Internet of Things explorer and Open Source contributor.

Introducing WireGuard VPN for Hass.io

I
Logo of WireGuard VPN

I’ve built quite a few add-ons for Hass.io, the Docker management system for Home Assistant; and because of that, I get a lot of requests for building all different kinds of add-ons, like WireGuard.

Undoubtedly, the most requested add-ons are related to providing a VPN solution, that will allow one to securely connect to their home to control their home automation systems (or any other device in their network), without exposing everything to the internet.

I’ve heard all your prayers and therefore, I present you: WireGuard, as an add-on to Hass.io, to easily access Home Assistant, your network or even use your home internet, wherever you are.

The history of developing a VPN add-on

I’ve started development on all kinds add-ons providing VPN solutions already back in December 2018; however, I never succeeded in creating a VPN add-on that satisfied me in a way that is was worthy of releasing it. I aimed not only for secure and fast, but I wanted it to be easy to use, but allow for advanced uses cases as well. The recipe was hard to find.

OpenVPN is one of the first goto VPN’s I tried. It is one of the most used VPN’s for a reason, right? However, it is slow, especially on a Pi. I also tried to port PiVPN into an add-on. PiVPN makes the use of OpenVPN pretty darn easy, nevertheless, it would require a terminal (not friendly, and it would be confusing, which terminal?). OpenVPN Access Server, nice UI, friendly, but closed-source, and not available for a Pi.

VPN is hard. Hard to make it easy. There are some web GUI’s around, though, most are abandoned or didn’t fit the use case. Meanwhile, I did create and release the ZeroTier add-on as an alternative VPN solution, while it does allow you to access your Home Assistant easily, full tunneling and accessing your home network devices in this add-on, is an issue.

WireGuard is reasonably new, it is darn small, fast, secure, sexy and elegant, but suffered the same issues in terms of user-friendliness. Management web UI’s are even rarer, most abandoned in an unusable state. So I had to find a way to make the add-on configuration as easy as it gets.

Meanwhile, NabuCasa introduced the Home Assistant Cloud Remote UI

The logo of Nabu Casa
Nabu Casa, Inc. donates time and resources into Home Assistant.

During all these months, NabuCasa introduces the Home Assistant Cloud Remote UI, allowing you to access Home Assistant remotely in a secure manner. This is great! Is removed a lot of complex “crap” for the user, and providing an awesome experience to the user.

Even with the introduction of this new add-on, I can still highly recommend getting a NabuCasa Home Assistant Cloud subscription. Why? Well for just $5, you are supporting the project. Furthermore, it allows you to set up webhooks, Amazon Alexa, and Google Assistant with ease.

Also, it gives you a secure emergency entry in case your VPN fails or when you are behind a computer that does not have WireGuard (e.g., a public one).

The WireGuard add-on

I’ve kept getting back at WireGuard. I knew this was going to be the right solution and I think I rewrote the add-on about 5 times. Now, 9 months later, I’m happy with the result, and I’m fairly positive I’ve hit the right balance between ease of use, allowing virtually any use case and about every advanced configuration WireGuard has to offer.

Here is a quick start video on how to start out with WireGuard:

The add-on supports ALL available Hass.io architectures (armhf, armv7, aarch64, i386, and amd64). This means, that any system capable of running Hass.io, can use this add-on.

Oh, and it is small!

Screenshot showing the size of the WireGuard add-on on DockerHub
The WireGuard Hass.io add-on listed on DockerHub, it is just 15 megabytes!

If you are running Hass.io on the HassOS operating system, you are in luck! HassOS has backed in support for WireGuard natively into the Linux kernel. The add-on is capable of detecting that and using that kernel module, making it fast, even on small devices like a Raspberry Pi 3.

If you are not using HassOS, but instead are running Hass.io on a generic Linux system (e.g., Ubuntu, Debian), don’t worry. If the add-on detects the Linux kernel support is missing, it will run a WireGuard implementation by itself and still works! However, the add-on documentation contains instructions on how to install kernel support on your system as well.

How fast is it? Well, I run Hass.io on Core i5 system, running Ubuntu 18.04 LTS. This is a speed test result:

Screenshot showing a speed test that goes through the WireGuard VPN add-on
iperf speed test gone through the WireGuard add-on.

How I use WireGuard

So I’ve been playing with the add-on quite some time already. I personally use WireGuard on all devices I carry with me. I’ve set it up to be always connected on my iPhone and set the DNS server to use the AdGuard Home add-on.

This is awesome, since no matter where I am, or which network I use: I can be assured nobody is listening in on my connection and can enjoy a more privacy-aware and ad-free experience at all times. My home, including Home Assistant, is always available to me in a secure manner.

Want to give WireGuard a try yourself? You can find the add-on documentation right here:

Community Hass.io Add-ons: WireGuard

If you want to discuss this add-on, please do so on the Home Assistant Community Forum.


../Frenck

About the author

Franck Nijhof

Home Assistant enthusiast and contributor, Hass.io add-ons creator, IoT explorer, slightly assholic at first sight but actually a nice guy.

Add comment

Leave a Reply

Internet of Things explorer and Open Source contributor.

Franck Nijhof

Home Assistant enthusiast and contributor, Hass.io add-ons creator, IoT explorer, slightly assholic at first sight but actually a nice guy.

Follow Me

Categories