Still possible to use WireGuard from entware?

I use an Ugoos AM6b+ with CoreELEC Omega nightly (May 15th).

I have tried following this guide: WireGuard Client service up in four steps with entware by @cubimol

Installing wg-quick, wireguard-tools and wireguard-go went with no problems, I then created the wg0.conf file with my VPN provider configuration and then tried launching with wg-quick up wg0. This is what I got:

Warning: `/storage/.opt/etc/wireguard/wg0.conf' is world accessible
[#] ip link add wg0 type wireguard
[#] wg setconf wg0 /proc/self/fd/63
[#] ip -4 address add 10.173.72.95 dev wg0
[#] ip -6 address add fd7d:76ee:e68f:a993:819a:8f51:d102:3f6 dev wg0
[#] ip link set mtu 1320 up dev wg0
[#] resolvconf -a wg0 -m 0 -x
/opt/bin/wg-quick: line 32: resolvconf: command not found
[#] ip link delete dev wg0

Is this something I can solve? Thanks in advance.

I have tried using connmanctl but I’d like to avoid DNS leaks, plus connmanctl is unable to use a regular internet address, thus making it impossible for me to use the load balancing functionalities from my provider.

Edit: to clarify, using connmanctl method, the first DNS in etc/resolv.conf is always used, as connmanctl simply appends the Wireguard’s one and the first DNS remains the one from my router, which still pings from my country (even if I set it with Quad9).
I hope that using wireguard in the above way solves this, although I’m not sure. Although it should be able to let me access the address for the load balancing of my provider, since it does that on Vero4K+, where wg-quick works and resolvconf is present.

Perhaps this is interesting for you…

https://discourse.coreelec.org/t/wireguard-client-not-connected-when-allowedips-0-0-0-0-0/18187/5

I still use Wireguard from Entware with CoreELEC (21.0, ng; S905X3).

For Wireguard CoreELEC clients:
AllowedIPs = 0.0.0.0/0

Does NOT work

But (in my case):
AllowedIPs = 10.1.1.0/24

works perfectly. I use this to connect WG CoreELEC clients as tvheadend clients with a WG CoreELEC server as tvheadend server, too.


For other OS clients (Windows, Linux, Android; NOT CoreELEC):
AllowedIPs = 0.0.0.0/0

is OK.


You can use this tool:
https://www.wireguardconfig.com/

to generate server / clients configs.

In WG CoreELEC clients configs you should change:
AllowedIPs = 0.0.0.0/0
with:
AllowedIPs = 10.1.1.0/24
(this is an example; only the WG subnet)

Kind regards

First of all, thanks for taking the time to reply to me.

I suppose your wg-quick script expects to use resolvconf as mine does, since I got it from Entware too.

Good to know about the allowed IPs thing, I had read about it but it’s always useful to have more references.

Problem is arriving to a point where that matters because, as I see it, I am missing a crucial element and I don’t know where I could get it (resolvconf).

The fact it’s working for you on an up to date installation gives me some hope that I can solve this.

Before working I made:
echo "net.ipv4.ip_forward = 1" >/storage/.config/sysctl.d/ip_forward.conf
on the server. If not, it did not work.

Have you made this?

WG port (UDP) forwarded in your router software?

Try this one. Put it in /storage/.opt/bin and make it executable.

2 Likes

Could you please be so kind as to explain what this does and how I can revert from it, in case I want to? Sorry but I have only one year of light experience with Linux Mint and I’m far, very far from understanding everything I do. As such, I try to understand things instead of just copying stuff, because otherwise I would never learn…

From what I gather from the README file inside sysctl.d, I could probably revert by simply deleting ip_forward.conf. Don’t know if I got that right.

Thanks again for all the help. @vpeter file seems to be working (but the wg connection does not seem to work so far, it connects but then it disconnects, while wg0 remains up), thanks for it. Why is it that I don’t have it if it should come from regular installation?

Also, how could I determine the WG subnet, I’m not clear on this.
Also, I am seeing the data upload you were witnessing in the other thread. Did you ever find an explanation for that?

Lastly, I think my scenario is different as I want to connect to a commercial VPN, I don’t know if that changes the scenario. What I know is that with Vero4K I did not have any problem with using it :-/

It is not in the installation but comes from GitHub - NetworkConfiguration/openresolv: POSIX resolvconf implementation

resolvconf is also in systemd package. Need to look more into how to enable it.

1 Like

echo "net.ipv4.ip_forward = 1" >/storage/.config/sysctl.d/ip_forward.conf

adds the line:
net.ipv4.ip_forward = 1

to the file:
/storage/.config/sysctl.d/ip_forward.conf

and makes it possible to route WG connections on the server device.

You can edit the file:
/storage/.config/sysctl.d/ip_forward.conf

manually to add / remove / whatever you want in this file.

If you want to see the current content of the file you can use the command:
cat /storage/.config/sysctl.d/ip_forward.conf


When you set a WG server - clients net, you have something like this (this is an example) for the server wg0.conf file:

[Interface]
Address = 10.0.0.1/24
ListenPort = 51820
PrivateKey = AGfFYvrXG0w7PwkBF/sD73hWpBfcALUOv2uuZWsJQXw=
PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE

[Peer]
PublicKey = bXl30WpCMlFZql6vmFwxC9wFO6/SLHDUzc54Gmngkw0=
AllowedIPs = 10.0.0.2/32

[Peer]
PublicKey = xYRD3042Y5pmF8QiDs7fQvCeu0pUyROaVSHH09lo+BY=
AllowedIPs = 10.0.0.3/32

[Peer]
PublicKey = x20fI91bc9puV8bF+b5tqNJy+DGRJ5HkUwV4ergv5m8=
AllowedIPs = 10.0.0.4/32

So, your wireguard subnet, in this example, is:
10.0.0.0/24
because all the IPs of the WG subnet are in the range:
10.0.0.1 to 10.0.0.255

Perhaps this could help you:

1 Like
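As an added example, not posted by anyone in this thread and not part of wg-quick or CoreELEC, here is a small Python pre-flight checker that ties together the two problems discussed so far: it derives the WireGuard subnet from the Address line the way the post above does by hand, and it explains the opening post's failure, since wg-quick only runs its DNS step (the `resolvconf -a` call) when the config carries a `DNS =` line. It also flags the "world accessible" condition wg-quick warns about and any peer with `AllowedIPs = 0.0.0.0/0`. The two embedded configs are constructed samples in the shape of the ones quoted in the thread, with placeholder keys; `file_mode` and `have_resolvconf` are parameters I introduced so the checks run deterministically offline.

```python
"""Pre-flight checks for a wg-quick config (added example, not code from this thread)."""
import ipaddress
import shutil

# Constructed sample: the server layout shown in the post above, keys replaced by placeholders.
SERVER_CONF = """\
[Interface]
Address = 10.0.0.1/24
ListenPort = 51820
PrivateKey = <server-private-key-placeholder>
PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE

[Peer]
PublicKey = <peer1-public-key-placeholder>
AllowedIPs = 10.0.0.2/32

[Peer]
PublicKey = <peer2-public-key-placeholder>
AllowedIPs = 10.0.0.3/32
"""

# Constructed sample in the shape of a commercial-VPN client config (bare Address, DNS line, full tunnel).
CLIENT_CONF = """\
[Interface]
Address = 10.173.72.95
PrivateKey = <client-private-key-placeholder>
MTU = 1320
DNS = 10.128.0.1

[Peer]
PublicKey = <provider-public-key-placeholder>
Endpoint = nl3.vpn.airdns.org:1637
AllowedIPs = 0.0.0.0/0
PersistentKeepalive = 15
"""


def parse_wg_conf(text):
    """Split a wg-quick config into the [Interface] dict and a list of [Peer] dicts.

    Hand-rolled because [Peer] repeats, which configparser refuses to load.
    """
    interface, peers, current = {}, [], None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and surrounding whitespace
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            if section == "interface":
                current = interface
            elif section == "peer":
                current = {}
                peers.append(current)
            else:
                raise ValueError(f"unknown section [{section}]")
            continue
        if current is None:
            raise ValueError("key/value line before any section header")
        key, sep, value = line.partition("=")
        if not sep:
            raise ValueError(f"malformed line: {raw!r}")
        current[key.strip()] = value.strip()
    return interface, peers


def wg_subnet(interface):
    """Tunnel subnet from the Address line: '10.0.0.1/24' -> '10.0.0.0/24'.

    A bare address with no prefix (as in the provider config) is one host; ipaddress
    treats it as /32, so no wider subnet can be inferred from such a config.
    """
    first = interface["Address"].split(",")[0].strip()
    return str(ipaddress.ip_interface(first).network)


def check_conf(text, file_mode, have_resolvconf=None):
    """Return a list of findings. file_mode is the config's permission bits (e.g. 0o644).

    have_resolvconf defaults to whether 'resolvconf' is on PATH on the running host.
    """
    if have_resolvconf is None:
        have_resolvconf = shutil.which("resolvconf") is not None
    interface, peers = parse_wg_conf(text)
    findings = []
    # wg-quick calls resolvconf only when DNS= is present, so a missing resolvconf
    # is fatal for exactly those configs (the error shown in the opening post).
    if "DNS" in interface and not have_resolvconf:
        findings.append("DNS= is set but resolvconf is not installed: wg-quick will fail at 'resolvconf -a'")
    # approximates wg-quick's "world accessible" warning, which looks at the 'other' bits
    if file_mode & 0o007:
        findings.append("config is readable by others and holds a private key; use mode 0600")
    for n, peer in enumerate(peers, 1):
        allowed = [a.strip() for a in peer.get("AllowedIPs", "").split(",") if a.strip()]
        if "0.0.0.0/0" in allowed:
            findings.append(f"peer {n} routes everything (AllowedIPs 0.0.0.0/0); reported in this thread not to work on CoreELEC clients")
    return findings


if __name__ == "__main__":
    for name, conf in (("server", SERVER_CONF), ("client", CLIENT_CONF)):
        print(name, "subnet:", wg_subnet(parse_wg_conf(conf)[0]))
        for finding in check_conf(conf, file_mode=0o644):
            print("  -", finding)
```

Running it as-is reads the real `PATH` for `resolvconf`, so on a CoreELEC box without openresolv the client sample reports the same failure the opening post hit; to check a real file, read its text and pass `os.stat(path).st_mode & 0o777` as `file_mode`.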

Well… first of all thanks for the explanation regarding ip_forward.conf

My VPN provider gives me this to connect to a group of their servers I tend to use:


[Interface]
Address = 10.173.72.95
PrivateKey = HUKXeSPCgjBgICylEXFBeQGHJiTxhYlOJcECZrWQucrd
MTU = 1320
DNS = 10.128.0.1

[Peer]
PublicKey = CUpwVFSbfscpbATZUPjtfhgfknmsZQgEbvRjLVqlasz=
PresharedKey = otltlirAiTLMEsEqfYyrwCyJtaKgQLhnVVLxgcjYELR=
Endpoint = nl3.vpn.airdns.org:1637
AllowedIPs = 0.0.0.0/0
PersistentKeepalive = 15

All keys have been substituted by me with random ones in the above, for obvious reasons.

Now, this very same configuration file works perfectly on a Vero4K+ by following this guide:

ssh to your Vero
first we install wireguard and openresolv, which you need if you want to provide a DNS in your conf

sudo apt install wireguard-tools
sudo apt install openresolv

now we configure the client (you can name wg0 however you want, just change it accordingly in the following):

sudo nano /etc/wireguard/wg0.conf

paste the config, save and exit nano
you can now establish and test the connection with

sudo wg-quick up wg0
sudo wg

Apart from some slight complication in the service creation part later on, it’s all absolutely straightforward. I took my VPN provider’s config, copied it as wg0.conf and it was working. The beauty of WireGuard (among other things) is that it is easy to configure. But here on CoreELEC it doesn’t seem to be the case, unless I am missing something major.

When using connmanctl method you lose the ability to use a load balanced endpoint (the nl3.vpn.airdns.org thing selects a server among the ones available based on current load), with the method I’m trying to use here… I can’t seem to make it work.

Maybe it’s the “just enough Linux for” thing, maybe Vero has a more complete distribution included? I don’t have the foggiest idea, I’m just sorry that I can’t manage to use WireGuard, which is something I foolishly gave for granted when I bought the Ugoos. Not complaining or whining, it’s on me.

EDIT: at least I see even devs were not happy about connman implementation Wireguard difficulties [SOLVED] - #46 by Ray but since 2022 things have quieted down on this front, it seems. @Ray

Did you disconnect Vero before you enabled WireGuard on CE?
Your VPN provider will refuse connections from two devices with the same keys.

I can have up to 5 devices connected.