bigmoby / addon-wireguard-client
Hassio Add-On Wireguard Client
License: MIT License
My desired setup is that I have a public Wireguard VPN, e.g. hosted on DigitalOcean, accessible by everyone.
Home Assistant, hosted locally, should connect to this Wireguard server, so the server can act as a reverse proxy and make my Home Assistant installation accessible from everywhere without any port forwarding issues.
I have the setup up and running with OpenVPN but want to switch, due to simpler configuration, to Wireguard.
This plugin manages to connect to my Wireguard server.
Connection is unusably slow. curl from Wireguard server to Home Assistant takes ages and usually ends with Recv failure: Connection reset by peer
Plugin connects to my Wireguard server. Wireguard server can curl Home Assistant and get some HTML back.
Plugin connects to my Wireguard server. curl response takes ages and results in a "Recv failure: Connection reset by peer". curl sees some header information sent by Home Assistant, so there is a connection, it's just unusably slow:
root@3876e6bea848:/# curl 10.13.13.2:8123 -vvvv
* Trying 10.13.13.2:8123...
* Connected to 10.13.13.2 (10.13.13.2) port 8123 (#0)
> GET / HTTP/1.1
> Host: 10.13.13.2:8123
> User-Agent: curl/7.87.0
> Accept: */*
>
* Mark bundle as not supporting multiuse
< HTTP/1.1 200 OK
< Content-Type: text/html; charset=utf-8
< Content-Length: 9294
< Date: Sun, 12 Feb 2023 15:59:52 GMT
< Server: Python/3.10 aiohttp/3.8.1
<
* Recv failure: Connection reset by peer
* Closing connection 0
curl: (56) Recv failure: Connection reset by peer
I also noticed when I ping 10.13.13.2 it takes like 20 seconds until I get the first response. But once I got the first response the following responses come up immediately:
root@3876e6bea848:/# ping 10.13.13.2
PING 10.13.13.2 (10.13.13.2) 56(84) bytes of data.
64 bytes from 10.13.13.2: icmp_seq=19 ttl=64 time=18.6 ms
64 bytes from 10.13.13.2: icmp_seq=20 ttl=64 time=16.6 ms
64 bytes from 10.13.13.2: icmp_seq=21 ttl=64 time=22.8 ms
64 bytes from 10.13.13.2: icmp_seq=22 ttl=64 time=16.3 ms
^C
When I connect my phone to the Wireguard server it responds immediately to requests.
Wireguard server is set up like this:
version: '3'
networks:
  web:
    external: true
services:
  wireguard:
    image: lscr.io/linuxserver/wireguard:1.0.20210914-alpine
    restart: unless-stopped
    networks:
      - default
      - web
    volumes:
      - /data/wireguard/config:/config
    cap_add:
      - NET_ADMIN
    environment:
      - SERVERURL=wireguard.mydomain.com
      - SERVERPORT=51820
      - PEERS=hass
      - INTERNAL_SUBNET=10.13.13.0
      - PERSISTENTKEEPALIVE_PEERS=
    sysctls:
      - net.ipv4.conf.all.src_valid_mark=1
    labels:
      - traefik.enable=true
      - traefik.udp.services.wireguard-service.loadbalancer.server.port=51820
      - traefik.udp.routers.wireguard-router.entrypoints=wireguard
      - traefik.udp.routers.wireguard-router.service=wireguard-service
Wireguard client is set up like this:
Interface:
  private_key: <redacted>
  address: 10.13.13.2
  dns:
    - 1.1.1.1
  post_up: iptables -t nat -A POSTROUTING -o wg0 -j MASQUERADE
  post_down: iptables -t nat -D POSTROUTING -o wg0 -j MASQUERADE
Peers:
  - public_key: <redacted>
    pre_shared_key: <redacted>
    endpoint: wireguard.mydomain.com:51820
    allowed_ips:
      - 10.13.13.0/24
    persistent_keep_alive: 25
Remote HomeAssistant Break on 0.2.0
Connection Established on Remote HomeAssistant
Log:
import of 10.10.0.3 failed
Traceback (most recent call last):
File "/usr/local/lib/python3.9/site-packages/aiohttp/connector.py", line 986, in _wrap_create_connection
return await self._loop.create_connection(*args, **kwargs) # type: ignore[return-value] # noqa
File "/usr/local/lib/python3.9/asyncio/base_events.py", line 1081, in create_connection
transport, protocol = await self._create_connection_transport(
File "/usr/local/lib/python3.9/asyncio/base_events.py", line 1111, in _create_connection_transport
await waiter
ConnectionAbortedError: SSL handshake is taking longer than 60.0 seconds: aborting the connection
The above exception was the direct cause of the following exception:
Traceback (most recent call last):
File "/config/custom_components/remote_homeassistant/config_flow.py", line 45, in validate_input
info = await async_get_discovery_info(
File "/config/custom_components/remote_homeassistant/rest_api.py", line 47, in async_get_discovery_info
async with session.get(url, headers=headers) as resp:
File "/usr/local/lib/python3.9/site-packages/aiohttp/client.py", line 1138, in aenter
self._resp = await self._coro
File "/usr/local/lib/python3.9/site-packages/aiohttp/client.py", line 535, in _request
conn = await self._connector.connect(
File "/usr/local/lib/python3.9/site-packages/aiohttp/connector.py", line 542, in connect
proto = await self._create_connection(req, traces, timeout)
File "/usr/local/lib/python3.9/site-packages/aiohttp/connector.py", line 907, in _create_connection
_, proto = await self._create_direct_connection(req, traces, timeout)
File "/usr/local/lib/python3.9/site-packages/aiohttp/connector.py", line 1206, in _create_direct_connection
raise last_exc
File "/usr/local/lib/python3.9/site-packages/aiohttp/connector.py", line 1175, in _create_direct_connection
transp, proto = await self._wrap_create_connection(
File "/usr/local/lib/python3.9/site-packages/aiohttp/connector.py", line 992, in _wrap_create_connection
raise client_error(req.connection_key, exc) from exc
aiohttp.client_exceptions.ClientConnectorError: Cannot connect to host 10.10.0.3:8123 ssl:default [None]
During handling of the above exception, another exception occurred:
Traceback (most recent call last):
File "/config/custom_components/remote_homeassistant/config_flow.py", line 180, in async_step_import
info = await validate_input(self.hass, user_input)
File "/config/custom_components/remote_homeassistant/config_flow.py", line 54, in validate_input
raise CannotConnect()
custom_components.remote_homeassistant.rest_api.CannotConnect
Remote HomeAssistant
N/A
Having an issue pinging the WG server network from my Home Assistant install. The WG server has a Lutron hub on subnet 192.168.0.0/24. I am unable to ping the 192.168.0.0/24 subnet from the terminal add-on in Home Assistant.
I was able to import the configuration from my server onto my own laptop and was able to ping the 192.168.0.0/24 subnet without an issue.
I wish to be able to add the Lutron Caseta integration to my Home Assistant even though they are at 2 different locations/networks. The Home Assistant install is on the 192.168.86.0/24 subnet.
Expect to be able to reach the 192.168.0.0/24 subnet
Unable to reach the subnet, the logs are filled with "nc: bind: Address in use"
Configuration:
Interface:
  private_key: XXXXXXXXXXXXXXXXXXXX
  address: 10.253.0.2
  dns:
    - 8.8.8.8
    - 8.8.4.4
  post_up: >-
    iptables -t nat -A POSTROUTING -o wg0 -j MASQUERADE; iptables -A FORWARD -p
    tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
  post_down: >-
    iptables -t nat -D POSTROUTING -o wg0 -j MASQUERADE; iptables -D FORWARD -p
    tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
  mtu: 1420
Peers:
  - public_key: XXXXXXXXXXXXXXXX
    pre_shared_key: XXXXXXXXXXXXXXXXX
    endpoint: XXXXXXX.duckdns.org:51820
    allowed_ips:
      - 10.253.0.0/24
    persistent_keep_alive: "25"
Logs:
-----------------------------------------------------------
Add-on: WireGuard Client
Fast, modern, secure Wireguard tunnel (client)
-----------------------------------------------------------
Add-on version: 0.2.2
You are running the latest version of this add-on.
System: Home Assistant OS 12.3 (aarch64 / raspberrypi4-64)
Home Assistant Core: 2024.5.4
Home Assistant Supervisor: 2024.05.1
-----------------------------------------------------------
Please, share the above information when looking for help
or support in, e.g., GitHub, forums or the Discord chat.
-----------------------------------------------------------
[cont-init.d] 00-banner.sh: exited 0.
[cont-init.d] 01-log-level.sh: executing...
[cont-init.d] 01-log-level.sh: exited 0.
[cont-init.d] config.sh: executing...
[13:29:20] INFO: Ended to write Wireguard configuration into: [/etc/wireguard/wg0.conf]
[cont-init.d] config.sh: exited 0.
[cont-init.d] done.
[services.d] starting services
[services.d] done.
[13:29:20] INFO: Starting WireGuard Client...
[#] ip link add wg0 type wireguard
[#] wg setconf wg0 /dev/fd/63
[#] ip -4 address add 10.253.0.2/24 dev wg0
[#] ip link set mtu 1420 up dev wg0
[#] resolvconf -a wg0 -m 0 -x
nc: bind: Address in use
[#] iptables -t nat -A POSTROUTING -o wg0 -j MASQUERADE; iptables -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
nc: bind: Address in use
nc: bind: Address in use
nc: bind: Address in use
nc: bind: Address in use
nc: bind: Address in use
nc: bind: Address in use
nc: bind: Address in use
nc: bind: Address in use
nc: bind: Address in use
IP masquerading not working; cannot access other devices on my local area network
traceroute 192.168.8.169 and get a reply
traceroute stops at 10.10.1.2
I used to run a WireGuard client on Debian. Since installing Home Assistant on my RPi4 I am trying to reproduce my wg config.
Here is my original config that worked:
[Interface]
Address = 10.10.1.2/24
PrivateKey = redacted
ListenPort = 51820
DNS = 192.168.8.1
PostUp = iptables -A FORWARD -i wg0 -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
PostDown = iptables -D FORWARD -i wg0 -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE
[Peer]
PublicKey = redacted
Endpoint = mydomain.com:51820
AllowedIPs = 10.10.1.0/24
PersistentKeepalive = 25
Here is the actual config in the plugin:
[interface]
  private_key: redacted
  address: 10.10.1.2/24
  dns:
    - 192.168.8.1
  post_up: >-
    iptables -t nat -A POSTROUTING -o wg0 -j MASQUERADE; iptables -A FORWARD -p
    tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
  post_down: >-
    iptables -t nat -D POSTROUTING -o wg0 -j MASQUERADE; iptables -D FORWARD -p
    tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
  mtu: 1420
[peer]
  - public_key: redacted
    endpoint: mydomain:51820
    allowed_ips:
      - 10.10.1.0/24
    persistent_keep_alive: "25"
I also tried changing the masquerading to the one of my original config, replacing eth0 with end0, but nothing works.
ip route list table main default
default via 192.168.8.1 dev end0 src 192.168.8.186 metric 100
10.10.1.0/24 dev wg0 scope link src 10.10.1.2
172.30.32.0/23 dev hassio scope link src 172.30.32.1
172.30.232.0/23 dev docker0 scope link src 172.30.232.1
192.168.8.0/24 dev end0 scope link src 192.168.8.186 metric 100
IPv4 forwarding seems to be enabled:
cat /proc/sys/net/ipv4/ip_forward
1
I am trying to connect my HA to a fritzbox in another city with wireguard. I am quite sure the problem is the listening port. The fritzbox has a wireguard server and it works (I connected to it with both my laptop and android mobile), but it wants ListenPort = 51336 while wireguard client uses a random number for the interface.
It doesn't receive anything
transfer: 0 B received, 2.89 KiB sent
persistent keepalive: every 25 seconds
I am not really able to make it work. Any help will be much appreciated!
If WireGuard is activated on boot , HA core updates will fail
I had a hell of a time upgrading from 2023.12.x to HA Core 2024.1.2.
Then again from 2024.1.2 to 2024.1.6
My solution:
1.) Disable WireGuard client (Uncheck “Start on boot”)
2.) Reboot system
3.) Update your system
4.) Re-activate WireGuard as desired
I am running two Home Assistant instances in two separate houses.
At my major home, I am running the Home Assistant Wireguard-server add-on with the following config:
server:
  host: [IP]:[PORT]
  addresses:
    - 172.27.66.1
  dns: []
  peers:
In my second home, I have an RPI3 running Home Assistant with the Wireguard-client. Config:
interface:
  private_key: [PRIVATE KEY]
  address: 172.27.66.203/24
  dns:
    - 172.30.32.3
  post_up: iptables -t nat -A POSTROUTING -o wg0 -j MASQUERADE
  post_down: iptables -t nat -D POSTROUTING -o wg0 -j MASQUERADE
peer:
  public_key: [PUBLIC KEY]
  endpoint: [IP]:[PORT]
  allowed_ips:
    - 10.9.0.0/24
  persistent_keep_alive: 25
Unfortunately, the connection between the two networks cannot be established. I use the wireguard-server for several connections with wireguard-clients (e.g. the WireGuard app for Windows, iOS) and everything is working OK there; only the wireguard-client add-on does not want to connect to the VPN server.
Could you please advise how to get the connection running :-)
Thanks in advance for your assistance!
PS:
LOG CLIENT:
[19:12:20] INFO: Requesting current status from WireGuard Client...
interface: wg0
public key: A/HzBwQEFnHbR8vXx/F75oFBEkYF7k8AiCBe8P8qd0g=
private key: (hidden)
listening port: 47677
peer: LTji/hiLAjUsRSvpjEdgX54SDn8uaWTjujxGEQEq8Uo=
preshared key: (hidden)
endpoint: 185.248.151.188:51850
allowed ips: 10.9.0.0/24
transfer: 0 B received, 888 B sent
persistent keepalive: every 25 seconds
Both devices are up to date!
Added multiple peer but returns invalid yaml error
wireguard is peer to peer so all clients should be able to be configured with multiple peers
yaml error when saving configuration
add a second peer entry
configuration of peers needs to allow an array of peers
Hi,
I followed your whole guide for Home Assistant behind a NAT network.
Since I am on Hassio I immediately installed your WireGuard client add-on.
However, several steps are unclear to me.
On the Google server I also ran the commands:
sudo sysctl -w net.ipv4.ip_forward=1
echo "net.ipv4.ip_forward = 1" | sudo tee -a /etc/sysctl.conf
sudo sysctl -p /etc/sysctl.conf
.. and I set up the client config like this:
interface:
  private_key: xxxxxxxxxxxxxxx
  address: 10.6.0.2
  dns:
    - 8.8.8.8
    - 8.8.4.4
peer:
  public_key: xxxxxxxxxxxxxxx
  pre_shared_key: xxxxxxxxxxxxxxxxxxx
  endpoint: 'xxxxxxxxxxxxxxxx.duckdns.org:51820'
  allowed_ips:
    - 10.6.0.1
  persistent_keep_alive: '25'
and started it by pressing start.
Then I set up the "normal" WireGuard add-on like this:
server:
  host: xxxxxxxxxxxxxx.duckdns.org
  addresses:
    - 10.6.0.2
  dns: []
  peers:
and then I start this add-on as well.
Now what? In the client add-on log I see no errors.
If I launch the "normal" WireGuard add-on it gives me this error: "Port '51820' is already in use by something else on the host."
Hello!
After installing and configuring I no longer have access from my laptop over Wi-Fi to my Raspberry's Home Assistant.
Also I can't ping my local LTE router from HA, which is connected over Wi-Fi.
But if WireGuard is connected then I can access my LTE Home Assistant from @Home.
At home I have a Fritz!Box WireGuard configuration.
Config on my Fritzbox @home:
[Interface]
PrivateKey = xxx
ListenPort = 53892
Address = 192.168.178.1/24
DNS = 192.168.178.1,192.168.84.1
DNS = fritz.box
[Peer]
PublicKey = xxx
PresharedKey = xxx
AllowedIPs = 192.168.178.131/32
PersistentKeepalive = 25
[Peer]
PublicKey = xxx
PresharedKey = xxx
AllowedIPs = 192.168.178.132/32
PersistentKeepalive = 25
[Peer]
PublicKey = xxx
PresharedKey = xxx
AllowedIPs = 192.168.84.0/24
PersistentKeepalive = 25
Config on my Plugin:
interface:
  private_key: xxx
  address: 192.168.84.0/24
  dns:
    - 192.168.84.1
    - 8.8.4.4
  post_up: iptables -t nat -A POSTROUTING -o wg0 -j MASQUERADE
  post_down: iptables -t nat -D POSTROUTING -o wg0 -j MASQUERADE
peers:
route:
Kernel IP routing table
Destination Gateway Genmask iface
default fd24a921-wiregu 0.0.0.0 eth0
172.30.32.0 * 255.255.254.0 eth0
My installed Image on Raspberry 4 is:
https://github.com/home-assistant/operating-system/releases/download/9.3/haos_rpi4-64-9.3.img.xz
I hope you can help me!?
I can only connect to my wireguard server when I enter an IPv4 address as an endpoint in the config of the wireguard-client add-on.
I tried it with domains pointing to my cable router (dual stack connection v4 and v6) or directly with IPv4 and IPv6 addresses.
The handshake only works with the v4 address.
When I use a dynamic domain wireguard-client resolves the domain into the v6 address. It looks like it's connected but there is no handshake entry in the log. And the transfer entry shows only sent, nothing received.
LOG:
interface: wg0
public key: $key$
private key: (hidden)
listening port: 60973
peer: $some-key-here$
preshared key: (hidden)
endpoint: [some_ipv6_address]:51820
allowed ips: 10.13.13.0/24
transfer: 0 B received, 13.15 KiB sent
persistent keepalive: every 25 seconds
My config:
interface:
  private_key: $mykey$
  address: 10.13.13.2
  dns:
    - 10.13.13.1
  post_up: iptables -t nat -A POSTROUTING -o wg0 -j MASQUERADE
  post_down: iptables -t nat -D POSTROUTING -o wg0 -j MASQUERADE
peers:
  - public_key: $pupkey$
    pre_shared_key: $pskey$
    endpoint: wg.example.com:51820
    allowed_ips:
      - 10.13.13.0/24
    persistent_keep_alive: "25"
LOG (IPv4 address as endpoint instead of v6):
interface: wg0
public key: $$$$
private key: (hidden)
listening port: 54311
peer: $$$$
preshared key: (hidden)
endpoint: $ipv4_address$:51820
allowed ips: 10.13.13.0/24
latest handshake: 30 seconds ago
transfer: 92 B received, 212 B sent
persistent keepalive: every 25 seconds
When I connect to the same server from my iPhone (also from the same network as the homeassistantOS) the domain will always get resolved into a v4 address and everything is working.
What do I miss here?
Thanks
Eugen
I'm having issues getting my connection working, partly because I don't use a PSK. I can see activity on the server of the connection; however the reverse link fails. I notice I can't force the peer address to a /32 so I have a subnet mismatch (the add-on automatically appends /24; manually appending /32 into the config errors with 10.9.0.7/32/24).
WG connects and am able to access HA from the WG address.
Unable to access HA via WG, host unable to ping WG Server
Config I'm using:
interface:
  private_key: PRIVATEKEY
  address: 10.9.0.7
  dns:
    - 8.8.8.8
    - 8.8.4.4
  post_up: iptables -t nat -A POSTROUTING -o wg0 -j MASQUERADE ; ping -c 2 10.9.0.1
  post_down: iptables -t nat -D POSTROUTING -o wg0 -j MASQUERADE
peer:
  public_key: REMOTEPUBKEY
  pre_shared_key: REMOTEPUBKEY
  endpoint: 'SERVER'
  allowed_ips:
    - 10.9.0.0/24
  persistent_keep_alive: '120'
If I were to do this in pure WG config it would look like this:
[Interface]
PrivateKey = HAPRIVATEKEY
Address = 10.9.0.7/32
PostUp = ping -c 2 10.9.0.1
[Peer]
PublicKey = REMOTEPUBKEY
AllowedIPs = 10.9.0.0/24
Endpoint = SERVER
I have 10 devices already talking to this WG server so there isn't anything awol on the server side
Wireguard is correctly connected to the other peer, but my HA is unable to access any device.
Any idea ?
Hi!
I'm looking for a way to connect to a Home Assistant instance using WireGuard. Here is the scenario:
All the clients are successfully connected to WireGuard server running on VPS. All clients are able to cross-communicate (e.g. ping mobile from desktop and vice-versa).
Home Assistant's addons are running on separate docker containers, UI and WireGuard are completely separate, so when VPN is connected from addon container, I cannot access UI from other VPN client.
Can you please suggest the way to access Home Assistant UI in such a scenario?
From network perspective this should be something like opening port on addon container that will forward requests to UI container on 8123, but I can hardly imagine how this can be achieved in HASS.
Thank you in advance!
PS: One more weird thing found: Home Assistant is unable to download update and access Internet in general, when addon is running.
Is there a way to do it? Because I can ping all networks connected through the VPN client from Home Assistant, but I can't use them from other computers on the same network using Home Assistant as a gateway for them, even if I put rules for this in iptables.
Is this configuration possible?
Hi,
please add the ability to set the MTU size.
I have one client that can connect but the default MTU 1420 is too high for its network (CGNAT).
I tried to include MTU: 1412 but in the log I can see that wg is starting with 1420.
Cannot get a valid configuration that works with my wireguard server on windows
To show Endpoint in Wireguard Server GUI, Tunnels tab under peer for HASSIO. Two other peers show valid endpoints which are mobile devices.
Error message shown in Log tab of Wireguard Server GUI:
[TUN] [wg_server] No valid endpoint has been configured or discovered for peer 3
See below for the YAML:
interface:
  private_key: (***removed***)
  address: 10.147.17.51
  dns:
    - 8.8.8.8
    - 1.1.1.1
  post_up: >-
    iptables -t nat -A POSTROUTING -o wg0 -j MASQUERADE; iptables -A FORWARD -p
    tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
  post_down: >-
    iptables -t nat -D POSTROUTING -o wg0 -j MASQUERADE; iptables -D FORWARD -p
    tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
  mtu: 1420
peers:
  - public_key: (***removed***)
    pre_shared_key: (***removed***)
    endpoint: example.hostname.com:60000
    allowed_ips:
      - 10.147.17.0/24
    persistent_keep_alive: "25"
log_level: debug
Network ports tried: 80, 8080, 51820, 60000 all show {} in web browser.
I suspect it is an issue as the wireguard server is internally connected with an IP address 192.168.1.50 listening on port 60000, and the HASS is running on a Hyper-V VM with an IP address 192.168.1.51.
Wireguard Client only connecting shortly. Then failing to stay in the VPN.
[s6-init] making user provided files available at /var/run/s6/etc...exited 0.
[s6-init] ensuring user provided files have correct perms...exited 0.
[fix-attrs.d] applying ownership & permissions fixes...
[fix-attrs.d] done.
[cont-init.d] executing container initialization scripts...
[cont-init.d] 00-banner.sh: executing...
-----------------------------------------------------------
Add-on: WireGuard Client
Fast, modern, secure Wireguard tunnel (client)
-----------------------------------------------------------
Add-on version: 0.1.5
You are running the latest version of this add-on.
System: Home Assistant OS 5.13 (armv7 / raspberrypi4)
Home Assistant Core: 2021.4.0
Home Assistant Supervisor: 2021.03.9
-----------------------------------------------------------
Please, share the above information when looking for help
or support in, e.g., GitHub, forums or the Discord chat.
-----------------------------------------------------------
[cont-init.d] 00-banner.sh: exited 0.
[cont-init.d] 01-log-level.sh: executing...
[cont-init.d] 01-log-level.sh: exited 0.
[cont-init.d] config.sh: executing...
[09:47:11] INFO: Ended to write Wireguard configuration into: [/etc/wireguard/wg0.conf]
[cont-init.d] config.sh: exited 0.
[cont-init.d] done.
[services.d] starting services
[services.d] done.
[09:47:11] INFO: Starting WireGuard Client...
[#] ip link add wg0 type wireguard
[#] wg setconf wg0 /dev/fd/63
[#] ip -4 address add 10.7.0.4/24 dev wg0
[#] ip link set mtu 1420 up dev wg0
[#] resolvconf -a wg0 -m 0 -x
[#] wg set wg0 fwmark 51820
[#] ip -4 route add 0.0.0.0/0 dev wg0 table 51820
[#] ip -4 rule add not fwmark 51820 table 51820
[#] ip -4 rule add table main suppress_prefixlength 0
[#] sysctl -q net.ipv4.conf.all.src_valid_mark=1
sysctl: error setting key 'net.ipv4.conf.all.src_valid_mark': Read-only file system
[#] resolvconf -d wg0 -f
[#] ip -4 rule delete table 51820
[#] ip -4 rule delete table main suppress_prefixlength 0
[#] ip link delete dev wg0
[09:47:41] INFO: Requesting current status from WireGuard Client...
[09:48:11] INFO: Requesting current status from WireGuard Client...
Standard HomeAssistant OS install on RPI4
WireGuard client status API port configuration doesn't work. It always runs on port 80
Changing WireGuard client status API port works on another port
Only works on port 80. Also if it is disabled
Change port via GUI in HA
Please fix it because port 80 is in use by Hue Emulation
I have installed HassOS on a Raspberry Pi 4 and I have installed HACS and it works regularly.
I wanted to install the wireguard client for the SNAT problem, so I tried to add the repository indicated on GitHub to the HACS configuration but I got this error:
"Repostitory structure for v0.1.7 is not compliant"
What am I doing wrong? What is the correct procedure for installing the custom component on HassOS?
Thanks Antonio
How to correctly describe HA sensors? Does REST return the correct JSON format?
sensor:
{"peer_1":"{"endpoint":xx.xx.xx.xx:51820,"latest_handshake":Thu Jun 8 11:14:28 EEST 2023,"transfer_rx":219000,"transfer_tx":86940}"}
Maybe it should return:
{"peer_1":{"endpoint":xx.xx.xx.xx:51820,"latest_handshake":Thu Jun 8 11:14:28 EEST 2023,"transfer_rx":219000,"transfer_tx":86940}}
And even better:
{"peer_1":{"endpoint":"xx.xx.xx.xx:51820","latest_handshake":"Thu Jun 8 11:14:28 EEST 2023","transfer_rx":"219000","transfer_tx":"86940"}}
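A checker for the three JSON shapes quoted in this issue, plus a converter that builds the proposed fully quoted form from the human-readable `wg show` status text the add-on logs print elsewhere on this page; this is an added example, not the add-on's REST sensor code, and the status block it parses is constructed from the log lines quoted above with a documentation-range endpoint address.

```python
"""Validate the sensor JSON forms from the issue and build the correct one.

Added example, not the add-on's own code. The first two forms quoted in the
issue are not valid JSON (nested unescaped quotes, unquoted values); the third
is. parse_wg_show() produces that third shape from the `wg show wg0` text that
the add-on's status log prints, so every value is a proper JSON string/number.
"""
import json
import re

# The three forms exactly as quoted in the issue above.
ISSUE_FORMS = (
    '{"peer_1":"{"endpoint":xx.xx.xx.xx:51820,"latest_handshake":Thu Jun 8 11:14:28 EEST 2023,"transfer_rx":219000,"transfer_tx":86940}"}',
    '{"peer_1":{"endpoint":xx.xx.xx.xx:51820,"latest_handshake":Thu Jun 8 11:14:28 EEST 2023,"transfer_rx":219000,"transfer_tx":86940}}',
    '{"peer_1":{"endpoint":"xx.xx.xx.xx:51820","latest_handshake":"Thu Jun 8 11:14:28 EEST 2023","transfer_rx":"219000","transfer_tx":"86940"}}',
)

# Constructed sample: the status block quoted in the IPv4-endpoint log above,
# with the redacted endpoint replaced by a documentation-range address.
SAMPLE_STATUS = """\
interface: wg0
  public key: $$$$
  private key: (hidden)
  listening port: 54311

peer: $$$$
  preshared key: (hidden)
  endpoint: 203.0.113.10:51820
  allowed ips: 10.13.13.0/24
  latest handshake: 30 seconds ago
  transfer: 92 B received, 212 B sent
  persistent keepalive: every 25 seconds
"""

_UNITS = {"B": 1, "KiB": 1024, "MiB": 1024 ** 2, "GiB": 1024 ** 3}
_TRANSFER_RE = re.compile(r"([\d.]+) (\w+) received, ([\d.]+) (\w+) sent")


def is_valid_json(text: str) -> bool:
    """True when the whole string parses as JSON."""
    try:
        json.loads(text)
    except json.JSONDecodeError:
        return False
    return True


def _to_bytes(amount: str, unit: str) -> int:
    # wg prints human units; the sensor wants raw byte counts.
    return int(float(amount) * _UNITS[unit])


def parse_wg_show(text: str) -> dict:
    """Return {"peer_1": {...}, "peer_2": {...}} from `wg show` output.

    Lines before the first "peer:" belong to the interface block and are
    skipped; each peer block contributes endpoint, latest_handshake and the
    two transfer counters (0 when wg has not printed a transfer line yet).
    """
    peers: dict = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        key, _, value = line.partition(":")  # first colon only, so IPv6 endpoints survive
        key, value = key.strip(), value.strip()
        if key == "peer":
            current = {"public_key": value, "endpoint": None,
                       "latest_handshake": None, "transfer_rx": 0, "transfer_tx": 0}
            peers[f"peer_{len(peers) + 1}"] = current
        elif current is None:
            continue
        elif key == "endpoint":
            current["endpoint"] = value
        elif key == "latest handshake":
            current["latest_handshake"] = value
        elif key == "transfer":
            m = _TRANSFER_RE.fullmatch(value)
            if m:
                current["transfer_rx"] = _to_bytes(m.group(1), m.group(2))
                current["transfer_tx"] = _to_bytes(m.group(3), m.group(4))
    return peers


def status_json(text: str) -> str:
    """Serialise the parsed peers; json.dumps quotes every string for us."""
    return json.dumps(parse_wg_show(text), sort_keys=True)


if __name__ == "__main__":
    for form in ISSUE_FORMS:
        print(is_valid_json(form), form[:40] + "...")
    print(status_json(SAMPLE_STATUS))
```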
I am trying to set up wireguard-client on HA, connecting to a WG server with a non-default port and no DNS name.
interface:
  private_key: <privatekey>
  address: 10.0.0.10
  dns:
    - 8.8.8.8
    - 8.8.4.4
  post_up: iptables -t nat -A POSTROUTING -o wg0 -j MASQUERADE
  post_down: iptables -t nat -D POSTROUTING -o wg0 -j MASQUERADE
peer:
  public_key: <pubkey>
  pre_shared_key: ''
  endpoint: 5.6.7.8:1194
  allowed_ips:
    - 192.168.30.0/24
    - 192.168.100.0/24
    - 10.0.0.10/32
  persistent_keep_alive: '25'
-----------------------------------------------------------
Add-on: WireGuard Client
Fast, modern, secure Wireguard tunnel (client)
-----------------------------------------------------------
Add-on version: 0.1.8
You are running the latest version of this add-on.
System: Home Assistant OS 6.6 (amd64 / qemux86-64)
Home Assistant Core: 2021.11.5
Home Assistant Supervisor: 2021.10.8
-----------------------------------------------------------
Please, share the above information when looking for help
or support in, e.g., GitHub, forums or the Discord chat.
-----------------------------------------------------------
[cont-init.d] 00-banner.sh: exited 0.
[cont-init.d] 01-log-level.sh: executing...
[cont-init.d] 01-log-level.sh: exited 0.
[cont-init.d] config.sh: executing...
[13:24:34] INFO: Ended to write Wireguard configuration into: [/etc/wireguard/wg0.conf]
[cont-init.d] config.sh: exited 0.
[cont-init.d] done.
[services.d] starting services
[services.d] done.
[13:24:34] INFO: Starting WireGuard Client...
[#] ip link add wg0 type wireguard
[#] wg setconf wg0 /dev/fd/63
[#] ip -4 address add 10.0.0.10/24 dev wg0
[#] ip link set mtu 1420 up dev wg0
[#] resolvconf -a wg0 -m 0 -x
[#] iptables -t nat -A POSTROUTING -o wg0 -j MASQUERADE
external ip: 1.2.3.4 (of course NAT behind home router)
wg-server ip: 5.6.7.8
wg-server port: 1194
13:24:21.729857 IP 1.2.3.4 > 5.6.7.8: ICMP 1.2.3.4 udp port 42529 unreachable, length 184
13:24:27.169598 IP 1.2.3.4 > 5.6.7.8: ICMP 1.2.3.4 udp port 42529 unreachable, length 184
13:24:32.545867 IP 1.2.3.4 > 5.6.7.8: ICMP 1.2.3.4 udp port 42529 unreachable, length 184
13:24:37.921267 IP 1.2.3.4 > 5.6.7.8: ICMP 1.2.3.4 udp port 42529 unreachable, length 184
13:24:43.297880 IP 1.2.3.4 > 5.6.7.8: ICMP 1.2.3.4 udp port 42529 unreachable, length 184
13:24:48.417649 IP 1.2.3.4 > 5.6.7.8: ICMP 1.2.3.4 udp port 42529 unreachable, length 184
13:24:53.537629 IP 1.2.3.4 > 5.6.7.8: ICMP 1.2.3.4 udp port 42529 unreachable, length 184
13:24:58.657655 IP 1.2.3.4 > 5.6.7.8: ICMP 1.2.3.4 udp port 42529 unreachable, length 184
13:25:03.777850 IP 1.2.3.4 > 5.6.7.8: ICMP 1.2.3.4 udp port 42529 unreachable, length 184
This setup is working perfectly fine using Ubuntu 20.04 from the same network but another VM.
root@fd24a922-wireguard-client:/$ nc -uvz 5.6.7.8 1194
5.6.7.8 (5.6.7.8:1194) open
config files looks correct:
root@fd24a922-wireguard-client:/$ cat /etc/wireguard/wg0.conf
[Interface]
PrivateKey = <privatekey>
Address = 10.0.0.10/24
DNS = 8.8.8.8,8.8.4.4
PostUp = iptables -t nat -A POSTROUTING -o wg0 -j MASQUERADE
PostDown = iptables -t nat -D POSTROUTING -o wg0 -j MASQUERADE
[Peer]
PublicKey = <pubkey>
Endpoint = 5.6.7.8:1194
AllowedIPs = 192.168.30.0/24,192.168.100.0/24,10.0.0.10/32
PersistentKeepalive = 25
Connection is possible
wireguard-client connecting to a different port 42529
Spawn a new WG server using the non-default port
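A generator for the wg-quick file from the add-on style options, written as an added example and not the add-on's own config.sh: it reproduces the key mapping visible in the post above (the `interface:`/`peer:` options against the `/etc/wireguard/wg0.conf` that `cat` printed), accepts the `peers:` list requested in the multiple-peer issue, and, unlike the behaviour reported in the /32 issue, leaves an address that already carries a prefix length alone instead of producing `/32/24`. The option dict stands in for the parsed YAML, so no YAML library is required.

```python
"""Render a wg-quick [Interface]/[Peer] file from add-on style options.

Added example, not the add-on's config.sh. The key mapping and the line order
follow the YAML/wg0.conf pair quoted in the thread above; the MTU placement and
the prefix handling are this example's own choices.
"""
from typing import Any, Dict, List

# Constructed sample: the options posted in the non-default-port issue above.
SAMPLE_OPTIONS: Dict[str, Any] = {
    "interface": {
        "private_key": "<privatekey>",
        "address": "10.0.0.10",
        "dns": ["8.8.8.8", "8.8.4.4"],
        "post_up": "iptables -t nat -A POSTROUTING -o wg0 -j MASQUERADE",
        "post_down": "iptables -t nat -D POSTROUTING -o wg0 -j MASQUERADE",
    },
    "peer": {
        "public_key": "<pubkey>",
        "pre_shared_key": "",
        "endpoint": "5.6.7.8:1194",
        "allowed_ips": ["192.168.30.0/24", "192.168.100.0/24", "10.0.0.10/32"],
        "persistent_keep_alive": "25",
    },
}

# The wg0.conf the add-on printed for those options (quoted from the thread).
EXPECTED_WG0_CONF = """\
[Interface]
PrivateKey = <privatekey>
Address = 10.0.0.10/24
DNS = 8.8.8.8,8.8.4.4
PostUp = iptables -t nat -A POSTROUTING -o wg0 -j MASQUERADE
PostDown = iptables -t nat -D POSTROUTING -o wg0 -j MASQUERADE
[Peer]
PublicKey = <pubkey>
Endpoint = 5.6.7.8:1194
AllowedIPs = 192.168.30.0/24,192.168.100.0/24,10.0.0.10/32
PersistentKeepalive = 25
"""

DEFAULT_PREFIX = "/24"  # what the add-on appends to a bare address


def with_prefix(address: str) -> str:
    """Append /24 only when the address has no prefix length yet.

    The issue reports the add-on appending unconditionally, which turns
    "10.9.0.7/32" into "10.9.0.7/32/24"; a value like that is rejected here.
    """
    if "/" not in address:
        return address + DEFAULT_PREFIX
    if address.count("/") > 1:
        raise ValueError(f"malformed address {address!r}")
    return address


def render_interface(iface: Dict[str, Any]) -> List[str]:
    lines = ["[Interface]",
             f"PrivateKey = {iface['private_key']}",
             f"Address = {with_prefix(iface['address'])}"]
    if iface.get("dns"):
        lines.append("DNS = " + ",".join(iface["dns"]))
    if iface.get("mtu"):
        lines.append(f"MTU = {iface['mtu']}")
    for opt, key in (("PostUp", "post_up"), ("PostDown", "post_down")):
        if iface.get(key):
            lines.append(f"{opt} = {iface[key]}")
    return lines


def render_peer(peer: Dict[str, Any]) -> List[str]:
    lines = ["[Peer]", f"PublicKey = {peer['public_key']}"]
    if peer.get("pre_shared_key"):  # '' in the options -> no PresharedKey line
        lines.append(f"PresharedKey = {peer['pre_shared_key']}")
    if peer.get("endpoint"):
        lines.append(f"Endpoint = {peer['endpoint']}")
    lines.append("AllowedIPs = " + ",".join(peer["allowed_ips"]))
    if peer.get("persistent_keep_alive"):
        lines.append(f"PersistentKeepalive = {peer['persistent_keep_alive']}")
    return lines


def render_wg_conf(options: Dict[str, Any]) -> str:
    """Accept either a single `peer` mapping or a `peers` list."""
    peers = options.get("peers") or [options["peer"]]
    lines = render_interface(options["interface"])
    for peer in peers:
        lines.extend(render_peer(peer))
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    print(render_wg_conf(SAMPLE_OPTIONS), end="")
```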
Hi there,
I'm fine with having forks, however, you have to adhere to the MIT license and restore my name and authorship.
Please read the upstream license: https://github.com/hassio-addons/addon-wireguard/blob/master/LICENSE.md
Hi Fabio,
With more and more people getting behind NAT444, wireguard client is more useful for home usage than wireguard server. So after finding that original plugin doesn't support client mode, I find this one. I added https://github.com/bigmoby/hassio-repository-addon as repository in Add-on Store, reloaded, but this add-on or repository is still not visible in my Hassio Add-on Store list. System logs:
21-03-27 14:34:32 INFO (MainThread) [supervisor.store.git] Update add-on https://github.com/bigmoby/hassio-repository-addon repository
21-03-27 14:34:33 INFO (MainThread) [supervisor.store.git] Update add-on https://github.com/home-assistant/addons repository
21-03-27 14:34:34 WARNING (MainThread) [supervisor.store.data] Can't read /data/addons/git/fc962596/frpc/config.json: required key not provided @ data['arch']. Got None
21-03-27 14:34:35 WARNING (MainThread) [supervisor.store.data] Can't read /data/addons/git/fc962596/frpc/config.json: required key not provided @ data['arch']. Got None
My Home Assistant Core version: core-2021.3.2
I installed the latest version of Hassio on my Raspberry Pi 2. I tried to install the add-on from the HA store using your repo and compiled the config as it was before (I already had a HA installation on this RPi2 using the Docker image). If I try to run the plugin it says that it can't set a variable and it deletes the link to the route and the iptables rules added.
It connects to my WireGuard server on my VPS and it's accessible from my VPN.
It turns off the connection because it can't set a variable and it says this:
[#] sysctl -q net.ipv4.conf.all.src_valid_mark=1
sysctl: error setting key 'net.ipv4.conf.all.src_valid_mark': Read-only file system
This is the complete log
[s6-init] making user provided files available at /var/run/s6/etc...exited 0.
[s6-init] ensuring user provided files have correct perms...exited 0.
[fix-attrs.d] applying ownership & permissions fixes...
[fix-attrs.d] done.
[cont-init.d] executing container initialization scripts...
[cont-init.d] 00-banner.sh: executing...
-----------------------------------------------------------
Add-on: WireGuard Client
Fast, modern, secure Wireguard tunnel (client)
-----------------------------------------------------------
Add-on version: 0.2.2
You are running the latest version of this add-on.
System: Home Assistant OS 11.1 (armv7 / raspberrypi2)
Home Assistant Core: 2023.11.2
Home Assistant Supervisor: 2023.11.3
-----------------------------------------------------------
Please, share the above information when looking for help
or support in, e.g., GitHub, forums or the Discord chat.
-----------------------------------------------------------
[cont-init.d] 00-banner.sh: exited 0.
[cont-init.d] 01-log-level.sh: executing...
[cont-init.d] 01-log-level.sh: exited 0.
[cont-init.d] config.sh: executing...
[21:07:31] INFO: Ended to write Wireguard configuration into: [/etc/wireguard/wg0.conf]
[cont-init.d] config.sh: exited 0.
[cont-init.d] done.
[services.d] starting services
[services.d] done.
[21:07:32] INFO: Starting WireGuard Client...
[#] ip link add wg0 type wireguard
[#] wg setconf wg0 /dev/fd/63
[#] ip -4 address add y.y.y.y/24 dev wg0
[#] ip link set mtu 1420 up dev wg0
[#] resolvconf -a wg0 -m 0 -x
[#] wg set wg0 fwmark 51820
[#] ip -4 route add 0.0.0.0/0 dev wg0 table 51820
[#] ip -4 rule add not fwmark 51820 table 51820
[#] ip -4 rule add table main suppress_prefixlength 0
[#] sysctl -q net.ipv4.conf.all.src_valid_mark=1
sysctl: error setting key 'net.ipv4.conf.all.src_valid_mark': Read-only file system
[#] resolvconf -d wg0 -f
[#] ip -4 rule delete table 51820
[#] ip -4 rule delete table main suppress_prefixlength 0
[#] ip link delete dev wg0
[21:08:02] INFO: Requesting current status from WireGuard Client...
[21:08:32] INFO: Requesting current status from WireGuard Client...
I simply run the addon with this config
interface:
  private_key: <hidden>
  address: y.y.y.y
  dns:
    - y.y.y.z
  post_up: >-
    iptables -t nat -A POSTROUTING -o wg0 -j MASQUERADE; iptables -A FORWARD -p
    tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
  post_down: >-
    iptables -t nat -D POSTROUTING -o wg0 -j MASQUERADE; iptables -D FORWARD -p
    tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
  mtu: 1420
peers:
  - public_key: <hidden>
    pre_shared_key: <hidden>
    endpoint: x.x.x.x:51830
    allowed_ips:
      - 0.0.0.0/0
    persistent_keep_alive: "25"
The old config file was
[Interface]
PrivateKey = <hidden>
Address = y.y.y.y/24,<ipv6 address>/64
DNS = y.y.y.z
[Peer]
PublicKey = <hidden>
PresharedKey = <hidden>
Endpoint = x.x.x.x:51830
AllowedIPs = 0.0.0.0/0, ::0/0
PersistentKeepAlive = 25
When installed in the hassio os version it is unable to connect.
It connects to my wireguard server
It makes an initial connection, but doesn't hold it. I can see it connects, sends a couple of packages, and then it drops.
Install hassio os, this plugin and try to connect to a server.
No idea.
Receiving an error message when connecting to my wireguard vpn server. The server works properly; I can connect from other devices.
here is my config.
Interface:
  private_key: myprivatekey=
  address: 10.8.0.5/24
  dns:
    - 1.1.1.1
  post_up: iptables -t nat -A POSTROUTING -o wg0 -j MASQUERADE
  post_down: iptables -t nat -D POSTROUTING -o wg0 -j MASQUERADE
Peers:
  - public_key: mypublickey=
    pre_shared_key: thepresharedkey=
    endpoint: myserversdomain.com:51820
    allowed_ips:
      - 0.0.0.0/0
    persistent_keep_alive: "25"
Error output:
[cont-init.d] 00-banner.sh: exited 0.
[cont-init.d] 01-log-level.sh: executing...
[cont-init.d] 01-log-level.sh: exited 0.
[cont-init.d] config.sh: executing...
[18:49:53] INFO: Ended to write Wireguard configuration into: [/etc/wireguard/wg0.conf]
[cont-init.d] config.sh: exited 0.
[cont-init.d] done.
[services.d] starting services
[services.d] done.
[18:49:53] INFO: Starting WireGuard Client...
[#] ip link add wg0 type wireguard
[#] wg setconf wg0 /dev/fd/63
[#] ip -4 address add 10.8.0.5/24 dev wg0
[#] ip link set mtu 1420 up dev wg0
[#] resolvconf -a wg0 -m 0 -x
[#] wg set wg0 fwmark 51820
[#] ip -4 route add 0.0.0.0/0 dev wg0 table 51820
[#] ip -4 rule add not fwmark 51820 table 51820
[#] ip -4 rule add table main suppress_prefixlength 0
[#] sysctl -q net.ipv4.conf.all.src_valid_mark=1
sysctl: error setting key 'net.ipv4.conf.all.src_valid_mark': Read-only file system
[#] resolvconf -d wg0 -f
[#] ip -4 rule delete table 51820
[#] ip -4 rule delete table main suppress_prefixlength 0
[#] ip link delete dev wg0
After adding the repository and refreshing the add-on store I cannot find the wireguard client
Unable to establish a connection between client and server
Establish a connection between server and client and connect from domain.duckdns.org
This what I get from the addon's log:
INFO: Requesting current status from WireGuard Client...
interface: wg0
public key: _public_keyB
private key: (hidden)
listening port: 52762
peer: public_keyA
preshared key: (hidden)
endpoint: IPv4:51820
allowed ips: 10.50.138.0/24
transfer: 0 B received, 17.63 KiB sent
persistent keepalive: every 25 seconds
Never get any packet received.
If I try to ping client from the server I always get:
$ ping 10.50.138.2
PING 10.50.138.2 (10.50.138.2) 56(84) bytes of data.
From 10.50.138.1 icmp_seq=1 Destination Host Unreachable
ping: sendmsg: Destination address required
If I ping 10.50.138.0 or 10.50.138.1 from client I get no response
In the addon I'm unable to set allowed_ips: 0.0.0.0. If I do that I receive this error:
sysctl -q net.ipv4.conf.all.src_valid_mark=1
sysctl: error setting key 'net.ipv4.conf.all.src_valid_mark': Read-only file system
like this, but I can't set allowed_ips: [] either, because I get the same error.
I followed the whole guide with HA Core and it worked; then I retried it in HAOS with the addon but didn't manage to get it to work.
These are all the configs files:
HAOS Addon
interface:
  private_key: _privatekeyA
  address: 10.50.138.2
  dns:
    - 8.8.8.8
    - 8.8.4.4
  post_up: >-
    iptables -t nat -A POSTROUTING -o wg0 -j MASQUERADE; iptables -A FORWARD -p
    tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
  post_down: >-
    iptables -t nat -D POSTROUTING -o wg0 -j MASQUERADE; iptables -D FORWARD -p
    tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
  mtu: 1420
peers:
  - public_key: _publickA
    pre_shared_key: _presharedKey
    endpoint: domain.duckdns.com:51820
    allowed_ips:
      - 10.50.138.0/24
    persistent_keep_alive: "25"
log_level: debug
GC /etc/wireguard/configs/homeassistanthost.conf
[Interface]
PrivateKey = _privatekeyA
Address = 10.50.138.2/24
DNS = 8.8.8.8, 8.8.4.4
[Peer]
PublicKey = _publickA
PresharedKey = _presharedKey
Endpoint = domain.duckdns.org:51820
AllowedIPs = 0.0.0.0/0, ::0/0
GC /etc/wireguard/wg0.conf
[Interface]
PrivateKey = _privatekeyB
Address = 10.50.138.1/24
MTU = 1420
ListenPort = 51820
### begin homeassistanthost ###
[Peer]
PublicKey = _publickB
PresharedKey = _presharedKey
AllowedIPs = 10.50.138.2/32
### end homeassistanthost ###
I have configured port mapping on my router to redirect 51820 to my raspy, as set up before for Core.
I also tried to configure http.trusted_proxies from configuration.yaml but nothing changed.
I think I miss something else in the configuration...
Thank you
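The reports above all pair the add-on's YAML-style options with the wg-quick file the add-on writes to /etc/wireguard/wg0.conf, and the ones that use allowed_ips 0.0.0.0/0 all stop at the same `sysctl net.ipv4.conf.all.src_valid_mark=1` failure, which is the step wg-quick only runs when a peer's AllowedIPs contains a default route. The block below is an added example and not the add-on's own config.sh: it renders the option dictionary into wg-quick form and lists the settings worth reviewing before starting the tunnel. SAMPLE_OPTIONS is constructed to resemble the posted configs, with placeholder keys and an illustrative hostname.

```python
"""Added example: render add-on style WireGuard options into a wg-quick file
and flag settings that the reports in this thread associate with failures.
This is not the add-on's config.sh; the option names follow the posted configs."""
import ipaddress

# Constructed sample shaped like the add-on configs above (placeholder keys).
SAMPLE_OPTIONS = {
    "interface": {
        "private_key": "<hidden>",
        "address": "10.50.138.2",          # no prefix length, as in one report
        "dns": ["8.8.8.8", "8.8.4.4"],
        "mtu": 1420,
        "post_up": "iptables -t nat -A POSTROUTING -o wg0 -j MASQUERADE",
        "post_down": "iptables -t nat -D POSTROUTING -o wg0 -j MASQUERADE",
    },
    "peers": [{
        "public_key": "<hidden>",
        "pre_shared_key": "<hidden>",
        "endpoint": "domain.duckdns.org:51820",  # illustrative hostname
        "allowed_ips": ["0.0.0.0/0"],            # full tunnel
        "persistent_keep_alive": "25",
    }],
}

# Option name -> wg-quick key (the keys wg-quick(8) understands).
INTERFACE_KEYS = [("private_key", "PrivateKey"), ("address", "Address"),
                  ("dns", "DNS"), ("mtu", "MTU"),
                  ("post_up", "PostUp"), ("post_down", "PostDown")]
PEER_KEYS = [("public_key", "PublicKey"), ("pre_shared_key", "PresharedKey"),
             ("endpoint", "Endpoint"), ("allowed_ips", "AllowedIPs"),
             ("persistent_keep_alive", "PersistentKeepalive")]


def _fmt(value):
    """Lists become the comma-separated form wg-quick accepts."""
    return ", ".join(str(v) for v in value) if isinstance(value, list) else str(value)


def to_wg_quick(options):
    """Render options as an [Interface]/[Peer] file (string)."""
    lines = ["[Interface]"]
    iface = options["interface"]
    for opt, key in INTERFACE_KEYS:
        if opt in iface:
            lines.append(f"{key} = {_fmt(iface[opt])}")
    for peer in options["peers"]:
        lines.extend(["", "[Peer]"])
        for opt, key in PEER_KEYS:
            if opt in peer:
                lines.append(f"{key} = {_fmt(peer[opt])}")
    return "\n".join(lines) + "\n"


def check_options(options):
    """Return a list of review findings (empty list means nothing flagged)."""
    findings = []
    address = str(options.get("interface", {}).get("address", ""))
    if not address:
        findings.append("interface.address is missing")
    elif "/" not in address:
        # ip(8) adds an address with no prefix length as a /32 host address.
        findings.append(f"interface.address {address} has no prefix length; "
                        "it will be added as a /32")
    for i, peer in enumerate(options.get("peers", [])):
        label = f"peers[{i}]"
        endpoint = str(peer.get("endpoint", ""))
        if ":" not in endpoint.rsplit("]", 1)[-1]:   # tolerate [v6]:port
            findings.append(f"{label}.endpoint {endpoint!r} lacks a :port")
        allowed = [str(a) for a in peer.get("allowed_ips", [])]
        if not allowed:
            findings.append(f"{label}.allowed_ips is empty; no traffic is routed to the peer")
        for cidr in allowed:
            try:
                net = ipaddress.ip_network(cidr, strict=False)
            except ValueError:
                findings.append(f"{label}.allowed_ips entry {cidr!r} is not a valid CIDR")
                continue
            if net.prefixlen == 0:
                # Default route => wg-quick sets up fwmark/policy routing and runs
                # sysctl net.ipv4.conf.all.src_valid_mark=1, the step that fails
                # with 'Read-only file system' in the logs above.
                findings.append(f"{label}.allowed_ips contains {cidr}: full tunnel, "
                                "wg-quick will run sysctl src_valid_mark=1")
            elif "/" not in cidr:
                findings.append(f"{label}.allowed_ips entry {cidr} has no prefix; "
                                f"it is a single host ({net})")
        keepalive = peer.get("persistent_keep_alive")
        if keepalive is not None and not str(keepalive).isdigit():
            findings.append(f"{label}.persistent_keep_alive {keepalive!r} is not a whole number of seconds")
    return findings


if __name__ == "__main__":
    print(to_wg_quick(SAMPLE_OPTIONS))
    for finding in check_options(SAMPLE_OPTIONS):
        print("review:", finding)
```

A split-tunnel configuration (allowed_ips limited to the VPN subnet, as in the last report) produces no findings, which matches the observation in that report that only the 0.0.0.0/0 variant hits the sysctl error.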
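The status the add-on logs in the last report ("transfer: 0 B received, 17.63 KiB sent", no "latest handshake" line) is the signature of a tunnel whose handshake initiations leave but are never answered. The block below is an added example, not part of the add-on or of any post: it parses that `wg show` style status text and turns the counters into a verdict that a monitor could alert on. SAMPLE_STATUS is constructed from the posted output with a placeholder endpoint address; the verdict text is this example's own wording.

```python
"""Added example: parse `wg show`-style status (as logged by the add-on) and
classify each peer from its transfer counters and handshake line."""

# Constructed from the status in the report above; endpoint is a placeholder.
SAMPLE_STATUS = """\
interface: wg0
  public key: _public_keyB
  private key: (hidden)
  listening port: 52762

peer: public_keyA
  preshared key: (hidden)
  endpoint: 203.0.113.10:51820
  allowed ips: 10.50.138.0/24
  transfer: 0 B received, 17.63 KiB sent
  persistent keepalive: every 25 seconds
"""

UNITS = {"B": 1, "KiB": 1024, "MiB": 1024 ** 2, "GiB": 1024 ** 3, "TiB": 1024 ** 4}


def parse_size(text):
    """'17.63 KiB' -> 18053 bytes (truncated), using wg's binary units."""
    number, unit = text.split()
    return int(float(number) * UNITS[unit])


def parse_wg_show(text):
    """Return {'interface': {...}, 'peers': [{...}, ...]} from wg show output."""
    status = {"interface": None, "peers": []}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        key, _, value = line.partition(":")   # first colon only: values may hold ':'
        key, value = key.strip(), value.strip()
        if key == "interface":
            current = status["interface"] = {"name": value}
        elif key == "peer":
            current = {"public_key": value, "received": 0, "sent": 0,
                       "latest_handshake": None}
            status["peers"].append(current)
        elif key == "transfer":
            received, sent = value.split(",")
            current["received"] = parse_size(received.replace("received", "").strip())
            current["sent"] = parse_size(sent.replace("sent", "").strip())
        elif key == "latest handshake":
            current["latest_handshake"] = value
        elif current is not None:
            current[key.replace(" ", "_")] = value
    return status


def diagnose(peer):
    """Short verdict for one parsed peer entry."""
    if peer["received"] > 0:
        # Only a completed handshake lets decrypted bytes count as received.
        return "ok: peer is responding"
    if peer["sent"] == 0:
        return "idle: nothing sent yet (no traffic, no keepalive)"
    # Bytes leave, nothing returns, no handshake: the stuck state in the report.
    return ("no reply from peer: handshake initiations are sent but never answered; "
            "check that the endpoint/port is reachable (port forward, DDNS name) "
            "and that each side's peer PublicKey is the other side's public key")


def report(text):
    """Map peer public key -> verdict for every peer in the status text."""
    return {p["public_key"]: diagnose(p) for p in parse_wg_show(text)["peers"]}


if __name__ == "__main__":
    for key, verdict in report(SAMPLE_STATUS).items():
        print(f"{key}: {verdict}")
```

Because "transfer" counts only authenticated, decrypted packets, a peer that shows bytes received has necessarily completed a handshake; a peer with sent > 0 and received == 0 for longer than a keepalive interval is the condition worth alerting on, since nothing on the local side can fix it.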