How to set up a secure VPN with WireGuard and Home Assistant | JuanMTech (2024)

Today, I’m going to show you how to set up a secured virtual private network (VPN) using WireGuard and Home Assistant. I’m also going to show you how to configure devices like Android, iOS, Windows, and Mac to connect to the WireGuard VPN.

So, what is a VPN?

A VPN, or virtual private network, allows devices to connect securely through the Internet to another network. It creates an encrypted tunnel where you can safely transmit sensitive data, preventing people from eavesdropping on your traffic. When a device connects to a VPN via the Internet, the device will look like it’s connecting locally to the VPN’s network, utilizing the network’s public IP address.

What is WireGuard?

WireGuard is a fast, modern, open-source VPN protocol that aims to outperform other VPNs. It utilizes state-of-the-art cryptography, and it’s very easy to configure. It’s also under heavy development, and it might be considered the most secure, fast, and simple solution for a VPN.

WireGuard add-on configuration

Before setting up the WireGuard add-on, you need to have remote access configured in Home Assistant. If you haven’t done that yet, check out my Beginner's Guide to Home Assistant, where I show how to set up remote access using DuckDNS.

Open Home Assistant, go into Supervisor, Add-on store, search for and select WireGuard, and then click on Install. When the installation completes, go to Configuration and enter the following:

server:
  host: your_domain_here.duckdns.org
  addresses:
    - 172.27.66.1
  dns:
    - 1.1.1.1
    - 1.0.0.1
peers:
  - name: Device-1-Android
    public_key:
    addresses:
      - 172.27.66.2
    allowed_ips: []
    client_allowed_ips: []

In the server section, enter your DuckDNS URL under host. The add-on sets the server IP under addresses by default. However, you can still change it to whatever you would like (make sure other devices in your network don’t use the same IPs you set up for the server or the peers). If you use specific DNS servers, you can set them up here as well.

The peers section is where you configure the devices that will connect to the VPN. So, set up a name for the device and also an IP address. To make it even more secure, you want to add the public key for this device manually. So add the option public_key. Then, on the device connecting to the VPN, download and open the official WireGuard app.

Configure WireGuard on Android

On an Android device, download and open the WireGuard app. Tap on the plus “+” icon to add a new VPN and then tap on Create from scratch.

Set up a name for the VPN. Then, on the Private Key field, tap on the generate icon, and the app creates the private and public keys for this device. Under Addresses, enter the IP address that you assigned to this device in the WireGuard configuration and add /24 at the end. Add the DNS servers that you would like to use, separated by a comma and no spaces.

You still need to add the server as a peer in the WireGuard app. However, there are a few more steps to do on the server side, so copy the public key and tap on the Save icon so you don’t lose the settings. Go back to Home Assistant and paste the device’s public key under the public_key option. Save the configuration and Start the add-on.

To add the WireGuard server as a peer on the connecting device, you need to locate the server’s public key. So, go to the Log tab and click on refresh until you see the Interface option with the public key. That would be the public key for the server itself.

Copy the key, go back to the WireGuard app on the other device, open the VPN settings, and tap on Add Peer. Paste the server’s public key. Set the Persistent keepalive to 25 seconds. For the Endpoint, set it to your DuckDNS URL with the WireGuard port 51820 at the end. For the Allowed IPs, you can just set it to 0.0.0.0/0. Lastly, click on the Save icon, and the device is all set to connect to the VPN.

On an Android device, you can add the WireGuard toggle under the Quick Settings in the Notification panel so you can quickly turn on and off the VPN.

Configure WireGuard on iOS

To add an iOS device to connect to the VPN, add another peer in the WireGuard configuration in Home Assistant. So, below the current device, add the same options and set up a name for the new device and an IP address.

peers:
  - name: Device-1-Android
    public_key:
    addresses:
      - 172.27.66.2
    allowed_ips: []
    client_allowed_ips: []
  - name: Device-2-iOS
    public_key:
    addresses:
      - 172.27.66.3
    allowed_ips: []
    client_allowed_ips: []

Then, on the iOS device, download and open the WireGuard app. Tap on Add a tunnel or on the plus “+” icon and then tap Create from scratch. Set up a Name for the VPN and click on Generate keypair. Then, under Addresses, enter the IP that you set up for this device in the WireGuard configuration. Also, add /24 at the end and then add the DNS servers. After that, tap on Add peer to add the server’s information. Add the server’s public key. For the Endpoint, add the DuckDNS URL with the WireGuard port 51820. Set the Allowed IPs to 0.0.0.0/0 and set the Persistent keepalive to 25 seconds.

Below, you have the On-demand Activation settings. With this feature, you can toggle the Cellular option, and the VPN will turn on automatically when your device is connected to the mobile network. You can also toggle the WiFi option and set it to enable the VPN when connected to a specific WiFi. Or you can tap on Except these SSIDs and set it to connect to any WiFi unless you are connected to the networks that you add in there.

The last thing you need to do is copy the public key and save the configuration. Then, go back to Home Assistant, and add the public key in the WireGuard configuration. Save the changes and restart the add-on. Once the add-on is back online, the iOS device will be able to connect to the VPN.

Configure WireGuard on Windows/Mac

To connect a Windows or Mac computer, you would also need to download the WireGuard application but from the WireGuard website. The app for both systems is the same, so you would be able to follow along for either OS. In the WireGuard add-on configuration, add a new peer with the same options from the other peers. Set a name and an IP for that device.

peers:
  - name: Device-1-Android
    public_key:
    addresses:
      - 172.27.66.2
    allowed_ips: []
    client_allowed_ips: []
  - name: Device-2-iOS
    public_key:
    addresses:
      - 172.27.66.3
    allowed_ips: []
    client_allowed_ips: []
  - name: Device-3-Windows/Mac
    public_key:
    addresses:
      - 172.27.66.4
    allowed_ips: []
    client_allowed_ips: []

On your computer, download and open the WireGuard application. Where it says Add Tunnel, click on the upside-down triangle next to it and then click on Add empty tunnel. The app generates the private and public keys. Set up a name for the VPN. Then, enter the following options and add the assigned IP address and the DNS servers:

[Interface]
PrivateKey = 2FoGc7sgpIjv+MLU4hofjdYlRxzgPGrSugAWIFEQj1U=
Address = 172.27.66.4/24
DNS = 1.1.1.1,1.0.0.1

Below that, add the information from the server, so enter the following options:

[Peer]
PublicKey = Your_Server_Public_Key
AllowedIPs = 0.0.0.0/0
Endpoint = your.duckdns.org:51820

Add the server’s PublicKey. Set the AllowedIPs to 0.0.0.0/0 and add your DuckDNS URL with the WireGuard port to the Endpoint. And that’s about it. Copy the public key and Save the changes. Then, in the WireGuard configuration in Home Assistant, add the computer’s public key, Save the changes, and restart the add-on. When the add-on is back online, you can press Activate in the WireGuard application on your computer, and the device will connect to your VPN.
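As an added example (not code from the original guide), the Python sketch below lints a client tunnel file in the [Interface]/[Peer] layout shown above: key fields must be 32-byte base64 values, the Address must sit in the add-on's 172.27.66.0/24 range without reusing an IP already given to the server or another peer, and the Endpoint port must be 51820. The function names, DUMMY_KEY and the sample file are constructed for illustration.

```python
import base64
import ipaddress
# Constructed dummy key and constructed sample file in the tutorial's layout.
DUMMY_KEY = base64.b64encode(bytes(range(32))).decode()
SAMPLE = f"""[Interface]
PrivateKey = {DUMMY_KEY}
Address = 172.27.66.3/24
[Peer]
PublicKey = Your_Server_Public_Key
AllowedIPs = 0.0.0.0/0
Endpoint = your.duckdns.org:51820
"""

def parse(text):
    """Return [(section, {key: value})]; repeated [Peer] sections are kept."""
    sections = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line.startswith("[") and line.endswith("]"):
            sections.append((line[1:-1], {}))
        elif "=" in line and sections:
            key, value = line.split("=", 1)  # split once: base64 ends in '='
            sections[-1][1][key.strip()] = value.strip()
    return sections

def valid_key(value):
    """WireGuard keys are 32 bytes, written as 44 base64 characters."""
    try:
        return len(value) == 44 and len(base64.b64decode(value, validate=True)) == 32
    except ValueError:  # binascii.Error is a ValueError subclass
        return False

def lint(text, subnet="172.27.66.0/24", taken=("172.27.66.1", "172.27.66.2", "172.27.66.3")):
    """Check a client config against the add-on subnet and the IPs already handed out."""
    findings, net = [], ipaddress.ip_network(subnet)
    for name, opts in parse(text):
        for field in ("PrivateKey", "PublicKey"):
            if field in opts and not valid_key(opts[field]):
                findings.append(f"{name}.{field}: not a 32-byte base64 key")
        for item in filter(None, opts.get("Address", "").split(",")):
            ip = ipaddress.ip_interface(item.strip()).ip
            if ip not in net or str(ip) in taken:
                findings.append(f"Address {ip}: outside {net} or already assigned")
        allowed = [a.strip() for a in opts.get("AllowedIPs", "").split(",")]
        if "0.0.0.0/0" in allowed and "::/0" not in allowed:
            findings.append("AllowedIPs: 0.0.0.0/0 covers IPv4 only (no ::/0 entry)")
        if name == "Peer" and not opts.get("Endpoint", "").endswith(":51820"):
            findings.append("Endpoint: port differs from the forwarded UDP port 51820")
    return findings
```

Calling lint(SAMPLE) reports the reused 172.27.66.3 address, the unfilled server key placeholder, and the IPv4-only AllowedIPs entry, which matters on networks that hand out IPv6 addresses.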

Set up a port forwarding rule for WireGuard

The last thing you need to do to connect from outside the home network is to create a port forwarding rule in your router. So, open the router’s settings and locate the Port forwarding configuration. Add a new rule and set the name to WireGuard. Set the incoming port to 51820. For the forwarding IP, set it to your Home Assistant IP address, set the forwarding port to 51820, and set the Protocol to UDP.

Save the new port forwarding rule, and you might need to restart your router to apply the changes. After that, you can disconnect from your WiFi and turn on the VPN on your devices to see if it connects with no problem.

Final thoughts

The WireGuard VPN is all set, and you configured several devices to connect to it. Now, how can you make the VPN even better? You could set up the AdGuard add-on that blocks ads in the home network, and at the same time, it would block ads for the devices connected via VPN. That would be something to cover in a separate guide. If you guys are interested, let me know in the video comments or via social media.


Author: Frankie Dare