Add Wireguard support

  • Is there going to be any management of DDNS with Endpoints? In the case of DDNS, WireGuard only translates and stores the IP of an endpoint when the connection is established, which means that if the endpoint has a dynamic DNS name and it changes, it isn't able to re-establish the tunnel automatically by itself. For that reason there are some scripts, like the official watchdog one, for managing these cases. Is there any way with the future LibreELEC module to do something similar?

    Regards,

  • Hi MrThreepwood,

    I use a shell script to check the DynDNS address.

    Replace the *variable* with your values.

    The script is called in autostart.sh:

    nohup /storage/.config/checkDynDns.sh &

  • Hi MrThreepwood. I think you might have provided an incorrect link. The link you provided was to something related to Linux's "watchdog" driver. I believe you meant to link to the reresolve-dns.sh script in the contribs directory. A bit of trivia: Jason wrote this script after I raised the issue of dynamic DNS on IRC way back in 2017. It was first just on a pastebin, and then he added it to the contribs directory. :)

  • Does this support currently work well on the libreelec-9.2 branch? I successfully built the branch and imaged my RPI4. I followed the steps in the linked WIKI to configure WireGuard and I seemingly connect from my LibreElec PI to the WireGuard server.

    However, I am not able to ping in either direction and I'm not able to actually get any traffic to flow through the VPN. What are the best diagnostics steps I can take to figure out what's going on? I'm pretty technologically adept so happy to dig through logs and figure out what the potential issues could be.

  • Does this support currently work well on the libreelec-9.2 branch? I successfully built the branch and imaged my RPI4. I followed the steps in the linked WIKI to configure WireGuard and I seemingly connect from my LibreElec PI to the WireGuard server.

    However, I am not able to ping in either direction and I'm not able to actually get any traffic to flow through the VPN. What are the best diagnostics steps I can take to figure out what's going on? I'm pretty technologically adept so happy to dig through logs and figure out what the potential issues could be.

    I've been testing since initial support was added. There are a few small issues, but overall it has been working for me on an RPI2 and several other devices.

    If you set up the WireGuard server yourself, you may want to try connecting to it from a different device to verify that your server is correctly set up and working, just to rule out the problem being on the server end.

    If everything works with another client, then check the IP addresses used in your config.

    There are unfortunately a few inconsistencies in the info on the wiki with regard to the IP addresses used in the examples. (The config shown and the commands shown use different IP addresses, so it is an easy trap for anybody just doing a copy-paste.)

    If in the server's config you have something like the following:

    Code
    [Interface]
    Address = 10.10.10.1/24
    [Peer]
    AllowedIPs = 10.10.10.2/32

    Then on your client config you will need to have

    Code
    WireGuard.Address = 10.10.10.2/24

    If you would like I can post full config files for both my server and client setup, in case that might help you spot any possible issue in your own setup.
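The address trap described in this post can be checked mechanically. The following is an added example (not the poster's configs or code): it parses a server-side WireGuard config and the ConnMan client excerpt and reports whether the client's WireGuard.Address sits inside the server's tunnel subnet and is covered by the server's AllowedIPs. The sample configs and the CLIENT_PUBKEY_PLACEHOLDER value are constructed.

```python
import re
from ipaddress import ip_interface, ip_network

# Constructed sample configs (not from the thread) reproducing the copy-paste
# trap: the server side and the ConnMan client side come from different
# wiki examples and do not agree on tunnel addresses.
SERVER_CONF = """[Interface]
Address = 10.10.10.1/24
[Peer]
PublicKey = CLIENT_PUBKEY_PLACEHOLDER
AllowedIPs = 10.10.10.2/32
"""
BAD_CLIENT_CONF = "WireGuard.Address = 10.6.0.6/24\n"     # copied from the other example
GOOD_CLIENT_CONF = "WireGuard.Address = 10.10.10.2/24\n"  # matches the server above


def _values(conf: str, key: str) -> list:
    """All values of `key = value` lines in an INI-style WireGuard/ConnMan config."""
    return re.findall(rf"^{re.escape(key)}\s*=\s*(.+?)\s*$", conf, re.M)


def check_addresses(server_conf: str, client_conf: str) -> list:
    """Return the address mismatches between server and client; empty means consistent."""
    # Only the first address of a possibly comma-separated list is examined.
    server_if = ip_interface(_values(server_conf, "Address")[0].split(",")[0].strip())
    client_if = ip_interface(_values(client_conf, "WireGuard.Address")[0].split(",")[0].strip())
    allowed = [ip_network(n.strip())
               for v in _values(server_conf, "AllowedIPs") for n in v.split(",")]
    problems = []
    # 1. the client must sit inside the server's tunnel subnet, or replies leave via the wrong route
    if client_if.ip not in server_if.network:
        problems.append(f"client address {client_if.ip} is outside server subnet {server_if.network}")
    # 2. the server only accepts and routes packets whose inner source is in the peer's AllowedIPs
    if not any(client_if.ip in net for net in allowed):
        problems.append(f"no server [Peer] AllowedIPs entry covers {client_if.ip}")
    # 3. both ends using the same tunnel address can never reach each other
    if client_if.ip == server_if.ip:
        problems.append("client reuses the server's own tunnel address")
    return problems


if __name__ == "__main__":
    for name, conf in (("bad", BAD_CLIENT_CONF), ("good", GOOD_CLIENT_CONF)):
        print(name, check_addresses(SERVER_CONF, conf) or "OK")
```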

  • I'm using a PiVPN setup with WireGuard as the server. It does work with multiple other devices so I'm a bit confused why it doesn't work here. I actually do see the connection coming into the server but no traffic flowing. I've pasted the appropriate snippets here from my WireGuard config for ConnMan. I've got a second VPN set up in my router itself which is based on OpenVPN so I might try and get that set up for now but would really love to see/help get WireGuard set up properly and integrated.

    The actual config from WireGuard is as follows:

    Code
    [Interface]
    PrivateKey = <KEY>
    Address = 10.6.0.6/24
    DNS = 10.6.0.1
    
    [Peer]
    PublicKey = <KEY>
    PresharedKey = <KEY>
    Endpoint = NNN.ddns.net:3886
    AllowedIPs = 0.0.0.0/0

    Everything seems ok to me but please do let me know if I missed anything.

    The other thing I also noticed is that the /etc/resolv.conf that's updated by ConnMan includes name servers from each of the connections. I'd be curious to see if there's a way to have ConnMan only use the name server specified by WireGuard. Otherwise it's using the DNS from my local internet first before going across the VPN.

    I'm happy to tweak code/look at any logs if I can get some pointers where to start. Thanks in advance!

  • The other thing I also noticed is that the /etc/resolv.conf that's updated by ConnMan includes name servers from each of the connections. I'd be curious to see if there's a way to have ConnMan only use the name server specified by WireGuard. Otherwise it's using the DNS from my local internet first before going across the VPN.

    I've noticed this but resolving it [sic] is complicated. LE does not use the internal DNS proxy in ConnMan, and ConnMan will add/remove the extra DNS servers from the WireGuard config but will not remove the initial (local network entry) at the same time. ConnMan devs are not interested in looking into this as they regard /etc/resolv.conf as a legacy approach. LE has no plan to switch back to using the DNS proxy; in the past we found lots of bugs but the main issue was consistent user reports of "My DNS is broken" because the Kodi sysinfo screen (correctly) shows 127.0.0.1 as the DNS server and this is attributed as the source of all network issues by inexperienced users. The fix probably requires LE to move to systemd-resolved but that will be a rather invasive and political change .. won't happen overnight. NB: It's not a well-known fact, but libc will only use the first 3x DNS servers listed, even if more are in the file.

    I've experimented with the following systemd service which has some added Pre/Post calls:

    The /storage/fix_dns_leaks script looks like:

    If you only start/stop the connection at boot time via systemd this script appears to work. If you start connecting/disconnecting the connection via dbus (using the connections screen in the settings add-on) the logic is faulty somewhere and at some point you end up with no DNS servers .. I haven't had time to look into it much further due to work and other time commitments. I'd be happy if others started digging around..
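Since neither the service unit nor the /storage/fix_dns_leaks script is reproduced above, the following is an added illustration (not chewitt's script) of what such a Pre/Post hook has to reason about: which nameservers libc will actually consult given its three-server limit, and a conservative rewrite that keeps only the tunnel resolvers but leaves the file untouched when none are present, so a mis-ordered hook cannot leave the box with no DNS at all. The resolv.conf content and addresses are constructed samples.

```python
# Constructed /etc/resolv.conf as ConnMan writes it once the tunnel is up:
# the local router's resolver stays first and the WireGuard DNS is appended.
SAMPLE_RESOLV = """# Generated by Connection Manager
nameserver 192.168.1.1
nameserver 10.6.0.1
"""
MAXNS = 3  # glibc's stub resolver only honours the first three nameserver lines


def nameservers(resolv_text: str) -> list:
    """Nameserver addresses in file order, comments and other directives skipped."""
    return [line.split()[1] for line in resolv_text.splitlines()
            if line.strip().startswith("nameserver") and len(line.split()) > 1]


def dns_leak_report(resolv_text: str, tunnel_dns: set) -> dict:
    """Which of the resolvers libc will really use lie outside the tunnel."""
    all_ns = nameservers(resolv_text)
    used, ignored = all_ns[:MAXNS], all_ns[MAXNS:]
    return {
        # libc asks servers in order, so a local resolver in slot 1 answers first
        "first_choice_is_tunnel": bool(used) and used[0] in tunnel_dns,
        "leaking_servers": [ns for ns in used if ns not in tunnel_dns],
        # a tunnel resolver appended as the 4th+ entry is never consulted at all
        "tunnel_dns_ignored": [ns for ns in ignored if ns in tunnel_dns],
    }


def tunnel_only(resolv_text: str, tunnel_dns: set) -> str:
    """resolv.conf restricted to the tunnel resolvers; returned unchanged if none
    are present, so the hook can never produce a file with zero nameservers."""
    keep = [ns for ns in nameservers(resolv_text) if ns in tunnel_dns]
    if not keep:
        return resolv_text
    other = [l for l in resolv_text.splitlines() if not l.strip().startswith("nameserver")]
    return "\n".join(other + [f"nameserver {ns}" for ns in keep]) + "\n"


if __name__ == "__main__":
    print(dns_leak_report(SAMPLE_RESOLV, {"10.6.0.1"}))
    print(tunnel_only(SAMPLE_RESOLV, {"10.6.0.1"}))
```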

  • I'm very happy about that update 9.2.1 and the wireguard integration! Thank you very much chewitt!!!

    But I have a problem with the connection, too.

    I use an OPNsense firewall with WireGuard for 4 devices (ubuntu-notebook, iPhone, androidTablet).

    But with the LibreELEC Pi I have a problem connecting.

    Of course I use the config on my server (public key /storage/.cache/wireguard/publickey + preshared).

    I can see the incoming traffic, but I can't ping (from server or client to the other) and there is no handshake from the client.

    Strange: I had a connection for 2 seconds and some pings were incoming when I deleted the preshared key on both sides, but only for 2-3 pings.

    Do you have an idea what's wrong?

    Edited once, last by trayntab (March 12, 2020 at 7:53 PM).

  • Hello adityaag and trayntab. Are you using a static IP or a DDNS in the "Host" field? I had the same problem and the solution was using the external IP.

    I don't know if there is a way of using the ddns hostname.

    Edited once, last by Mark83 (March 14, 2020 at 9:13 AM).

  • From ConnMan devs:

    "ConnMan resolves the FQDN on start of the VPN service and hands over the IP address to the WireGuard device. The WireGuard kernel code doesn't do any resolving. I am going to post a patch which reresolves the Endpoint address. If the address changes ConnMan will 'update' the WireGuard device. I've stolen this idea from reresolve-dns.sh « reresolve-dns « contrib - wireguard-tools - Required tools for WireGuard, such as wg(8) and wg-quick(8)"

    There's also a second patch to remove "WireGuard.domain" from the config as "Domain" isn't really needed. NB: After this patch is included the internal service identifier will change needing you to correct any systemd files.

    Patches => [PATCH 0/2] WireGuard/VPN small tweaks. - connman - Ml01.01.Org

    If some of you are self-building images .. it would be good if you can test these patches. Please provide feedback to this thread and if there are positive reports on the DDNS improvement I will ack the changes on the list so things get merged upstream (and then added to the LE codebase).
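The re-resolve logic discussed in MrThreepwood's question, the reresolve-dns.sh reference, and the ConnMan patch quoted above all come down to the same decision: if the peer has been silent long enough to look dead, resolve the Endpoint hostname again and repoint the kernel peer only when the address differs. The following added example (not ConnMan's patch or the wireguard-tools script) implements that decision offline; the config, the `wg show` output samples, PEER_PUBKEY_PLACEHOLDER and the resolver callback are constructed, and the 135 s staleness threshold is the one the upstream reresolve-dns.sh script uses.

```python
import re
from typing import Callable, Optional

# Constructed sample client config (placeholder key and host, not from the thread).
SAMPLE_CONF = """[Interface]
PrivateKey = <KEY>
Address = 10.6.0.6/24
[Peer]
PublicKey = PEER_PUBKEY_PLACEHOLDER
Endpoint = NNN.ddns.net:3886
AllowedIPs = 0.0.0.0/0
"""
# Constructed samples of `wg show wg0 endpoints` and `wg show wg0 latest-handshakes`.
SAMPLE_ENDPOINTS = "PEER_PUBKEY_PLACEHOLDER\t203.0.113.10:3886\n"
SAMPLE_HANDSHAKES = "PEER_PUBKEY_PLACEHOLDER\t1700000000\n"
# A peer silent for longer than this is presumed unreachable; reresolve-dns.sh uses 135 s.
STALE_AFTER = 135


def parse_peer_endpoint(conf: str) -> tuple:
    """(pubkey, host, port) of the first [Peer] that carries an Endpoint."""
    pubkey = re.search(r"^PublicKey\s*=\s*(\S+)", conf, re.M).group(1)
    host, port = re.search(r"^Endpoint\s*=\s*(.+):(\d+)\s*$", conf, re.M).groups()
    return pubkey, host.strip("[]"), int(port)   # strip [] from a bracketed IPv6 literal


def field_for(wg_output: str, pubkey: str) -> Optional[str]:
    """Second column of a tab-separated `wg show <if> ...` listing for one peer key."""
    for line in wg_output.splitlines():
        key, _, value = line.partition("\t")
        if key == pubkey:
            return value
    return None


def reresolve_command(conf: str, endpoints_out: str, handshakes_out: str,
                      resolve: Callable[[str], Optional[str]], now: int,
                      iface: str = "wg0") -> Optional[list]:
    """argv for `wg set` repointing the peer at its re-resolved address, or None if nothing to do."""
    pubkey, host, port = parse_peer_endpoint(conf)
    last = int(field_for(handshakes_out, pubkey) or 0)   # 0 means the peer never handshaked
    if now - last <= STALE_AFTER:
        return None                    # tunnel is alive: do not disturb a working peer
    new_ip = resolve(host)             # resolver is injected so the logic runs offline
    if new_ip is None:
        return None                    # DNS failure: keep the last known good endpoint
    new_ep = f"[{new_ip}]:{port}" if ":" in new_ip else f"{new_ip}:{port}"
    if new_ep == field_for(endpoints_out, pubkey):
        return None                    # DDNS still points where the kernel already sends
    return ["wg", "set", iface, "peer", pubkey, "endpoint", new_ep]
```

In a real watchdog the three inputs come from the config file and `wg show <iface> endpoints` / `wg show <iface> latest-handshakes`, the resolver from socket.getaddrinfo, and the returned argv is handed to subprocess.run.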

  • Hey chewitt,

    Thank you so much! I don't know how to build an image by myself. Is there a tutorial for that? Or is it possible that you can upload an image for a Raspberry Pi 3? That would be great.

    Best regards

    Trayntab

  • Please, could you give me a hint how to install/enable the ConnMan VPN plugin (connman-vpn.service)? Unfortunately, I own only some very basic linux skills.

  • Hi

    If you're on 9.2.1 it's already installed. You need to ssh in with something like PuTTY. Then cd /storage/.config/wireguard. Put your mywireguard.config in there.

    Good luck:)