# VPN # 9. VPN (WireGuard) The VPN page in SLZB-OS contains a **WireGuard settings helper**, allowing the Zigbee coordinator to securely connect to your Home Assistant server or other remote endpoint. --- [![image.png](https://smlight.tech/support/manuals/uploads/images/gallery/2025-08/scaled-1680-/V8jimage.png)](https://smlight.tech/support/manuals/uploads/images/gallery/2025-08/V8jimage.png) ## 9.1 WireGuard Overview WireGuard is a modern, highly secure VPN protocol. In SLZB-OS, it: - Establishes an encrypted link between your coordinator and a remote server (e.g., Home Assistant). - Protects data in transit across the internet or local networks. - Provides privacy and prevents unauthorized access. > **Note:** You must have the **WireGuard add-on** installed and configured on your Home Assistant or other VPN server. --- ## 9.2 How WireGuard Works for Home Assistant When configured: 1. Your coordinator connects to the WireGuard server. 2. All Zigbee and management traffic is securely tunneled through this encrypted channel. 3. The remote server sees the coordinator as if it were on the same local network. This is useful when: - Your coordinator is in a different physical location than the server. - You want to expose the coordinator to Home Assistant without opening public ports. --- ## 9.3 WireGuard Settings The page provides the following editable fields: 1. **Local IP Address** IP address of the coordinator *inside* the VPN network. 2. **Private Key** Secret key unique to the coordinator. **Keep it confidential.** 3. **Public Key** Coordinator’s public key (share with the WireGuard server so it can authenticate your device). 4. **Peer Public Key** The public key of the VPN server or peer you will connect to. 5. **Endpoint** IP address or domain name of the VPN server, plus port (e.g., `vpn.example.com:51820`). 6. **Allowed IPs** Specifies which IP ranges are routed through the VPN tunnel (e.g., `0.0.0.0/0` to route all traffic). 7. **Persistent Keepalive** Interval in seconds to send keepalive packets and maintain connection (useful behind NAT). --- ## 9.4 Save & Connect - After filling all fields, click **Save** to store settings. - The VPN will attempt connection automatically using the provided details. --- ## 9.5 Security Recommendations - Use a strong **Private/Public key pair** generated for the device only. - Limit **Allowed IPs** to the networks actually needed for Zigbee control. - Keep **Persistent Keepalive** enabled if the device is behind NAT or in networks with aggressive idle timeouts.