Problem setting up site-to-site vpn with HASS and Wireguard addon at both sites

Hello,

I'd like to set up a site-to-site VPN using the HASS WireGuard addon (GitHub - hassio-addons/addon-wireguard: WireGuard - Home Assistant Community Add-ons) running on a Home Assistant instance at each site.

The end goal is that each site can reach the (local) ip-addresses of the other site.

I think I got 90% along the way, but haven’t got it working. By searching around, I got bits and pieces, but not the full puzzle yet.

It seems many people try to get this working, so I decided to make a detailed description. But so far, the manual doesn’t lead to the targeted result yet.

Feel free to comment, and correct any mistakes :wink:

Assumptions:

  • Home assistant installation :

    • Install Wireguard addon on HASS at both sites
    • Install Portainer addon on HASS at both sites: this is only needed to get the internal ip-address of the Wireguard addon; there are other methods to obtain this (search the internet).
  • Site A:

    • Ip-address subnet: 192.168.3.0/24
    • Router ip-address : 192.168.3.1
    • Home assistant host ip-address: 192.168.3.100
    • Wireguard docker container ip-address: 172.30.33.13 (can be obtained by observing the Wireguard container in Portainer)
      • This is an ip-address on the internal HASS-networks connecting all core components and addons
    • Public url: sitea.duckdns.org.
  • Site B:

    • Ip-address subnet: 192.168.4.0/24
    • Router ip-address : 192.168.4.1
    • Home assistant host ip-address: 192.168.4.100
    • Wireguard docker container ip-address: 172.30.33.10
    • This site can’t be reached using a public url, as the internet provider uses CGNAT. For Wireguard (and other VPNs) to work, it is usually ok if only one site has a public ip-address or url.

Setup :

The setup consists of some key steps:

  • Configuring the Wireguard addon at both sites
  • Setting up port forwarding on the routers at both sites
  • Routing traffic at both sites to ensure traffic towards the other site is directed to the local HASS instance and then to the Wireguard addon of that instance

Here are the details:

  • Setup the Wireguard connection between the two HASS machines:

    • Site A wireguard configuration: we use this site as the ‘master’: it will generate the private keys for both site A and site B
      • Server:
        host: sitea.duckdns.org
        addresses:
           - 10.10.10.1/32
        dns:
           - 192.168.3.1
        
      • Peers:
        - name: SiteB
          addresses:
            - 10.10.10.2
          allowed_ips:
            - 192.168.4.0/24
          client_allowed_ips:
            - 10.10.10.0/24
            - 192.168.3.0/24
        
    • Site B wireguard configuration:
      • Server:
           host: siteb
           addresses:
              - 10.10.10.10
           dns:
             - 192.168.4.1
           private_key : __private key for site B, pasted from HASS site A___
           Here you paste the private key that can be found on HASS machine A in folder /ssl/wireguard/siteB
        
      • Peers:
           - name: SiteA
             addresses:
                - 10.10.10.1/32
             allowed_ips: []
             client_allowed_ips: []
             private_key: __ private key for site A, pasted from HASS site A ___
             Here you paste the private key that can be found on HASS machine A in folder /ssl/wireguard/siteA
             persistent_keep_alive: 30
             endpoint: sitea.duckdns.org:51820
        
        
  • Port forwarding on the routers:
    Make sure you forward port 51820 to the HASS machines for both sites. The setting needs to be done on your router (192.168.3.1 and 192.168.4.1).
    Note: If your modem is not integrated in the router, you need to set up the modem as well to forward this port towards your router.

  • Checkpoint: at this point, the vpn between the two sites should be up and running. You can verify this by observing the logs of the Wireguard addons at both sites
    You should see messages like: “latest handshake: 59 seconds ago”, and “transfer: 272 B received, 560 B sent”

  • Next you need to route traffic at each site so it can reach the other site :

    • In your router at site A, configure a route so that traffic towards site B (192.168.4.0/24) is directed towards your Home Assistant instance. It will be called something like ‘static routes’ in your router.
    • Similarly, in your router at site B, configure a route so that traffic towards site A (192.168.3.0/24) is directed towards your Home Assistant instance.
  • Now, traffic towards subnet 192.168.4.0/24 reaching your Home Assistant at site A needs to be forwarded toward the Wireguard addon

    • Source : Wireguard Add-on for site-to-site offsite backup
    • This needs to be done in HASS host A (using eg the Terminal & SSH addon):
      • sudo ip route add 192.168.4.0/24 via 172.30.33.13
      • sudo iptables -A FORWARD -i end0 -o hassio -s 192.168.3.0/24 -d 192.168.4.0/24 -j ACCEPT
        • end0 is the device name of the internet interface of the HASS host. The exact name in your situation can be found by launching ip link show. It should be something like eth0, end0, enp2s0, …
  • Similarly for site B:

    • This needs to be done in HASS host B:
      • sudo ip route add 192.168.3.0/24 via 172.30.33.10
      • sudo iptables -A FORWARD -i end0 -o hassio -s 192.168.4.0/24 -d 192.168.3.0/24 -j ACCEPT
        • end0 is the device name of the internet interface

At this point, I hoped to be able to browse to 192.168.4.1 from a computer on site A, but unfortunately, no luck yet.
And I don’t see how I can troubleshoot the situation: I tried ping and tracert, but they didn’t tell me anything.

What am I missing here?

I found some hints to play with the ‘post up’ settings on the Wireguard addons, but haven’t been able to find out the details. And I’m not sure whether this is needed, because the Wireguard HASS-addon already puts some defaults in place (see the documentation of the addon).

Does anybody know the solution to my problem? I’m quite sure the solution lies in the ip route and iptables, but I don’t know enough about those commands to find the answer. Thanks in advance.

Just to inform you: I haven’t been able to resolve my problem, but I succeeded in avoiding it: I added the Firefox addon to my remote HASS instance. This allows me to manage remote devices (like accessing the setup of a router or a webcam).
Link to Firefox addon


I’m no networking/Wireguard expert, but I’m using a similar setup: Wireguard in LXC containers in Proxmox. I tried various things until I got it working.
In my setup, adding a network to AllowedIPs causes that network to be added to the routing table in the Wireguard container. I think this is crucial for the container/addon to properly handle packets sent to the external network. E.g.:

[Peer]
AllowedIPs = 172.17.17.0/28,192.168.148.0/24,192.168.17.0/24

ip route
default via 192.168.0.1 dev eth0
172.17.17.0/28 dev wg-client0 proto kernel scope link src 172.17.17.2
192.168.148.0/24 dev wg-client0 scope link
192.168.17.0/24 dev wg-client0 scope link

192.168.0.1 is the local LAN; 172.17.17.0/28 is the Wireguard network (10.10.10.0/24 in your case); 192.168.148.0/24 and 192.168.17.0/24 are the external networks.

After a quick look at the addon documentation, the above setting seems to be split between allowed_ips (server side) and client_allowed_ips (client side). So your peer configuration should probably look more like this:

- name: SiteB
  addresses:
    - 10.10.10.2
  allowed_ips:
    - 192.168.4.0/24
    - 10.10.10.0/24

- name: SiteA
  addresses:
    - 10.10.10.1/32
  client_allowed_ips:
    - 192.168.3.0/24
    - 10.10.10.0/24

(the 10.10.10.0/24 on each side is perhaps not needed, test it).
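As an added example that is not part of any post in this thread or of the add-on project: a small Python checker for the two configurations in the first post, applying the point made in the reply above (the remote LAN must be in the peer's AllowedIPs on each side, since WireGuard's cryptokey routing both installs the route and decides which source addresses a peer may send). The dict layout, TUNNEL_NET, the function names and the default interface name are assumptions; the addresses are the thread's own.

```python
import ipaddress
from typing import Dict, List

# Constructed from the thread's first post; the dict layout is an assumption, not
# the add-on's own schema. Site B's peer entry has allowed_ips: [] exactly as posted.
TUNNEL_NET = "10.10.10.0/24"
SITES = {
    "A": {"lan": "192.168.3.0/24", "tunnel": "10.10.10.1/32", "wg_container": "172.30.33.13",
          "peer": "B", "peer_allowed_ips": ["192.168.4.0/24"]},
    "B": {"lan": "192.168.4.0/24", "tunnel": "10.10.10.10/32", "wg_container": "172.30.33.10",
          "peer": "A", "peer_allowed_ips": []},
}

def check_site_to_site(sites: Dict[str, dict], tunnel_net: str = TUNNEL_NET) -> List[str]:
    """Return human-readable problems; an empty list means the two configs agree."""
    problems = []
    tunnel = ipaddress.ip_network(tunnel_net)
    lans = {n: ipaddress.ip_network(s["lan"]) for n, s in sites.items()}
    names = list(sites)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            if lans[a].overlaps(lans[b]):  # identical LANs cannot be routed across a tunnel
                problems.append(f"LAN subnets of {a} and {b} overlap: {lans[a]} / {lans[b]}")
    for name, site in sites.items():
        if ipaddress.ip_interface(site["tunnel"]).ip not in tunnel:
            problems.append(f"site {name}: tunnel address {site['tunnel']} is outside {tunnel}")
        remote_lan = lans[site["peer"]]
        allowed = [ipaddress.ip_network(n) for n in site["peer_allowed_ips"]]
        # Cryptokey routing: without the remote LAN in this side's AllowedIPs for the
        # peer, no route is installed and the peer's LAN traffic is dropped on arrival.
        if not any(remote_lan.subnet_of(n) for n in allowed):
            problems.append(f"site {name}: peer {site['peer']} has no allowed_ips entry covering {remote_lan}")
    return problems

def host_commands(sites: Dict[str, dict], name: str, lan_iface: str = "end0") -> List[str]:
    """The host-side route and FORWARD rule from the first post, generated for one site."""
    site, remote = sites[name], sites[sites[name]["peer"]]
    return [
        f"ip route add {remote['lan']} via {site['wg_container']}",
        f"iptables -A FORWARD -i {lan_iface} -o hassio -s {site['lan']} -d {remote['lan']} -j ACCEPT",
    ]

if __name__ == "__main__":
    for p in check_site_to_site(SITES) or ["no problems found"]:
        print(p)
    for n in SITES:
        print(f"--- site {n} ---", *host_commands(SITES, n), sep="\n")
```

Run against the posted values it reports only site B's empty allowed_ips; adding 192.168.3.0/24 there (as the reply suggests) makes the check pass.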

Thanks for the information.
I agree that on site B, allowed_ips needs to be set to 192.168.3.0/24. And on site B, client_allowed_ips needs to be set to 192.168.4.0/24.
Whether this completely resolves the issue, I don’t know: I dismantled this setup (using the Firefox addon as a way to access the remote site), so I can’t test it easily anymore.
If anybody is setting up a similar site-to-site VPN with HASS and Wireguard, let us know if it works or not.