Firstly I’m sure this is more my ignorance / lack of understanding but I was hoping someone could point me in the right direction.
I’ve installed the add-on and forwarded port 51820.
I’ve used the below (with added comments) and used the generated QR code with WireGuard on my phone.
{
  "server": {
    "host": "xxxxx.duckdns.org", # I used my duckdns address here which is registered correctly to my IP when I log into duckdns; I can also access my HA with this, so all should be good here.
    "addresses": [
      "10.10.10.1" # Assume this is the address used for the VPN and peer addresses should follow this format.
    ],
    "dns": [
      "1.1.1.1", # Taken from the example, but once I get this working I would like to route through Pi-hole (run as an add-on on HA). I don't fully appreciate this part as my physical network is in the format of 192.168.1.0; I don't get how this translates over to being used here.
      "1.0.0.1"
    ]
  },
  "peers": [
    {
      "name": "Phone",
      "addresses": [
        "10.10.10.2" # Taken to be the IP assigned to my phone (device I will connect with).
      ],
      "allowed_ips": [],
      "client_allowed_ips": [
        "10.10.10.0/24", # Added for the connection.
        "192.168.1.0/24" # Added as I have other devices on 192.168.1.0 that I would like to see when connected.
      ]
    }
  ],
  "log_level": "info"
}
WireGuard says it’s connected but everything seems as if it isn’t. If I check my IP, it’s still my 4G IP. If I check my ISP it’s still my mobile provider. Lastly I cannot log onto anything local (192.168.1…).
I have tried leaving client allowed IPs blank (my understanding is that this allows any IP, i.e. 0.0.0.0/24); however, when I do this it just kills off the internet completely.
I fully appreciate it’s me doing something wrong, I hope someone can point me in the right direction.
is it an ipv4 or ipv6 address behind that duckdns domain and is your peer able to connect to that protocol variant?
your configuration looks okay to me. personally i would replace 10.10.10.0/24 with 10.10.10.1/32 in client_allowed_ips. technically your variant should also work but i don’t see a benefit in connecting to anything other than the server itself in that net…
anything in the add-ons’ log that is worth mentioning?
and you are certain your ISP allows the usage of 51820/udp and does not block that port?
what is displayed as “Allowed IPs” in the client on your phone? is it 10.10.10.0/24, 192.168.1.0/24 and if it is can you try if it helps to change it to 10.10.10.1/32, 192.168.1.0/24 (no need to change anything on the server side to do that)…
does the client on your phone display a value greater than zero for rx or is this only true for tx?
are you able to ping 10.10.10.1 from your phone or (if these tools are not available for you there) are you able to test that with a different device?
since i’m not a user of this add-on (i’m using home assistant core on docker) there might be something fundamental i’m missing here but since you are using IPv4 only this should work…
are you using hassos as the underlying system or are you running home assistant on a generic linux installation? if it’s the latter: did you enable ip forwarding on the host?
Secondly I must apologise, as it wasn’t working due to a user error on my side.
A while back I changed my modem from “modem” mode to “router” mode and completely forgot I had done so. I forwarded the ports on my router but not on the “modem” router. I didn’t think about this as all my other servers were accessible from outside my network (because I had set them all up on the modem when I originally swapped over from “modem” mode to “router” mode).
Sorry for wasting your time!
Now just to sort out the DNS to work with Pi-Hole.
as long as pi-hole is part of that same ip address range (in your case 192.168.1.*) you should be able to configure that ip as dns in your phone’s wireguard client and are ready to go.
you are currently using a split-tunnel configuration. everything that points to an IP of the range mentioned above will be tunneled through your server, anything else will use a direct connection from your phone.
if you want to use the tunnel exclusively, reconfigure your phone’s client and set allowed ips to 0.0.0.0/0 (it’s /0, not /24 as in your first post) and everything will be routed through it (as long as it is IPv4).
if you want to tunnel IPv6 too, then enter 0.0.0.0/0, ::/0 as allowed ips in your phone’s wireguard client.
i’m not sure if the add-on is capable of handling IPv6 connections though…
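An added example (not from this thread or the add-on) that models the point made above in Python: a WireGuard client only routes destinations that fall inside its AllowedIPs prefixes, so "0.0.0.0/24" covers just 256 addresses while "0.0.0.0/0" covers everything IPv4, and a LAN DNS server such as Pi-hole is only reachable through the tunnel if its address is covered too. The probe addresses and the `describe` helper are constructed for illustration.

```python
import ipaddress


def parse_allowed_ips(spec):
    """Parse an AllowedIPs value as the phone client shows it,
    e.g. "10.10.10.0/24, 192.168.1.0/24" or "0.0.0.0/0, ::/0"."""
    return [ipaddress.ip_network(s.strip(), strict=False)
            for s in spec.split(",") if s.strip()]


def tunneled(dst, allowed):
    """True if dst matches any AllowedIPs prefix. The client installs one
    route per prefix, so only matching destinations enter the tunnel;
    everything else leaves the phone directly (split tunnel)."""
    ip = ipaddress.ip_address(dst)
    return any(ip in net for net in allowed if net.version == ip.version)


def dns_inside_tunnel(dns, allowed):
    """A DNS server on the home LAN (e.g. Pi-hole at 192.168.1.x) can only be
    queried over the VPN if AllowedIPs covers its address."""
    return tunneled(dns, allowed)


def describe(spec, probes=("1.1.1.1", "192.168.1.50", "10.10.10.1",
                           "2606:4700:4700::1111")):
    """Map each constructed probe address to whether it would be tunneled."""
    allowed = parse_allowed_ips(spec)
    return {p: tunneled(p, allowed) for p in probes}


if __name__ == "__main__":
    for spec in ("10.10.10.0/24, 192.168.1.0/24",  # split tunnel from the thread
                 "0.0.0.0/24",                     # the /24 mistake: almost nothing
                 "0.0.0.0/0",                      # full tunnel, IPv4 only
                 "0.0.0.0/0, ::/0"):               # full tunnel, IPv4 + IPv6
        print(f"{spec:32} -> {describe(spec)}")
```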
Thanks for this, I’ve tried what you’ve said but I can only access my local network when I do this.
{
  "server": {
    "host": "xxxxx.duckdns.org",
    "addresses": [
      "10.10.10.1"
    ],
    "dns": [
      "192.168.1.xxx" # I put the static IP address that Pi-hole is running on and that I use to route my home PC (which obviously works).
    ]
  },
  "peers": [
    {
      "name": "Phone",
      "addresses": [
        "10.10.10.2"
      ],
      "allowed_ips": [],
      "client_allowed_ips": [
        "0.0.0.0/0"
      ]
    }
  ],
  "log_level": "info"
}
From looking through the main page for it, this seems like an issue a lot of people are having. Having said this, from the wording it would seem more likely that it is people like myself not fully understanding it rather than there being an issue with the add-on.
I think you are not altering the DNS your peer (the phone) is using. This setting only changes the DNS the server uses.
Open the WireGuard client on your phone and have a look at the configuration details where all the settings are listed. I doubt you’ll find this DNS there (again: I’m just a WireGuard user and not using the add-on myself).
No, I changed it on both. If I change it to 1.1.1.1 (on the phone) I can access internet and local; if I change it to 192.168.1.XXX only local works (this is off a 4G connection). Thanks for the suggestion though, and for your time, very kind.
Pi-Hole, HA & WireGuard are all hosted on the same Pi 3b (all the same ip 192.168.1.XXX). It’s like it can’t use the host of WireGuard as the same IP as the DNS Server (PiHole).
But you had to configure the desired DNS manually on your phone right?
Can you try to use your router’s DNS on your phone to indicate if it works in general? I’d like to know if this problem is Pi-hole related or if it’s still something WireGuard related…
Good to hear. I would have found it confusing if that DNS setting had influenced the peer config…
So if I understand it correctly, everything WireGuard related now works as desired functionality-wise and only Pi-hole is refusing to serve your requests…
Maybe check that add-on’s logs then to get any hints? Maybe it is refusing to serve you because of the IP you’re asking with (10.*)? Since I never used Pi-hole I doubt I can be of any help there… Sorry
Edit: For anyone who comes across this the answer is
“If you are running the Pi-hole add-on and facing DNS issues when connected through WireGuard, make sure the option Listen on all interfaces is selected in Pi-hole. This option is located under Settings > DNS > Interface listening behavior.”