How-To
WireGuard + Home Assistant Remote Access 2026
Set up self-hosted WireGuard VPN for private Home Assistant remote access: keys, routing, DNS split, firewall rules, and why this beats exposing HA to the WAN.
Quick answer: What is the most private way to access Home Assistant remotely?
Run WireGuard on your router, NAS, or a small Linux VM at home, issue per-device keys, route only the subnets you need, and open a single UDP port to your WireGuard endpoint. Access Home Assistant over the tunnel using your internal URL—avoid exposing port 8123 to the public internet.
Source: WireGuard project
Executive Summary
This guide is an implementation companion to Tailscale vs WireGuard vs ZeroTier and Cloudflare Tunnel vs DuckDNS vs Nabu Casa. Here we assume you want WireGuard specifically: minimal attack surface, modern cryptography, and no third-party overlay if you self-host the endpoint [1].
Bottom line: You are building a private road into your LAN—not port-forwarding the HA UI directly.
Architecture choices
| Deployment | Pros | Cons |
|---|---|---|
| WireGuard on the router (OpenWrt, etc.) | One hop to LAN | Router UI complexity |
| Linux VM / Proxmox LXC | Flexible | Another box to patch |
| Docker / add-on host | Familiar to HA users | Network namespaces need care |
Home Assistant itself does not need to “run” WireGuard; the tunnel terminates on a peer that can route to http://homeassistant.local:8123 or your static HA IP.
Prerequisites
| Item | Notes |
|---|---|
| Static target | Dynamic DNS or stable home IP for the WireGuard endpoint |
| UDP port | Typically 51820/UDP forwarded to the WireGuard host (adjust as you prefer) |
| Key pairs | One keypair per phone/laptop; never reuse private keys [1] |
| Internal HA URL | Use HTTPS where possible (reverse proxy, certs) |
Step-by-step (conceptual)
- Install WireGuard on the chosen Linux host using your distribution’s packages or a supported appliance image—follow WireGuard quick start for key generation.
- Configure the server interface with `Address`, `ListenPort`, `PrivateKey`, and a `[Peer]` section for each client `PublicKey` and `AllowedIPs`.
- Set AllowedIPs deliberately: many users use split tunneling (only your home `10.x/24`) so general browsing does not hairpin through the house.
- Port-forward UDP on the ISP router to the WireGuard host.
- Test from cellular data: ping an internal host; open Home Assistant using the LAN hostname or IP over VPN.
- Disable any old inbound 8123 forward unless you fully understand the risk.
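
An added example, not from the original guide or the WireGuard project: a small Python audit of the server config described in the `[Peer]` and AllowedIPs steps above, flagging peers that reuse a public key or whose `AllowedIPs` is wider than one host or overlaps another peer. It assumes road-warrior clients with one tunnel IP each; the `10.8.0.0/24` subnet, the placeholder keys, and the `parse`/`audit` names are constructed for illustration.

```python
import ipaddress
# Constructed sample; keys are placeholders, 10.8.0.0/24 is an assumed tunnel subnet.
SAMPLE = """\
[Interface]
Address = 10.8.0.1/24
ListenPort = 51820
PrivateKey = <server-private-key>
[Peer]  # phone
PublicKey = <phone-public-key>
AllowedIPs = 10.8.0.2/32
[Peer]  # laptop: claims the whole tunnel subnet
PublicKey = <laptop-public-key>
AllowedIPs = 10.8.0.0/24
[Peer]  # tablet: reuses the phone's key
PublicKey = <phone-public-key>
AllowedIPs = 10.8.0.4/32
"""

def parse(text):
    """Split a wg-quick style config into an ordered list of (section, settings)."""
    sections = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments
        if line.startswith("[") and line.endswith("]"):
            sections.append((line[1:-1], {}))  # [Peer] repeats, so keep a list
        elif "=" in line and sections:
            key, value = line.split("=", 1)  # base64 padding stays in the value
            sections[-1][1][key.strip()] = value.strip()
    return sections

def audit(text):
    """Return (peer number, issue) pairs for a road-warrior server config."""
    findings, seen_keys, seen_nets = [], set(), []
    peers = [kv for name, kv in parse(text) if name == "Peer"]
    for n, kv in enumerate(peers, 1):
        if kv.get("PublicKey") in seen_keys:
            findings.append((n, "reused PublicKey"))
        seen_keys.add(kv.get("PublicKey"))
        for item in filter(None, map(str.strip, kv.get("AllowedIPs", "").split(","))):
            net = ipaddress.ip_network(item, strict=False)
            if net.num_addresses != 1:
                findings.append((n, f"{net} is wider than one host"))
            if any(net.overlaps(other) for other in seen_nets):
                findings.append((n, f"{net} overlaps an earlier peer"))
            seen_nets.append(net)
    return findings

if __name__ == "__main__":
    print(*audit(SAMPLE), sep="\n")
```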
Hardening checklist
| Control | Purpose |
|---|---|
| Unique preshared key (PSK) per peer | Extra symmetric key per peer (optional, see WireGuard docs) |
| Firewall input rules | Only WireGuard UDP + SSH management from trusted nets |
| Revoke lost devices | Remove peer from server config and reload |
| Updates | Kernel / wireguard-tools on a schedule |
Checklist
- Generate fresh keypairs; never commit private keys to git.
- Forward only UDP to WireGuard, not the whole LAN.
- Verify HA is unreachable on 8123 from the internet after cutover.
- Document peer IPs so DHCP conflicts do not break routing.
- Pair with strong Wi-Fi and router firmware updates.
FAQ
Is WireGuard better than Tailscale for privacy?
Tailscale adds identity and coordination servers; self-hosted WireGuard keeps control on your endpoint. Compare tradeoffs in VPN comparison.
Can I use WireGuard with Home Assistant OS directly?
Often you run WireGuard on the network edge or a sibling VM; HA OS focuses on the appliance—check current community add-ons and your risk tolerance.
Do I still need Nabu Casa if I use WireGuard?
Not for remote UI access, if the VPN works. Nabu Casa remains a hosted alternative; see Cloudflare vs DuckDNS vs Nabu Casa.
What if my ISP uses CGNAT?
You may need a relay, IPv6, or an overlay—this is why some users pick Tailscale or Cloudflare Tunnel despite extra trust boundaries.
Should I expose Frigate or cameras the same way?
Keep cameras on isolated VLANs; VPN in for management rather than exposing RTSP to WAN—see Frigate comparisons.
Primary sources
| ID | Source | URL |
|---|---|---|
| 1 | WireGuard | wireguard.com |
| 2 | WireGuard quick start | wireguard.com/quickstart |
Conclusion
Self-hosted WireGuard is one of the cleanest ways to reach Home Assistant without a cloud broker—at the cost of you owning key rotation and firewall policy. Stack it with sensible TLS and reverse proxy choices so the session inside the tunnel stays protected end-to-end.