

Client conf:

server:
  host: hassos-server
  addresses:
    - 172.27.66.6
  private_key: private key from server
  post_up: >-
    iptables -t nat -A PREROUTING -j DNAT --to-destination 192.168.200.202;
    iptables -t nat -A POSTROUTING -j MASQUERADE
  post_down: >-
    iptables -t nat -D PREROUTING -j DNAT --to-destination 192.168.200.202;
    iptables -t nat -D POSTROUTING -j MASQUERADE
  dns: []
peers:
  - name: server
    addresses:
      - 172.27.66.1
    public_key: public key from server
    allowed_ips:
      - 172.27.66.0/24
    client_allowed_ips: []
    persistent_keep_alive: 25
    endpoint: 'external ip:51820'

On server side I opened port 51820/udp on my router.

Any idea why it is not working?

Did you just open the port, or open it and forward it to the rpi? Does the WAN interface of the router have a public IP? Can you give a log from the server or the client?

@itcgma sorry for delay.

I opened and forwarded the port to the rpi on the server side. Is this correct, or must I do the same on the client side?

Yes, the router has a public IP.

Here is log:

server:

[20:54:05] INFO: Requesting current status from WireGuard...
interface: wg0
  public key: 5TR0f/26ecyXemzJtDZ7JeJ3bUclG31bnYN0KYyVRgk=
  private key: (hidden)
  listening port: 51820
peer: GpasgrZLAqdeLYs50bgZzPev0rXiPvZXv9uiUsh0iVM=
  allowed ips: 172.27.66.5/32
  persistent keepalive: every 25 seconds
peer: 9tQA2V+YR3fpCF9aOk4MgWCQ01UTE79xVD6ZXja4g3E=
  allowed ips: 172.27.66.6/32
  persistent keepalive: every 25 seconds

client:

[20:55:17] INFO: Requesting current status from WireGuard...
interface: wg0
  public key: 5TR0f/26ecyXemzJtDZ7JeJ3bUclG31bnYN0KYyVRgk=
  private key: (hidden)
  listening port: 51820

No, the client is behind NAT; it has no public IP and no forwarding. Otherwise it’s not interesting ;) Your config looks quite correct. But client and server don’t see each other. My server hassio is on Ubuntu Server and all IP ports are opened on it. I can ping my Ubuntu server on its public IP and check the functionality of other services on this computer. Are you sure your server rpi is accessible from the internet?

Yes. I am sure.

I tested on my Android phone and it is working.

Thx @itcgma. It’s working.

I had the wrong private key on the client :slight_smile:

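A check that would have caught this from the two `wg show` outputs posted above (the client reports the same interface public key as the server and lists no peer at all), as an added example that is not code from this thread or from the add-on. X25519 is implemented from RFC 7748 in plain Python so a WireGuard public key can be derived from a private key offline without extra modules; `SERVER_SHOW` and `CLIENT_SHOW` are the status outputs quoted above, nothing else is taken from the thread.

```python
"""Cross-check WireGuard keys the way this thread's `wg show` log should have been checked.

Added example, not code from the thread or from the add-on. X25519 follows
RFC 7748 in pure Python so a public key can be derived from a private key
offline; SERVER_SHOW / CLIENT_SHOW are the two status outputs quoted above.
"""
import base64
import re

P = 2**255 - 19                      # Curve25519 field prime
A24 = 121665                         # (486662 - 2) / 4
BASEPOINT = (9).to_bytes(32, "little")


def x25519(scalar: bytes, u_bytes: bytes) -> bytes:
    """RFC 7748 X25519(k, u): 32-byte little-endian u-coordinate of k*u.
    The swap is a plain branch (not constant time); fine for an offline check."""
    k = bytearray(scalar)
    k[0] &= 248
    k[31] &= 127
    k[31] |= 64                      # clamp the scalar, as Curve25519 requires
    k = int.from_bytes(k, "little")
    u = int.from_bytes(u_bytes, "little") & ((1 << 255) - 1)
    x2, z2, x3, z3, swap = 1, 0, u, 1, 0
    for t in range(254, -1, -1):     # Montgomery ladder, top bit first
        kt = (k >> t) & 1
        swap ^= kt
        if swap:
            x2, x3, z2, z3 = x3, x2, z3, z2
        swap = kt
        a, b = (x2 + z2) % P, (x2 - z2) % P
        aa, bb = a * a % P, b * b % P
        e = (aa - bb) % P
        c, d = (x3 + z3) % P, (x3 - z3) % P
        da, cb = d * a % P, c * b % P
        x3 = (da + cb) ** 2 % P
        z3 = u * (da - cb) ** 2 % P
        x2 = aa * bb % P
        z2 = e * (aa + A24 * e) % P
    if swap:
        x2, x3, z2, z3 = x3, x2, z3, z2
    return (x2 * pow(z2, P - 2, P) % P).to_bytes(32, "little")


def public_key(private_key_b64: str) -> str:
    """Base64 WireGuard public key belonging to a base64 WireGuard private key."""
    priv = base64.b64decode(private_key_b64)
    if len(priv) != 32:
        raise ValueError("WireGuard keys are 32 bytes")
    return base64.b64encode(x25519(priv, BASEPOINT)).decode()


def parse_wg_show(text: str) -> dict:
    """Interface public key and peer public keys from `wg show` output."""
    m = re.search(r"^\s*public key:\s*(\S+)", text, re.M)
    return {"public_key": m.group(1) if m else None,
            "peers": re.findall(r"^\s*peer:\s*(\S+)", text, re.M)}


def cross_check(server_show: str, client_show: str) -> list:
    """Findings about the two status outputs; an empty list means they pair up."""
    s, c = parse_wg_show(server_show), parse_wg_show(client_show)
    findings = []
    if s["public_key"] == c["public_key"]:
        findings.append("both interfaces have the same public key: "
                        "the client was given the server's private key")
    if c["public_key"] not in s["peers"]:
        findings.append("server has no peer with the client's key " + str(c["public_key"]))
    if s["public_key"] not in c["peers"]:
        findings.append("client has no peer with the server's key " + str(s["public_key"]))
    return findings


# The two `wg show` outputs quoted in this thread (private keys hidden there too).
SERVER_SHOW = """interface: wg0
  public key: 5TR0f/26ecyXemzJtDZ7JeJ3bUclG31bnYN0KYyVRgk=
  private key: (hidden)
  listening port: 51820
peer: GpasgrZLAqdeLYs50bgZzPev0rXiPvZXv9uiUsh0iVM=
  allowed ips: 172.27.66.5/32
peer: 9tQA2V+YR3fpCF9aOk4MgWCQ01UTE79xVD6ZXja4g3E=
  allowed ips: 172.27.66.6/32
"""
CLIENT_SHOW = """interface: wg0
  public key: 5TR0f/26ecyXemzJtDZ7JeJ3bUclG31bnYN0KYyVRgk=
  private key: (hidden)
  listening port: 51820
"""

if __name__ == "__main__":
    for finding in cross_check(SERVER_SHOW, CLIENT_SHOW):
        print("-", finding)
```

Run against the thread's log it reports all three findings; for a correctly paired server and client it prints nothing. `public_key()` is the part to use before starting the tunnel: paste the `private_key` you configured on one side and compare the result with the `public_key` in the other side's peer entry, which is exactly the mix-up that cost this thread a day.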

I have another problem.

If I connect with the Android phone I can ping all machines in 172.27.66.0/24 and 192.168.0.0/24.

If I connect with the hassio client I can only ping machines in 172.27.66.0/24.

Any idea why I can’t ping machines in 192.168.0.0/24 from the hassio client?

ping freezes at the first line, like this:

firstLline

Try adding this subnet to allowed_ips (client side).

Accessing another host on the client side:

 post_up: iptables -t nat -A PREROUTING -p tcp --dport 80:8123 -j DNAT --to-destination 192.168.1.6; iptables -t nat -A PREROUTING -p tcp --dport 8321 -j DNAT --to-destination 192.168.1.1:80; iptables -t nat -A POSTROUTING -j MASQUERADE
 post_down: iptables -t nat -D PREROUTING -p tcp --dport 80:8123 -j DNAT --to-destination 192.168.1.6; iptables -t nat -D PREROUTING -p tcp --dport 8321 -j DNAT --to-destination 192.168.1.1:80; iptables -t nat -D POSTROUTING -j MASQUERADE

I tried adding it like this but it is not working:

    allowed_ips:
      - 172.27.66.0/24
      - 192.168.0.0/24

I don’t have any device on that IP, 192.168.1.1:80.

192.168.1.1 is not in your allowed subnet 192.168.0.0/24.
Either change 192.168.0.0/24 to 192.168.1.0/24 or, on the off chance you need it, change it to 192.168.0.0/16.

Can’t get the DNS thing running. My tunnel is up and I can get to my HA over the tunnel (ping works too).

But when trying to use HA’s AdGuard as DNS, I don’t get any response. In AdGuard’s log I can see the request from my client, so I guess that the iptables rules of the WireGuard add-on are simply dropping the DNS response on its way to the client.

This works neither with my internal LAN IP nor with the Docker IP of AdGuard. As I said: accessing HA is possible, so that’s pretty weird.

Why? The device I want to have on the same network is 192.168.0.198, and my connecting hassos client has IP 192.168.11.1.

Because /24 will only match on the last octet, and you need a 16-bit /16 mask, not /24, with those two addresses.

I tried, but it is still not working:

Here is my whole client config:

server:
  host: ha-mp-lasko-dn-sp
  addresses:
    - 172.27.66.6
  private_key: wg-private-key
  post_up: >-
    iptables -t nat -A PREROUTING -j DNAT --to-destination 192.168.11.1;
    iptables -t nat -A POSTROUTING -j MASQUERADE
  post_down: >-
    iptables -t nat -D PREROUTING -j DNAT --to-destination 192.168.11.1;
    iptables -t nat -D POSTROUTING -j MASQUERADE
  dns: []
peers:
  - name: rimske
    addresses:
      - 172.27.66.1
    public_key: wg-public-key
    allowed_ips:
      - 172.27.66.0/24
      - 192.168.0.0/16
    client_allowed_ips: []
    persistent_keep_alive: 25
    endpoint: 'my-external-ip:51820'
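The two checks this thread reaches by trial and error, as an added example that is not the add-on's own code: whether a destination is inside a peer's `allowed_ips` (192.168.1.1 is not inside 192.168.0.0/24, which is why the earlier /24 entry changed nothing), and how blanket the `post_up` DNAT rule from the configs above is. `allowed_ips` is WireGuard's cryptokey routing table: outgoing packets are sent to the peer only if their destination is inside it, and incoming packets from the peer are accepted only if their source is. The config below is the client config just posted, written as Python dicts so no YAML parser is needed; the target host 192.168.0.198, the client's own LAN 192.168.11.0/24, the `wg0` interface name, port 8123 and the scoped replacement rules are assumptions for illustration.

```python
"""Lint a WireGuard add-on client config for the mistakes discussed in this thread.

Added example, not the add-on's own code. CLIENT_CFG mirrors the YAML keys
used in the thread; the target host (192.168.0.198), the client's own LAN
(192.168.11.0/24) and the scoped iptables rules are assumptions.
"""
import ipaddress
import re


def covered_by_allowed_ips(target: str, allowed_ips: list) -> bool:
    """True if `target` (host or prefix) is routed to the peer by allowed_ips."""
    t = ipaddress.ip_network(target, strict=False)
    nets = [ipaddress.ip_network(n, strict=False) for n in allowed_ips]
    return any(t.subnet_of(n) for n in nets if n.version == t.version)


def smallest_covering_prefix(addr_a: str, addr_b: str) -> str:
    """Tightest single IPv4 prefix containing both hosts (e.g. /20, not a blanket /16)."""
    b = ipaddress.ip_address(addr_b)
    for plen in range(32, -1, -1):
        net = ipaddress.ip_network(f"{addr_a}/{plen}", strict=False)
        if b in net:
            return str(net)
    raise ValueError("no common prefix")  # unreachable: /0 contains everything


def scoped_dnat_rules(lan_host: str, port: int, tunnel_net: str, wg_iface: str = "wg0") -> list:
    """Narrow replacement for the blanket `-j DNAT`: only TCP traffic that arrived
    on the tunnel interface, from a tunnel address, for one port is redirected."""
    return [
        f"iptables -t nat -A PREROUTING -i {wg_iface} -s {tunnel_net} -p tcp --dport {port} "
        f"-j DNAT --to-destination {lan_host}:{port}",
        f"iptables -t nat -A POSTROUTING -d {lan_host} -p tcp --dport {port} -j MASQUERADE",
    ]


def lint_client_config(cfg: dict, want_to_reach: list, local_lan: str) -> list:
    """Findings for a client config; empty means nothing the thread hit applies."""
    findings = []
    local = ipaddress.ip_network(local_lan, strict=False)
    for peer in cfg["peers"]:
        allowed = peer.get("allowed_ips", [])
        for target in want_to_reach:
            if not covered_by_allowed_ips(target, allowed):
                findings.append(f"peer {peer['name']}: {target} is not inside allowed_ips {allowed}")
        for net in allowed:
            if ipaddress.ip_network(net, strict=False).overlaps(local):
                findings.append(f"peer {peer['name']}: allowed_ips {net} overlaps the client's own "
                                f"LAN {local_lan}; traffic for local hosts would go into the tunnel")
    # A DNAT rule with no -i, -s or --dport match rewrites every packet that enters.
    for rule in re.split(r";\s*", cfg["server"].get("post_up", "")):
        if "-j DNAT" in rule and not re.search(r"(^|\s)-[is]\s|--dport", rule):
            findings.append("post_up: DNAT rule has no -i/-s/--dport match: " + rule.strip())
    return findings


# The client config posted above, as dicts (hostnames and keys are placeholders).
CLIENT_CFG = {
    "server": {
        "host": "ha-mp-lasko-dn-sp",
        "addresses": ["172.27.66.6"],
        "private_key": "wg-private-key",
        "post_up": "iptables -t nat -A PREROUTING -j DNAT --to-destination 192.168.11.1; "
                   "iptables -t nat -A POSTROUTING -j MASQUERADE",
        "dns": [],
    },
    "peers": [{
        "name": "rimske",
        "addresses": ["172.27.66.1"],
        "public_key": "wg-public-key",
        "allowed_ips": ["172.27.66.0/24", "192.168.0.0/16"],
        "client_allowed_ips": [],
        "persistent_keep_alive": 25,
        "endpoint": "my-external-ip:51820",
    }],
}

if __name__ == "__main__":
    for finding in lint_client_config(CLIENT_CFG, ["192.168.0.198"], "192.168.11.0/24"):
        print("-", finding)
    print("tightest prefix covering both hosts:",
          smallest_covering_prefix("192.168.0.198", "192.168.11.1"))
    print("\n".join(scoped_dnat_rules("192.168.11.1", 8123, "172.27.66.0/24")))
```

On the posted config this reports two things: 192.168.0.0/16 overlaps the client's own 192.168.11.0/24, so if routes are installed for `allowed_ips` (as wg-quick does) the DNAT target 192.168.11.1 itself is routed into the tunnel, and the `PREROUTING` rule redirects every packet that enters the add-on's network namespace, not just tunnel traffic. Put only the remote LAN you need to reach in `allowed_ips` (here 192.168.0.0/24 is enough for 192.168.0.198), and scope the NAT rules to `-i wg0` and the ports you actually expose.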

Hi,

Is it possible to mask the public IP, like a paid VPN?

Thank you !

Hi Franck,

Working like a charm. One Pi less than with the OpenVPN solution I was running. :grin:
Thanks for all your amazing addons! :+1:

Cheers!