I did go through them both, but it appears this is a coreelec issue or rather specifically coreelec on wetekplay 2 issue. Docker walked me through some of the steps I could take but to no avail.
Wireguard support is far too broad I have looked around and it appears its something to do with iptables legacy vs iptables nft, but tbh this is out of my league.
Reading through the forums here I can see that people have struggled as well setting up wireguard, but then the posts about them stopped so I am assuming they managed to work it out?
Wireguard can be pretty finicky to set up.
One of the problems is that you are running 9.2.8 (legacy) which reached End Of Life beginning this year, so unfortunately we no longer offer support for our legacy product.
When it comes to wireguard I am far from a specialist. I use a different (hardware) VPN solution. The best I can do is provide you with links to their support forums.
The little information I have is this:
In ~/.config/wireguard/ thereâs a sample file that has to be adapted and renamed to wireguard.config
Once thatâs done, an entry for wireguard should appear in the connections tab in the CoreELEC settings addon
There is a bug resolving ddns so static IPâs are needed.
Some more (hopefully useful) links:
Thanks for your response. I think the key bit is the connman vs standard protocol. standard is trying to add routes to the table using iptables / nft (wg-quick script) which may not be suited to an elec system.
Will the ânewâ version be applicable to legacy 9.2.8? Also I understand that its for server plus clients, but I only intend to use it as a client can i strip the config file of it?
I am successfully using WireGuard in client mode with dynamic DNS on my CE devices. For server mode I am using LibreELEC on a x86_64 device. I have no problem with reboots and IP address changes of my domain name although for reliability reasons I still use ZeroTier simultaneously for emergency connections.
For CoreELEC with WireGuard in client mode I follow this: https://discourse.coreelec.org/t/wireguard-client-service-up-in-four-steps-with-entware (today I have been able to verify that the linuxserver/wireguard container in client mode now also works well - it did not work before - as long as the parameter 0.0.0.0/0 AllowedIPs is replaced by 0.0.0.0/1,128.0.0.0/1 or others)
For LibreELEC with WireGuard in server mode I use the linuxserver/wireguard docker container according to this: Docker Hub
WireGuard allows me to have three remote home subnets, each with their own domain, linked together.
kind people over at linuxserver tried to help me for a while. There was something about the container being on coreelec that wasnât working. They said it was a specific issue as they are not seeing it on any other device.
So it could be either coreelec or the implementation of docker on coreelec.
@cubimol I will give it a try. Can i assume that people have been relatively unsuccessful with wireguard unless used with connman?
For months I successfully used WireGuard in client mode with âconnmanctlâ because I had an internet subscription with static IP on the server, which is not normal in my country.
My problems started when I changed my internet subscription with dynamic IP on the server. You can fiddle around and run scripts to watch for changes in the serverâs IP address and act accordingly but I think this is a huge fudge, plus itâs hard to modify routing priorities with âconnmanctlâ. In the end I searched for a new method for my CoreELEC clients.
Later I tried the linuxserver/wireguard docker container in client mode and it didnât work either because of DNS and AllowedIPs configuration errors.
Lastly, another CoreELEC user wrote about setting up WireGuard with âentwareâ services. I studied this issue a bit more in depth and searched for a solution to the crashes due to AllowedIPs=0.0.0.0/0 redirecting all traffic to the wg0 interface, this turned out to be the solution to all my problems and thatâs when I wrote this mini tutorial https://discourse.coreelec.org/t/wireguard-client-service-up-in-four-steps-with-entware, since then I havenât had any problems.
Finally managed to get a working conf file, followed the entware tutorial you sent but it still isnât working for me.
Conf:
[Interface]
Address = 10.17.132.40
PrivateKey = xx...
[Peer]
PersistentKeepalive = 25
PublicKey = 9hp..
AllowedIPs = 0.0.0.0/1,128.0.0.0/1
Endpoint = 143.244.37.77:1337
My result:
Warning: `/storage/.opt/etc/wireguard/wg0.conf' is world accessible
[#] ip link add wg0 type wireguard
[#] wg setconf wg0 /proc/self/fd/63
[#] ip -4 address add 10.17.132.40 dev wg0
[#] ip link set mtu 1420 up dev wg0
[#] ip -4 route add 128.0.0.0/1 dev wg0
[#] ip -4 route add 0.0.0.0/1 dev wg0
So even though it adds it doesnât connect to anything. I have tried the same config file on android WG and it works.
I see that your WireGuard client service works, there are no errors, so if your configuration does not work I can only explain it by error in the IP address of the server (143.244.37.77:1337), in the connection keys PrivateKey and PublicKey, or error in the IP address assigned to your device in the WireGuard domain (10.17.xxx.xxx).
However I see that you donât use domain names for the WireGuard server (you use 143.244.37.77), this means that CoreELECâs native âconnmanctlâ method should also work and this would be the method I would use in the first place.
You have to recheck the connection parameters to your WireGuard server and follow the instructions that this service gives you. If all is well this could mean someone is spoofing your WireGuard identity on your same IP address 10.17.xxx.xxx. You should contact the help desk of your WireGuard server and note that the different methods of configuring the WireGuard service ( [1] âconnmanctlâ, [2] â/usr/bin/wgâ, [3] â/opt /bin/wg-quickâ, and [4] docker linuxserver/wireguard client mode) use different configuration files.
Do you have an internet subscription through CG-NAT? If your answer is yes and the WireGuard server requires an incoming UDP connection to your device, it could also be an explanation for your problem (I have two WireGuard CE devices in client mode behind CG-NAT and both work fine, although the wg0 interface reports transmission errors for the reason that the server cannot establish an incoming communication towards the client, this is because the devices connected to the internet behind a CG-NAT cannot be contacted from the internet, it is only possible as a response to a request initiated by the client).
Important:
I have searched for information about the server 143.244.37.77 and only found out that it is a Pia VPN and seems to use a private API, but nowhere does it say that this service uses the WireGuard protocol. Obviously if this server does not use WireGuard or your account is not enabled then you will never get it to work with CoreELECâs WireGuard service.
I canât see why my wg0.conf would be incorrect the exact same file works in android. I connected it, checked my ip address and it comes up as the new IP address of the client . It is indeed a pia server, generated using their scripts (pia-foss).
Iâm not interested in server side, at the moment, I use zerotier for that.
Iâm thinking of doing a fresh install. Trying using wg-quick then connman and if all fails libre and if that fails, armbian lol
You will not be able to use wg-quick. We recently added bash into amlogic-ng and your device is EOL. The implementation we inherited from LibreELEC is off standard and due to the fact that they donât want to have bash. You will get a p2p in wg but you will have to take care of routes.
I have had no time to add wq-quick and patch the paths and do the testing.
Itâs a good workaround but it can work natively too.
The information needed is the same but you have to put it as the sample file. It just works that way. Have you tried it yet? I can guarantee that it works. I connect to my home network that way when Iâm out on vacation.
If you only need to act as client itâs quite easy.
I will give it a shot converting the file into a connman equivelant see if it fires up.
Just thought iâd report back that connman works. But its seems very long and laborious to do it this way. Is it not possible to build coreelec with standard ip tables like raw/match etc?
You are using CE9 with 3.14 kernel. Both are EOL and there will be no new builds. You can however try to build a kernel with those modules enabled yourself but there will be no support.
Wait, isnât CE9 4.9 kernel?
CoreELEC (official): 9.2.8 (Amlogic-ng.arm)
CoreELEC:~ # uname -a
Linux CoreELEC 4.9.113 #1 SMP PREEMPT Tue Sep 7 08:55:27 CEST 2021 aarch64 GNU/Linux
Understood, he has a now unsupported device, so some 9.2 users have old kernels.
This topic was automatically closed 91 days after the last reply. New replies are no longer allowed.