WireGuard® is an extremely simple yet fast and modern VPN that utilizes state-of-the-art cryptography. This component uses a custom implementation not developed by original authors and currently available for ESP32 platform only.
Please note that “WireGuard” and the “WireGuard” logo are registered trademarks of Jason A. Donenfeld. See “WireGuard” Trademark Usage Policy for additional information.
To successfully use this component you must have WireGuard® also on your remote host (already installed and ready to accept connections). If you don’t have it please read the section Remote peer setup.
This component requires the system clock to be synchronized.
See Time Component to setup a time source
and do not use
homeassistant time-platform if
Home Assistant is on the remote peer because the time
synchronization is a prerequisite to establish the VPN link.
The SNTP Time Source is a valid time-platform choice.
A VPN tunnel can be created to a single remote peer adding the following to your configuration:
# Example configuration entry wireguard: address: x.y.z.w private_key: AaBbCcDd...= peer_endpoint: wg.server.example peer_public_key: EeFfGgHh...= # Optional netmask (this is the default if omitted) netmask: 255.255.255.255 # Optional endpoint port (WireGuard default if omitted) peer_port: 51820 # Optional pre-shared key (omit if not in use) peer_preshared_key: XxYyZzWw...= # Optional list of ip/mask (any host is allowed if omitted) peer_allowed_ips: - x.y.z.0/24 - l.m.n.o/32 # the /32 can be omitted for single host - [...] # Optional keepalive (disabled by default) peer_persistent_keepalive: 25s
It is recommended to use secrets at least for private and pre-shared keys:
wireguard: private_key: !secret wg_privkey peer_preshared_key: !secret wg_shrdkey
address (Required, IPv4 address): The local VPN address of the device.
If you intend to upload firmwares through the VPN link you probably need to copy this value to the
use_addressparameter of the WiFi Component.
netmask (Optional, IPv4 address): The netmask for the configured address. Default to
private_key (Required, string): The private key of the device.
peer_endpoint (Required, string): The hostname of the remote peer.
peer_port (Optional, UDP port): The port where remote peer is listening on. The WireGuard® default is
peer_public_key (Required, string): The public key of the remote peer.
peer_preshared_key (Optional, string): The chosen pre-shared key between local device and remote peer.
peer_persistent_keepalive (Optional, Time): The amount of time after which a keepalive packet is sent through the tunnel. By default this feature is disabled (
If there are NATs or firewalls between the device and the remote peer set this value to something like
peer_allowed_ips (Optional, list of IPv4 networks): A list of networks in CIDR notation (IP/mask) to be allowed through the tunnel. Any host (
0.0.0.0/0) will be allowed if this parameter is omitted.
The device own
address/32is always added by default to this list.
reboot_timeout (Optional, Time): The amount of time to wait before rebooting the device when the remote peer is unreachable. Can be disabled by setting this to
0s. Default to
require_connection_to_proceed (Optional, boolean): Set to
trueto wait for the remote peer to be up before continuing to boot the device. Default to
This can be used to delay the initialization of components that use the VPN tunnel as long as the VPN isn’t ready. For example if you are using MQTT Client Component to reach a remote broker you may experience boot freeze just after the setup of MQTT because it waits for the broker to be reachable, but the connection cannot be established until the VPN link is active too. To bypass such deadlock set this parameter to
truein order to not initialize MQTT until the remote peer is up.
update_interval (Optional, Time): How often to check the connection status and the latest handshake value. Default to
id (Optional, ID): Manually specify the ID used for code generation.
Static routes and outgoing connections¶
Currently there is no way on ESP32 devices to configure static routes for
network interfaces, so the
peer_allowed_ips list is used only to allow
(or drop) packets that pass through the VPN tunnel, not to define static
routes for remote hosts.
The routes are implicitly added by the configured
only packets with destination inside the same network defined
address/netmask will be routed to the tunnel.
This means that the user has to tweak the
to “cover” all the networks in the allowed IPs list in order
to successfully establish outgoing connections to remote hosts.
Incoming connections are not affected by
Let’s explain with some examples:
working outgoing connections
omitted or 255.255.255.255
omitted or any other value
none, no routes are created
only to the networks in
the allowed list because the
netmask will route the whole
to any network that is in the list of allowed IPs because the netmask will route any traffic but wireguard allows only its own list
0.0.0.0 has the effect of routing
through the VPN link any traffic. It is like having set the wireguard
interface as the system default.
Here after the sensors available for this component.
Status Binary Sensor¶
This binary sensor tracks the connection status (online/offline) of the remote peer.
# Example configuration entry binary_sensor: - platform: wireguard status: name: 'WireGuard Status'
All options from Binary Sensor can be added to the above configuration.
Latest Handshake Sensor¶
This sensor reports the timestamp of the latest completed handshake.
# Example configuration entry sensor: - platform: wireguard latest_handshake: name: 'WireGuard Latest Handshake'
All options from Sensor can be added to the above configuration.
Address Text Sensor¶
This sensor exposes to the frontend the configured address.
# Example configuration entry text_sensor: - platform: wireguard address: name: 'WireGuard Address'
All options from Text Sensor can be added to the above configuration.
Remote peer setup¶
There are many different ways for installing and configuring WireGuard® on servers, home servers or general host. It depends on the platform and on the operating system in use.
You can start reading the official documentation to have an overview of what it is and on how to install it system wide for common operating systems. Read the thread at Home Assistant Community Add-on: WireGuard if you intend to install it through Home Assistant. Plase note that securely setting up a VPN requires some networking experience, you will need to open router ports and possibly use custom commands to redirect traffic.
Once everything is configured you should be able to add the device to Home Assistant. See next section.
Connecting to remote Home Assistant¶
The ESP device should interact with remote Home Assistant, across the VPN link, as it is on the local network but probably the initial auto discovery will not work and you have to add the device manually.
These are the steps:
go to the Home Assistant “Integrations” page
click on the “Add Integration” button (bottom right corner)
select “ESPHome” from the list
insert the configured IP address as the host name
The device should now be linked to your remote Home Assistant.