Excellent, many thanks.
Add Wireguard support
-
gurabli -
July 29, 2019 at 7:40 AM -
Thread is Unresolved
-
-
Is there going to be any management of DDNS with endpoints? In the case of DDNS, WireGuard only resolves and stores the IP of an endpoint when the connection is established, which means that if the endpoint has a dynamic DNS name and the address changes, WireGuard isn't able to re-establish the tunnel automatically by itself. For that reason there are some scripts, like the official watchdog one, for managing these cases. Is there any way with the future LibreELEC module to do something similar?
Regards,
-
- Official Post
I'll add it to the list of things to think about.
-
Hi MrThreepwood,
I use a shell script to check the DynDNS address.
Replace the *variable* placeholders with your values.
The script is called in autostart.sh:
nohup /storage/.config/checkDynDns.sh &
Bash: checkDynDns.sh
#!/bin/sh
# Poll the peer once a minute; when it stops answering, re-resolve its DynDNS
# name and re-point the endpoint if the address has changed.
while true
do
    sleep 60
    check=`ping -c 1 *IP.Adr.wg0.peer* > /dev/null; echo $?`
    if [ "$check" != 0 ]; then
        # endpoint address the kernel currently holds for this peer
        currentIP=$(wg show wg0 endpoints | grep *PublicKeyPeer* | grep -E -o "([0-9]{1,3}[\.]){3}[0-9]{1,3}")
        # freshly resolved DynDNS address
        checkIP=$(nslookup *dyndns.adr.peer* | grep -i address | tail -n 1 | grep -E -o "([0-9]{1,3}[\.]){3}[0-9]{1,3}")
        # only update when the lookup succeeded and the address really changed
        # (variables are quoted so an empty lookup result cannot break the test)
        if [ -n "$checkIP" ] && [ "$currentIP" != "$checkIP" ]; then
            wg set wg0 peer *PublicKeyPeer* endpoint "$checkIP:51820"
        fi
    fi
done
-
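The decision logic behind a re-resolve check like the one above, as an added example that is not the script from the post or anything from the LibreELEC or wireguard-tools projects. It separates the decision (does the endpoint need re-pointing?) from the `wg` and name-lookup calls so the edge cases can be exercised on constructed input: a lookup that fails must not wipe the last known endpoint, an unchanged address must not trigger a `wg set`, and an IPv6 literal must be bracketed. The input format assumed is that of `wg show <iface> endpoints` (one line per peer, public key followed by `host:port` or `(none)`); the `reresolve_peer` glue assumes `getent(1)` is available for resolution, and the peer keys in the sample are placeholders.

```shell
#!/bin/sh
# Added example: DDNS re-resolve decision logic for a WireGuard peer.
# Not the forum script and not project code; see the lead-in for assumptions.

# current_endpoint WG_ENDPOINTS_OUTPUT PEER_PUBKEY
#   Prints the "host:port" the kernel currently holds for PEER_PUBKEY,
#   or nothing if that peer has no endpoint yet ("(none)").
current_endpoint() {
    printf '%s\n' "$1" | awk -v key="$2" '$1 == key && $2 != "(none)" { print $2 }'
}

# format_endpoint IP PORT -> "IP:PORT", bracketing IPv6 literals as wg expects.
format_endpoint() {
    case "$1" in
        *:*) printf '[%s]:%s\n' "$1" "$2" ;;
        *)   printf '%s:%s\n' "$1" "$2" ;;
    esac
}

# decide_update CURRENT_ENDPOINT RESOLVED_IP PORT
#   Prints the endpoint to apply and returns 0 when an update is needed.
#   Returns 1 with no output when nothing should change:
#     - resolution failed (empty RESOLVED_IP): keep the last known endpoint
#       rather than replacing a tunnel that may still be usable;
#     - the resolved address already matches the current endpoint.
decide_update() {
    cur="$1"; resolved="$2"; port="$3"
    [ -n "$resolved" ] || return 1
    new="$(format_endpoint "$resolved" "$port")"
    [ "$new" != "$cur" ] || return 1
    printf '%s\n' "$new"
}

# reresolve_peer IFACE PEER_PUBKEY DDNS_NAME PORT
#   Glue for a real system (assumed tools: wg, getent): re-resolve the name
#   and re-point the peer only if decide_update says so.
reresolve_peer() {
    iface="$1"; pubkey="$2"; name="$3"; port="$4"
    cur="$(current_endpoint "$(wg show "$iface" endpoints)" "$pubkey")"
    resolved="$(getent ahostsv4 "$name" | awk 'NR == 1 { print $1 }')"
    new="$(decide_update "$cur" "$resolved" "$port")" || return 0
    wg set "$iface" peer "$pubkey" endpoint "$new"
}

# Constructed sample of `wg show wg0 endpoints` output; the keys are placeholders.
PEER_A='PEER_A_PUBLIC_KEY_PLACEHOLDER='
PEER_B='PEER_B_PUBLIC_KEY_PLACEHOLDER='
SAMPLE_ENDPOINTS="$(printf '%s\t203.0.113.10:51820\n%s\t(none)\n' "$PEER_A" "$PEER_B")"

# Walk the three cases on the sample: unchanged address, changed address, failed lookup.
demo() {
    cur="$(current_endpoint "$SAMPLE_ENDPOINTS" "$PEER_A")"
    decide_update "$cur" "203.0.113.10" 51820 || echo "unchanged: keep $cur"
    decide_update "$cur" "198.51.100.7" 51820
    decide_update "$cur" "" 51820 || echo "lookup failed: keep $cur"
}

demo
```

Polling once a minute and only calling `wg set` on a real change, as the post's script also does, keeps the check cheap and avoids churning the handshake state for nothing.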
Hi MrThreepwood. I think you might have provided an incorrect link. The link you provided was to something related to Linux's "watchdog" driver. I believe you meant to link to the reresolve-dns.sh script in the contribs directory. A bit of trivia: Jason wrote this script after I raised the issue of dynamic DNS on the IRC way back in 2017. It was first just on a pastebin, and then he added it to the contribs directory.
-
Does this support currently work well on the libreelec-9.2 branch? I successfully built the branch and imaged my RPI4. I followed the steps in the linked WIKI to configure WireGuard and I seemingly connect from my LibreElec PI to the WireGuard server.
However, I am not able to ping in either direction and I'm not able to actually get any traffic to flow through the VPN. What are the best diagnostics steps I can take to figure out what's going on? I'm pretty technologically adept so happy to dig through logs and figure out what the potential issues could be.
-
Does this support currently work well on the libreelec-9.2 branch? I successfully built the branch and imaged my RPI4. I followed the steps in the linked WIKI to configure WireGuard and I seemingly connect from my LibreElec PI to the WireGuard server.
However, I am not able to ping in either direction and I'm not able to actually get any traffic to flow through the VPN. What are the best diagnostics steps I can take to figure out what's going on? I'm pretty technologically adept so happy to dig through logs and figure out what the potential issues could be.
I've been testing since initial support was added. There are a few small issues, but overall it has been working for me on an RPI2 and several other devices.
If you set up the WireGuard server yourself, you may want to try connecting to it from a different device to verify that your server is correctly set up and working, just to rule out the problem being on the server end.
If everything works with another client, then check the IP addresses used in your config.
There are unfortunately a few inconsistencies in the info on the wiki regarding the IP addresses used in the examples. (The config shown and the commands shown use different IP addresses, so it's an easy trap for anybody just doing a copy-paste.)
If in the server's config you have something like the following
Then in your client config you will need to have
If you would like I can post full config files for both my server and client setup, in case that might help you spot any possible issue in your own setup.
-
- Official Post
cdu13a drop me an email with the wiki consistencies and I'll correct them.
-
I'm using a PiVPN setup with WireGuard as the server. It does work with multiple other devices so I'm a bit confused why it doesn't work here. I actually do see the connection coming into the server but no traffic flowing. I've pasted the appropriate snippets here from my WireGuard config for ConnMan. I've got a second VPN set up in my router itself which is based on OpenVPN so I might try and get that set up for now but would really love to see/help get WireGuard set up properly and integrated.
Code
[provider_wireguard]
Type = WireGuard
Name = VPN
Host = NNN.ddns.net
Domain = vpn.apartment
WireGuard.Address = 10.6.0.6/24
WireGuard.ListenPort =
WireGuard.PrivateKey = <KEY>
WireGuard.PublicKey = <KEY>
WireGuard.PresharedKey = <KEY>
WireGuard.DNS = 10.6.0.1
WireGuard.AllowedIPs = 0.0.0.0/0
WireGuard.EndpointPort = 3886
WireGuard.PersistentKeepalive = 25
The actual config from WireGuard is as follows:
Code
[Interface]
PrivateKey = <KEY>
Address = 10.6.0.6/24
DNS = 10.6.0.1

[Peer]
PublicKey = <KEY>
PresharedKey = <KEY>
Endpoint = NNN.ddns.net:3886
AllowedIPs = 0.0.0.0/0
Everything seems ok to me but please do let me know if I missed anything.
The other thing I also noticed is that the /etc/resolv.conf that's updated by ConnMan includes name servers from each of the connections. I'd be curious to see if there's a way to have ConnMan only use the name server specified by WireGuard. Otherwise it's using the DNS from my local internet first before going across the VPN.
I'm happy to tweak code/look at any logs if I can get some pointers where to start. Thanks in advance!
-
- Official Post
The other thing I also noticed is that the /etc/resolv.conf that's updated by ConnMan includes name servers from each of the connections. I'd be curious to see if there's a way to have ConnMan only use the name server specified by WireGuard. Otherwise it's using the DNS from my local internet first before going across the VPN.
I've noticed this but resolving it [sic] is complicated. LE does not use the internal DNS proxy in ConnMan, and ConnMan will add/remove the extra DNS servers from the WireGuard config but will not remove the initial (local network) entry at the same time. ConnMan devs are not interested in looking into this as they regard /etc/resolv.conf as a legacy approach. LE has no plan to switch back to using the DNS proxy; in the past we found lots of bugs but the main issue was consistent user reports of "My DNS is broken" because the Kodi sysinfo screen (correctly) shows 127.0.0.1 as the DNS server and this is attributed as the source of all network issues by inexperienced users. The fix probably requires LE to move to systemd-resolved but that will be a rather invasive and political change .. won't happen overnight. NB: It's not a well-known fact, but libc will only use the first 3x DNS servers listed, even if more are in the file.
I've experimented with the following systemd service which has some added Pre/Post calls:
Code
[Unit]
Description=WireGuard VPN Service
After=network-online.target nss-lookup.target connman-vpn.service
Before=kodi.service

[Service]
Type=oneshot
RemainAfterExit=yes
ExecStartPre=/bin/sh -c '/storage/fix_dns_leaks StartPre'
ExecStart=/usr/bin/connmanctl connect <service_name>
ExecStartPost=/bin/sh -c '/storage/fix_dns_leaks StartPost'
ExecStop=/usr/bin/connmanctl disconnect <service_name>
ExecStopPost=/bin/sh -c '/storage/fix_dns_leaks StopPost'

[Install]
WantedBy=multi-user.target
The /storage/fix_dns_leaks script looks like:
Bash
#!/bin/bash
# SPDX-License-Identifier: GPL-2.0
# Copyright (C) 2020-present Team LibreELEC (https://libreelec.tv)

case $1 in
  StartPre)
    # keep a copy of the pre-VPN resolver list so it can be restored on stop
    mkdir -p /storage/.cache/wireguard
    cp /run/libreelec/resolv.conf /storage/.cache/wireguard/resolv.conf
    ;;
  StartPost)
    # drop nameservers on private (RFC 1918) ranges, i.e. the local network's resolvers;
    # the pattern is anchored so that e.g. 110.x.x.x or 172.160.x.x are not caught by accident
    LOCALNS=$(grep -E '^nameserver (10\.|172\.(1[6-9]|2[0-9]|3[01])\.|192\.168\.)' /run/libreelec/resolv.conf | awk '{print $2}')
    for NS in $LOCALNS; do
      # anchored so that deleting 10.6.0.1 does not also delete 10.6.0.10
      sed -i "/^nameserver ${NS}\$/d" /run/libreelec/resolv.conf
    done
    ;;
  StopPost)
    # restore the pre-VPN resolver list
    cp /storage/.cache/wireguard/resolv.conf /run/libreelec/resolv.conf
    rm /storage/.cache/wireguard/resolv.conf
    ;;
esac
If you only start/stop the connection at boot time via systemd this script appears to work. If you start connecting/disconnecting the connection via dbus (using the connections screen in the settings add-on) the logic is faulty somewhere and at some point you end up with no DNS servers .. I haven't had time to look into it much further due to work and other time commitments. I'd be happy if others started digging around..
-
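An added example of the same StartPre/StartPost/StopPost idea that is not the script from the post above and not LibreELEC code. Instead of guessing which resolvers are "local" by address range, it keeps only the nameserver entries that were not present in the snapshot taken before the VPN came up; that way a VPN resolver that itself sits on 10.x (as in the 10.6.0.1 config earlier in the thread) survives, and the script refuses to ever write a resolv.conf with no nameserver at all, which is the "no DNS servers" failure mode described above. The file paths are the ones from the post; the function names, the `tr`/`awk` helpers and the sample resolv.conf contents are constructed for the example.

```shell
#!/bin/sh
# Added example: snapshot-based DNS leak fix for resolv.conf with a fail-safe.
# Not the forum script and not project code; see the lead-in for assumptions.

# nameservers CONTENT -> the nameserver addresses in CONTENT, one per line, in order.
nameservers() {
    printf '%s\n' "$1" | awk '$1 == "nameserver" { print $2 }'
}

# count_nameservers CONTENT -> number of nameserver lines (prints 0 for none).
count_nameservers() {
    printf '%s\n' "$1" | awk '$1 == "nameserver" { n++ } END { print n + 0 }'
}

# effective_nameservers CONTENT -> the entries glibc will actually consult:
#   it reads at most the first three, as the post notes, so anything listed
#   after a leaked local resolver may never be asked at all.
effective_nameservers() {
    nameservers "$1" | head -n 3
}

# strip_pre_vpn_nameservers SNAPSHOT CURRENT
#   Prints CURRENT with every nameserver line that already existed in SNAPSHOT
#   removed; other lines ("search", comments) are kept. If that would leave no
#   nameserver at all, prints CURRENT unchanged and returns 1 so the caller can
#   log it instead of breaking name resolution.
strip_pre_vpn_nameservers() {
    snapshot="$1"; current="$2"
    pre="$(nameservers "$snapshot" | tr '\n' ' ')"
    filtered="$(printf '%s\n' "$current" | awk -v pre="$pre" '
        BEGIN { n = split(pre, a, " "); for (i = 1; i <= n; i++) old[a[i]] = 1 }
        $1 == "nameserver" && ($2 in old) { next }
        { print }')"
    if [ "$(count_nameservers "$filtered")" -eq 0 ]; then
        printf '%s\n' "$current"
        return 1
    fi
    printf '%s\n' "$filtered"
}

# Hook glue mirroring the post's systemd unit (paths from the post).
RESOLV=/run/libreelec/resolv.conf
SNAPSHOT=/storage/.cache/wireguard/resolv.conf

fix_dns_leaks() {
    case "$1" in
        StartPre)
            mkdir -p "$(dirname "$SNAPSHOT")"
            cp "$RESOLV" "$SNAPSHOT"
            ;;
        StartPost)
            new="$(strip_pre_vpn_nameservers "$(cat "$SNAPSHOT")" "$(cat "$RESOLV")")" \
                || echo "fix_dns_leaks: VPN added no resolver, leaving $RESOLV untouched" >&2
            printf '%s\n' "$new" > "$RESOLV"
            ;;
        StopPost)
            cp "$SNAPSHOT" "$RESOLV"
            rm -f "$SNAPSHOT"
            ;;
    esac
}

# Constructed sample resolver state before and after the VPN connected.
SAMPLE_PRE="$(printf 'search lan\nnameserver 192.168.1.1\n')"
SAMPLE_POST="$(printf 'search lan\nnameserver 192.168.1.1\nnameserver 10.6.0.1\n')"

# Show the filtered result and the fail-safe on the sample.
demo() {
    strip_pre_vpn_nameservers "$SAMPLE_PRE" "$SAMPLE_POST"
    strip_pre_vpn_nameservers "$SAMPLE_POST" "$SAMPLE_POST" > /dev/null \
        || echo "fail-safe: nothing new was added, keeping the current file"
}

demo
```

Because the snapshot is taken at StartPre and restored at StopPost, the same snapshot also answers the question of which entries to put back on disconnect, so the two halves of the script cannot drift apart; the remaining gap is the dbus connect/disconnect path the post mentions, which bypasses these hooks entirely.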
I'm very happy about the 9.2.1 update and the WireGuard integration! Thank you very much chewitt!!!
But I have a problem with the connection, too.
I use an OPNsense firewall with WireGuard for 4 devices (Ubuntu notebook, iPhone, Android tablet).
But with the LibreELEC Pi I have a problem connecting.
Code
[provider_wireguard]
Type = WireGuard
Name = wireguard
Host = xxxxx
Domain = fritz.box
WireGuard.Address = 10.9.8.20/24
WireGuard.ListenPort = 51820
WireGuard.PrivateKey = xxxxx (from /storage/.cache/wireguard/privatekey)
WireGuard.PublicKey = xxxxxx (from my server)
WireGuard.PresharedKey = xxxxxx (from /storage/.cache/wireguard/preshared)
WireGuard.DNS = 192.168.215.1
WireGuard.AllowedIPs = 0.0.0.0/0
WireGuard.EndpointPort = 51821 (yes it's right)
WireGuard.PersistentKeepalive = 15
Of course I use the config on my server (public key /storage/.cache/wireguard/publickey + preshared).
I can see the incoming traffic, but I can't ping (from server or client to the other) and there is no handshake from the client.
Strange: I had a connection for 2 seconds and some pings came in when I deleted the preshared key on both sides, but only for 2-3 pings.
Do you have an idea what's wrong?
-
-
Hey Mark83
Yes, you are right!!!! If I use my IP it's working! Perfect, thank you
Hmm, very sad, I need DDNS for my external IP and internal, too
-
trayntab glad to help
At least we know where the issue is. I also hope to find the solution with the DDNS.
-
- Official Post
From ConnMan devs:
"ConnMan resolves the FQDN on start of the VPN service and hands over the IP address to the WireGuard device. The WireGuard kernel code doesn't do any resolving. I am going to post a patch which reresolves the Endpoint address. If the address changes ConnMan will 'update' the WireGuard device. I've stolen this idea from reresolve-dns.sh « reresolve-dns « contrib - wireguard-tools - Required tools for WireGuard, such as wg(8) and wg-quick(8)"
There's also a second patch to remove "WireGuard.domain" from the config as "Domain" isn't really needed. NB: After this patch is included the internal service identifier will change needing you to correct any systemd files.
Patches => [PATCH 0/2] WireGuard/VPN small tweaks. - connman - Ml01.01.Org
If some of you are self-building images .. it would be good if you can test these patches. Please provide feedback to this thread and if there are positive reports on the DDNS improvement I will ack the changes on the list so things get merged upstream (and then added to the LE codebase).
-
Hey chewitt,
Thank you so much! I don't know how to build an image myself. Is there a tutorial for that? Or is it possible that you could upload an image for a Raspberry Pi 3? That would be great. Best regards
Trayntab
-
Please, could you give me a hint how to install/enable the ConnMan VPN plugin (connman-vpn.service)? Unfortunately, I have only some very basic Linux skills.
-
Hi
If you're on 9.2.1 it's already installed. You need to SSH in with something like PuTTY. Then cd /storage/.config/wireguard. Put your mywireguard.config in there.
Good luck
-