New Wireguard VPN web UI addon

I forked a repository for an old WireGuard UI add-on and updated it to use a different wg UI client.

I thought I would share it since I struggled to find a nice UI and instead ended up creating a new integration.

Finally got multi-user mode working. I had to deep dive into nginx. Home Assistant ingress only allows a single Set-Cookie header. WireGuard UI sends two Set-Cookie headers.

I configured nginx to combine the cookies when sending from backend to frontend. nginx also handles splitting the combined cookie into multiple cookies when sending from frontend to backend.

Mobile client screenshots

  • Multi-user mode works.
  • Dark mode UI patch included; for screenshots see the Dark mode UI pull request.
  • DMZ subnet feature added. You can allow friends and family to route traffic through your home without granting them LAN access.
  • AdGuard through Home Assistant support has been added.

DMZ subnet now configured for the user by default initially. This makes it much easier to use.

There are two networks out of the box:

  • Home - WireGuard access to Home Assistant and your LAN.
  • DMZ Network - WireGuard access to your location so friends and family can masquerade traffic from your house. No access to LAN or Home Assistant. This only provides internet access to the WireGuard users. Home Assistant DNS resolving is still available (for example, users are still protected by AdGuard).

Another major update.

  • Telegram, SendGrid, and Email configuration available
  • Some configurations were converted to a List to be more versatile. Unfortunately, 1.1.117 breaks configuration for existing users. I will avoid this in the future; it was part of my first add-on learning curve. How to fix during migration.
  • Multiple DMZ subnets now supported.
  • DMZ Allowances feature added. For example, you can grant an IP in the DMZ or create a separate DMZ which can access Home Assistant. Allowance rules only affect DMZ networks.
  • Previously, access to Home Assistant DNS was granted to DMZ. This access has been converted to a DMZ Allowance rule, meaning you can opt out of this default by removing the access.

WireGuard UI now has a sane network layout out of the box. This is a nice solution which enables the user to configure more advanced networking as needed.

I have added lots of local infrastructure tests which help prevent me from breaking the add-on in the future by mistake.

Latest release 1.1.123

Another significant update. This update pushes the add-on to be advanced enough that you can now set up multi-site WireGuard networks with only the Home Assistant add-on. For example, having Home Assistant in multiple homes.

Isolated subnets and more

New features:

  • ICMP ping to LAN addresses is configurable for DMZ.
  • Isolated subnets available (no network access when connected).
  • DMZ and Isolated subnets can now optionally allow established and related traffic via config.
  • Isolated Allowances available, which function similarly to DMZ Allowances.
  • Allowance rules support new format src_net|dst_net.

Bug fixes:

  • Subnet Ranges supports comma-separated network addresses. The example in the documentation failed regex validation. The regex was fixed.

Other:

  • Add-on renamed, changing Wireguard to WireGuard.
  • Fix DOCS examples. Source IP or network is always defined.
  • Added ICMP example to DOCS.
  • All CIDR regexes in the configuration schema and scripts have been tightened.
  • Documented isolated networks.

Current release 1.1.131
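
The cookie merge and split described near the top of this thread, modelled in Python as an added example that is not part of the original posts and is not the add-on's nginx configuration. The cookie names, the merged cookie's encoding and the attribute set are assumptions made for illustration; the point is that the split side should accept backend cookies only from the merged cookie and validate every decoded value before forwarding it.

```python
import base64
import re

# Assumptions for this sketch (not taken from the add-on): cookie names and encoding.
COMBINED = "ingress_session"
BACKEND_COOKIES = ("session", "session_token")
B64 = re.compile(r"[A-Za-z0-9_-]+")
COOKIE_OCTETS = re.compile(r"[\x21\x23-\x2b\x2d-\x3a\x3c-\x5b\x5d-\x7e]+")  # RFC 6265
ATTRS = "Path=/; HttpOnly; SameSite=Lax"  # one header means one attribute set for all

def enc(value):
    return base64.urlsafe_b64encode(value.encode()).decode().rstrip("=")

def dec(blob):
    return base64.urlsafe_b64decode(blob + "=" * (-len(blob) % 4)).decode()

def combine(set_cookie_values):
    """Backend -> frontend: fold several Set-Cookie values into a single one."""
    parts = []
    for header in set_cookie_values:
        pair, _, attrs = header.partition(";")
        name, _, value = pair.strip().partition("=")
        expired = re.search(r"max-age\s*=\s*(0|-\d+)\b", attrs, re.I)
        if name in BACKEND_COOKIES and value and not expired:
            parts.append(f"{name}:{enc(value)}")
    if not parts:  # backend cleared its cookies (logout): expire the merged one
        return f"{COMBINED}=; Max-Age=0; {ATTRS}"
    return f"{COMBINED}={'|'.join(parts)}; {ATTRS}"

def split(cookie_header):
    """Frontend -> backend: rebuild the Cookie header from the merged cookie only."""
    merged = ""
    for pair in cookie_header.split(";"):
        name, _, value = pair.strip().partition("=")
        if name == COMBINED:
            merged = value
    out = {}
    for part in merged.split("|"):
        name, _, blob = part.partition(":")
        if name not in BACKEND_COOKIES or not B64.fullmatch(blob):
            continue  # unknown name or malformed payload
        try:
            value = dec(blob)
        except ValueError:  # bad base64 or bad UTF-8
            continue
        if COOKIE_OCTETS.fullmatch(value):  # blocks ';', CR/LF, spaces, quotes
            out[name] = value
    return "; ".join(f"{n}={v}" for n, v in out.items())
```

Because one Set-Cookie header carries one attribute set, per-cookie attributes from the backend (for example differing Max-Age values) are lost in the merge, so the merged cookie should carry the strictest set the application tolerates.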