Wireguard add-on

Hi,

Who created an add-on for WireGuard VPN, please?

Is this something you would consider: adding WireGuard into the CoreELEC kernel?
Would love that feature, since my new vpn provider uses wireguard

Me too! It works very well, even on low-resource boxes!!! It will be very useful; we don't have any VPN server working on CoreELEC. Please include it in the CoreELEC kernel!!!

CoreELEC is already able to act as a wireguard client. It is however an experimental feature that is only available on the nightly builds.

Hi, any idea when we can expect Wireguard support in a stable Coreelec version?

The stable release of CoreELEC already has wireguard built in.

For more info on how to use WireGuard on CoreELEC you can follow the configuration guide that LibreELEC has on their wiki, since WireGuard is almost the same in both CoreELEC and LibreELEC.

https://libreelec.wiki/WireGuard

Thank you!

Does anyone succeed with the CE WireGuard client?

For some reason I can't get it to work when connecting to my Linux WG server (Windows clients connect to that server just fine).

Even when, let's say, the client's AllowedIPs is limited to some /24 subnet, CE somehow loses all internet connectivity. 10.0.4.x is the CE client subnet, 10.0.10.x is the wg subnet.

Jun 30 20:08:52 hostname connmand[2564]: eth0 {add} route 0.0.0.0 gw 10.0.4.1 scope 0 <UNIVERSE>
Jun 30 20:08:52 hostname connmand[2564]: ntp: adjust (slew): -0.000592 sec
Jun 30 20:08:52 hostname connman-vpnd[2499]: wg0 {update} flags 32912 <DOWN>
Jun 30 20:08:52 hostname connman-vpnd[2499]: wg0 {newlink} index 5 operstate 2 <DOWN>
Jun 30 20:08:52 hostname connman-vpnd[2499]: wg0 {dellink} index 5 operstate 2 <DOWN>
Jun 30 20:08:52 hostname connman-vpnd[2499]: wg0 {remove} index 5
Jun 30 20:09:07 hostname connmand[2564]: ipconfig state 2 ipconfig method 1
Jun 30 20:09:07 hostname connmand[2564]: wg0 {create} index 6 type 65534 <NONE>
Jun 30 20:09:07 hostname connmand[2564]: wg0 {update} flags 144 <DOWN>
Jun 30 20:09:07 hostname connmand[2564]: wg0 {newlink} index 6 address 00:00:00:00:00:00 mtu 1420
Jun 30 20:09:07 hostname connmand[2564]: wg0 {newlink} index 6 operstate 2 <DOWN>
Jun 30 20:09:07 hostname connman-vpnd[2499]: wg0 {create} index 6 type 65534 <NONE>
Jun 30 20:09:07 hostname connman-vpnd[2499]: wg0 {update} flags 144 <DOWN>
Jun 30 20:09:07 hostname connman-vpnd[2499]: wg0 {newlink} index 6 operstate 2 <DOWN>
Jun 30 20:09:07 hostname connmand[2564]: ipconfig state 2 ipconfig method 1
Jun 30 20:09:07 hostname connmand[2564]: wg0 {update} flags 98513 <UP,RUNNING,LOWER_UP>
Jun 30 20:09:07 hostname connman-vpnd[2499]: wg0 {update} flags 98513 <UP,RUNNING,LOWER_UP>
Jun 30 20:09:07 hostname connmand[2564]: wg0 {newlink} index 6 address 00:00:00:00:00:00 mtu 1420
Jun 30 20:09:07 hostname connman-vpnd[2499]: wg0 {newlink} index 6 operstate 0 <UNKNOWN>
Jun 30 20:09:07 hostname connmand[2564]: wg0 {newlink} index 6 operstate 0 <UNKNOWN>
Jun 30 20:09:07 hostname connmand[2564]: wg0 {add} address 10.0.10.4/24 label wg0 family 2
Jun 30 20:09:07 hostname connmand[2564]: wg0 {add} route 10.0.10.0 gw 0.0.0.0 scope 253 <LINK>
Jun 30 20:09:07 hostname connmand[2564]: rp_filter set to 2 (loose mode routing), old value was 2
Jun 30 20:09:07 hostname connmand[2564]: Setting domainname to doma.vpn
Jun 30 20:09:07 hostname connmand[2564]: ipconfig state 4 ipconfig method 1
Jun 30 20:09:07 hostname connmand[2564]: eth0 {del} route 0.0.0.0 gw 10.0.4.1 scope 0 <UNIVERSE>
Jun 30 20:09:07 hostname connmand[2564]: wg0 {add} route 0.0.0.0 gw 0.0.0.0 scope 253 <LINK>
Jun 30 20:09:17 hostname connmand[2564]: Connect reply: Did not receive a reply. Possible causes include: the remote application did not send a reply, the message bus security policy blocked the reply, the reply timeout expired, or the network connection was broken. (org.freedesktop.DBus.Error.NoReply)

ping google.com
PING google.com (216.58.201.78): 56 data bytes
ping: sendto: Required key not available

BTW, this workaround works, but (probably because wg-quick is missing) routes need to be handled manually after the WG interface is up.

If someone wants to use the workaround without learning a bit about routing, here is a quick setup. I really hope that some day it will be fixed in connman, but the main thing is that wg itself works :slight_smile:

You can skip the first step if you name the wg interface like one of the already blacklisted names (vmnet, vboxnet, virbr, ifb, docker, veth, zt, ve-, vb-).

1]
cp /etc/connman/main.conf /storage/.config/connman_main.conf
vi /storage/.config/connman_main.conf
and add ,wg to the NetworkInterfaceBlacklist entry. Reboot the device.

2] create a file <privatekey> containing the peer's private key

3] wg_up.sh

ip link add dev <wg interface name> type wireguard
ip address add dev <wg interface name> <CE subnet>/24
# 'peer' must precede the server public key; the private key is read from the file created in step 2
wg set <wg interface name> private-key <privatekey> peer <server public key> allowed-ips '<subnet you want to use with wg>/24' endpoint <hostname>:<port>
ip link set up dev <wg interface name>

In case <subnet you want to use with wg> is on the public internet rather than the wg server subnet, add
ip route add <subnet you want to use with wg>/24 via <wg server subnet>.1 dev <wg interface name>

4] wg_down.sh
ip link set down dev <wg interface name>

5] You can reference the .sh scripts from a systemd wireguard.service.

Seems wg-quick is “just” a bash script, however it chokes on 'shopt'.

I'll give your parchment of spells a whirl.

However…

Some lovely wholesome developer has included: connmanctl.

Which really makes it easy to set up a WireGuard VPN.

connmanctl watches: /storage/.config/wireguard

And it has its own config system; just create a file (nano myvpn.config) in that directory:

[provider_wireguard]
Type = WireGuard
Name = VPNNAME
Host = (The IP of the VPN Server. Ping its hostname)
Domain = ThisMustHaveANameAndByGawdANYNAME
WireGuard.Address = The VPN internal server IP (ends with 24 or 32 usually)/32
WireGuard.PrivateKey = yourPrivateKeyHere
WireGuard.PublicKey = yourPublickeyThere
WireGuard.DNS = DNS_IP1, DNS_IP2
WireGuard.AllowedIPs = 0.0.0.0/0
WireGuard.EndpointPort = TheServerPort
WireGuard.PersistentKeepalive = 25

(There shall be no () in the config!)
Then you save it.
Type connmanctl and whack enter.
Now you should be able to see it by typing: services (and whack enter).
If everything is ok, it should be listed.

Now you can type:
connect (first letter of config & press TAB) autocompletedConfigname
Likewise, you type disconnect to disconnect.

And then it should say: Connected
Type: quit to Quit.

You can check your external ip by:
nslookup myip.opendns.com resolver1.opendns.com
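Since most people arrive with a wg-quick style .conf from their provider, here is a small converter into the [provider_wireguard] layout above. It is an added example, not code from CoreELEC, connman or this thread; the sample conf is constructed, it uses only the keys the post lists, and it warns when Host is a hostname because the post says Host must be the server's IP.

```python
import ipaddress

# Constructed sample: a wg-quick client conf as a VPN provider might ship it.
SAMPLE_CONF = """\
[Interface]
PrivateKey = yourPrivateKeyHere
Address = 10.64.0.2/32
DNS = 10.64.0.1, 10.64.0.2
[Peer]
PublicKey = yourPublickeyThere
AllowedIPs = 0.0.0.0/0, ::/0
Endpoint = vpn.example.net:51820
PersistentKeepalive = 25
"""

def parse_wg_conf(text):
    """Parse a wg-quick conf into {'Interface': {...}, 'Peers': [{...}, ...]}."""
    interface, peers, current = {}, [], None  # configparser would merge repeated [Peer]s
    for raw in text.splitlines():
        line = raw.split('#', 1)[0].strip()  # strip trailing comments
        if not line:
            continue
        if line.startswith('[') and line.endswith(']'):
            current = interface if line[1:-1].strip().lower() == 'interface' else {}
            if current is not interface:
                peers.append(current)
            continue
        if current is None or '=' not in line:
            raise ValueError('malformed line: %r' % raw)
        key, value = (part.strip() for part in line.split('=', 1))
        current[key] = value
    return {'Interface': interface, 'Peers': peers}

def to_connman(conf, name='VPNNAME', domain='myvpn.lan'):
    """Return (connman [provider_wireguard] text, warnings) built from the first peer."""
    iface, peer = conf['Interface'], conf['Peers'][0]
    host, _, port = peer['Endpoint'].rpartition(':')
    warnings = []
    try:
        ipaddress.ip_address(host.strip('[]'))  # the post says Host must be the server IP
    except ValueError:
        warnings.append('Host must be an IP address; resolve %s first' % host)
    lines = ['[provider_wireguard]', 'Type = WireGuard', 'Name = ' + name, 'Host = ' + host,
             'Domain = ' + domain, 'WireGuard.Address = ' + iface['Address'],
             'WireGuard.PrivateKey = ' + iface['PrivateKey'],
             'WireGuard.PublicKey = ' + peer['PublicKey'],
             'WireGuard.AllowedIPs = ' + peer['AllowedIPs'], 'WireGuard.EndpointPort = ' + port]
    lines += ['WireGuard.%s = %s' % (k, s[k])
              for k, s in (('DNS', iface), ('PersistentKeepalive', peer)) if k in s]
    return '\n'.join(lines) + '\n', warnings
```

Only the first [Peer] is converted, because the connman file holds a single Host; a provider conf with several peers needs one file per peer.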

Hi @JimmyS
I don't know if you are still using this setup, but I've been banging my head everywhere in the past few days trying to get WireGuard working.
Reading your solution made me think “ok, let's try to get to the basics”.

But I'm very far from being an expert here, and while I've managed to establish a connection to my VPN provider, traffic wasn't going through it. Now, I've seen your note about “In case the subnet you want to use with wg is from public internet, not wg server subnet”, but I'm not sure if it applies to my case.

I have a .conf file from my VPN provider that I use with no problem on a Vero4K, with wg-quick. But in CE (even installing from Entware), I'm having several problems. The suggested connmanctl from LE's wiki forces me to use a single address, which stops my provider's load balancing from working among its servers, and so… I'm trying to see if this approach would work.

How should your wg_up.sh script be modified when used with a VPN provider, in order to have all traffic go through WG and the VPN's servers?
Thanks for the help in advance and thanks anyway for sharing your solution online.

WireGuard from Entware (CoreELEC):

Use this: https://www.wireguardconfig.com/
to generate configs.

The config files for WG entware in CoreELEC are placed in:
/storage/.opt/etc/wireguard

and you can rename them as:
wg0.conf

You can create the file:
wireguard-wg0.service

in:
/storage/.config/sysctl.d

with this content:


[Unit]
Description=wireguard-wg0
After=network-online.service
Requires=network-online.service

[Service]
ExecStart=/opt/bin/wg-quick up wg0
Restart=always
RestartSec=10
StartLimitInterval=30
StartLimitBurst=20

[Install]
WantedBy=kodi.target

Enable the service, start the service, etc.

Using this “service”, wg0 will start with CoreELEC.

1. CoreELEC WG server side:
   You have something like this:

[Interface]
Address = 10.0.0.1/24
ListenPort = 51820
PrivateKey = EPw6sQ4GnE5PEVfMuAtj1n4uSsobyNUxULim/EuipnQ=
PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE

[Peer]
PublicKey = pSJnQvq/uFJ6/ydXyFynZy+rA59/GkxIpcOQgMdZ338=
AllowedIPs = 10.0.0.2/32

[Peer]
PublicKey = vMmlmltgAOsCS/lqgqxAilpW4oaeL1JnVL5HPsHfagg=
AllowedIPs = 10.0.0.3/32

[Peer]
PublicKey = FVYgOsoyb05FiA+2eXmBPk5RxU5qBfpYt2kOzl5fzh4=
AllowedIPs = 10.0.0.4/32

In:
/storage/.config/sysctl.d

You must have this in the file:
ip_forward.conf

net.ipv4.ip_forward = 1
net.ipv4.conf.all.src_valid_mark = 1


You have to “open” the UDP port on the router (51820 in this example) and redirect it to the internal IP of the CoreELEC server.

All done for the server side.

2. CoreELEC WG client side:

You have a wg0.conf like this:

[Interface]
Address = 10.0.0.2/24
ListenPort = 51820
PrivateKey = QBhIx4krH1JCKL3uLV7sDoPSxKBen/dKvhbJq+gOxGE=

[Peer]
PublicKey = ODZ9M8olgLVr5/qeM69nFScFlrbhdpOfIow6KfaWsEU=
AllowedIPs = 0.0.0.0/0, ::/0
Endpoint = myserver.dyndns.org:51820


  • If you have a:
    DNS = …

line, YOU MUST DELETE THAT LINE in wg0.conf in the client.
With a DNS = … line it does NOT work for the CE WG client.

You MUST replace:
AllowedIPs = 0.0.0.0/0, ::/0
with:
AllowedIPs = 10.0.0.0/24

in the wg0.conf file
for the clients.

I don't know why, but using:
AllowedIPs = 0.0.0.0/0, ::/0
it does NOT work for me.

With
AllowedIPs = 10.0.0.0/24
you can connect devices only within the WG subnet. You can NOT route all your traffic through the server.
With CoreELEC clients, in my experience, this is not possible (at least, not for me).

3. Other clients (Windows, Android, etc.):
   In other clients, you do NOT have to remove the:
   DNS = …
   line.

And you can use:
AllowedIPs = 0.0.0.0/0, ::/0
to route all the traffic of the client using the WG server.

Kind regards

Thanks for taking the time, really.

Am I mistaken in understanding that this configuration is meant to work in a personal client/server situation? My use case is of a commercial VPN provider, so I have zero control on the server side of the equation.

Yes, it is for a server - clients situation.
If your commercial VPN provider uses WireGuard configs (as a server), and you want to use CoreELEC as a client, perhaps you have problems with the:
AllowedIPs = 0.0.0.0/0, ::/0
or with:
DNS = …

parts.

I use the WG server - clients setup for personal use; basically to connect clients with the server at different sites (tvheadend server and clients, too).