
Today, I’m going to show you how to set up a secured virtual private network (VPN) using WireGuard and Home Assistant. I’m also going to show you how to configure devices like Android, iOS, Windows, and Mac to connect to the WireGuard VPN.

So, what is a VPN?

A VPN, or virtual private network, allows devices to connect securely through the Internet to another network. It creates an encrypted tunnel where you can safely transmit sensitive data, preventing people from eavesdropping on your traffic. When a device connects to a VPN via the Internet, the device will look like it’s connecting locally to the VPN’s network, utilizing the network’s public IP address.

What is WireGuard?

WireGuard is a fast, modern, open-source VPN protocol that aims to outperform other VPNs. It utilizes state-of-the-art cryptography, and it’s very easy to configure. It’s also under heavy development, and it might be considered the most secure, fast, and simple solution for a VPN.

WireGuard add-on configuration

Before setting the WireGuard Add-on, you need to have remote access configured in Home Assistant. If you haven’t done that yet, check out my Beginner's Guide to Home Assistant, where I show how to set up remote access using DuckDNS.

Open Home Assistant, go into Supervisor > Add-on store, search for and select WireGuard, and then click on Install. When the installation completes, go to Configuration and enter the following:

server:
  host: your_domain_here.duckdns.org
  addresses:
    - 172.27.66.1
  dns:
    - 1.1.1.1
    - 1.0.0.1
peers:
  - name: Device-1-Android
    public_key: 
    addresses:
      - 172.27.66.2
    allowed_ips: []
    client_allowed_ips: []

In the server section, enter your DuckDNS URL under host. The add-on sets the server IP under addresses by default. However, you can still change it to whatever you would like (make sure other devices in your network don’t use the same IPs you set up for the server or the peers). If you use specific DNS servers, you can set them up here as well.

The peers section is where you configure the devices that will connect to the VPN. So, set up a name for the device and also an IP address. To make it even more secure, you want to add the public key for this device manually. So add the option public_key. Then, on the device connecting to the VPN, download and open the official WireGuard app.

Configure WireGuard on Android

On an Android device, download and open the WireGuard app. Tap on the plus “+” icon to add a new VPN and then tap on Create from scratch.

Set up a name for the VPN. Then, on the Private Key field, tap on the generate icon, and the app creates the private and public keys for this device. Under Addresses, enter the IP address that you assigned to this device in the WireGuard configuration, followed by /24. Add the DNS servers that you would like to use, separated by a comma and no spaces.

WireGuard Android UI config

You still need to add the server as a peer in the WireGuard app. However, there are a few more steps to do on the server-side, so copy the public key and tap on the Save icon so you don’t lose the settings. Go back to Home Assistant and paste the device’s public key under the public_key option. Save the configuration and Start the add-on.

To add the WireGuard server as a peer on the connecting device, you need to locate the server’s public key. So, go to the Log tab and click on refresh until you see the Interface option with the public key. That would be the public key for the server itself.

WireGuard logs

Copy the key, go back to the WireGuard app on the other device, open the VPN settings, and tap on Add Peer. Paste the server’s public key. Set the Persistent keepalive to 25 seconds. For the Endpoint, enter your DuckDNS URL with the WireGuard port 51820 at the end. For the Allowed IPs, you can just set 0.0.0.0/0, which routes all of the device’s IPv4 traffic through the VPN. Lastly, tap on the Save icon, and the device is all set to connect to the VPN.

Android peer config

On an Android device, you can add the WireGuard toggle under the Quick Settings in the Notification panel so you can quickly turn on and off the VPN.

Configure WireGuard on iOS

To add an iOS device to connect to the VPN, add another peer in the WireGuard configuration in Home Assistant. So, below the current device, add the same options and set up a name for the new device and an IP address.

peers:
  - name: Device-1-Android
    public_key:
    addresses:
      - 172.27.66.2
    allowed_ips: []
    client_allowed_ips: []
  - name: Device-2-iOS
    public_key:
    addresses:
      - 172.27.66.3
    allowed_ips: []
    client_allowed_ips: []

Then, on the iOS device, download and open the WireGuard app. Tap on Add a tunnel or on the plus “+” icon and then tap Create from scratch. Set up a Name for the VPN and tap on Generate keypair. Then, under Addresses, enter the IP that you set up for this device in the WireGuard configuration, followed by /24, and then add the DNS servers. After that, tap on Add peer to add the server’s information. Add the server’s public key. For the Endpoint, add the DuckDNS URL with the WireGuard port 51820. Set the Allowed IPs to 0.0.0.0/0 and the Persistent keepalive to 25 seconds.

iOS WireGuard config

Below, you have the On-demand Activation settings. With this feature, you can toggle the Cellular option, and the VPN will turn on automatically when your device is connected to the mobile network. You can also toggle the WiFi option and set it to enable the VPN when connected to a specific WiFi. Or you can tap on Except these SSIDs and set it to connect to any WiFi unless you are connected to the networks that you add in there.

The last thing you need to do is copy the public key and save the configuration. Then, go back to Home Assistant, and add the public key in the WireGuard configuration. Save the changes and restart the add-on. Once the add-on is back online, the iOS device will be able to connect to the VPN.

Configure WireGuard on Windows/Mac

To connect a Windows or Mac computer, you would also need to download the WireGuard application but from the WireGuard website. The app for both systems is the same, so you would be able to follow along for either OS. In the WireGuard add-on configuration, add a new peer with the same options from the other peers. Set a name and an IP for that device.

peers:
  - name: Device-1-Android
    public_key: 
    addresses:
      - 172.27.66.2
    allowed_ips: []
    client_allowed_ips: []
  - name: Device-2-iOS
    public_key: 
    addresses:
      - 172.27.66.3
    allowed_ips: []
    client_allowed_ips: []
  - name: Device-3-Windows/Mac
    public_key: 
    addresses:
      - 172.27.66.4
    allowed_ips: []
    client_allowed_ips: []

On your computer, download and open the WireGuard application. Where it says Add Tunnel, click on the upside-down triangle next to it and then click on Add empty tunnel. The app generates the private and public keys. Set up a name for the VPN. Then, enter the following options and add the assigned IP address and the DNS servers:

[Interface]
PrivateKey = 2FoGc7sgpIjv+MLU4hofjdYlRxzgPGrSugAWIFEQj1U=
Address = 172.27.66.4/24
DNS = 1.1.1.1,1.0.0.1

Below that, add the information from the server, so enter the following options:

[Peer]
PublicKey = Your_Server_Public_Key
AllowedIPs = 0.0.0.0/0
Endpoint = your.duckdns.org:51820

Add the server’s PublicKey. Set the AllowedIPs to 0.0.0.0/0 and add your DuckDNS URL with the WireGuard port to the Endpoint. And that’s about it. Copy the Public Key and Save the changes. Then, in the WireGuard configuration in Home Assistant, add the computer’s public key, Save the changes, and restart the add-on. When the add-on is back online, you can press Activate in the WireGuard application on your computer, and the device will connect to your VPN.
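With several peers in the list, a quick check before restarting the add-on catches the mistakes this guide warns about: a peer whose public_key is still empty or mistyped, and an IP address used twice. The script below is an added example, not part of the add-on or the original guide; the CONFIG dictionary mirrors the add-on options shown above, and its key values are constructed placeholders.

```python
import base64
import binascii
import ipaddress

# Constructed sample mirroring the add-on options; the keys are made up.
GOOD_KEY = base64.b64encode(bytes([1]) * 32).decode()
CONFIG = {
    "server": {"addresses": ["172.27.66.1"]},
    "peers": [
        {"name": "Device-1-Android", "public_key": GOOD_KEY, "addresses": ["172.27.66.2"]},
        {"name": "Device-2-iOS", "public_key": "", "addresses": ["172.27.66.3"]},
        {"name": "Device-3-Windows/Mac", "public_key": "not-a-key", "addresses": ["172.27.66.2"]},
    ],
}

def key_problem(key):
    """Return what is wrong with a WireGuard public key, or None if it looks valid."""
    if not key:
        return "public_key is empty"
    try:
        raw = base64.b64decode(key, validate=True)
    except (binascii.Error, ValueError):
        return "public_key is not valid base64"
    if len(raw) != 32:  # WireGuard keys are 32 bytes (44 base64 characters)
        return "public_key does not decode to 32 bytes"
    return None

def check_config(config, prefix_len=24):
    """Return problems in the peers section; peers must share the server's /24."""
    problems = []
    server_ip = ipaddress.ip_address(config["server"]["addresses"][0])
    tunnel_net = ipaddress.ip_network(f"{server_ip}/{prefix_len}", strict=False)
    seen = {server_ip: "server"}
    for peer in config["peers"]:
        name = peer["name"]
        issue = key_problem(peer.get("public_key"))
        if issue:
            problems.append(f"{name}: {issue}")
        for addr in peer["addresses"]:
            ip = ipaddress.ip_address(addr)
            if ip not in tunnel_net:
                problems.append(f"{name}: {ip} is outside {tunnel_net}")
            if ip in seen:
                problems.append(f"{name}: {ip} already used by {seen[ip]}")
            seen.setdefault(ip, name)
    return problems

if __name__ == "__main__":
    print("\n".join(check_config(CONFIG)) or "no problems found")
```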

Set up a port forwarding rule for WireGuard

The last thing you need to do to connect from outside the home network is to create a port forwarding rule in your router. So, open the router’s settings and locate the Port forwarding configuration. Add a new rule and set the name to WireGuard. Set the incoming port to 51820, the forwarding IP to your Home Assistant IP address, the forwarding port to 51820, and the Protocol to UDP.

Port forwarding config

Save the new port forwarding rule, and you might need to restart your router to apply the changes. After that, you can disconnect from your WiFi and turn on the VPN on your devices to see if it connects with no problem.

Final thoughts

The WireGuard VPN is all set, and you configured several devices to connect to it. Now, how can you make the VPN even better? You could set up the AdGuard add-on that blocks ads in the home network, and at the same time, it would block ads for the devices connected via VPN. That would be something to cover in a separate guide. If you guys are interested, let me know in the video comments or via social media.
