Wireguard addon

Hello all,

I have a question regarding the wireguard addon. I have read the documentation, but from what I understand from it, this addon allows a setup where the HA becomes a “server” (I know that strictly speaking there is no such thing in a wireguard network) which allow for peers to connect to it.

My question is, can I setup this addon in a “client” mode so that it connects to an external wireguard “server”?

I have to do this in one location because, HA is behind a cg-nat and i can only get around that by having a vm running a wireguard connection to a server I have at home. My goal was to get rid of that vm and have wireguard and HA in one place.


Might want to look into ZeroTier One
… or Tailscale
Nebula is probably overkill.

There is no client & server in wireguard per-se.
The VPN is peer-to-peer and each node is (or can be) both client (can reach remote peers) and server (can be reached by peers).

But yeah, Tailscale makes all this pretty transparent, and uses wireguard behind-the-scenes, so use that instead.

i know that with wireguard “client” and “server” are interchangeable but what confuses me is who initiates the connection. because in my case, I need the HA wireguard to connect to my home server wireguard. If my homeserver goes down then the HA wireguard should continue to try to connect to it and if HA wireguard goes down, upon restart (or when the internet connection becomes available again) it should try to connect to the server again.

this reminds me of another problem with wireguard: endpoint of the connection is resolved once. if the connection goes down on the home server side and the endpoint (ie the home server) changes its IP, then the HA wireguard will not be able to connect. is this the case here? On a normal linux machine there is a script included with wireguard that re-resolves the endpoint periodically.

I will look into the other suggestions as well!

I see this is an old thread, but its the best search result when i tried finding it myself. You can define the endpoint for the peer definition that is the public “server”, so the “client” initiates the connection.

  - name: hassio-public
    public_key: <key>
    endpoint: <public ip>:51820
      - <remote subnet>
    allowed_ips: []
      - <local subnet>
  dns: []
  host: hassio.local
  private_key: <key>
  public_key: <key>

(edit: simplified)

1 Like

thank you! I will give it a go soon!

If you need to run Wireguard as a client to a public server, use this addon instead.

1 Like

I installed the addon but the configuration section is blocked. What needs to be done?