addon-wireguard-client's Issues

Extremely slow connection between server and client

Problem/Motivation

My desired setup is that I have a public WireGuard VPN, e.g. hosted on DigitalOcean, accessible by everyone.

Home Assistant, hosted locally, should connect to this Wireguard server, so the server can act as a reverse proxy and make my Home Assistant installation accessible from everywhere without any port forwarding issues.

I have the setup up and running with OpenVPN but want to switch, due to simpler configuration, to Wireguard.

This plugin manages to connect to my Wireguard server.
The connection is unusably slow. curl from the WireGuard server to Home Assistant takes ages and usually ends with Recv failure: Connection reset by peer

Expected behavior

Plugin connects to my Wireguard server.
Wireguard server can curl Home Assistant and get some HTML back

Actual behavior

Plugin connects to my Wireguard server.

The curl response takes ages and results in a "Recv failure: Connection reset by peer".
curl sees some header information sent by Home Assistant, so there is a connection, it's just unusably slow:

root@3876e6bea848:/# curl 10.13.13.2:8123 -vvvv
*   Trying 10.13.13.2:8123...
* Connected to 10.13.13.2 (10.13.13.2) port 8123 (#0)
> GET / HTTP/1.1
> Host: 10.13.13.2:8123
> User-Agent: curl/7.87.0
> Accept: */*
> 
* Mark bundle as not supporting multiuse
< HTTP/1.1 200 OK
< Content-Type: text/html; charset=utf-8
< Content-Length: 9294
< Date: Sun, 12 Feb 2023 15:59:52 GMT
< Server: Python/3.10 aiohttp/3.8.1
< 
* Recv failure: Connection reset by peer
* Closing connection 0
curl: (56) Recv failure: Connection reset by peer

I also noticed that when I ping 10.13.13.2 it takes about 20 seconds until I get the first response. But once I got the first response the following responses come up immediately

root@3876e6bea848:/# ping 10.13.13.2
PING 10.13.13.2 (10.13.13.2) 56(84) bytes of data.
64 bytes from 10.13.13.2: icmp_seq=19 ttl=64 time=18.6 ms
64 bytes from 10.13.13.2: icmp_seq=20 ttl=64 time=16.6 ms
64 bytes from 10.13.13.2: icmp_seq=21 ttl=64 time=22.8 ms
64 bytes from 10.13.13.2: icmp_seq=22 ttl=64 time=16.3 ms
^C

When I connect my phone to the Wireguard server it responds immediately to requests.

Steps to reproduce

Wireguard server is set up like this:

version: '3'

networks:
  web:
    external: true

services:
  wireguard:
    image: lscr.io/linuxserver/wireguard:1.0.20210914-alpine
    restart: unless-stopped
    networks:
      - default
      - web
    volumes:
      - /data/wireguard/config:/config
    cap_add:
      - NET_ADMIN
    environment:
      - SERVERURL=wireguard.mydomain.com
      - SERVERPORT=51820
      - PEERS=hass
      - INTERNAL_SUBNET=10.13.13.0
      - PERSISTENTKEEPALIVE_PEERS=
    sysctls:
      - net.ipv4.conf.all.src_valid_mark=1
    labels:
      - traefik.enable=true
      - traefik.udp.services.wireguard-service.loadbalancer.server.port=51820
      - traefik.udp.routers.wireguard-router.entrypoints=wireguard
      - traefik.udp.routers.wireguard-router.service=wireguard-service

Wireguard client is set up like this:

Interface:

private_key: <redacted>
address: 10.13.13.2
dns:
  - 1.1.1.1
post_up: iptables -t nat -A POSTROUTING -o wg0 -j MASQUERADE
post_down: iptables -t nat -D POSTROUTING -o wg0 -j MASQUERADE


Peers:

- public_key: <redacted>
  pre_shared_key: <redacted>
  endpoint: wireguard.mydomain.com:51820
  allowed_ips:
    - 10.13.13.0/24
  persistent_keep_alive: 25

Remote HomeAssistant breaks after update to 0.2.0

Problem/Motivation

Remote HomeAssistant breaks on 0.2.0

Expected behavior

Connection Established on Remote HomeAssistant

Actual behavior

Log :
import of 10.10.0.3 failed

Traceback (most recent call last):
  File "/usr/local/lib/python3.9/site-packages/aiohttp/connector.py", line 986, in _wrap_create_connection
    return await self._loop.create_connection(*args, **kwargs)  # type: ignore[return-value]  # noqa
  File "/usr/local/lib/python3.9/asyncio/base_events.py", line 1081, in create_connection
    transport, protocol = await self._create_connection_transport(
  File "/usr/local/lib/python3.9/asyncio/base_events.py", line 1111, in _create_connection_transport
    await waiter
ConnectionAbortedError: SSL handshake is taking longer than 60.0 seconds: aborting the connection

The above exception was the direct cause of the following exception:

Traceback (most recent call last):
  File "/config/custom_components/remote_homeassistant/config_flow.py", line 45, in validate_input
    info = await async_get_discovery_info(
  File "/config/custom_components/remote_homeassistant/rest_api.py", line 47, in async_get_discovery_info
    async with session.get(url, headers=headers) as resp:
  File "/usr/local/lib/python3.9/site-packages/aiohttp/client.py", line 1138, in __aenter__
    self._resp = await self._coro
  File "/usr/local/lib/python3.9/site-packages/aiohttp/client.py", line 535, in _request
    conn = await self._connector.connect(
  File "/usr/local/lib/python3.9/site-packages/aiohttp/connector.py", line 542, in connect
    proto = await self._create_connection(req, traces, timeout)
  File "/usr/local/lib/python3.9/site-packages/aiohttp/connector.py", line 907, in _create_connection
    _, proto = await self._create_direct_connection(req, traces, timeout)
  File "/usr/local/lib/python3.9/site-packages/aiohttp/connector.py", line 1206, in _create_direct_connection
    raise last_exc
  File "/usr/local/lib/python3.9/site-packages/aiohttp/connector.py", line 1175, in _create_direct_connection
    transp, proto = await self._wrap_create_connection(
  File "/usr/local/lib/python3.9/site-packages/aiohttp/connector.py", line 992, in _wrap_create_connection
    raise client_error(req.connection_key, exc) from exc
aiohttp.client_exceptions.ClientConnectorError: Cannot connect to host 10.10.0.3:8123 ssl:default [None]

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/config/custom_components/remote_homeassistant/config_flow.py", line 180, in async_step_import
    info = await validate_input(self.hass, user_input)
  File "/config/custom_components/remote_homeassistant/config_flow.py", line 54, in validate_input
    raise CannotConnect()
custom_components.remote_homeassistant.rest_api.CannotConnect

Steps to reproduce

Remote HomeAssistant

Proposed changes

N/A

Unable to reach WG server subnet from my homeassistant install with this add-on

Problem/Motivation

Having an issue pinging the WG server network from my homeassistant install. The WG server has a Lutron hub on subnet 192.168.0.0/24 I am unable to ping the 192.168.0.0/24 subnet from the terminal addon in Homeassistant.
I was able to import the configuration from my server onto my own laptop and was able to ping the 192.168.0.0/24 subnet without an issue.
I wish to be able to add the Lutron Caseta integration to my homeassistant even though they are at 2 different locations/networks. The homeassistant install is on 192.168.86.0/24 subnet.

Expected behavior

Expect to be able to reach the 192.168.0.0/24 subnet

Actual behavior

Unable to reach the subnet, the logs are filled with "nc: bind: Address in use"

Steps to reproduce

Configuration:
Interface:

private_key: XXXXXXXXXXXXXXXXXXXX
address: 10.253.0.2
dns:
  - 8.8.8.8
  - 8.8.4.4
post_up: >-
  iptables -t nat -A POSTROUTING -o wg0 -j MASQUERADE; iptables -A FORWARD -p
  tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
post_down: >-
  iptables -t nat -D POSTROUTING -o wg0 -j MASQUERADE; iptables -D FORWARD -p
  tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
mtu: 1420

Peers:

- public_key: XXXXXXXXXXXXXXXX
  pre_shared_key: XXXXXXXXXXXXXXXXX
  endpoint: XXXXXXX.duckdns.org:51820
  allowed_ips:
    - 10.253.0.0/24
  persistent_keep_alive: "25"

Logs:

-----------------------------------------------------------
 Add-on: WireGuard Client
 Fast, modern, secure Wireguard tunnel (client)
-----------------------------------------------------------
 Add-on version: 0.2.2
 You are running the latest version of this add-on.
 System: Home Assistant OS 12.3  (aarch64 / raspberrypi4-64)
 Home Assistant Core: 2024.5.4
 Home Assistant Supervisor: 2024.05.1
-----------------------------------------------------------
 Please, share the above information when looking for help
 or support in, e.g., GitHub, forums or the Discord chat.
-----------------------------------------------------------
[cont-init.d] 00-banner.sh: exited 0.
[cont-init.d] 01-log-level.sh: executing... 
[cont-init.d] 01-log-level.sh: exited 0.
[cont-init.d] config.sh: executing... 
[13:29:20] INFO: Ended to write Wireguard configuration into: [/etc/wireguard/wg0.conf]
[cont-init.d] config.sh: exited 0.
[cont-init.d] done.
[services.d] starting services
[services.d] done.
[13:29:20] INFO: Starting WireGuard Client...
[#] ip link add wg0 type wireguard
[#] wg setconf wg0 /dev/fd/63
[#] ip -4 address add 10.253.0.2/24 dev wg0
[#] ip link set mtu 1420 up dev wg0
[#] resolvconf -a wg0 -m 0 -x
nc: bind: Address in use
[#] iptables -t nat -A POSTROUTING -o wg0 -j MASQUERADE; iptables -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
nc: bind: Address in use
nc: bind: Address in use
nc: bind: Address in use
nc: bind: Address in use
nc: bind: Address in use
nc: bind: Address in use
nc: bind: Address in use
nc: bind: Address in use
nc: bind: Address in use

Proposed changes

(If you have a proposed change, workaround or fix,
describe the rationale behind it)

IP masquerading not working correctly

Problem/Motivation

IP masquerading not working; cannot access other devices on my local area network

Expected behavior

traceroute 192.168.8.169 and get a reply

Actual behavior

traceroute stops at 10.10.1.2

I used to run a wireguard client on debian. Since installing Home Assistant on my RPI4 I am trying to reproduce my wg config

here is my original config that worked

[Interface]
Address = 10.10.1.2/24
PrivateKey = redacted
ListenPort = 51820
DNS = 192.168.8.1
PostUp = iptables -A FORWARD -i wg0 -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
PostDown = iptables -D FORWARD -i wg0 -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE

[Peer]
PublicKey = redacted
Endpoint = mydomain.com:51820
AllowedIPs = 10.10.1.0/24
PersistentKeepalive = 25

here is the actual config in the plugin

[interface]
private_key: redacted
address: 10.10.1.2/24
dns:
  - 192.168.8.1
post_up: >-
  iptables -t nat -A POSTROUTING -o wg0 -j MASQUERADE; iptables -A FORWARD -p
  tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
post_down: >-
  iptables -t nat -D POSTROUTING -o wg0 -j MASQUERADE; iptables -D FORWARD -p
  tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
mtu: 1420


[peer]
- public_key: redacted
  endpoint: mydomain:51820
  allowed_ips:
    - 10.10.1.0/24
  persistent_keep_alive: "25"

I also tried changing the masquerading to the one from my original config, replacing eth0 with end0, but nothing works

ip route list table main default
default via 192.168.8.1 dev end0  src 192.168.8.186  metric 100
10.10.1.0/24 dev wg0 scope link  src 10.10.1.2
172.30.32.0/23 dev hassio scope link  src 172.30.32.1
172.30.232.0/23 dev docker0 scope link  src 172.30.232.1
192.168.8.0/24 dev end0 scope link  src 192.168.8.186  metric 100

ipv4 forwarding seems to be enabled

cat /proc/sys/net/ipv4/ip_forward
1

listening port on interface (maybe)

I am trying to connect my HA to a fritzbox in another city with wireguard. I am quite sure the problem is the listening port. The fritzbox has a wireguard server and it works (I connected to it with both my laptop and android mobile), but it wants ListenPort = 51336 while wireguard client uses a random number for the interface.

It doesn't receive anything

transfer: 0 B received, 2.89 KiB sent
persistent keepalive: every 25 seconds

I am not really able to make it work. Any help will be much appreciated!

Core updates will fail -- Solution: disable WireGuard

Problem/Motivation

If WireGuard is activated on boot, HA core updates will fail

I had a hell of a time upgrading from 2023.12.x to HA Core 2024.1.2.
Then again from 2024.1.2 to 2024.1.6

My solution:
1.) Disable WireGuard client (Uncheck “Start on boot”)
2.) Reboot system
3.) Update your system
4.) Re-activate WireGuard as desired

Connection not possible

I am running two Home Assistant instances in two separate houses.

At my main home, I am running the Home Assistant Wireguard-server add-on with the following config:

server:
  host: [IP]:[PORT]
  addresses:
    - 172.27.66.1
  dns: []
  peers:
    - name: any name
      addresses:
        - 172.27.66.202
      allowed_ips: []
      client_allowed_ips: []
    - name: any second name
      addresses:
        - 172.27.66.203
      allowed_ips: []
      client_allowed_ips: []

In my second home, I have an RPI3 running Home Assistant with the Wireguard-client. Config:

interface:
  private_key: [PRIVATE KEY]
  address: 172.27.66.203/24
  dns:
    - 172.30.32.3
  post_up: iptables -t nat -A POSTROUTING -o wg0 -j MASQUERADE
  post_down: iptables -t nat -D POSTROUTING -o wg0 -j MASQUERADE
peer:
  public_key: [PUBLIC KEY]
  endpoint: [IP]:[PORT]
  allowed_ips:
    - 10.9.0.0/24
  persistent_keep_alive: 25

Unfortunately, the connection between the two networks cannot be established. I use the wireguard-server for several connections with wireguard-clients (e.g. the WireGuard app for Windows, iOS) and everything is working ok there - only the wireguard-client add-on does not want to connect to the VPN server.
Could you please advise how to get the connection running :-)

Thanks in advance for your assistance!

PS:

LOG CLIENT:
[19:12:20] INFO: Requesting current status from WireGuard Client...
interface: wg0
public key: A/HzBwQEFnHbR8vXx/F75oFBEkYF7k8AiCBe8P8qd0g=
private key: (hidden)
listening port: 47677
peer: LTji/hiLAjUsRSvpjEdgX54SDn8uaWTjujxGEQEq8Uo=
preshared key: (hidden)
endpoint: 185.248.151.188:51850
allowed ips: 10.9.0.0/24
transfer: 0 B received, 888 B sent
persistent keepalive: every 25 seconds

Both devices are up to date!

Need to create multiple peers in wireguard client under home assistant

Problem/Motivation

Added multiple peers but it returns an invalid YAML error

Expected behavior

wireguard is peer to peer so all clients should be able to be configured with multiple peers

Actual behavior

yaml error when saving configuration

Steps to reproduce

add a second peer entry

Proposed changes

configuration of peers needs to allow an array of peers

Add-on started but I cannot connect to the site xxxx.duckdns.org

Hi,
I followed your whole guide for Home Assistant behind a NAT network.
Since I am on hassio I immediately installed your WireGuard client add-on.
However, several steps are still unclear to me.
On the Google server I also ran the commands:
sudo sysctl -w net.ipv4.ip_forward=1
echo "net.ipv4.ip_forward = 1" | sudo tee -a /etc/sysctl.conf
sudo sysctl -p /etc/sysctl.conf

.. I set up the client config like this:
interface:
  private_key: xxxxxxxxxxxxxxx
  address: 10.6.0.2
  dns:
    - 8.8.8.8
    - 8.8.4.4
peer:
  public_key: xxxxxxxxxxxxxxx
  pre_shared_key: xxxxxxxxxxxxxxxxxxx
  endpoint: 'xxxxxxxxxxxxxxxx.duckdns.org:51820'
  allowed_ips:
    - 10.6.0.1
  persistent_keep_alive: '25'

and started it by pressing Start.
Then I set up the "normal" WireGuard add-on like this:
server:
  host: xxxxxxxxxxxxxx.duckdns.org
  addresses:
    - 10.6.0.2
  dns: []
  peers:
    - name: hassio
      public_key: xxxxxxxxxxxxxx
      pre_shared_key: xxxxxxxxxxxx
      endpoint: 'xxxxxxx.duckdns.org:51820'
      addresses:
        - 10.99.97.1
      allowed_ips:
        - 0.0.0.0/0
        - 192.168.3.0/24
      client_allowed_ips: []
      Persistent_Keep_alive: 25

so I start this add-on as well.

Now what? In the client add-on's log I see no errors.
If I start the "normal" WireGuard add-on it gives me this error: "Port '51820' is already in use by something else on the host."

no local connect

Hello!

After installing and configuring I no longer have access from my laptop over WiFi to my Raspberry's Home Assistant.
Also I can't ping my local LTE router from HA, which is connected over WiFi.
But if WireGuard is connected then I can access my LTE Home Assistant from @Home.
At home I have a Fritz!Box WireGuard configuration.

Config on my Fritzbox @home:
[Interface]
PrivateKey = xxx
ListenPort = 53892
Address = 192.168.178.1/24
DNS = 192.168.178.1,192.168.84.1
DNS = fritz.box

[Peer]
PublicKey = xxx
PresharedKey = xxx
AllowedIPs = 192.168.178.131/32
PersistentKeepalive = 25
[Peer]
PublicKey = xxx
PresharedKey = xxx
AllowedIPs = 192.168.178.132/32
PersistentKeepalive = 25
[Peer]
PublicKey = xxx
PresharedKey = xxx
AllowedIPs = 192.168.84.0/24
PersistentKeepalive = 25

Config on my plugin:
interface:
  private_key: xxx
  address: 192.168.84.0/24
  dns:
    - 192.168.84.1
    - 8.8.4.4
  post_up: iptables -t nat -A POSTROUTING -o wg0 -j MASQUERADE
  post_down: iptables -t nat -D POSTROUTING -o wg0 -j MASQUERADE
peers:
  - public_key: xxx
    pre_shared_key: xxx
    endpoint: abcdef.myfritz.net:53892
    allowed_ips:
      - 192.168.178.0/24
    persistent_keep_alive: "25"

route:
Kernel IP routing table
Destination     Gateway          Genmask          Iface
default         fd24a921-wiregu  0.0.0.0          eth0
172.30.32.0     *                255.255.254.0    eth0

My installed Image on Raspberry 4 is:
https://github.com/home-assistant/operating-system/releases/download/9.3/haos_rpi4-64-9.3.img.xz

I hope you can help me!?

no handshake over IPv6

I can only connect to my WireGuard server when I enter an IPv4 address as the endpoint in the config of the wireguard-client add-on.
I tried it with domains pointing to my cable router (dual stack connection v4 and v6) or directly with IPv4 and IPv6 addresses.
The handshake only works with the v4 address.

When I use a dynamic domain wireguard-client resolves the domain into the v6 address. It looks like it's connected but there is no handshake entry in the log. And the transfer entry shows only sent, nothing received.

LOG:

interface: wg0
  public key: $key$
  private key: (hidden)
  listening port: 60973
peer: $some-key-here$
  preshared key: (hidden)
  endpoint: [some_ipv6_address]:51820
  allowed ips: 10.13.13.0/24
  transfer: 0 B received, 13.15 KiB sent
  persistent keepalive: every 25 seconds

My config:

interface:
  private_key: $mykey$
  address: 10.13.13.2
  dns:
    - 10.13.13.1
  post_up: iptables -t nat -A POSTROUTING -o wg0 -j MASQUERADE
  post_down: iptables -t nat -D POSTROUTING -o wg0 -j MASQUERADE
peers:
  - public_key: $pupkey$
    pre_shared_key: $pskey$
    endpoint: wg.example.com:51820
    allowed_ips:
      - 10.13.13.0/24
    persistent_keep_alive: "25"

LOG (IPv4 address as endpoint instead of v6):

interface: wg0
  public key: $$$$
  private key: (hidden)
  listening port: 54311
peer: $$$$
  preshared key: (hidden)
  endpoint: $ipv4_address$:51820
  allowed ips: 10.13.13.0/24
  latest handshake: 30 seconds ago
  transfer: 92 B received, 212 B sent
  persistent keepalive: every 25 seconds

When I connect to the same server from my iPhone (also from the same network as the homeassistantOS) the domain will always get resolved into a v4 address and everything is working.

What Do I miss here?

Thanks
Eugen
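Added example, not the add-on's code, for reading the status dumps pasted in "listening port on interface (maybe)", "Connection not possible" and the post above: a small parser for `wg show` text plus a classifier that separates "a handshake completed" from "we transmit, nothing ever comes back". The two samples are constructed to match the shape of the dumps on this page; the keys and the 2001:db8:: endpoint are placeholders.

```python
# Constructed samples in the format the add-on logs (`wg show`), modelled on
# the two status dumps in the IPv6 post. Keys and addresses are placeholders.
NO_HANDSHAKE = """\
interface: wg0
  public key: CLIENT_PUBLIC_KEY
  private key: (hidden)
  listening port: 60973
peer: SERVER_PUBLIC_KEY
  preshared key: (hidden)
  endpoint: [2001:db8::1]:51820
  allowed ips: 10.13.13.0/24
  transfer: 0 B received, 13.15 KiB sent
  persistent keepalive: every 25 seconds
"""

HANDSHAKE = """\
interface: wg0
  public key: CLIENT_PUBLIC_KEY
  private key: (hidden)
  listening port: 54311
peer: SERVER_PUBLIC_KEY
  preshared key: (hidden)
  endpoint: 203.0.113.7:51820
  allowed ips: 10.13.13.0/24
  latest handshake: 30 seconds ago
  transfer: 92 B received, 212 B sent
  persistent keepalive: every 25 seconds
"""

UNITS = {"B": 1, "KiB": 1024, "MiB": 1024 ** 2, "GiB": 1024 ** 3, "TiB": 1024 ** 4}


def to_bytes(text):
    """'13.15 KiB' -> 13466 (wg prints binary units rounded to 2 decimals)."""
    value, unit = text.split()
    return int(round(float(value) * UNITS[unit]))


def parse_wg_show(text):
    """Turn `wg show` output into {'interface': {...}, 'peers': [{...}, ...]}.
    Unindented lines open a section; indented 'key: value' lines belong to it."""
    result = {"interface": {}, "peers": []}
    current = None
    for line in text.splitlines():
        if not line.strip():
            continue
        key, _, value = line.partition(":")   # first colon only; keys have none
        key, value = key.strip(), value.strip()
        if not line.startswith(" "):
            if key == "interface":
                current = result["interface"]
                current["name"] = value
            elif key == "peer":
                current = {"public key": value}
                result["peers"].append(current)
            continue
        if key == "transfer":
            rx, tx = value.split(",")
            current["rx_bytes"] = to_bytes(rx.replace("received", "").strip())
            current["tx_bytes"] = to_bytes(tx.replace("sent", "").strip())
        elif key == "endpoint":
            host, _, port = value.rpartition(":")  # handles [v6]:port too
            current["endpoint_host"] = host.strip("[]")
            current["endpoint_port"] = int(port)
        else:
            current[key] = value
    return result


def diagnose(peer):
    """Classify one peer from its counters.
    'handshake'    - a handshake completed; the tunnel is up.
    'no-handshake' - we transmit (initiations and keepalives) but nothing has
                     ever come back: our packets are not reaching the peer on
                     that endpoint, its replies are not reaching us, or the
                     keys/PSK on the two sides do not match.
    'no-traffic'   - nothing was sent either; the interface never tried."""
    if "latest handshake" in peer:
        return "handshake"
    if peer.get("tx_bytes", 0) > 0 and peer.get("rx_bytes", 0) == 0:
        return "no-handshake"
    return "no-traffic"


def summary(text):
    """[(public key, endpoint host, diagnosis), ...] for every peer."""
    return [(p["public key"], p.get("endpoint_host"), diagnose(p))
            for p in parse_wg_show(text)["peers"]]


if __name__ == "__main__":
    for sample in (NO_HANDSHAKE, HANDSHAKE):
        print(summary(sample))
```

The "sent but 0 B received" pattern that appears in three posts on this page is exactly what `diagnose` labels no-handshake; the received counter only ever increases for authenticated data packets, so a zero there means the handshake never completed on that endpoint, whatever the "listening port" line says.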

Issues connecting to existing infrastructure (no PSK)

Problem/Motivation

I'm having issues getting my connection working, partly because I don't use a PSK. I can see activity on the server for the connection, however the reverse link fails. I notice I can't force the peer address to a /32, so I have a subnet mismatch (the add-on automatically appends /24; manually appending /32 in the config errors with 10.9.0.7/32/24).

Expected behavior

WG connects and am able to access HA from the WG address.

Actual behavior

Unable to access HA via WG, host unable to ping WG Server

Steps to reproduce

Config I'm using:

interface:
  private_key: PRIVATEKEY
  address: 10.9.0.7
  dns:
    - 8.8.8.8
    - 8.8.4.4
  post_up: iptables -t nat -A POSTROUTING -o wg0 -j MASQUERADE ; ping -c 2 10.9.0.1
  post_down: iptables -t nat -D POSTROUTING -o wg0 -j MASQUERADE
peer:
  public_key: REMOTEPUBKEY
  pre_shared_key: REMOTEPUBKEY
  endpoint: 'SERVER'
  allowed_ips:
    - 10.9.0.0/24
  persistent_keep_alive: '120'

If I was to do this in pure WG config it would look like this

[Interface]
PrivateKey = HAPRIVATEKEY
Address = 10.9.0.7/32
PostUp = ping -c 2 10.9.0.1


[Peer]
PublicKey = REMOTEPUBKEY
AllowedIPs = 10.9.0.0/24
Endpoint = SERVER

I have 10 devices already talking to this WG server so there isn't anything awol on the server side

Connection to peer

Wireguard is correctly connected to the other peer, but my HA is unable to access any device.

Any idea ?

Connecting to HomeAssistant UI via WireGuard Client

Hi!

I'm looking for a way to connect to a Home Assistant instance using WireGuard. Here is the scenario:

  • client (1) is a mobile phone
  • client (2) is a desktop
  • client (3) is a Home Assistant

All the clients are successfully connected to WireGuard server running on VPS. All clients are able to cross-communicate (e.g. ping mobile from desktop and vice-versa).

Home Assistant's addons are running on separate docker containers, UI and WireGuard are completely separate, so when VPN is connected from addon container, I cannot access UI from other VPN client.

Can you please suggest the way to access Home Assistant UI in such a scenario?
From network perspective this should be something like opening port on addon container that will forward requests to UI container on 8123, but I can hardly imagine how this can be achieved in HASS.

Thank you in advance!

PS: One more weird thing found: Home Assistant is unable to download update and access Internet in general, when addon is running.

Home-Assistant working as a NAT Server for VPN client connection

Is there a way to do it? Because I can ping all networks connected through the VPN client from Home Assistant, but I can't use them from other computers on the same network using Home Assistant as their gateway, even if I put rules for this in iptables.

Is this configuration possible?

set MTU size

Hi,

please add the ability to set the MTU size.
I have one client that can connect, but the default MTU of 1420 is too high for its network (CGNAT).

I tried to include MTU: 1412 but in the log i can see that wg is starting with 1420.
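Added example (not the add-on's code) for the MTU request above and the `--clamp-mss-to-pmtu` rules that appear in several configs on this page. The constants are WireGuard's framing: an outer IPv4 (20) or IPv6 (40) header, UDP (8), the 16-byte data-message header and the 16-byte Poly1305 tag, with the inner packet padded to a multiple of 16 but never beyond the interface MTU. That is where wg-quick's default of 1420 comes from (1500 minus the 80-byte IPv6 case) and what a 1492-byte path (PPPoE, for instance) leaves: 1412.

```python
# Added example (not the add-on's code): WireGuard framing overhead, used to
# derive a tunnel MTU from the underlay path MTU and the TCP MSS that the
# `--clamp-mss-to-pmtu` rule on this page effectively enforces.
IPV4_HDR, IPV6_HDR, UDP_HDR = 20, 40, 8
WG_DATA_HDR = 16      # type(1) + reserved(3) + receiver index(4) + counter(8)
POLY1305_TAG = 16
PAD_MULTIPLE = 16     # inner packet is padded up to a multiple of 16 bytes
TCP_HDR = 20


def wg_overhead(ipv6_endpoint=True):
    """Bytes wrapped around every inner packet on the wire."""
    outer_ip = IPV6_HDR if ipv6_endpoint else IPV4_HDR
    return outer_ip + UDP_HDR + WG_DATA_HDR + POLY1305_TAG


def tunnel_mtu(path_mtu, ipv6_endpoint=True):
    """Largest inner packet that fits in one underlay datagram.
    1500 -> 1420 for an IPv6 endpoint (wg-quick's default), 1440 for IPv4;
    a 1492-byte path -> 1412."""
    return path_mtu - wg_overhead(ipv6_endpoint)


def outer_size(inner_len, inner_mtu, ipv6_endpoint=True):
    """Wire size of one inner packet. Padding to 16 is capped at the
    interface MTU, so a full-MTU packet is not pushed past the path MTU."""
    padded = min(inner_mtu, -(-inner_len // PAD_MULTIPLE) * PAD_MULTIPLE)
    return padded + wg_overhead(ipv6_endpoint)


def fits(inner_len, inner_mtu, path_mtu, ipv6_endpoint=True):
    """False means the datagram needs IP fragmentation on the underlay,
    which many CGNAT and mobile paths drop."""
    return outer_size(inner_len, inner_mtu, ipv6_endpoint) <= path_mtu


def tcp_mss(inner_mtu, inner_ipv6=False):
    """MSS a SYN should advertise so every segment fits the tunnel MTU;
    this is the value an MSS clamp to the tunnel PMTU produces."""
    return inner_mtu - (IPV6_HDR if inner_ipv6 else IPV4_HDR) - TCP_HDR


if __name__ == "__main__":
    for path in (1500, 1492, 1400):
        mtu = tunnel_mtu(path)
        print(f"path {path}: mtu {mtu}, mss {tcp_mss(mtu)}, "
              f"full packet fits={fits(mtu, mtu, path)}")
```

Running a 1420-byte tunnel over a 1492-byte path is the case `fits` rejects: the full-size datagram comes out at 1500 bytes, and a small reply (a ping, curl's request) still gets through while anything that fills the MTU does not.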

[TUN] [wg_server] No valid endpoint has been configured or discovered for peer 3

Problem/Motivation

Cannot get a valid configuration that works with my wireguard server on windows

Expected behavior

To show Endpoint in Wireguard Server GUI, Tunnels tab under peer for HASSIO. Two other peers show valid endpoints which are mobile devices.

Actual behavior

Error message shown in Log tab of Wireguard Server GUI:
[TUN] [wg_server] No valid endpoint has been configured or discovered for peer 3

Steps to reproduce

see below for yaml

interface:
  private_key: (***removed***)
  address: 10.147.17.51
  dns:
    - 8.8.8.8
    - 1.1.1.1
  post_up: >-
    iptables -t nat -A POSTROUTING -o wg0 -j MASQUERADE; iptables -A FORWARD -p
    tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
  post_down: >-
    iptables -t nat -D POSTROUTING -o wg0 -j MASQUERADE; iptables -D FORWARD -p
    tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
  mtu: 1420
peers:
  - public_key: (***removed***)
    pre_shared_key: (***removed***)
    endpoint: example.hostname.com:60000
    allowed_ips:
      - 10.147.17.0/24
    persistent_keep_alive: "25"
log_level: debug

Network ports tried: 80, 8080, 51820, 60000 all show {} in web browser.

I suspect it is an issue as the wireguard server is internally connected with an IP address 192.168.1.50 listening on port 60000, and the HASS is running on a Hyper-V VM with an IP address 192.168.1.51.

Read only filesystem causes issues while setting "sysctl -q net.ipv4.conf.all.src_valid_mark=1"

Problem/Motivation

WireGuard client only connects briefly, then fails to stay in the VPN.

Expected behavior

Actual behavior

[s6-init] making user provided files available at /var/run/s6/etc...exited 0.
[s6-init] ensuring user provided files have correct perms...exited 0.
[fix-attrs.d] applying ownership & permissions fixes...
[fix-attrs.d] done.
[cont-init.d] executing container initialization scripts...
[cont-init.d] 00-banner.sh: executing... 
-----------------------------------------------------------
 Add-on: WireGuard Client
 Fast, modern, secure Wireguard tunnel (client)
-----------------------------------------------------------
 Add-on version: 0.1.5
 You are running the latest version of this add-on.
 System: Home Assistant OS 5.13  (armv7 / raspberrypi4)
 Home Assistant Core: 2021.4.0
 Home Assistant Supervisor: 2021.03.9
-----------------------------------------------------------
 Please, share the above information when looking for help
 or support in, e.g., GitHub, forums or the Discord chat.
-----------------------------------------------------------
[cont-init.d] 00-banner.sh: exited 0.
[cont-init.d] 01-log-level.sh: executing... 
[cont-init.d] 01-log-level.sh: exited 0.
[cont-init.d] config.sh: executing... 
[09:47:11] INFO: Ended to write Wireguard configuration into: [/etc/wireguard/wg0.conf]
[cont-init.d] config.sh: exited 0.
[cont-init.d] done.
[services.d] starting services
[services.d] done.
[09:47:11] INFO: Starting WireGuard Client...
[#] ip link add wg0 type wireguard
[#] wg setconf wg0 /dev/fd/63
[#] ip -4 address add 10.7.0.4/24 dev wg0
[#] ip link set mtu 1420 up dev wg0
[#] resolvconf -a wg0 -m 0 -x
[#] wg set wg0 fwmark 51820
[#] ip -4 route add 0.0.0.0/0 dev wg0 table 51820
[#] ip -4 rule add not fwmark 51820 table 51820
[#] ip -4 rule add table main suppress_prefixlength 0
[#] sysctl -q net.ipv4.conf.all.src_valid_mark=1
sysctl: error setting key 'net.ipv4.conf.all.src_valid_mark': Read-only file system
[#] resolvconf -d wg0 -f
[#] ip -4 rule delete table 51820
[#] ip -4 rule delete table main suppress_prefixlength 0
[#] ip link delete dev wg0
[09:47:41] INFO: Requesting current status from WireGuard Client...
[09:48:11] INFO: Requesting current status from WireGuard Client...

Steps to reproduce

Standard HomeAssistant OS install on RPI4

Proposed changes

WireGuard client status API - change port

Problem/Motivation

WireGuard client status API port configuration doesn't work. It always runs on port 80

Expected behavior

Changing WireGuard client status API port works on another port

Actual behavior

It only works on port 80, even when it is disabled.

Steps to reproduce

Change port via GUI in HA

Proposed changes

Please fix it because port 80 is in use to Hue Emulation

problems installing Wireguard client on HACS

I have installed Hassos on Raspberry 4 and I have installed HACS and it works regularly.
I wanted to install the WireGuard client for the SNAT problem, so I tried to add the repository indicated on GitHub to the HACS configuration, but I got this error:
"Repository structure for v0.1.7 is not compliant"
What am I doing wrong? What is the correct procedure for installing the custom component on Hassos?
Thanks Antonio

JSON format

How to correctly describe HA sensors? Does REST return the correct JSON format?

sensor:

{"peer_1":"{"endpoint":xx.xx.xx.xx:51820,"latest_handshake":Thu Jun 8 11:14:28 EEST 2023,"transfer_rx":219000,"transfer_tx":86940}"}

Maybe it should return:

{"peer_1":{"endpoint":xx.xx.xx.xx:51820,"latest_handshake":Thu Jun 8 11:14:28 EEST 2023,"transfer_rx":219000,"transfer_tx":86940}}

And even better:

{"peer_1":{"endpoint":"xx.xx.xx.xx:51820","latest_handshake":"Thu Jun 8 11:14:28 EEST 2023","transfer_rx":"219000","transfer_tx":"86940"}}
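Added example (not the add-on's code) for the JSON question above. It produces the third form the poster suggests, except that the byte counters are emitted as integers and the handshake as ISO 8601 UTC rather than a locale date string, so a sensor template can compare them without casting. It reads the machine-readable `wg show wg0 dump` output, whose tab-separated layout is documented in wg(8); the sample here is constructed, with placeholder keys and a documentation address.

```python
import json
from datetime import datetime, timezone

# Constructed sample of `wg show wg0 dump` (keys are placeholders, endpoint is
# a documentation address). First line is the interface: private key, public
# key, listen port, fwmark. Each following line is one peer: public key,
# preshared key, endpoint, allowed ips, latest handshake (unix seconds,
# 0 = never), rx bytes, tx bytes, persistent keepalive ("off" or seconds).
SAMPLE_DUMP = (
    "CLIENT_PRIVATE_KEY\tCLIENT_PUBLIC_KEY\t51820\toff\n"
    "SERVER_PUBLIC_KEY\t(none)\t203.0.113.5:51820\t10.13.13.0/24\t"
    "1686212068\t219000\t86940\t25\n"
    "OTHER_PUBLIC_KEY\t(none)\t(none)\t10.13.13.3/32\t0\t0\t0\toff\n"
)


def parse_dump(text):
    """Return a JSON-serialisable dict keyed peer_1, peer_2, ... with every
    string quoted, counters as integers and the handshake as ISO 8601 UTC
    (null when there has never been one)."""
    lines = [line for line in text.splitlines() if line.strip()]
    status = {}
    for index, line in enumerate(lines[1:], start=1):   # skip interface line
        fields = line.split("\t")
        if len(fields) != 8:
            raise ValueError(f"unexpected peer line: {line!r}")
        pub, _psk, endpoint, allowed, handshake, rx, tx, keepalive = fields
        ts = int(handshake)
        status[f"peer_{index}"] = {
            "public_key": pub,
            "endpoint": None if endpoint == "(none)" else endpoint,
            "allowed_ips": allowed.split(","),
            "latest_handshake": (
                datetime.fromtimestamp(ts, tz=timezone.utc).isoformat() if ts else None
            ),
            "transfer_rx": int(rx),
            "transfer_tx": int(tx),
            "persistent_keepalive": None if keepalive == "off" else int(keepalive),
        }
    return status


def status_json(text):
    """The serialised form: one JSON document, not JSON nested in a string."""
    return json.dumps(parse_dump(text), indent=2)


def round_trip_ok(text):
    """True when the emitted document parses back to the same structure,
    which the quoted-string-inside-a-string form in the post cannot do."""
    return json.loads(status_json(text)) == parse_dump(text)


if __name__ == "__main__":
    print(status_json(SAMPLE_DUMP))
```

Parsing the dump format instead of the human-readable `wg show` text avoids having to quote values after the fact: endpoints and dates come out as proper strings, and a peer that has never handshaked gets null rather than an unquoted "(none)".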

connecting to non-default wg port not possible

Problem/Motivation

I am trying to set up wireguard-client on HA, connecting to a WG server with a non-default port and no DNS name.

Config

interface:
  private_key: <privatekey>
  address: 10.0.0.10
  dns:
    - 8.8.8.8
    - 8.8.4.4
  post_up: iptables -t nat -A POSTROUTING -o wg0 -j MASQUERADE
  post_down: iptables -t nat -D POSTROUTING -o wg0 -j MASQUERADE
peer:
  public_key: <pubkey>
  pre_shared_key: ''
  endpoint: 5.6.7.8:1194
  allowed_ips:
    - 192.168.30.0/24
    - 192.168.100.0/24
    - 10.0.0.10/32
  persistent_keep_alive: '25'

wireguard-client Log

-----------------------------------------------------------
 Add-on: WireGuard Client
 Fast, modern, secure Wireguard tunnel (client)
-----------------------------------------------------------
 Add-on version: 0.1.8
 You are running the latest version of this add-on.
 System: Home Assistant OS 6.6  (amd64 / qemux86-64)
 Home Assistant Core: 2021.11.5
 Home Assistant Supervisor: 2021.10.8
-----------------------------------------------------------
 Please, share the above information when looking for help
 or support in, e.g., GitHub, forums or the Discord chat.
-----------------------------------------------------------
[cont-init.d] 00-banner.sh: exited 0.
[cont-init.d] 01-log-level.sh: executing... 
[cont-init.d] 01-log-level.sh: exited 0.
[cont-init.d] config.sh: executing... 
[13:24:34] INFO: Ended to write Wireguard configuration into: [/etc/wireguard/wg0.conf]
[cont-init.d] config.sh: exited 0.
[cont-init.d] done.
[services.d] starting services
[services.d] done.
[13:24:34] INFO: Starting WireGuard Client...
[#] ip link add wg0 type wireguard
[#] wg setconf wg0 /dev/fd/63
[#] ip -4 address add 10.0.0.10/24 dev wg0
[#] ip link set mtu 1420 up dev wg0
[#] resolvconf -a wg0 -m 0 -x
[#] iptables -t nat -A POSTROUTING -o wg0 -j MASQUERADE

WG Server tcpdump

external ip: 1.2.3.4 (of course NAT behind home router)
wg-server ip: 5.6.7.8
wg-server port: 1194

13:24:21.729857 IP 1.2.3.4 > 5.6.7.8: ICMP 1.2.3.4 udp port 42529 unreachable, length 184
13:24:27.169598 IP 1.2.3.4 > 5.6.7.8: ICMP 1.2.3.4 udp port 42529 unreachable, length 184
13:24:32.545867 IP 1.2.3.4 > 5.6.7.8: ICMP 1.2.3.4 udp port 42529 unreachable, length 184
13:24:37.921267 IP 1.2.3.4 > 5.6.7.8: ICMP 1.2.3.4 udp port 42529 unreachable, length 184
13:24:43.297880 IP 1.2.3.4 > 5.6.7.8: ICMP 1.2.3.4 udp port 42529 unreachable, length 184
13:24:48.417649 IP 1.2.3.4 > 5.6.7.8: ICMP 1.2.3.4 udp port 42529 unreachable, length 184
13:24:53.537629 IP 1.2.3.4 > 5.6.7.8: ICMP 1.2.3.4 udp port 42529 unreachable, length 184
13:24:58.657655 IP 1.2.3.4 > 5.6.7.8: ICMP 1.2.3.4 udp port 42529 unreachable, length 184
13:25:03.777850 IP 1.2.3.4 > 5.6.7.8: ICMP 1.2.3.4 udp port 42529 unreachable, length 184

This setup is working perfectly fine using Ubuntu 20.04 from another VM on the same network.

Troubleshooting from inside container

root@fd24a922-wireguard-client:/$ nc -uvz 5.6.7.8 1194
5.6.7.8 (5.6.7.8:1194) open

config files looks correct:

root@fd24a922-wireguard-client:/$ cat /etc/wireguard/wg0.conf
[Interface]
PrivateKey = <privatekey>
Address = 10.0.0.10/24
DNS = 8.8.8.8,8.8.4.4
PostUp = iptables -t nat -A POSTROUTING -o wg0 -j MASQUERADE
PostDown = iptables -t nat -D POSTROUTING -o wg0 -j MASQUERADE

[Peer]
PublicKey = <pubkey>
Endpoint = 5.6.7.8:1194
AllowedIPs = 192.168.30.0/24,192.168.100.0/24,10.0.0.10/32
PersistentKeepalive = 25

Expected behavior

Connection is possible

Actual behavior

wireguard-client connecting to a different port 42529

Steps to reproduce

Spawn an new WG server and using the non-default port

Proposed changes

Addon not available in Add-on Store

Hi Fabio,

With more and more people getting behind NAT444, a WireGuard client is more useful for home usage than a WireGuard server. So after finding that the original add-on doesn't support client mode, I found this one. I added https://github.com/bigmoby/hassio-repository-addon as a repository in the Add-on Store and reloaded, but this add-on or repository is still not visible in my Hassio Add-on Store list. System logs:

21-03-27 14:34:32 INFO (MainThread) [supervisor.store.git] Update add-on https://github.com/bigmoby/hassio-repository-addon repository
21-03-27 14:34:33 INFO (MainThread) [supervisor.store.git] Update add-on https://github.com/home-assistant/addons repository
21-03-27 14:34:34 WARNING (MainThread) [supervisor.store.data] Can't read /data/addons/git/fc962596/frpc/config.json: required key not provided @ data['arch']. Got None
21-03-27 14:34:35 WARNING (MainThread) [supervisor.store.data] Can't read /data/addons/git/fc962596/frpc/config.json: required key not provided @ data['arch']. Got None

My Home Assistant Core version: core-2021.3.2

HA seems not accessible from inside vpn

Problem/Motivation

I installed the latest version of Hassio on my Raspberry Pi 2. I tried to install the addon from the HA store using your repo and compiled the config as it was before (I already had a HA installation on this RPi2 using the docker image). If I try to run the plugin, it says that it can't set a variable and it deletes the link to the route and the iptables rules it added.

Expected behavior

It connects to my WireGuard server on my VPS and is accessible from my VPN.

Actual behavior

It turns off the connection because it can't set a variable, and it says this:

[#] sysctl -q net.ipv4.conf.all.src_valid_mark=1
sysctl: error setting key 'net.ipv4.conf.all.src_valid_mark': Read-only file system

This is the complete log:

[s6-init] making user provided files available at /var/run/s6/etc...exited 0.
[s6-init] ensuring user provided files have correct perms...exited 0.
[fix-attrs.d] applying ownership & permissions fixes...
[fix-attrs.d] done.
[cont-init.d] executing container initialization scripts...
[cont-init.d] 00-banner.sh: executing... 

-----------------------------------------------------------
 Add-on: WireGuard Client
 Fast, modern, secure Wireguard tunnel (client)
-----------------------------------------------------------
 Add-on version: 0.2.2
 You are running the latest version of this add-on.
 System: Home Assistant OS 11.1  (armv7 / raspberrypi2)
 Home Assistant Core: 2023.11.2
 Home Assistant Supervisor: 2023.11.3
-----------------------------------------------------------
 Please, share the above information when looking for help
 or support in, e.g., GitHub, forums or the Discord chat.
-----------------------------------------------------------
[cont-init.d] 00-banner.sh: exited 0.
[cont-init.d] 01-log-level.sh: executing... 
[cont-init.d] 01-log-level.sh: exited 0.
[cont-init.d] config.sh: executing... 
[21:07:31] INFO: Ended to write Wireguard configuration into: [/etc/wireguard/wg0.conf]
[cont-init.d] config.sh: exited 0.
[cont-init.d] done.
[services.d] starting services
[services.d] done.
[21:07:32] INFO: Starting WireGuard Client...
[#] ip link add wg0 type wireguard
[#] wg setconf wg0 /dev/fd/63
[#] ip -4 address add y.y.y.y/24 dev wg0
[#] ip link set mtu 1420 up dev wg0
[#] resolvconf -a wg0 -m 0 -x
[#] wg set wg0 fwmark 51820
[#] ip -4 route add 0.0.0.0/0 dev wg0 table 51820
[#] ip -4 rule add not fwmark 51820 table 51820
[#] ip -4 rule add table main suppress_prefixlength 0
[#] sysctl -q net.ipv4.conf.all.src_valid_mark=1
sysctl: error setting key 'net.ipv4.conf.all.src_valid_mark': Read-only file system
[#] resolvconf -d wg0 -f
[#] ip -4 rule delete table 51820
[#] ip -4 rule delete table main suppress_prefixlength 0
[#] ip link delete dev wg0
[21:08:02] INFO: Requesting current status from WireGuard Client...
[21:08:32] INFO: Requesting current status from WireGuard Client...

Steps to reproduce

I simply run the addon with this config

interface:
  private_key: <hidden>
  address: y.y.y.y
  dns:
    - y.y.y.z
  post_up: >-
    iptables -t nat -A POSTROUTING -o wg0 -j MASQUERADE; iptables -A FORWARD -p
    tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
  post_down: >-
    iptables -t nat -D POSTROUTING -o wg0 -j MASQUERADE; iptables -D FORWARD -p
    tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
  mtu: 1420
peers:
  - public_key: <hidden>
    pre_shared_key: <hidden>
    endpoint: x.x.x.x:51830
    allowed_ips:
      - 0.0.0.0/0
    persistent_keep_alive: "25"

The old config file was:

[Interface]
PrivateKey = <hidden>
Address = y.y.y.y/24,<ipv6 address>/64
DNS = y.y.y.z

[Peer]
PublicKey = <hidden>
PresharedKey = <hidden>
Endpoint = x.x.x.x:51830
AllowedIPs = 0.0.0.0/0, ::0/0
PersistentKeepAlive = 25

It won't hold the connection to wireguard.

Problem/Motivation

When installed on the Hassio OS version, it is unable to connect.

Expected behavior

It connects to my wireguard server

Actual behavior

It makes an initial connection, but doesn't hold it. I can see it connects, sends a couple of packets, and then it drops.

Steps to reproduce

Install Hassio OS and this plugin, and try to connect to a server.

Proposed changes

No idea.

Logs

https://pastebin.com/aem09zsr

Problem connecting to wireguard server

Receiving an error message when connecting to my WireGuard VPN server. The server works properly; I can connect from other devices.

Here is my config.

interface:
  private_key: myprivatekey=
  address: 10.8.0.5/24
  dns:
    - 1.1.1.1
  post_up: iptables -t nat -A POSTROUTING -o wg0 -j MASQUERADE
  post_down: iptables -t nat -D POSTROUTING -o wg0 -j MASQUERADE
peers:
  - public_key: mypublickey=
    pre_shared_key: thepresharedkey=
    endpoint: myserversdomain.com:51820
    allowed_ips:
      - 0.0.0.0/0
    persistent_keep_alive: "25"

Error output:

[cont-init.d] 00-banner.sh: exited 0.
[cont-init.d] 01-log-level.sh: executing... 
[cont-init.d] 01-log-level.sh: exited 0.
[cont-init.d] config.sh: executing... 
[18:49:53] INFO: Ended to write Wireguard configuration into: [/etc/wireguard/wg0.conf]
[cont-init.d] config.sh: exited 0.
[cont-init.d] done.
[services.d] starting services
[services.d] done.
[18:49:53] INFO: Starting WireGuard Client...
[#] ip link add wg0 type wireguard
[#] wg setconf wg0 /dev/fd/63
[#] ip -4 address add 10.8.0.5/24 dev wg0
[#] ip link set mtu 1420 up dev wg0
[#] resolvconf -a wg0 -m 0 -x
[#] wg set wg0 fwmark 51820
[#] ip -4 route add 0.0.0.0/0 dev wg0 table 51820
[#] ip -4 rule add not fwmark 51820 table 51820
[#] ip -4 rule add table main suppress_prefixlength 0
[#] sysctl -q net.ipv4.conf.all.src_valid_mark=1
sysctl: error setting key 'net.ipv4.conf.all.src_valid_mark': Read-only file system
[#] resolvconf -d wg0 -f
[#] ip -4 rule delete table 51820
[#] ip -4 rule delete table main suppress_prefixlength 0
[#] ip link delete dev wg0

Unable to connect domain.duckdns.org, connection not made between client and server

Problem/Motivation

Unable to establish a connection between client and server.

Expected behavior

Establish a connection between server and client and connect from domain.duckdns.org.

Actual behavior

This is what I get from the addon's log:

INFO: Requesting current status from WireGuard Client...
interface: wg0
  public key: _public_keyB
  private key: (hidden)
  listening port: 52762
peer: public_keyA
  preshared key: (hidden)
  endpoint: IPv4:51820
  allowed ips: 10.50.138.0/24
  transfer: 0 B received, 17.63 KiB sent
  persistent keepalive: every 25 seconds

I never get any packets received.
If I try to ping the client from the server I always get:

$ ping 10.50.138.2
PING 10.50.138.2 (10.50.138.2) 56(84) bytes of data.
From 10.50.138.1 icmp_seq=1 Destination Host Unreachable
ping: sendmsg: Destination address required

If I ping 10.50.138.0 or 10.50.138.1 from the client I get no response.

In the addon I'm unable to set allowed_ips: 0.0.0.0. If I do that I receive this error:

sysctl -q net.ipv4.conf.all.src_valid_mark=1
sysctl: error setting key 'net.ipv4.conf.all.src_valid_mark': Read-only file system

Like this, but I can't set allowed_ips: [] either, because I get the same error.

Steps to reproduce

I followed the whole guide with HA Core and it worked out; then I retried it on HAOS with the addon but didn't manage to get it to work.

These are all the config files:

HAOS Addon

interface:
  private_key: _privatekeyA
  address: 10.50.138.2
  dns:
    - 8.8.8.8
    - 8.8.4.4
  post_up: >-
    iptables -t nat -A POSTROUTING -o wg0 -j MASQUERADE; iptables -A FORWARD -p
    tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
  post_down: >-
    iptables -t nat -D POSTROUTING -o wg0 -j MASQUERADE; iptables -D FORWARD -p
    tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
  mtu: 1420
peers:
  - public_key: _publickA
    pre_shared_key: _presharedKey 
    endpoint: domain.duckdns.com:51820
    allowed_ips:
      - 10.50.138.0/24
    persistent_keep_alive: "25"
log_level: debug

GC /etc/wireguard/configs/homeassistanthost.conf

[Interface]
PrivateKey = _privatekeyA
Address = 10.50.138.2/24
DNS = 8.8.8.8, 8.8.4.4

[Peer]
PublicKey = _publickA
PresharedKey = _presharedKey 
Endpoint = domain.duckdns.org:51820
AllowedIPs = 0.0.0.0/0, ::0/0

GC /etc/wireguard/wg0.conf

[Interface]
PrivateKey = _privatekeyB
Address = 10.50.138.1/24
MTU = 1420
ListenPort = 51820
### begin homeassistanthost ###
[Peer]
PublicKey = _publickB
PresharedKey = _presharedKey 
AllowedIPs = 10.50.138.2/32
### end homeassistanthost ###

I have configured port mapping on my router to redirect 51820 to my Raspberry Pi, as set up before for Core.
I also tried to configure http.trusted_proxies in configuration.yaml, but nothing changed.

I think I'm missing something else in the configuration...
Thank you
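Several of the reports above share one failure: with 0.0.0.0/0 in AllowedIPs, wg-quick takes its default-route path (fwmark, table 51820, then `sysctl net.ipv4.conf.all.src_valid_mark=1`), which fails on the read-only /proc/sys inside the add-on container and tears wg0 down again, while a subnet-only AllowedIPs never reaches that sysctl. The linter below is an added example, not part of the add-on or of any poster's config; it parses the wg-quick file format shown in these issues, flags default-route AllowedIPs (plus a peer entry that is just the interface's own address), and checks whether the sysctl is writable where it runs. The sample config and its placeholder key are constructed.

```python
import ipaddress
import os

def parse_wg_conf(text):
    """Parse the INI-like wg-quick format into {'Interface': {...}, 'Peers': [...]}."""
    conf, section = {"Interface": {}, "Peers": []}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # '#' starts a comment, as in wg-quick
        if not line:
            continue
        if line.startswith("["):
            if line.strip("[]").lower() == "peer":
                conf["Peers"].append({})
                section = conf["Peers"][-1]
            else:
                section = conf["Interface"]
            continue
        key, _, value = line.partition("=")
        section[key.strip().lower()] = value.strip()
    return conf


def sysctl_writable():
    """True when this container may set the sysctl; False on a read-only /proc/sys."""
    return os.access("/proc/sys/net/ipv4/conf/all/src_valid_mark", os.W_OK)


def lint(conf, writable):
    """Return findings for a parsed client config; writable comes from sysctl_writable()."""
    findings, addrs = [], conf["Interface"].get("address", "").replace(" ", "")
    own = [ipaddress.ip_interface(a).ip for a in addrs.split(",") if a]
    for peer in conf["Peers"]:
        for cidr in filter(None, peer.get("allowedips", "").replace(" ", "").split(",")):
            net = ipaddress.ip_network(cidr, strict=False)
            if net.prefixlen == 0:  # 0.0.0.0/0 or ::/0 takes wg-quick's default-route path
                outcome = "" if writable else ", which fails on read-only /proc/sys"
                findings.append(f"AllowedIPs {cidr}: wg-quick runs 'sysctl net.ipv4.conf.all."
                                f"src_valid_mark=1'{outcome}")
            elif net.num_addresses == 1 and any(ip in net for ip in own):
                findings.append(f"AllowedIPs {cidr} is this interface's own address")
    return findings


# Constructed minimal sample mirroring the full-tunnel configs in this thread.
FULL_TUNNEL = """\
[Interface]
Address = 10.8.0.5/24
[Peer]
AllowedIPs = 0.0.0.0/0, ::/0
"""
```

Run `lint(parse_wg_conf(open("/etc/wireguard/wg0.conf").read()), sysctl_writable())` inside the add-on container to see, before wg-quick does, whether the generated config will hit the sysctl error; an empty list means the split-tunnel path.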
