WireGuard from Entware (CoreELEC):
Use this: https://www.wireguardconfig.com/
to generate configs.
The config files for WG entware in CoreELEC are placed in:
/storage/.opt/etc/wireguard
and you can rename them as:
wg0.conf
You can create the file:
wireguard-wg0.service
in:
/storage/.config/sysctl.d
with this content:
[Unit]
Description=wireguard-wg0
After=network-online.service
Requires=network-online.service
[Service]
ExecStart=/opt/bin/wg-quick up wg0
Restart=always
RestartSec=10
StartLimitInterval=30
StartLimitBurst=20
[Install]
WantedBy=kodi.target
Enable the service, start the service, etc.
Using this “service” wg0 will start with CoreELEC.
- CoreELEC WG Server side:
You have something like this:
[Interface]
Address = 10.0.0.1/24
ListenPort = 51820
PrivateKey = EPw6sQ4GnE5PEVfMuAtj1n4uSsobyNUxULim/EuipnQ=
PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE
[Peer]
PublicKey = pSJnQvq/uFJ6/ydXyFynZy+rA59/GkxIpcOQgMdZ338=
AllowedIPs = 10.0.0.2/32
[Peer]
PublicKey = vMmlmltgAOsCS/lqgqxAilpW4oaeL1JnVL5HPsHfagg=
AllowedIPs = 10.0.0.3/32
[Peer]
PublicKey = FVYgOsoyb05FiA+2eXmBPk5RxU5qBfpYt2kOzl5fzh4=
AllowedIPs = 10.0.0.4/32
In:
/storage/.config/sysctl.d
You must have this in the file:
ip_forward.conf
net.ipv4.ip_forward = 1
net.ipv4.conf.all.src_valid_mark = 1
You have to “open” the UDP port in the router (in this example case: 51820), and redirect it to the internal IP of the CoreELEC server.
All done for the server side.
- CoreELEC WG Client side:
You have a wg0.conf like this:
[Interface]
Address = 10.0.0.2/24
ListenPort = 51820
PrivateKey = QBhIx4krH1JCKL3uLV7sDoPSxKBen/dKvhbJq+gOxGE=
[Peer]
PublicKey = ODZ9M8olgLVr5/qeM69nFScFlrbhdpOfIow6KfaWsEU=
AllowedIPs = 0.0.0.0/0, ::/0
Endpoint = myserver.dyndns.org:51820
- If you have a:
DNS = …
line, YOU MUST DELETE THAT LINE in wg0.conf in the client.
With a DNS = … line it does NOT work for CE WG client.
You MUST replace:
AllowedIPs = 0.0.0.0/0, ::/0
with:
AllowedIPs = 10.0.0.0/24
in the wg0.conf file
for the clients.
I don’t know why, but using:
AllowedIPs = 0.0.0.0/0, ::/0
it does NOT work for me.
With
AllowedIPs = 10.0.0.0/24
you can connect only to devices in the WG subnet. You can NOT route all your traffic using the server.
With CoreELEC clients, in my experience, this is not possible (at least, not for me).
- Other clients (Windows, Android, etc.):
In other clients, you do NOT have to remove the:
DNS = …
line.
And you can use:
AllowedIPs = 0.0.0.0/0, ::/0
to route all the traffic of the client using the WG server.
Kind regards
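
The client-side changes described in the post (delete the DNS line, narrow AllowedIPs to the WG subnet), as an added shell example that is not part of the original post. The function names are hypothetical, the sample config and its keys are constructed placeholders, and the file-mode check is an addition made because wg0.conf holds the PrivateKey.

```shell
# Added example (not from the original post): adapt a generated client
# wg0.conf for a CoreELEC client, then verify the result.

# Filter stdin -> stdout: drop DNS lines, pin AllowedIPs to the WG subnet.
ce_client_conf() {
    awk -v subnet="${1:-10.0.0.0/24}" '
        { key = tolower($0); sub(/^[ \t]+/, "", key) }
        key ~ /^dns[ \t]*=/        { next }
        key ~ /^allowedips[ \t]*=/ { print "AllowedIPs = " subnet; next }
        { print }'
}

# Return 0 only if the file has no DNS line, no default route in AllowedIPs,
# and is not accessible by group/others (assumption: owner-only is wanted).
ce_client_check() {
    conf="$1"; rc=0
    if grep -Eiq '^[[:space:]]*DNS[[:space:]]*=' "$conf"; then
        echo "$conf: DNS line present" >&2; rc=1
    fi
    if grep -Ei '^[[:space:]]*AllowedIPs[[:space:]]*=' "$conf" |
       grep -Eq '(0\.0\.0\.0|::)/0'; then
        echo "$conf: AllowedIPs contains a default route" >&2; rc=1
    fi
    case "$(ls -ld "$conf")" in
        ????------*) ;;
        *) echo "$conf: mode allows group/other access" >&2; rc=1 ;;
    esac
    return "$rc"
}

# Demo on a constructed sample (placeholder keys, not real ones).
demo() {
    dir=$(mktemp -d) || return 1
    cat > "$dir/generated.conf" <<'EOF'
[Interface]
Address = 10.0.0.2/24
PrivateKey = CONSTRUCTED_PLACEHOLDER_KEY
DNS = 10.0.0.1
[Peer]
PublicKey = CONSTRUCTED_PLACEHOLDER_PUBKEY
AllowedIPs = 0.0.0.0/0, ::/0
Endpoint = myserver.dyndns.org:51820
EOF
    (umask 077; ce_client_conf < "$dir/generated.conf" > "$dir/wg0.conf")
    ce_client_check "$dir/wg0.conf" && cat "$dir/wg0.conf"
    rm -rf "$dir"
}
demo
```

On a real client the filtered output would be written to /storage/.opt/etc/wireguard/wg0.conf; pass a different subnet as the first argument to ce_client_conf if the tunnel does not use 10.0.0.0/24.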