connect remotely to your home network using the WireGuard add-on in Home Assistant

Why do this? At an early point on the journey to network heaven you may have a need to connect from some holiday location say, to a camera, your computer, a home automation setup or the router exactly as you normally do back at home. You may instead want to access a service such as Netflix which works well at home, but for some reason you can’t get to it from where you are. Maybe, for example, the hotel you’re at, has things in place to stop you mucking about like this. When you set up Wireguard you create a connection back to your home network that is safe and so obscured that no one knows what you’re doing inside your network. If you use this to access Netflix, outside your network, your home ISP will know just as they know anyway. You’ve created a secure tunnel back to your home.

I now use an alternative method that Wireguard is embedded within – see my post on Tailscale

In another post about nginx proxy I explained how you can have access to your home automation system in a secure way. If you want to extend that access to other network devices or services such as Netflix you can do that by setting up Wireguard. A strapline says that Wireguard is simple when really it’s tricky, but below I explain it, show you my setup and point you to a video tutorial that helped me.

Summary of the procedure to set up Wireguard in Home Assistant:

  • Already have Home Assistant – eg running from an SD card in a Raspberry Pi computer
  • Create an account and a subdomain at DuckDNS
  • Install the DuckDNS add-on in Home Assistant and configure that
  • Install the Wireguard add-on in Home Assistant and configure the server and the peer settings
  • Forward UDP port 51820 to the IP address of the computer running Home Assistant (eg
  • Install the Wireguard peer app on your phone and scan a QRcode hidden away in Home Assistant
  • When all this is set up, turn off the wifi on your phone; turn on Wireguard and connect to your home network cameras or other devices or Netflix or anything you normally only access from home. For example, use the browser to access your router on or Home Assistant on 192.168.1.x:8123.

connect Home Assistant to a subdomain at

When you’re away from home, the first problem to solve is to be able to find your home network. You can do that by having an easy to remember network name (e.g So create an account at, invent a subdomain and get the token (or long password) from your DuckDNS page.

The second problem to solve is that your home IP address can change. If it changes, thankfully the Home Assistant DuckDNS add-on updates this for us – it will tell DuckDNS what your current home IP address is. Go to Home Assistant > Supervisor > Add-on Store > Install Duck DNS. Then, on the Duck DNS Configuration tab fill in the information shown in bold below:

  accept_terms: true
  certfile: fullchain.pem
  keyfile: privkey.pem
aliases: []
seconds: 3000

As long as the DuckDNS add-on is running, you can now find your home network from anywhere… however we still need to secure the connection.

open up the port for Wireguard in your router

Go to your home router admin page and find the port forwarding section. Forward the public inward UDP port 51820 to your internal private port 51820 on the IP address of your Home Assistant computer. Do forward public UDP port and not TCP 51820 and not ‘Both’.

install the Wireguard add-on in Home Assistant

Go to Home Assistant > Supervisor > Add-on Store > Install Wireguard. Type your DuckDNS subdomain for the host entry then add your router IP address for the DNS plus a name for the device (ie phone) you’ll use. The rest needs explaining…

You don’t want Wireguard to assign IP addresses that will clash with those set by your router (typically so we’ll tell Wireguard to operate on an IP address eg on a different subnet. You want your phone ‘peer’ to have an IP address in that same subnet so we’ll set that at

Lastly, set the IP addresses that the phone peer/client is then allowed to browse when it’s connected – I suspect these will be on your router’ network range ie up to and also the Wireguard subnet up to The shorter way to write these ranges is and

When you’ve set the following, save your configuration and restart the Wireguard add-on

give your phone the credentials it needs to be a peer/client on your Wireguard connection

The configuration above will create a folder, somewhere in Home Assistant, that contains the credentials that your phone needs to connect. To find these go to Home Assistant > File Editor. Now browse the folder tree to get to the root of the file system. Look for a folder marked ssl/wireguard/‘name of peer’. In my case that’s ssl/wireguard/oneplus6. In this folder click the file qrcode.png and an image should appear in the browser.

If Home Assistant File Editor doesn’t allow deeper browsing, go to the File Editor add-on configuration text and see that you have a line that says ‘enforce_basepath: false’.

Install Wireguard on your phone. Open the app and choose scan QRcode. When the QRcode is recognised you can name the connection eg homeassistant51820.

start using Wireguard to access your network remotely

To simulate connecting to Wireguard remotely, turn off your phone wifi and turn on the switch in the Wireguard app. Use a browser to access (or the IP of your router). Run the Netflix app. Appreciate that you’re using data from your phone and your home broadband supplier. Remember that the DuckDNS add-on needs to run to refresh your certificates and your changing IP address. If DuckDNS fails, Wireguard will also fail.

there’s another way to do this using nginx proxy manager

If you want to connect to devices on your home network you can also be using nginx proxy manager with home assistant

here’s a tutorial video by Everything Smarthome

A brilliant video with as much an explanation as one needs for success. Thanks to Everything Smarthome

here’s a tutorial video by JuanMtech showing how to set up a Wireguard peer on IOS and Windows desktop

Thanks to Juan M Tech

2 Responses

  1. Viking says:

    Is it possible to skip the DuckDNS part during setup and just enter the public IP instead of a valid domain name?

Leave a Reply

Your email address will not be published. Required fields are marked *