Hi all,
I have started to research setting up a WireGuard VPN between a CoreELEC device when I am on holiday and my Internet box at home. Must I add that I am a total noob when it comes to VPNs.
The WireGuard server that is set up on my internet box provides a conf file for a client which is pretty much standard. This is it:

[Interface]
PrivateKey = xxxxxxxxxxxxxx
Address = 192.168.27.66/32
DNS = 212.27.38.253
MTU = 1360

[Peer]
PublicKey = yyyyyyyyyyyyyy
Endpoint = <IP of the WG server>:6090
AllowedIPs = 0.0.0.0/0, 192.168.27.64/27, 192.168.0.0/24
PersistentKeepalive = 25

I imported this conf file in Ubuntu and in my Android phone and when I run the VPN I am able to remotely ping all the hosts on my private network at home (they all have IP’s in the 192.168.0.0/24 range, including my NFS file servers)
Now I cannot do the same from a CoreELEC box (running matrix 19.3 stable) using the following conf file:

[provider_wireguard]
Type = WireGuard
Name = WireGuard VPN
Host = <IP of the WG server>
WireGuard.Address = 192.168.27.66/32
WireGuard.PrivateKey = xxxxxxxxxxxxxx
WireGuard.PublicKey = yyyyyyyyyyyyyy
WireGuard.DNS = 212.27.38.253
WireGuard.AllowedIPs = 0.0.0.0/0, 192.168.27.64/27, 192.168.0.0/24
WireGuard.EndpointPort = 6090
WireGuard.PersistentKeepalive = 25

The creation of the VPN seems successful, CoreELEC settings => Connections shows state:ready and Type:fixed with the address 192.168.27.66 but from a console on CoreELEC I cannot ping any of the hosts at the end of the tunnel at home. On a Ubuntu PC at the same remote location (same address range as the kodi box) I can perfectly ping my PC’s at home. I am at a complete loss. Can anybody point me in the right direction or tell me what I did wrong ?

This is what the command route prints:

Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
default         *               0.0.0.0         U     0      0        0 wg0
1.1.1.1         192.168.0.254   255.255.255.255 UGH   0      0        0 eth0
8.8.8.8         192.168.0.254   255.255.255.255 UGH   0      0        0 eth0
<IPofWGserver>  192.168.0.254   255.255.255.255 UGH   0      0        0 eth0
192.168.0.0     *               255.255.255.0   U     0      0        0 eth0
192.168.0.254   *               255.255.255.255 UH    0      0        0 eth0
212.27.38.253   *               255.255.255.255 UH    0      0        0 wg0

TIA

There is no server/clients in wireguard. Wireguard works as a peer to peer network as default. If you need “server” capabilities you need to set up one client to forward traffic. Clients need to set the route correctly. In Ubuntu this is done by wg-quick. In Android it is also done automatically. Afaik CE has no helper script. So you need to setup routes yourself. Iirc there is another wireguard thread on this forum where someone did a HowTo.

Thanks for taking the time Ray but I got the idea from user @cubimol here who refers to a server-client implementation but there is nothing in his howto pertaining to setting up routing on the CoreELEC and I am afraid I know nothing about using iptables… So, pretty much stuck here, waiting for someone else to chime in

I have the wireguard peer set on CE devices. The only problem I had (and I’be read it’s fix d but didn’t confirm) was with ddns. There was a problem with resolving the address so the IP needed to be entered. I don’t have static IP but it’s not altered many times so I just enter it and change when needed. Can you try with the IP for testing purposes?

Start with a simple p2p network. Take your “server” whatever that is or a computer and set in up with a fixed ipv4 or/and ipv6. If you have no fixed IP use ddns.

Give both of them a wg private ip address. Now see if you can ping each other. Please take note that you won’t be able to ping the CE box (unless it has a fixed public ip) until they contacted each other before. wg is not very chatty and unless you ping or something you will not see anything on the interface.

If that works then at least you know you don’t have issues in the handshake or address resolution.

Next you need to setup your “server” to do your forwards. There is no way around using iptables or nftables to forward and masquerade the traffic.
But you said Ubuntu and Android work with your “server” so I would think it is setup fine.

In your CE client you need to look that the subnet you are trying to reach is in the AllowedIPs and make sure your netmask is correct. For instance if you wanna contact every address from 192.168.1.1-192.168.1.254 you will have to write 192.168.1.0/24. If pings doesn’t work then it’s most likely that you have no routes for them. In Ubuntu wg-quick script adds them but you can run a command through PostUp:
ip route add …

@Nanouk @Ray @Vasco

The WireGuard setup with docker that I wrote is a server setup, no one should have any doubts about this. This is not about peer-to-peer communications like in ZeroTier. (1) Clients must connect to the server, (2) unresolved routes are always sent to the server’s internet exit, and (3) the server (and other clients) knows the subnets the clients are connected to when they are declared in the variables ‘AllowedIPs’ from the server’s wg0.conf file.

Another thing is the server statement on client devices. In all operating systems the WireGuard server can be declared by its DDNS without any problems, except in CoreELEC/LibreELEC because it is poorly managed by the ‘connmanctl’ service. To partially solve this, and as long as it is not solved, I use the following:

myipstr=$(getent hosts myddns.duckdns.org | grep -o '^[^\.]*.[^\.]*.[^\.]*.[^\ ]*')
sed -i '4s/.*/Host = '$myipstr'/' /storage/.config/wireguard/WG-DDNS.config
servicename=$(echo "vpn_${myipstr}" | tr . _)
sleep 5s
connmanctl services > /dev/null 2>&1
connmanctl connect $servicename

Note.- My WireGuard network is made with a LibreELEC server and several CoreELEC client devices and an Android tablet. From other clients like my PC, sometimes Linux, sometimes Windows, and from my Android smartphone I access any device on the WireGuard network, my remote surveillance camera that is on a subnet of one of my devices, or the configuration of remote SAT>IP tuners that are on various subnets. Obviously the subnets have different domain addresses so that there are no collisions (192.168.1.0/24, 192.168.2.0/24, 192.168.3.0/24, …).

@cubimol I was not aware of the ddns issues caused by connman. In fact I am using connman over network manager on my Debian Desktop and I have zero issues with wireguard and connman. Can you elaborate what the issue is?

But the issue we have here are routes. I have to admit that I never needed wg on my CE device. If I find some time I can try it out this weekend.

@cubimol
Thanks for your time.
This is what I am trying to do and what brought me to WireGuard which seems really easy to set up.
At home my private LAN is 192.168.0.0/24. I have a couple NFS servers sharing movies and tvshows. My home CoreELEC box gets its database through mysql. Everything works fine.
Now we just bought a holiday home and I thought it would be a great idea to share the same database , sparing me the headache of maintaining two databases, and access the shares through a VPN, namely WireGuard. The WireGuard “server” at home is my internet box from the French Free company with a fixed IP. It provides me with a config file for each “client” I wish to connect to it (see OP)
Now, I am facing a couple hurdles.
First there is the VPN on the holiday home CoreELEC issue as described in my OP. I still don’t know how to solve that. I think it should be working but it doesn’t. I can’t ping my home servers from the holiday home box. Which I can when I use a PC running Ubuntu, on the same lan, after importing the WG config file.
Second, from the PC (since the kodi box has no access to my home LAN), when I run Kodi with the right adancedsettings.xml (pointing to the mysql database server running at home) I see the library is populated with the movies and tvshows, like it would be at home. Trouble is when I want to play one, it fails. I realized that the NFS shares are unavailable to the holiday home Kodi since, at home, /etc/exports tells the NFS server to only allow members of my private LAN. I edited the file to allow access to my WireGuard “interface” IP behind the WG server, ie 192.168.27.66/32 and reloaded exports. But I still can’t browse the share I modified.
I seem to remember a post where you mention moving away and being able to enjoy your movies from anywhere. I am curious as to how you do that. Pulling my hair at the moment.

This is a simplistic schematic to illustrate the situation:
INTERNET—>WG “server”(fixed IP) —> HOME(192.168.0.0/24 LAN inc. NFS servers)
HOLIDAY HOME(192.168.0.0/24 LAN inc. CoreELEC WG “client”) —> INTERNET

Thx

Just saw that. Is that an absolute pre-requisite, or can two similarly addressed LAN’s still see each other like in my experience (see my previous post) if all machines on all the LAN’s have different IP’s?

------UPDATE------
I seem to have solved that issue. Previously I didn’t edit the right file.
Now, for getting WireGuard to work as intended…

You can add exports to include the wg private ip address as well. For instance I ssh to my wg server through the wg network not the public ip. But this should not be a problem if your wg server does proper masquerading of the IPs.

But let me try CE wg for myself. I am pretty sure you guys are missing routes.

Thanks Ray. I already took care of that, see my previous post. So that part is solved. I’m still trying to work out why when the tunnel is established on the holiday home CoreELEC box I can’t reach machines on my home LAN.

Can you at least ping between server and client?
If yes show the output of “ip route” on CE.

Will do when I’m back in the evening. On a day out now.

I remind you that if it is not possible to create different domains in the different subnets, routing is still possible. For example, at my son-in-law’s house (he gives me his satellite channels from different satellite and I give him my satellite channels and my multimedia library) with the domain 192.168.1.0/24, I am not going to modify any of his domains. So, in case another subnet 192.168.1.0/24 exists, the generic domain 192.168.1.0/24 should never be used, but device to device 192.168.1.128/32,192.168.1.200/32, … In the file wg0.conf WireGuard server configuration I would no longer put

[Peer]
# peer_le-h96pp
PublicKey = <publickey>
AllowedIPs = 10.10.20.5/32,192.168.1.0/24

otherwise

[Peer]
# peer_le-h96pp
PublicKey = <publickey>
AllowedIPs = 10.10.20.5/32,192.168.1.200/32, ....others

being

10.10.20.5/32 the address of the client device on the WireGuard network
192.168.1.200/32 the address, for example, of the surveillance camera within the subnet

Obviously, there are more advantages to using different domains because any device on the subnet, including the router, can be accessed transparently.

While this is good advice it can get messy if you have larger subnet. You can also use the whole subnet in AllowedIPs and fine tune the forwards on the “server” with iptables. So don’t forward all but filter by dest and src ip and you can also filter to certain ports.

OK, here is the result of ip route show on the holiday home CoreELEC box, once connected to WG:

CoreELEC (official): 19.3-Matrix (Amlogic-ng.arm)
Kerlouan:~ # ip route show
default dev wg0 scope link
1.1.1.1 via 192.168.0.254 dev eth0
8.8.8.8 via 192.168.0.254 dev eth0
<IP of WG server> via 192.168.0.254 dev eth0
192.168.0.0/24 dev eth0 scope link src 192.168.0.38
192.168.0.254 dev eth0 scope link
212.27.38.253 dev wg0 scope link

Here is a picture of the CoreELEC connections page showing WG VPN connected (or is it?) with address 192.168.27.66:

connections1920×960 71.5 KB

Here is the established connections page on my home internet box (WG server):

server_connection_established1055×576 69.4 KB

I hid the holiday home external IP.
The holiday home CoreELEC can ping all clients on its LAN and the “local IP” address (192.168.27.66), it can’t ping any other machine at the end of the tunnel (home). There is obviously a routing problem but I can’t solve it without the input of someone more savvy than me in these matters.
I do not have these problems when I connect to my home LAN through the WG server from a Ubuntu PC at my holiday home. The CoreELEC box and the PC clearly do not setup the tunnel the same way.

As I thought you have no route for your subnet.

Look here for documentation:

ip route add 192.168.0.0/24 dev wg0

Make sure your subnet ist correct the above routes traffic from 192.168.0.1-192.168.0.254 via wg0.

Look into wireguard PostUp and PreDown configs where you can run those commands to add/del the route.

Thanks @Ray but no dice I’m afraid
This is what I get from running your command after connecting to WG:

##############################################

CoreELEC

https://coreelec.org

##############################################

CoreELEC (official): 19.3-Matrix (Amlogic-ng.arm)
Kerlouan:~ # ip route add 192.168.0.0/24 dev wg0
ip: RTNETLINK answers: File exists
Kerlouan:~ #

It seems to indicate that the routing is already set up?
Anyway, if I can solve this problem, how can I use the PostUp and PreDown since CoreELEC’s implementation of WireGuard relies on a different config file format?

I checked again your output and you have clashing routes. remove the other one or change the subnet. I guess you are using it on the same subnet.