I’ve built quite a few add-ons for Hass.io, the Docker management system for Home Assistant; and because of that, I get a lot of requests for building all different kinds of add-ons, like WireGuard.
Undoubtedly, the most requested add-ons are related to providing a VPN solution, that will allow one to securely connect to their home to control their home automation systems (or any other device in their network), without exposing everything to the internet.
I’ve heard all your prayers and therefore, I present you: WireGuard, as an add-on to Hass.io, to easily access Home Assistant, your network or even use your home internet, wherever you are.
The history of developing a VPN add-on
I’ve started development on all kinds add-ons providing VPN solutions already back in December 2018; however, I never succeeded in creating a VPN add-on that satisfied me in a way that is was worthy of releasing it. I aimed not only for secure and fast, but I wanted it to be easy to use, but allow for advanced uses cases as well. The recipe was hard to find.
OpenVPN is one of the first goto VPN’s I tried. It is one of the most used VPN’s for a reason, right? However, it is slow, especially on a Pi. I also tried to port PiVPN into an add-on. PiVPN makes the use of OpenVPN pretty darn easy, nevertheless, it would require a terminal (not friendly, and it would be confusing, which terminal?). OpenVPN Access Server, nice UI, friendly, but closed-source, and not available for a Pi.
VPN is hard. Hard to make it easy. There are some web GUI’s around, though, most are abandoned or didn’t fit the use case. Meanwhile, I did create and release the ZeroTier add-on as an alternative VPN solution, while it does allow you to access your Home Assistant easily, full tunneling and accessing your home network devices in this add-on, is an issue.
WireGuard is reasonably new, it is darn small, fast, secure, sexy and elegant, but suffered the same issues in terms of user-friendliness. Management web UI’s are even rarer, most abandoned in an unusable state. So I had to find a way to make the add-on configuration as easy as it gets.
Meanwhile, NabuCasa introduced the Home Assistant Cloud Remote UI
During all these months, NabuCasa introduces the Home Assistant Cloud Remote UI, allowing you to access Home Assistant remotely in a secure manner. This is great! Is removed a lot of complex “crap” for the user, and providing an awesome experience to the user.
Even with the introduction of this new add-on, I can still highly recommend getting a NabuCasa Home Assistant Cloud subscription. Why? Well for just $5, you are supporting the project. Furthermore, it allows you to set up webhooks, Amazon Alexa, and Google Assistant with ease.
Also, it gives you a secure emergency entry in case your VPN fails or when you are behind a computer that does not have WireGuard (e.g., a public one).
The WireGuard add-on
I’ve kept getting back at WireGuard. I knew this was going to be the right solution and I think I rewrote the add-on about 5 times. Now, 9 months later, I’m happy with the result, and I’m fairly positive I’ve hit the right balance between ease of use, allowing virtually any use case and about every advanced configuration WireGuard has to offer.
Here is a quick start video on how to start out with WireGuard:
The add-on supports ALL available Hass.io architectures (armhf, armv7, aarch64, i386, and amd64). This means, that any system capable of running Hass.io, can use this add-on.
Oh, and it is small!
If you are running Hass.io on the HassOS operating system, you are in luck! HassOS has backed in support for WireGuard natively into the Linux kernel. The add-on is capable of detecting that and using that kernel module, making it fast, even on small devices like a Raspberry Pi 3.
If you are not using HassOS, but instead are running Hass.io on a generic Linux system (e.g., Ubuntu, Debian), don’t worry. If the add-on detects the Linux kernel support is missing, it will run a WireGuard implementation by itself and still works! However, the add-on documentation contains instructions on how to install kernel support on your system as well.
How fast is it? Well, I run Hass.io on Core i5 system, running Ubuntu 18.04 LTS. This is a speed test result:
How I use WireGuard
So I’ve been playing with the add-on quite some time already. I personally use WireGuard on all devices I carry with me. I’ve set it up to be always connected on my iPhone and set the DNS server to use the AdGuard Home add-on.
This is awesome, since no matter where I am, or which network I use: I can be assured nobody is listening in on my connection and can enjoy a more privacy-aware and ad-free experience at all times. My home, including Home Assistant, is always available to me in a secure manner.
Want to give WireGuard a try yourself? You can find the add-on documentation right here:
Community Hass.io Add-ons: WireGuard
If you want to discuss this add-on, please do so on the Home Assistant Community Forum.
../Frenck
Thank you Frenck for all that you do for the community! I am excited to get started with WireGuard on my Hassio system. Do you have any advice on how to configure it in conjunction with your NginX Proxy Manager component?
WireGuard has nothing to do with an HTTP proxy. WireGuard is UDP traffic…
You are a machine. A question. Can you introduce to this adson the functionality to be able to have google assistant or alexa?? Thnks
Home Assistant can provide those features. Once it is hooked up to Home Assistant, you can expose those entities to Alexa or Google.
Hi Frenck,
Thanks for all your work developing addins for Home Assistant. They’re a big part of what makes it so useful.
I see that your VPN addin is available for all of the native platforms supported by the underlying package, but there are other addins in the catalog where some supported platforms haven’t been included in your addins (eg. InfluxDB and ESPhome are ones I’m interested in running on ARMHF).
Could I suggest that you include all available platforms by default, or alternatively that you do a quick post on how those of us not so familiar with Docker could modify and sideload addins?
Hi Steve,
It ain’t that easy. Some applications simply do not support all architectures. For example, InfluxDB and ESPHome cannot run on an ARMHF. It is not an add-on limitation, but a limitation to the application running inside the add-on.
All add-ons that I provide, support all possible architectures. If your architecture is not in the list, then I’m afraid you are out of luck.
../Frenck
Frenck, have you considered using zero-trust tunnel instead of VPN, something like Cloudflare Access https://teams.cloudflare.com/access ?
Frenck, is it possible to have WireGuard Home Assistant worked only for the access to Home Assistant from my phone, and rest of the internet traffic is still going through the normal route, without having to go through my Raspberry PI Home Assistant server? Thank you in advance.