Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Adding Wireguard Tunnel #524

Open
wants to merge 49 commits into
base: master
Choose a base branch
from
Open

Adding Wireguard Tunnel #524

wants to merge 49 commits into from

Conversation

janchri
Copy link

@janchri janchri commented Jan 19, 2023

Wireguard is an easy way to connect peers together even behind NATs and all kinds of firewall constructs. A possible use case might be, that one already has a VPS configured somewhere (AWS, Ionos, Netcup, Strato....) and wants to use the server to capture all the data from OpenDTU. This is possible with the fork! One has to simply configure the regular Wireguard VPN network (maybe already done!) and set the MQTT broker of the OpenDTU to the "local Wireguard IP address" of the endpoint/server.

The implementation of the Wireguard function is basically a copy/fork of https://github.com/ciniml/WireGuard-ESP32-Arduino . However, due to strict compile rules within the OpenDTU project, I had to fork the WireGuard-ESP32-Arduino and remove some minor "errors/flaws".
In platformio.ini, one can see I used a forked version of the above Wireguard Arduino library. Additionally to that, I implemented the backend following more or less the general "work flow of OpenDTU". Finally, the frontend is updated, too.

Unfortunatley, if one wants to reconfigure the Wireguard parameters online, the OpenDTU has to reboot. I have really tried to fix this problem, however, "live" changes can occasionally create kernel panics/runtime errors and forced reboots. But, I assume that changing the parameters quite frequently is not needed at all and, therefore, I think the current status is a viable solution.

Happy to discuss the approach and the general idea of using Wireguard + OpenDTU. For me, it does make great sense, as I do not have to buy, configure, and support an additional device such as an Raspi, etc. pp.

@janchri janchri changed the title Added Wireguard Adding Wireguard Tunnel Jan 19, 2023
@T3rm1
Copy link

T3rm1 commented Mar 16, 2023

Why did you choose Wireguard to achieve what you described?
What I did is simply host a MQTT broker on the VPS and set up TLS with a free certificate from Let's Encrypt and enabled password authentication.
What would be the benefit of Wireguard here?

@janchri
Copy link
Author

janchri commented Mar 16, 2023

It is probably quite a personal opinion, but I do not like to open ports at my VPS. My VPS is a remote entry point into my mixed local/remote network, where everyone can communicate with each other. So I really need a "closed environment".
Typically, I only open a random SSH Port and a random Wireguard Port. Rest is closed and a user has to tunnel into my network using Wireguard or SSH to be able to roam around in my local/remote network or use any services like bitwarden/nextcloud etc.

EDIT: I can also access from anywhere and all my devices the regular opendtu local website. Which comes at handy from time to time. Of course, one can make this happen having a tunnel into your home local network as well. But with wireguard everything is nicely organized and orchestrated and imho very secure.

@3DJupp
Copy link

3DJupp commented Jul 17, 2023

I would not choose wireguard on a small microcontroller like the esp32/8266 etc.
Most routers using OpenWRT or similar should have the ability of implementing wireguard.
I mean, of course, that is indeed possible, but you might need some WRT device behind the ESP anyway. (or other Router/Access Point manufacturer)

Copy link
Contributor

@CommanderRedYT CommanderRedYT left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Whats the reason for implementing Shelly in the same MR as Wireguard?

@@ -28,6 +28,7 @@ lib_deps =
nrf24/RF24 @ ^1.4.5
olikraus/U8g2 @ ^2.34.13
buelowp/sunset @ ^1.1.7
https://github.com/janchri/WireGuard-ESP32-Arduino
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

You might want to pin the exact version so this stays reproducible

Copy link

@stefan123t stefan123t Sep 26, 2024

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

ESPHome uses this in their platformio.ini:

droscy/[email protected]            ; wireguard

@janchri would it be better to use the Library that Tomoyuki Sakurai created for ESP-IDF and Simone Rosetto already maintains for ESPHOME ?

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

And that is also fork because of some esphome optimizations, but works perfectly.
Maybe it make sense to start new attempt with this "esphome" fork...

@Adminius
Copy link

@janchri any news? I would like to use it wireguard ;)

"InverterSettings": "Wechselrichter Einstellungen",
"SecuritySettings": "Sicherheitseinstellungen",
"DTUSettings": "DTU Einstellungen",
"DeviceManager": "Geräte-Manager",

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Einstellungen is already the title of the Settings menü. Do not repeat it in every entry.

@@ -343,6 +362,36 @@
"SynchronizeTime": "Synchroniser l'heure",
"SynchronizeTimeHint": "<b>Astuce :</b> Vous pouvez utiliser la synchronisation horaire manuelle pour définir l'heure actuelle d'OpenDTU si aucun serveur NTP n'est disponible. Mais attention, en cas de mise sous tension, l'heure est perdue. Notez également que la précision de l'heure sera faussée, car elle ne peut pas être resynchronisée régulièrement et le microcontrôleur ESP32 ne dispose pas d'une horloge temps réel."
},
"wireguardadmin": {
Copy link

@stefan123t stefan123t Sep 26, 2024

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

french translation has been filled with english stubs.

@stefan123t
Copy link

stefan123t commented Sep 26, 2024

I would not choose wireguard on a small microcontroller like the esp32/8266 etc. Most routers using OpenWRT or similar should have the ability of implementing wireguard. I mean, of course, that is indeed possible, but you might need some WRT device behind the ESP anyway. (or other Router/Access Point manufacturer)

@3DJupp same for me, I do not see the application of this on the OpenDTU ESP32 (yet?).
We already have to cope with limited memory and may not include a lot of libraries.

@janchri For my understanding (I am not very familiar with Wireguard yet, I mostly use OpenVPN / IPSec with pre-shared keys) this implements a Wireguard Client for an OpenDTU placed in a User Home LAN, which will connect to a Wireguard server somewhere else e.g. on another LAN Router / Access Point, i.e. your Admin Home LAN or the VPS. So you can later contact/connect to and administrate the remote OpenDTU in the other User's Home LAN from your Admin Home LAN / VPS, right ?

Whats the reason for implementing Shelly in the same MR as Wireguard?

@CommanderRedYT the Shelly 3EM is supported by OpenDTU-onBattery too. I would suggest to drop this from the PR or cherry pick / pull the Wireguard specifica only.

@CommanderRedYT
Copy link
Contributor

So in general wireguard is easily possible on any kind of esp32 (maybe even esp8266), it just takes very few kB of program space if not less. I haven't fully looked into this, but for example ESPHome has a integration for this. You can find it here

@Adminius
Copy link

@stefan123t my use case: I have Wireguard server. Some ESPHome esp32 are already connected via WG/internet to my local network, because this ESP32 are far away from my home, but managed by me.
My sister uses openDTU-onBattery. I tried to put extra RasPi with Tailscale or Wiregare to manage and check the installation some time. But to run RasPi with ~4Watt only to manage some times opnDTU is overkill (and it died a while ago)
That why I came with idea again to use Wiregate on esp32 directly.

@stefan123t
Copy link

stefan123t commented Sep 26, 2024

So in general wireguard is easily possible on any kind of esp32 (maybe even esp8266), it just takes very few kB of program space if not less. I haven't fully looked into this, but for example ESPHome has a integration for this. You can find it here

@CommanderRedYT thanks for the explanation. So this way you only get access to the individual OpenDTU instance and not the whole Users Home LAN. And you do not have to configure the Users Home LAN Router to access his/her LAN from your Wireguard Server.
I just had a quick peek at your OpenDTU React App (Android) which would then also allow to connect to your Admin Home LAN and that way both (OpenDTU and OpenDTU-React-Native App) would be able to connect to each other ?

Note that it comes with three CAVEATs:

  • licensing / trademark policy for WireGuard vs. GPL-v2 in OpenDTU and NRF24 libraries
  • need to install a WireGuard server on your Admin Home LAN anyway
  • time has to be synchronized properly for it to work (nonce's), e.g. using SNTP.

These were listed on your esphome link:

Please note that “WireGuard” and the “WireGuard” logo are registered trademarks of Jason A. Donenfeld. See “WireGuard” Trademark Usage Policy for additional information.

Actually the ESPHOME maintained implementation is BSD 3-Clause licensed: https://github.com/droscy/esp_wireguard/

Warning
To successfully use this component you must have WireGuard® also on your remote host (already installed and ready to accept connections). If you don’t have it please read the section Remote peer setup.

Warning
This component requires the system clock to be synchronized.
See Time Component to setup a time source and do not use homeassistant time-platform if Home Assistant is on the remote peer because the time synchronization is a prerequisite to establish the VPN link.
The SNTP Time Source is a valid time-platform choice.

@Adminius
Copy link

and now?
@janchri doesn't answer, and had almost one year no activity...

I would say start a new implementation based on ESPHome lib?

@janchri
Copy link
Author

janchri commented Sep 30, 2024

Hi, I am so sorry. Was totally not aware that this pull request is still up for debate. Feel free to use any part of the code I prepared so far. The wireguard implementation is not writen by myself, instead it was forked by another repo and I simply fixed minor compile time issues. If there is any other solution, like ESPHome, it might be a good idea to use this as a base.

@stefan123t
Copy link

@Adminius / @CommanderRedYT who would like to provide a new PR based on the droscy/[email protected] ; wireguard platformio.ini ?
Most of the Vue code could probably be used verbatim and the Shelly parts can be left out as they are in OpenDTU-OnBattery afaik.

@Adminius
Copy link

Adminius commented Oct 1, 2024

who would like to provide a new PR based

If @CommanderRedYT has no time, I'll try, but I also have limited time...

@CommanderRedYT
Copy link
Contributor

I might have time in evenings, but as I also have other projects I cannot estimate how long it would take. I can try it however, but I would open another PR for this.

@Adminius
Copy link

Adminius commented Oct 1, 2024

new PR make sense. and copy&paste some (UI/settings) from this

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

6 participants