bigmoby / addon-wireguard-client

Hassio Add-On Wireguard Client
MIT License

Unable to reach WG server subnet from my homeassistant install with this add-on #37

Closed omriasta closed 3 months ago

omriasta commented 4 months ago

Problem/Motivation

Having an issue pinging the WG server network from my Home Assistant install. The WG server has a Lutron hub on subnet 192.168.0.0/24. I am unable to ping the 192.168.0.0/24 subnet from the terminal add-on in Home Assistant. I was able to import the configuration from my server onto my own laptop and was able to ping the 192.168.0.0/24 subnet without an issue. I wish to be able to add the Lutron Caseta integration to my Home Assistant even though they are at two different locations/networks. The Home Assistant install is on the 192.168.86.0/24 subnet.

Expected behavior

Expect to be able to reach the 192.168.0.0/24 subnet

Actual behavior

Unable to reach the subnet, the logs are filled with "nc: bind: Address in use"

Steps to reproduce

Configuration:

Interface:

private_key: XXXXXXXXXXXXXXXXXXXX
address: 10.253.0.2
dns:
  - 8.8.8.8
  - 8.8.4.4
post_up: >-
  iptables -t nat -A POSTROUTING -o wg0 -j MASQUERADE; iptables -A FORWARD -p
  tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
post_down: >-
  iptables -t nat -D POSTROUTING -o wg0 -j MASQUERADE; iptables -D FORWARD -p
  tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
mtu: 1420

Peers:

- public_key: XXXXXXXXXXXXXXXX
  pre_shared_key: XXXXXXXXXXXXXXXXX
  endpoint: XXXXXXX.duckdns.org:51820
  allowed_ips:
    - 10.253.0.0/24
  persistent_keep_alive: "25"

Logs:

-----------------------------------------------------------
 Add-on: WireGuard Client
 Fast, modern, secure Wireguard tunnel (client)
-----------------------------------------------------------
 Add-on version: 0.2.2
 You are running the latest version of this add-on.
 System: Home Assistant OS 12.3  (aarch64 / raspberrypi4-64)
 Home Assistant Core: 2024.5.4
 Home Assistant Supervisor: 2024.05.1
-----------------------------------------------------------
 Please, share the above information when looking for help
 or support in, e.g., GitHub, forums or the Discord chat.
-----------------------------------------------------------
[cont-init.d] 00-banner.sh: exited 0.
[cont-init.d] 01-log-level.sh: executing... 
[cont-init.d] 01-log-level.sh: exited 0.
[cont-init.d] config.sh: executing... 
[13:29:20] INFO: Ended to write Wireguard configuration into: [/etc/wireguard/wg0.conf]
[cont-init.d] config.sh: exited 0.
[cont-init.d] done.
[services.d] starting services
[services.d] done.
[13:29:20] INFO: Starting WireGuard Client...
[#] ip link add wg0 type wireguard
[#] wg setconf wg0 /dev/fd/63
[#] ip -4 address add 10.253.0.2/24 dev wg0
[#] ip link set mtu 1420 up dev wg0
[#] resolvconf -a wg0 -m 0 -x
nc: bind: Address in use
[#] iptables -t nat -A POSTROUTING -o wg0 -j MASQUERADE; iptables -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
nc: bind: Address in use
nc: bind: Address in use
nc: bind: Address in use
nc: bind: Address in use
nc: bind: Address in use
nc: bind: Address in use
nc: bind: Address in use
nc: bind: Address in use
nc: bind: Address in use


bigmoby commented 3 months ago

Hi @omriasta, this is not an issue with this add-on; rather, you are looking for help with your needs. However...

When you set AllowedIPs = 10.253.0.0/24 in your WireGuard client configuration, you are instructing the client to route only traffic destined for the 10.253.0.0/24 network through the VPN tunnel. This means that any traffic destined for other networks, such as your local network 192.168.0.0/24, will not be routed through the tunnel and will instead use the regular network interface. Since your local device has an IP address of 192.168.86.x and you are trying to reach devices in the 192.168.0.0/24 network, this traffic is not being routed through the WireGuard tunnel and is likely not being routed correctly on your local network either.

You could modify the AllowedIPs setting to include both the VPN network and your local network, but ensure that the WireGuard server is set up to correctly route traffic to the 192.168.0.0/24 network. The other "solution", adding a static route on the client, is forbidden because the add-on structure is read-only.

bigmoby commented 3 months ago

Please read this help: https://github.com/bigmoby/addon-wireguard-client/issues/34#issuecomment-2109181459
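The cryptokey-routing rule bigmoby describes above, as an added, runnable illustration that is not part of this thread or of the addon-wireguard-client project: a destination is only sent into the tunnel when it falls inside some peer's AllowedIPs (longest prefix wins); anything else leaves through the regular interface, exactly as 192.168.x traffic did with only 10.253.0.0/24 listed. The add-on's `allowed_ips` list is what ends up as `AllowedIPs` in the `/etc/wireguard/wg0.conf` that the log shows config.sh writing, so the script works on a constructed wg-quick style rendering of the issue's config (placeholder keys and hostname, as in the report). It uses 192.168.1.0/24 as the remote LAN, the subnet the thread finally identifies, and the peer key value is an assumed placeholder.

```python
"""Cryptokey-routing check for a WireGuard client config (added example).

Not code from the addon-wireguard-client project. Models the kernel's
rule: an outbound packet enters the tunnel only if its destination is
inside some peer's AllowedIPs (longest prefix wins); otherwise it leaves
via the normal interface. All config text, keys and the hostname below
are constructed placeholders modelled on the issue report.
"""
import ipaddress
import re
from typing import List, Optional, Tuple

PEER_KEY = "XXXXXXXXXXXXXXXX"      # placeholder for the server's public key
REMOTE_LAN = "192.168.1.0/24"      # LAN behind the server (the Lutron hub)

# Constructed wg-quick rendering of the add-on settings from the issue.
BROKEN_CONF = f"""
[Interface]
PrivateKey = XXXXXXXXXXXXXXXXXXXX
Address = 10.253.0.2/24
DNS = 8.8.8.8, 8.8.4.4
MTU = 1420

[Peer]
PublicKey = {PEER_KEY}
PresharedKey = XXXXXXXXXXXXXXXXX
Endpoint = XXXXXXX.duckdns.org:51820
AllowedIPs = 10.253.0.0/24
PersistentKeepalive = 25
"""


def parse_peers(conf: str) -> List[dict]:
    """Collect PublicKey and AllowedIPs networks from every [Peer] block."""
    peers: List[dict] = []
    current: Optional[dict] = None
    for raw in conf.splitlines():
        line = raw.split("#", 1)[0].strip()        # drop comments and blanks
        if not line:
            continue
        if line.startswith("["):
            current = None                          # [Interface] keys are skipped
            if line.strip("[] ").lower() == "peer":
                current = {"public_key": "", "allowed_ips": []}
                peers.append(current)
            continue
        if current is None or "=" not in line:
            continue
        key, value = (s.strip() for s in line.split("=", 1))
        if key.lower() == "allowedips":
            current["allowed_ips"].extend(
                ipaddress.ip_network(v.strip(), strict=False)
                for v in value.split(",") if v.strip())
        elif key.lower() == "publickey":
            current["public_key"] = value
    return peers


def route_lookup(peers: List[dict], dst: str) -> Optional[Tuple[str, object]]:
    """Longest-prefix match of dst over all peers' AllowedIPs; None = not tunnelled."""
    addr = ipaddress.ip_address(dst)
    best = None
    for peer in peers:
        for net in peer["allowed_ips"]:
            if net.version == addr.version and addr in net:
                if best is None or net.prefixlen > best[1].prefixlen:
                    best = (peer["public_key"], net)
    return best


def diagnose(conf: str, dst: str) -> str:
    """Explain, for one destination, whether this client would tunnel it."""
    hit = route_lookup(parse_peers(conf), dst)
    if hit is None:
        return (f"{dst}: NOT tunnelled, no peer's AllowedIPs covers it; "
                f"the packet leaves via the regular interface")
    return f"{dst}: tunnelled to peer {hit[0]} via AllowedIPs {hit[1]}"


def add_allowed_ips(conf: str, public_key: str, extra: List[str]) -> str:
    """Return conf with extra networks appended to that peer's AllowedIPs line."""
    for net in extra:
        ipaddress.ip_network(net, strict=True)      # reject e.g. 192.168.1.5/24
    lines = conf.splitlines()
    bounds = [i for i, l in enumerate(lines) if l.strip().startswith("[")] + [len(lines)]
    key_re = re.compile(r"\s*PublicKey\s*=\s*" + re.escape(public_key) + r"\s*$")
    for start, end in zip(bounds, bounds[1:]):
        block = lines[start:end]
        if block[0].strip().lower() != "[peer]" or not any(key_re.match(l) for l in block):
            continue
        for i in range(start, end):
            if re.match(r"\s*AllowedIPs\s*=", lines[i]):
                lines[i] = lines[i].rstrip() + ", " + ", ".join(extra)
                return "\n".join(lines) + "\n"
    raise ValueError(f"no [Peer] block with PublicKey {public_key} and an AllowedIPs line")


if __name__ == "__main__":
    for dst in ("10.253.0.1", "192.168.1.10"):
        print(diagnose(BROKEN_CONF, dst))
    fixed = add_allowed_ips(BROKEN_CONF, PEER_KEY, [REMOTE_LAN])
    print(f"--- after adding {REMOTE_LAN} to AllowedIPs ---")
    print(diagnose(fixed, "192.168.1.10"))
```

In the add-on's YAML the same change is an extra entry under the peer's `allowed_ips` (here `- 192.168.1.0/24` next to `- 10.253.0.0/24`). Listing a network client-side only tells the client to encrypt packets for it toward that peer; as bigmoby notes, the server must also route them onward, which in practice means the server's own AllowedIPs for this client covers 10.253.0.2, IP forwarding is enabled there, and the LAN hosts have a return path (usually NAT on the server's LAN interface).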

omriasta commented 3 months ago

Thanks @bigmoby, that was very helpful. Most of the issue was of course an oversight on my end: the server network was 192.168.1.0/24 and not 192.168.0.0/24, and I confused them. All working now!