Hello everyone,
I’m setting up a WireGuard VPN server on Home Assistant OS and have successfully connected to my local network. However, I’m unable to access the internet through the VPN.
I’ve opened port 5120 on my router and verified that the routing rules are correct. I also want to use my local DNS through Pi-hole while connected to the VPN. Despite my efforts, I’m not sure how to properly configure this, and I suspect there might be an issue with the NAT configuration or port forwarding.
Has anyone encountered a similar issue, or can anyone point me in the right direction to fix this?
Thanks in advance for your help!
Hi there! It sounds like you’ve done a lot of the groundwork already. The issue you’re experiencing is quite common with WireGuard setups. Let’s go through some troubleshooting steps to get your internet access working through the VPN.
Remember to always backup your configurations before making changes.
Ok, let’s start. I’ll try to make this reply as detailed as possible to get you up and running.
1. NAT Configuration
- Enable IP forwarding on your WireGuard server:
sudo sysctl -w net.ipv4.ip_forward=1
To make this permanent, add net.ipv4.ip_forward = 1 to /etc/sysctl.conf.
- Set up iptables rules for NAT:
sudo iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
Replace eth0 with your internet-connected interface.
2. WireGuard Server Configuration
Ensure your WireGuard server config (wg0.conf) includes these lines:
[Interface]
...
PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -A FORWARD -o %i -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -D FORWARD -o %i -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE
Replace %i with your WireGuard interface name and eth0 with your internet-connected interface.
3. Pi-hole DNS Configuration
- In your client’s WireGuard config, add:
[Interface]
DNS = <Pi-hole_IP>
- Make sure Pi-hole is configured to allow DNS queries from your VPN network. Add the VPN subnet to Pi-hole’s “Interface settings”.
4. Port Forwarding and Firewall
- Verify that port 5120 UDP is correctly forwarded to your WireGuard server’s internal IP.
- Check for any firewall rules on Home Assistant OS that might block outbound VPN traffic.
5. MTU Settings
Try setting a lower MTU in both server and client configs:
MTU = 1380
6. Routing
Check the routing table on both server and client:
ip route show
7. Client Configuration
Ensure your client config has:
AllowedIPs = 0.0.0.0/0, ::/0
PersistentKeepalive = 25
8. Logging and Diagnostics
Check WireGuard logs:
sudo wg show all dump
If you’re still having issues after trying these steps, please provide:
- Your WireGuard server and client configs (with sensitive info redacted)
- Output of ip route show on both server and client
- Any relevant error messages from logs
Good luck, and let me know how it goes!
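To tie steps 1 to 7 of the reply above together, here is an added example (not code from the original thread or from Home Assistant) that renders a full-tunnel wg-quick server config and a matching client config, then lints both for the mistakes that most often leave a client with LAN access but no internet: a misspelled nat chain in PostUp (which makes iptables fail and wg-quick abort the whole PostUp line), a missing MASQUERADE or ip_forward, a client AllowedIPs that is not 0.0.0.0/0, and a missing DNS line for Pi-hole. All addresses, the interface name eth0, the 10.8.0.0/24 VPN subnet, the Pi-hole at 192.168.1.10, the endpoint vpn.example.com and the key strings are assumed placeholders; substitute your own. If WireGuard runs inside a Home Assistant add-on rather than plain wg-quick, carry the PostUp/PostDown rules over to wherever that add-on lets you set them.

```shell
#!/bin/sh
# Added example: render and lint WireGuard configs for the
# "internet through the VPN + Pi-hole DNS" setup. Not from the original post.
set -eu

# Assumed values for illustration; override via the environment.
WAN_IF="${WAN_IF:-eth0}"                    # interface that carries internet traffic
WG_PORT="${WG_PORT:-5120}"                  # UDP port forwarded on the router
WG_NET="${WG_NET:-10.8.0.0/24}"             # VPN subnet to masquerade
SERVER_WG_IP="${SERVER_WG_IP:-10.8.0.1/24}"
CLIENT_WG_IP="${CLIENT_WG_IP:-10.8.0.2/32}"
PIHOLE_IP="${PIHOLE_IP:-192.168.1.10}"      # Pi-hole on the LAN
ENDPOINT="${ENDPOINT:-vpn.example.com}"     # public name/IP of the router

# render_server_conf SERVER_PRIVATE_KEY CLIENT_PUBLIC_KEY
render_server_conf() {
  cat <<EOF
[Interface]
Address = ${SERVER_WG_IP}
ListenPort = ${WG_PORT}
PrivateKey = $1
MTU = 1380
# %i is expanded by wg-quick to the interface name (e.g. wg0).
# Masquerade only the VPN subnet, not every packet leaving ${WAN_IF}.
PostUp = sysctl -w net.ipv4.ip_forward=1; iptables -A FORWARD -i %i -j ACCEPT; iptables -A FORWARD -o %i -j ACCEPT; iptables -t nat -A POSTROUTING -s ${WG_NET} -o ${WAN_IF} -j MASQUERADE
PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -D FORWARD -o %i -j ACCEPT; iptables -t nat -D POSTROUTING -s ${WG_NET} -o ${WAN_IF} -j MASQUERADE

[Peer]
PublicKey = $2
AllowedIPs = ${CLIENT_WG_IP}
EOF
}

# render_client_conf CLIENT_PRIVATE_KEY SERVER_PUBLIC_KEY
render_client_conf() {
  cat <<EOF
[Interface]
Address = ${CLIENT_WG_IP}
PrivateKey = $1
DNS = ${PIHOLE_IP}
MTU = 1380

[Peer]
PublicKey = $2
Endpoint = ${ENDPOINT}:${WG_PORT}
AllowedIPs = 0.0.0.0/0, ::/0
PersistentKeepalive = 25
EOF
}

# lint_conf server|client FILE
# Prints each finding and returns 1 if anything would break full-tunnel access.
lint_conf() {
  role="$1"; f="$2"; rc=0
  # Every "-t nat -A/-D <chain>" must name POSTROUTING; a typo such as
  # POSTROSTING makes iptables exit non-zero and PostUp never completes.
  bad=$(grep -oE -- '-t nat -[AD] [A-Z]+' "$f" | grep -v 'POSTROUTING$' || true)
  if [ -n "$bad" ]; then
    echo "$f: nat chain is not POSTROUTING: $bad"; rc=1
  fi
  case "$role" in
    server)
      grep -q 'MASQUERADE' "$f"      || { echo "$f: no MASQUERADE rule, clients get no internet"; rc=1; }
      grep -q 'ip_forward=1' "$f"    || { echo "$f: ip_forward is not enabled in PostUp"; rc=1; }
      grep -q 'FORWARD -i %i' "$f"   || { echo "$f: no FORWARD accept rule for the wg interface"; rc=1; }
      grep -q "^ListenPort = " "$f"  || { echo "$f: no ListenPort; router port-forward has nowhere to go"; rc=1; }
      ;;
    client)
      grep -q '^AllowedIPs = 0.0.0.0/0' "$f" || { echo "$f: AllowedIPs does not route all traffic through the tunnel"; rc=1; }
      grep -q '^DNS = ' "$f"                 || { echo "$f: no DNS line, Pi-hole will not be used"; rc=1; }
      grep -q '^Endpoint = ' "$f"            || { echo "$f: no Endpoint"; rc=1; }
      ;;
  esac
  return $rc
}

# Usage: ./wg-gen.sh server PRIV PUB | client PRIV PUB | lint server|client FILE
case "${1:-}" in
  server) render_server_conf "$2" "$3" ;;
  client) render_client_conf "$2" "$3" ;;
  lint)   lint_conf "$2" "$3" ;;
  *)      : ;;   # no arguments: only define the functions (for sourcing)
esac
```

Generate keys with `wg genkey | tee server.key | wg pubkey > server.pub` (and likewise for the client), render both files, and run `lint server wg0.conf` and `lint client client.conf` before bringing the tunnel up with `wg-quick up wg0`. After that, `wg show wg0` should display a recent handshake and growing transfer counters, and `iptables -t nat -L POSTROUTING -n -v` should show the MASQUERADE rule's packet counter increasing while the client browses.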