Wireguard add-on

Hi,

Who has created an add-on for WireGuard VPN, please?


Is this something you would consider, adding wireguard into coreelec kernel?
Would love that feature, since my new vpn provider uses wireguard


Me too! It works very well, even on low-resource boxes!!! It would be very useful; we don't have any VPN server working on CoreELEC. Please add it to the CoreELEC kernel!!!

CoreELEC is already able to act as a wireguard client. It is however an experimental feature that is only available on the nightly builds.


Hi, any idea when we can expect Wireguard support in a stable Coreelec version?

The stable release of CoreELEC already has wireguard built in.

For more info on how to use WireGuard on CoreELEC you can follow the configuration guide that LibreELEC has on their wiki, since WireGuard is almost the same in both CoreELEC and LibreELEC.

https://libreelec.wiki/WireGuard

Thank you!

Has anyone succeeded with the CE WireGuard client?

For some reason I can't get it to work when connecting to my Linux WG server (Windows clients connect to that server just fine).

Even when, let's say, the client's AllowedIPs is limited to some /24 subnet, CE somehow loses all internet connectivity. 10.0.4.x is the CE client subnet, 10.0.10.x is the wg subnet.

Jun 30 20:08:52 hostname connmand[2564]: eth0 {add} route 0.0.0.0 gw 10.0.4.1 scope 0 <UNIVERSE>
Jun 30 20:08:52 hostname connmand[2564]: ntp: adjust (slew): -0.000592 sec
Jun 30 20:08:52 hostname connman-vpnd[2499]: wg0 {update} flags 32912 <DOWN>
Jun 30 20:08:52 hostname connman-vpnd[2499]: wg0 {newlink} index 5 operstate 2 <DOWN>
Jun 30 20:08:52 hostname connman-vpnd[2499]: wg0 {dellink} index 5 operstate 2 <DOWN>
Jun 30 20:08:52 hostname connman-vpnd[2499]: wg0 {remove} index 5
Jun 30 20:09:07 hostname connmand[2564]: ipconfig state 2 ipconfig method 1
Jun 30 20:09:07 hostname connmand[2564]: wg0 {create} index 6 type 65534 <NONE>
Jun 30 20:09:07 hostname connmand[2564]: wg0 {update} flags 144 <DOWN>
Jun 30 20:09:07 hostname connmand[2564]: wg0 {newlink} index 6 address 00:00:00:00:00:00 mtu 1420
Jun 30 20:09:07 hostname connmand[2564]: wg0 {newlink} index 6 operstate 2 <DOWN>
Jun 30 20:09:07 hostname connman-vpnd[2499]: wg0 {create} index 6 type 65534 <NONE>
Jun 30 20:09:07 hostname connman-vpnd[2499]: wg0 {update} flags 144 <DOWN>
Jun 30 20:09:07 hostname connman-vpnd[2499]: wg0 {newlink} index 6 operstate 2 <DOWN>
Jun 30 20:09:07 hostname connmand[2564]: ipconfig state 2 ipconfig method 1
Jun 30 20:09:07 hostname connmand[2564]: wg0 {update} flags 98513 <UP,RUNNING,LOWER_UP>
Jun 30 20:09:07 hostname connman-vpnd[2499]: wg0 {update} flags 98513 <UP,RUNNING,LOWER_UP>
Jun 30 20:09:07 hostname connmand[2564]: wg0 {newlink} index 6 address 00:00:00:00:00:00 mtu 1420
Jun 30 20:09:07 hostname connman-vpnd[2499]: wg0 {newlink} index 6 operstate 0 <UNKNOWN>
Jun 30 20:09:07 hostname connmand[2564]: wg0 {newlink} index 6 operstate 0 <UNKNOWN>
Jun 30 20:09:07 hostname connmand[2564]: wg0 {add} address 10.0.10.4/24 label wg0 family 2
Jun 30 20:09:07 hostname connmand[2564]: wg0 {add} route 10.0.10.0 gw 0.0.0.0 scope 253 <LINK>
Jun 30 20:09:07 hostname connmand[2564]: rp_filter set to 2 (loose mode routing), old value was 2
Jun 30 20:09:07 hostname connmand[2564]: Setting domainname to doma.vpn
Jun 30 20:09:07 hostname connmand[2564]: ipconfig state 4 ipconfig method 1
Jun 30 20:09:07 hostname connmand[2564]: eth0 {del} route 0.0.0.0 gw 10.0.4.1 scope 0 <UNIVERSE>
Jun 30 20:09:07 hostname connmand[2564]: wg0 {add} route 0.0.0.0 gw 0.0.0.0 scope 253 <LINK>
Jun 30 20:09:17 hostname connmand[2564]: Connect reply: Did not receive a reply. Possible causes include: the remote application did not send a reply, the message bus security policy blocked the reply, the reply timeout expired, or the network connection was broken. (org.freedesktop.DBus.Error.NoReply)

ping google.com
PING google.com (216.58.201.78): 56 data bytes
ping: sendto: Required key not available
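An added example, not part of the original thread: `Required key not available` is the ENOKEY error WireGuard returns when no peer's AllowedIPs covers the destination. The sketch below replays the route events from the log above and shows that the default route ended up on wg0 while the peer only accepts a /24, so traffic is dropped rather than sent out over eth0. The AllowedIPs value `10.0.10.0/24` is an assumption based on the wg subnet named in the post, and the function names are hypothetical.

```python
import ipaddress
import re

# Constructed sample: four route events copied from the connman log in the post above.
SAMPLE_LOG = """\
Jun 30 20:08:52 hostname connmand[2564]: eth0 {add} route 0.0.0.0 gw 10.0.4.1 scope 0 <UNIVERSE>
Jun 30 20:09:07 hostname connmand[2564]: wg0 {add} route 10.0.10.0 gw 0.0.0.0 scope 253 <LINK>
Jun 30 20:09:07 hostname connmand[2564]: eth0 {del} route 0.0.0.0 gw 10.0.4.1 scope 0 <UNIVERSE>
Jun 30 20:09:07 hostname connmand[2564]: wg0 {add} route 0.0.0.0 gw 0.0.0.0 scope 253 <LINK>
"""

ROUTE_RE = re.compile(r"connmand\[\d+\]: (\S+) \{(add|del)\} route (\S+) gw (\S+)")

def default_route_owners(log_text):
    """Replay {add}/{del} events; return the interfaces that still hold a 0.0.0.0 route."""
    owners = []
    for line in log_text.splitlines():
        m = ROUTE_RE.search(line)
        if not m or m.group(3) != "0.0.0.0":
            continue
        iface, action = m.group(1), m.group(2)
        if action == "add" and iface not in owners:
            owners.append(iface)
        elif action == "del" and iface in owners:
            owners.remove(iface)
    return owners

def peer_accepts(dest, allowed_ips):
    """Cryptokey routing: a packet leaves only if some peer's AllowedIPs contains dest."""
    addr = ipaddress.ip_address(dest)
    return any(addr in ipaddress.ip_network(n, strict=False) for n in allowed_ips)

def diagnose(log_text, dest, allowed_ips, wg_prefix="wg"):
    """Explain what happens to a packet for dest given the logged routes."""
    owners = default_route_owners(log_text)
    if not owners:
        return "no default route"
    if all(o.startswith(wg_prefix) for o in owners) and not peer_accepts(dest, allowed_ips):
        return "blackholed: default route on %s, no peer for %s (ENOKEY)" % (owners[0], dest)
    return "ok via %s" % owners[0]

if __name__ == "__main__":
    # Assumed AllowedIPs: the wg subnet named in the post, as a /24.
    print(diagnose(SAMPLE_LOG, "216.58.201.78", ["10.0.10.0/24"]))
```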

BTW, this workaround works, but (probably because wg-quick is missing) routes need to be handled manually after the WG interface is up.

If someone wants to use the workaround without learning a bit about routing, here is a quick setup. I really hope that some day it will be fixed with connman, but the main thing is that wg itself works :slight_smile:

You can skip the first step if you name the wg interface like one of the already blacklisted names (vmnet,vboxnet,virbr,ifb,docker,veth,zt,ve-,vb-)

1]
cp /etc/connman/main.conf /storage/.config/connman_main.conf
vi /storage/.config/connman_main.conf
and add ,wg to the NetworkInterfaceBlacklist section. Reboot device.

2] create file <privatekey> with peer private key

3] wg_up.sh

ip link add dev <wg interface name> type wireguard
ip address add dev <wg interface name> <CE subnet>/24
wg set <wg interface name> private-key <privatekey> peer <server public key> allowed-ips '<subnet you want to use with wg>/24' endpoint <hostname>:<port>
ip link set up dev <wg interface name>

In case <subnet you want to use with wg> is from the public internet, not the wg server subnet, add
ip route add <subnet you want to use with wg>/24 via <wg server subnet>.1 dev <wg interface name>

4] wg_down.sh
ip link set down dev <wg interface name>

5] You can refer to the .sh scripts in a system.d wireguard.service.

Seems wg-quick is “just” a bash script, however it chokes on ‘shopt’.

I’ll give your parchment of spells a whirl.

However…

Some lovely wholesome developer has included: connmanctl.

Which really makes it easy to set up a wireguard vpn

connmanctl watches: /storage/.config/wireguard

And has its own config system, just create a: nano myvpn.config in that directory.

[provider_wireguard]
Type = WireGuard
Name = VPNNAME
Host = (The IP of the VPN Server. Ping its hostname)
Domain = ThisMustHaveANameAndByGawdANYNAME
WireGuard.Address = The VPN internal server IP (ends with 24 or 32 usually)/32
WireGuard.PrivateKey = yourPrivateKeyHere
WireGuard.PublicKey = yourPublickeyThere
WireGuard.DNS = DNS_IP1, DNS_IP12
WireGuard.AllowedIPs = 0.0.0.0/0
WireGuard.EndpointPort = TheServerPort
WireGuard.PersistentKeepalive = 25

(There shall be no () in the config!)
Then you save it.
Type connmanctl whack enter.
Now you should be able to see it by typing: services (and whack enter)
If everything is ok, it should be listed.

Now you can type:
connect (first letter of config & press TAB) autocompletedConfigname
Likewise, you type disconnect to disconnect.

And then it should say: Connected
Type: quit to Quit.

You can check your external ip by:
nslookup myip.opendns.com resolver1.opendns.com
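An added example, not part of the original thread and not connman's own code: a small linter for the provider file described in the post above. It checks the rules the post states (no parentheses left in values, Domain set, Host given as an IP) plus address and port syntax, and, as an added check, that the file holding the private key is not readable by group or others. The sample file, its hostname, keys and port are constructed placeholders.

```python
import configparser
import ipaddress
import os
import stat

# Constructed sample in the layout the post describes; keys and addresses are placeholders.
SAMPLE = """\
[provider_wireguard]
Type = WireGuard
Name = VPNNAME
Host = (vpn.example.net)
WireGuard.Address = 10.0.10.4/24
WireGuard.PrivateKey = CONSTRUCTED_PRIVATE_KEY
WireGuard.PublicKey = CONSTRUCTED_PUBLIC_KEY
WireGuard.AllowedIPs = 0.0.0.0/0
WireGuard.EndpointPort = 51820
"""

def lint(text, path=None):
    """Return a list of problems found in a connman WireGuard provider file."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str  # keep the case of keys such as WireGuard.Address
    cp.read_string(text)
    problems = []
    for name in cp.sections():
        sec = cp[name]
        for key, value in sec.items():
            if "(" in value or ")" in value:
                problems.append("%s: parentheses left in value" % key)
        if not sec.get("Domain", "").strip():
            problems.append("Domain: missing, the post says it must be set")
        try:
            ipaddress.ip_address(sec.get("Host", "").strip())
        except ValueError:
            problems.append("Host: not an IP address")
        try:
            ipaddress.ip_interface(sec.get("WireGuard.Address", ""))
        except ValueError:
            problems.append("WireGuard.Address: not an address/prefix")
        port = sec.get("WireGuard.EndpointPort", "")
        if not (port.isdigit() and 0 < int(port) < 65536):
            problems.append("WireGuard.EndpointPort: not a port number")
    if path is not None and stat.S_IMODE(os.stat(path).st_mode) & 0o077:
        problems.append("file: readable by group or others, and it holds the private key")
    return problems
```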