Wireguard difficulties [SOLVED]

Ah OK. But I don’t understand why it would work on a PC on the same subnet as the CE box…
Anyways, I noticed I have a stability problem with my Internet box at home, it reboots spontaneously and randomly. More headaches. Will see if I can find a stable window to do my trials while I am still on holiday here. More to come haha.
Thanks and sorry to take up too much of your time for what seems a simple thing.

And I explained to you that Ubuntu includes the wg-quick script that handles this stuff. And you need to do this yourself because LibreELEC hasn’t added it, because they want connman to handle it. Well, it doesn’t work for beginners. Just delete the other route, then add the correct route.

I read what you write but I still don’t understand your problem. For me, with WireGuard, I don’t need to set any routes, I only need to indicate the accessible subnets or devices in the server’s wg0.conf file, but only if necessary.

For clients there is also no need to configure anything. It is only necessary to check the client connection file.

If clients use CE/LE they are handled by ‘connman’ and it is connman that prevents you from changing the default route. Execute the ‘connmanctl services’ command to check that the connection service to the server has been configured, and type the command ‘connmanctl connect vpn_123_45_67_89’ where 123_45_67_89 is the IP address of your server. As far as I know you can’t do anything but change the order of the interfaces so that ‘connman’ sets a default route to another interface, e.g. ethernet, instead of the wireguard interface.

In entware you can install ‘wireguard-tools’ and you will be able to run the ‘wg-quick’ command but you will get other errors. In short I don’t know of any way to avoid ‘connman’.

Well, thx to you guys, I have finally been able to solve my two problems it seems. As soon as I changed the holiday home subnet to 192.168.1.0/24 (192.168.0.0/24 at home) everything worked. A modified exports file allowed me to see my NFS shares at home. I made the mistake of assuming that since it worked on my Ubuntu PC, on the same 192.168.0.0/24 subnet as my home, it should also work on the CE box. But apparently that is not the case and is beyond my competence.
Now I tried to make the WG tunnel start at boot from the Coreelec settings => connections => Wireguard VPN => Edit => Connect automatically => Save, but the setting doesn’t stick and I have to reconnect the VPN after the CE box has booted. What can I do to remedy this? By running connmanctl connect vpn_<IP of WG server> in autostart.sh?

Just tried that and the result is:
Error 'connect': Invalid argument

Sorry, didn’t see the underscores in IP address of server but works now, VPN is established.

Doesn’t work from autostart.sh but does from command line.
This is what I have in autostart.sh:

(
mount /dev/data /storage/emmc
mount /dev/sda2 /storage/BackupPlus
connmanctl connect vpn_<IP_of_WG_server>
)&

journalctl -u kodi-autostart -l --no-pager

prints
Error /net/connman/service/vpn_<IP_of_WG_server>: Input/output error

The problem is that the implementation with connman is just shit. wg-quick makes more sense and it’s the way other distros are doing it. All those solutions through docker or entware are just unacceptable.

Anyways I am happy the problem is solved.

Yes @Ray, it seemed so easy on Ubuntu (or Android, for that matter). The thing with having to create a different config file is annoying also. Sigh.
Anyway, before I mark the thread as solved there is the matter of my inability to run connmanctl from autostart.sh as per my previous post. Any idea on how to solve that problem? I obviously want the vpn connection established prior to Kodi loading the movie database.

autostart.sh is widely used the wrong way. What you need is a systemd service, the same way wg-quick is handled.

Hmmm…
I have found this service file /usr/lib/systemd/system/connman-vpn.service with this content:

[Unit]
Description=ConnMan VPN service

[Service]
Type=dbus
BusName=net.connman.vpn
ExecStart=/usr/sbin/connman-vpnd -n
StandardOutput=null
CapabilityBoundingSet=CAP_KILL CAP_NET_ADMIN CAP_NET_BIND_SERVICE CAP_NET_RAW CAP_SETGID CAP_SETUID
ProtectHome=read-only
ProtectSystem=full

[Install]
WantedBy=multi-user.target

Shall I just copy this file under a different name and edit the content to suit my needs, i.e. edit the ExecStart= entry with /net/connman/service/vpn_<IP_of_WG_server>? What about the other entries, shall I delete them? I’m in at the deep end here …

Sorry, I try to do everything in autostart.sh, sometimes I can’t and I prepare some script that is executed from autostart.sh or through cron. I understand that professionals use services but I have not yet had this need.

I agree with @Ray in his opinion about ‘connman’. I simultaneously use three types of vpn client networks 10.10.10.0/24 for zerotier, 10.10.20.0/24 for wireguard, and 10.10.30.0/24 for openvpn. I like zerotier the most because of the flexibility it offers but it doesn’t always work well with media streams. OpenVPN has the advantage that my Asus home router can work as a server, the configuration is very simple, and I only have to export the .ovpn file to the client devices; for CE/LE I don’t need the thoradia addon, just activate the service, which I already said I don’t like, or use the run command in autostart.sh. Worst of all is configuring wireguard clients if you need to use DDNS on CE/LE.

So that you can analyze how I solve the problems, I leave you my autostart.sh and my wg-check-ddns.sh.

autostart.sh

#!/bin/sh
# /storage/.config/autostart.sh
(
  # only once this prevents power off
  # systemctl mask poweroff.target kodi-poweroff.service
  # systemctl restart systemd-logind.service

  sleep 20s

  # store a dummy value so the first run of wg-check-ddns.sh is forced to connect the wireguard client
  fw_setenv VPNDDNS vpn

  # start wireguard client
  /storage/.config/scripts/wg-check-ddns.sh > /dev/null 2>&1

  # start openvpn client
  /usr/sbin/openvpn --daemon --config /storage/.config/OV-DDNS.ovpn &

  fw_setenv hdmimode 1080i50hz
  fw_setenv outputmode 1080i50hz
  echo 1080i50hz > /storage/.kodi/userdata/disp_cap

  # create directories if necessary (-f refreshes the links instead of failing on later boots)
  mkdir -p /storage/.config/downloads
  ln -sfn /storage/.config/downloads /storage/downloads
  mkdir -p /storage/.config/dockers
  ln -sfn /storage/.config/dockers /storage/dockers
  mkdir -p /storage/shared

  # prepare reboots, full backups and reconnects wireguard every 10 minutes if necessary
  crontab /storage/.config/scripts/crontab.conf

  # load remote kodi playlists
  /storage/.config/sync-iptv.sh

  # load epg
  cp -upr /storage/.config/scripts/tv_grab* /storage/.kodi/addons/service.tvheadend42/bin

  # route bridge -> eth0 for vpn zerotier
  sysctl -w net.ipv4.ip_forward=1
  sysctl -w net.ipv4.conf.all.forwarding=1
  sysctl -w net.ipv4.conf.all.rp_filter=2
  sysctl -w net.ipv6.conf.all.disable_ipv6=0
  sysctl -w net.ipv6.conf.default.disable_ipv6=0
  sysctl -w net.ipv6.conf.eth0.disable_ipv6=0
  sysctl -w net.ipv6.conf.all.forwarding=1
  iptables -t nat -A POSTROUTING -j MASQUERADE
  iptables -t nat -I POSTROUTING -o lo -j ACCEPT
  iptables -A FORWARD -i wg+ -j ACCEPT
  iptables -A FORWARD -i zt+ -j ACCEPT
  iptables -A FORWARD -i tun+ -j ACCEPT
  iptables -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
  systemctl restart systemd-sysctl

  # start join zerotier vpn network
  docker exec 9993-zerotier-one zerotier-cli join a0.bf.b6.ab.9b.0

  # mount remote media with native ssh server
  # ssh-keygen -f "/storage/.ssh/known_hosts" -R "[10.10.20.1]:22"
  # echo n | ssh-keygen -t rsa -f /storage/.ssh/id_rsa
  # ssh root@10.10.20.1 "mkdir -p /storage/.ssh"
  # cat /storage/.ssh/id_rsa.pub | ssh root@10.10.20.1 "cat >> /storage/.ssh/authorized_keys"
  /opt/bin/sshfs root@10.10.20.1:/storage/shared /storage/shared -o reconnect,delay_connect

  pkill -f aml-vnc

)&

wg-check-ddns.sh

#!/bin/sh
# /storage/.config/scripts/wg-check-ddns.sh
# run every 10 minutes via cron
# first IPv4 address the resolver returns for the DDNS name
myipstr=$(getent hosts myddns.duckdns.org | awk '$1 ~ /^[0-9.]+$/ { print $1; exit }')
# no answer (e.g. network not up yet): leave everything as it is
[ -n "$myipstr" ] || exit 1
# connman names the service vpn_<IP with dots replaced by underscores>
servicename=$(echo "vpn_${myipstr}" | tr . _)
# last service name, kept in the u-boot environment across reboots
oldservice=$(fw_printenv -n VPNDDNS)
# quoted so an empty value doesn't break the comparison
if [ "$servicename" != "$oldservice" ]; then
  connmanctl disconnect "$oldservice"
  fw_setenv VPNDDNS "$servicename"
  # line 4 of the connman WireGuard .config is the "Host = " line
  sed -i "4s/.*/Host = $myipstr/" /storage/.config/wireguard/WG-DDNS.config
  # refresh the service list before connecting
  connmanctl services > /dev/null 2>&1
  sleep 2s
  connmanctl connect "$servicename"
  # keep ethernet ahead of the vpn so ethernet stays the default route
  connmanctl move-after "$servicename" ethernet_c4.ea..4d2.a_cable
  sleep 2s
  connmanctl move-after "$servicename" ethernet_c4.ea..4d2.a_cable
fi
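An added example, not cubimol’s script and not part of this thread, that does the same job as wg-check-ddns.sh with a few checks around it: it validates the resolved address, builds the vpn_ service id the way the earlier post describes (dots replaced by underscores), and edits the Host = line of the connman .config by key rather than by line number. The DDNS name, config path and state file are placeholders, and the last service id is kept in a plain file instead of the u-boot env so the logic runs anywhere.

```shell
#!/bin/sh
# Added example (not from the thread): connman service id for a WireGuard
# peer behind a DDNS name, plus a key-based update of the .config Host line.
# Assumption: connman names the service vpn_<IPv4 with dots replaced by
# underscores>, as stated in the thread. Paths and host names are placeholders.

# Accept only a dotted-quad IPv4 address (four octets, each 0-255).
is_ipv4() {
    case "$1" in
        ""|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ "$octet" -le 255 ] 2>/dev/null || return 1
    done
    return 0
}

# 123.45.67.89 -> vpn_123_45_67_89
vpn_service_name() {
    is_ipv4 "$1" || return 1
    printf 'vpn_%s\n' "$1" | tr . _
}

# First IPv4 address the resolver returns for a host name (getent, as in the
# thread's script; awk takes field 1 instead of a grep pattern).
resolve_ipv4() {
    getent ahostsv4 "$1" | awk 'NR == 1 { print $1; exit }'
}

# Replace the value of the "Host = " key wherever it sits in the file.
set_config_host() {   # $1 = config file, $2 = new IPv4 address
    is_ipv4 "$2" || return 1
    grep -q '^Host *= *' "$1" || return 1
    sed -i "s/^Host *= *.*/Host = $2/" "$1"
}

# Reconnect only when the address behind the DDNS name has changed.
reconnect_if_changed() {   # $1 = ddns host, $2 = config file, $3 = state file
    addr=$(resolve_ipv4 "$1")
    new=$(vpn_service_name "$addr") || { echo "cannot resolve $1" >&2; return 1; }
    old=$(cat "$3" 2>/dev/null)
    if [ "$new" = "$old" ]; then
        return 0                      # address unchanged, nothing to do
    fi
    [ -n "$old" ] && connmanctl disconnect "$old"
    set_config_host "$2" "$addr" || return 1
    printf '%s\n' "$new" > "$3"
    connmanctl services > /dev/null 2>&1   # refresh the service list
    sleep 2
    connmanctl connect "$new"
}

# Run from cron, e.g. every 10 minutes:
#   wg-ddns.sh myddns.duckdns.org /storage/.config/wireguard/WG-DDNS.config /storage/.config/wg-ddns.state
if [ $# -eq 3 ]; then
    reconnect_if_changed "$@"
fi
```

The address check matters because an empty or odd resolver answer would otherwise be written straight into the Host line and the old tunnel torn down for nothing.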

Hi @cubimol
since I could not get connmanctl to run from autostart.sh, I wrote a tiny bash script which I made executable and made it run from autostart.sh. Unfortunately, it doesn’t get executed and I have to run connmanctl connect vpn_<IP of WG server> from the command line to get the tunnel up and running. I am at a loss here.
My autostart.sh:

#!/bin/sh
(
/storage/start_WG_VPN.sh > /dev/null 2>&1
mount /dev/data /storage/emmc
mount /dev/sda2 /storage/BackupPlus
)&

start_WG_VPN.sh:

#!/bin/sh
/usr/bin/connmanctl connect vpn_<IP_of_WG_server>

Run ‘connmanctl services’ to see the services recognized by connman. If a vpn service is missing, it means that there is a .config file that is not configured correctly or is non-existent in the /storage/.config/wireguard directory.

Sigh. What this Thread showed me is that the current wg implementation is not acceptable. I will try to find some time to clean it up. We need to do it like common linux distros do it. I honestly never tried it in CE and it seems devastating.

connmanctl can only be called after the network is up and running, and the autostart service can run before that if the wait-for-network service is not used. That’s why autostart.sh is not recommended if you need reliable services.
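Following on from that point, an added example (not from the thread) of replacing a fixed sleep with a bounded wait: poll the routing table and connman until the network is really up, then connect, and give up after a deadline so a boot without network doesn’t hang the caller. It assumes `connmanctl state` prints a `State = online` (or `ready`) line once connman has connectivity; the service id is a placeholder.

```shell
#!/bin/sh
# Added example (not from the thread): wait for the network with a deadline
# before calling connmanctl, instead of "sleep 20s".
# Assumption: "connmanctl state" prints "State = online" / "State = ready".

# Run the probe command until it succeeds. $1 = deadline in seconds,
# $2 = poll interval in seconds, remaining args = probe command.
# Returns 0 as soon as the probe succeeds, 1 once the deadline has passed.
wait_for() {
    deadline=$1; interval=$2; shift 2
    waited=0
    until "$@" > /dev/null 2>&1; do
        [ "$waited" -lt "$deadline" ] || return 1
        sleep "$interval"
        waited=$((waited + interval))
    done
    return 0
}

# Probe 1: an IPv4 default route exists (the WireGuard endpoint is only
# reachable through it).
has_default_route() {
    ip -4 route show default 2>/dev/null | grep -q '^default'
}

# Probe 2: connman itself reports a usable connection.
connman_online() {
    connmanctl state 2>/dev/null | grep -Eq '^ *State *= *(ready|online)'
}

# Bring the tunnel up once both probes pass, giving up after 60 s each.
start_vpn() {   # $1 = connman service id, e.g. vpn_123_45_67_89
    wait_for 60 2 has_default_route || { echo "no default route after 60s" >&2; return 1; }
    wait_for 60 2 connman_online    || { echo "connman not online after 60s" >&2; return 1; }
    connmanctl connect "$1"
}

# Usage from autostart.sh or a unit: start_vpn.sh vpn_<IP_of_WG_server>
if [ $# -eq 1 ]; then
    start_vpn "$1"
fi
```

The deadline is the point: a script that waits forever for a network that never comes is as much of a problem at boot as one that fires too early.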

…the 20-second timeout is to make sure the network is enabled, this may not be professional, neither am I, and for me this has been working great for years :rofl:


Whatever works for you. Not judging. Whatever works.

I repeat again, I am not a computer professional, just a retired hobbyist who graduated in engineering (= things are good if they work well) 46 years ago :wink:, when mathematical operations were done with a slide rule.

Never doubted you. Sorry if that came out wrong.

Well @cubimol, the 20s sleep did it and now the VPN is up and running at boot time but I don’t think Kodi takes the remote database into account. I have to enter Movies twice on the welcome screen to see the remote database populating the list. So, my question is when is Kodi started, is it after autostart.sh or at the same time? How can I make sure Kodi starts after autostart.sh?
@Ray
Yes, there must be a simpler, more straightforward way to do these things, like it is done on Ubuntu. Unfortunately I will be of little help to make that happen, sorry. But I’m learning stuff along the way and that is always a bonus.
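An added example, not from the thread or from the CE/LE projects, that addresses two earlier questions at once: the one about copying connman-vpn.service and editing ExecStart=, and the one about making sure Kodi starts after the tunnel is up. Rather than editing the system unit, it writes a separate small oneshot unit that orders itself after network-online.target and before Kodi. It assumes (unconfirmed by the thread) that user units live in /storage/.config/system.d on CE/LE and that Kodi’s unit is kodi.service; the vpn_ service id is a placeholder.

```shell
#!/bin/sh
# Added example (not from the thread): generate a systemd unit that connects
# the connman WireGuard service after the network is online and before Kodi.
# Assumptions: user unit directory /storage/.config/system.d and Kodi unit
# name kodi.service (both assumed, not taken from the thread).

UNIT_DIR=${UNIT_DIR:-/storage/.config/system.d}

# Emit the unit text for the given connman service id.
vpn_unit_text() {   # $1 = service id such as vpn_123_45_67_89
    cat <<EOF
[Unit]
Description=Connect WireGuard tunnel $1 through connman
After=network-online.target connman.service connman-vpn.service
Wants=network-online.target
Before=kodi.service

[Service]
Type=oneshot
RemainAfterExit=yes
ExecStart=/usr/bin/connmanctl connect $1
ExecStop=/usr/bin/connmanctl disconnect $1

[Install]
WantedBy=multi-user.target
EOF
}

# Write the unit file; refuses ids that don't look like connman's vpn_ names,
# so nothing but [A-Za-z0-9_] ever ends up inside an ExecStart= line.
write_vpn_unit() {   # $1 = service id, $2 = directory (default UNIT_DIR)
    case "$1" in
        vpn_*) ;;
        *) echo "expected an id like vpn_123_45_67_89, got '$1'" >&2; return 1 ;;
    esac
    case "$1" in
        *[!A-Za-z0-9_]*) echo "service id has characters outside [A-Za-z0-9_]" >&2; return 1 ;;
    esac
    dir=${2:-$UNIT_DIR}
    mkdir -p "$dir" || return 1
    vpn_unit_text "$1" > "$dir/wg-vpn.service"
}

# After writing:  systemctl daemon-reload && systemctl enable --now wg-vpn.service
if [ $# -ge 1 ]; then
    write_vpn_unit "$@"
fi
```

Because the unit is ordered Before=kodi.service and is a oneshot, Kodi is only started once connmanctl has returned, which is what the autostart.sh approach cannot guarantee.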