WireGuard Problems

Hi everyone,

I’m trying to set up an external connection with an ESP32 running ESPHome, with the WireGuard component. I’m having trouble adding the ESPHome device using the WireGuard IP.



Cannot connect to ESP. Please check that your YAML file contains an ‘api:’ line.

A couple of things to note:

  • I’m running HAOS on Virtual Box, with the host machine running Windows 10.
  • I’m using the WireGuard add-on, from the add-on store in HA.
  • ESP32 is in my office’s wifi.

ESPHome YAML:

```
wireguard:
  address: 192.168.2.3
  private_key: xxxxxxxxxxxxxxxx
  peer_endpoint: xxxxxxxxxxxx
  peer_public_key: xxxxxxxxxx
  netmask: 0.0.0.0
  peer_allowed_ips: 0.0.0.0
```

WireGuard add-on config:



From the ESP32 and the add-on logs, I can see that it connects to the tunnel:



I also know that the tunnel works because I tested with my phone, and I can access HA and my NAS that are on the 192.168.1.x subnet.

I’ve also added a static route (on the host machine) to all IPs on the 192.168.2.x subnet to the IP of the VM running HA.



And I can’t ping the ESP32 from the CLI in HA.



Can someone lend me a hand on this issue? I’m pulling my hair out already.

HA is going to use its default gateway for outbound comms. I’m going to assume the VM is a bridged network with HA pulling DHCP from your router (and having your router set as the gateway). If that’s the case, you need a static route on the router or directly in HA to point to the WireGuard add-on for the WireGuard subnet.

My router is pretty simple, I don’t think it can do static routes. How can I do that in HA?

You don’t seem to have a time source set up.

I have a time source:

```
time:
  - platform: sntp
    id: sntp_time1
```

Forgot to add it to the post. The complete YAML is gigantic.

The OP in the post I linked to posted how they did it.

You are right!
The solution is to run this bash script on the CLI (via add-on ssh):

```
host_result=$(host a0d7b954-wireguard); addon_ip=${host_result##* }; ip route replace 192.168.1.0/24 via $addon_ip; echo $addon_ip
```

Where 192.168.1.0/24 is the subnet of the WireGuard server.

Thanks for the help, Ryan.
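
Added example (not part of the thread): the one-liner above takes the last word of the `host` output as the gateway, so a failed lookup would hand a string such as `3(NXDOMAIN)` to `ip route`. The sketch below validates the resolved address first and only prints the route command; the function names and the sample `host` output are assumptions, while the hostname and subnet are the ones quoted in the thread.

```shell
#!/bin/sh
# Added example: function names are hypothetical, not from the thread.

# Return 0 only for a dotted-quad IPv4 address with each octet in 0..255.
is_ipv4() {
    case "$1" in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    old_ifs=$IFS; IFS=.
    set -- $1            # split on dots into positional parameters
    IFS=$old_ifs
    [ "$#" -eq 4 ] || return 1
    for octet in "$@"; do
        [ "${#octet}" -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# Extract the address from `host` output of the form
# "<name> has address <ip>"; fail on NXDOMAIN or any other text.
addon_ip_from_host_output() {
    ip=$(printf '%s\n' "$1" | awk '/ has address /{print $NF; exit}')
    is_ipv4 "$ip" || return 1
    printf '%s\n' "$ip"
}

# Print the route command for review instead of executing it.
# $1 = subnet in CIDR notation, $2 = captured `host` output.
# Only the network part of $1 is validated, not the prefix length.
build_route_cmd() {
    case "$1" in */*) ;; *) return 1 ;; esac
    is_ipv4 "${1%/*}" || return 1
    gw=$(addon_ip_from_host_output "$2") || return 1
    printf 'ip route replace %s via %s\n' "$1" "$gw"
}

# Usage on the HA host (prints the command; nothing is changed):
#   build_route_cmd 192.168.1.0/24 "$(host a0d7b954-wireguard)"
```

The function returns non-zero and prints nothing when the add-on name does not resolve, so a stale or bogus gateway never reaches the routing table.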