novalis Yes, something like this was also my first thought, although it is only a workaround.
Thanks for sharing this.
Question regarding Wireguard. Is Libreelec able to act as a Wireguard Server? No need for traffic tunneling, I just want to be able to remotely support a Libreelec system from external networks (elderly user, check logs, reboot, fix accidental settings changes etc).
Cranial there is nothing to prevent LE being a WireGuard server, but there is no packaging/scripts/etc. in the distro to support that so you'll need to handle it yourself. NB: Our SSH daemon listens on all interfaces by default so if the elderly user "client" end connects to a WireGuard "server" when support is needed you can always SSH from the server to the private (remote) IP of the WG client in a "reverse tunnel" arrangement.
Thanks chewitt, that might be a better way to handle this. Connecting to a server on my end negates the need for a static IP or DDNS on their end. I'll have a think about how to best accomplish this.
Some rough patches to address using an FQDN were posted to the connman mailing list about two months ago. I shared links to them at the same time and so-far received zero feedback. From this I conclude that nobody cares enough to contribute a little effort to testing. I blow hot/cold on my desire to do everything and have other priorities on my to-do list, so I suggest someone else pulls a finger out for once.
That's a shame. Being able to use FQDN would be superb. I spent a while earlier thinking I'd gone mad before realising that was the reason I couldn't establish the connection. I'd be happy to help test if you were still looking for someone?
My quick shot on this was to get the IP myself and write it to the conf file like this:
#!/bin/sh
# resolve the dynamic DNS name; the IP is the first field of the getent output
# hosts is here my local hosts file, you might have to change that to your needs
myipstr=$(getent hosts my.dynip.com | awk 'NR==1 {print $1}')
# replace line 4 in wireguard.config with actual ip
sed -i "4s/.*/Host = $myipstr/" /storage/.config/wireguard/wireguard.config
# make servicename by replacing . with _ assuming your domainname in wireguard.conf is kodi.tv
servicename=$(echo "vpn_${myipstr}_kodi_tv" | tr . _)
# put connman commands into two little switches
echo "connmanctl connect $servicename" > wgon
echo "connmanctl disconnect $servicename" > wgoff
chmod +x wgon wgoff
now you can use those switches to start and stop wireguard.
If you schedule the above script with cron, you are always equipped with your current IP.
Thanks for this, worked perfectly. Though can't seem to get Cron working in LE. I've enabled the systemd for Cron to run and have tasks scheduled to run this script both on boot and periodically, and Cron shows that they are queued but they never fire. The script works fine if I run it manually, so I know it's not a script issue or a permissions issue (tried chmod 777 just in case), so I have no idea what is wrong with Cron under LE. If anyone knows, please let me know.
Used the quickshot from novalis and it works.
Many Thx.
Is there a fix on the horizon for the issue with using a domain name for Host? This cost me several hours of headache today although fortunately I came across this thread which helped me figure out why I couldn't ping or route any traffic. I tweaked novalis' script and am running it on a cron job that runs every 15 minutes and on reboot, I'm using this instead of a systemd service.
#!/bin/sh
# resolve the current IP of the domain and read the IP that is currently in the config (line 4)
newipstr=$(getent ahosts yourdomain.name | grep -oE -m 1 '^([0-9]{1,3}\.){3}[0-9]{1,3}')
oldipstr=$(sed -n 4p /storage/.config/wireguard/wg0.config | grep -oE "\b([0-9]{1,3}\.){3}[0-9]{1,3}\b")
# do nothing if the name could not be resolved, otherwise we would write an empty Host line
[ -n "$newipstr" ] || exit 1
# make servicename by replacing . with _
newservicename=$(echo "vpn_${newipstr}" | tr . _)
oldservicename=$(echo "vpn_${oldipstr}" | tr . _)
#echo "new service $newservicename"
#echo "old service $oldservicename"
if [ "$newipstr" = "$oldipstr" ]; then
    iseq=true
    #echo "ips same"
else
    # replace line 4 in wireguard.config with actual ip
    sed -i "4s/.*/Host = $newipstr/" /storage/.config/wireguard/wg0.config
    iseq=false
    #echo "ips different"
fi
if [ -z "$(wg)" ]; then
    # wireguard is not connected
    connmanctl connect "$newservicename"
else
    # wireguard is connected, switch services only if the ip changed
    if [ "$iseq" != true ]; then
        connmanctl disconnect "$oldservicename"
        connmanctl connect "$newservicename"
    fi
fi
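The resolve-and-rewrite approach of the two scripts above, as an added example that is not from anyone in this thread: it finds the Host key by name instead of assuming line 4, validates the resolved address before touching the file, and only reconnects when the address actually changed. The config path, the hostname and the vpn_<ip> service naming are assumptions taken from the posts above.

```shell
#!/bin/sh
# Added example, not from the thread. Resolves the endpoint FQDN and rewrites the
# "Host = ..." line of a connman WireGuard config only when the address changed,
# matching the key by name rather than assuming it sits on line 4.
# CONF, FQDN and the vpn_<ip> service naming are assumptions taken from the thread.
CONF="${WG_CONF:-/storage/.config/wireguard/wg0.config}"
FQDN="${WG_FQDN:-vpn.example.org}"

# 0 if $1 is a dotted-quad IPv4 address with every octet in 0..255, else 1.
valid_ipv4() {
    echo "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
    old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
    for o in "$@"; do [ "$o" -le 255 ] || return 1; done
    return 0
}

# First IPv4 address the system resolver returns for hostname $1 (empty if none).
resolve_ipv4() {
    getent ahosts "$1" | awk '$1 ~ /^[0-9.]+$/ { print $1; exit }'
}

# Current value of the Host key in config file $1.
current_host() {
    sed -n 's/^[[:space:]]*Host[[:space:]]*=[[:space:]]*//p' "$1" | head -n 1
}

# Set Host in $1 to $2. Returns 0 if rewritten, 1 if already equal, 2 if $2 is not IPv4.
update_host() {
    valid_ipv4 "$2" || return 2
    [ "$(current_host "$1")" = "$2" ] && return 1
    sed -i "s/^\([[:space:]]*Host[[:space:]]*=[[:space:]]*\).*/\1$2/" "$1"
}

main() {
    old=$(current_host "$CONF")
    new=$(resolve_ipv4 "$FQDN")
    rc=0; update_host "$CONF" "$new" || rc=$?
    case $rc in
        2) echo "no IPv4 address for $FQDN, leaving $CONF untouched" >&2; return 1 ;;
        1) return 0 ;;   # address unchanged, nothing to do
    esac
    # connman names the provider service vpn_<Host with dots as underscores>
    connmanctl disconnect "vpn_$(echo "$old" | tr . _)" >/dev/null 2>&1 || true
    connmanctl connect "vpn_$(echo "$new" | tr . _)"
}

# Run the update only when invoked as "script run" (e.g. from cron or a systemd unit).
if [ "${1:-}" = run ]; then main; fi
```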
I thought "wireguard: Regular reresolve endpoint address" (igaw/connman@90592f7 on GitHub) should have solved this issue? If not I might need you to explain the problem properly so I can replicate it and nag the ConnMan devs.
I can confirm that the domain name issue is still not fixed.
Thankfully I came across this post; it took me a few hours of debugging to find out that the main issue was the domain name. Replacing it with the host IP worked.
I _think_ the issue might be with ConnMan not setting the route for the Wireguard server IP, I noticed that replacing the domain name with the IP added this route
PUBLIC_IP_WG_SERVER HOME_ROUTER_IP 255.255.255.255 UGH 0 0 0 eth0
Thanks, this helped me. The way connman is managing the route tables just doesn't look right. Wireguard's AllowedIPs setting and the connman Networks setting are the same thing - entries to be added to the route table - and for my needs I only want it to add the entry to the VPN server (where my tvheadend lives).
I was thinking about this further and for my use case (remote access to my tvheadend server), I have created a short systemd service script that just configures Wireguard directly. This leaves the DNS resolution to Wireguard entirely and adds routes as directed by the allowed-ips setting.
One of Wireguard's features is the way it handles roaming. This means that (supposedly) either endpoint can change IP addresses and it all just works because of its Cryptokey Routing, meaning it uses the cryptographic keys to get the packets where they need to be. There's a section on the website about it here: Built-in Roaming
I'm not 100% sure this would work through NAT though. I tried adding a listen-port to line 3 below and it just broke everything.
#!/bin/bash
# create the WireGuard interface and configure the peer directly with wg(8)
ip link add dev wg0 type wireguard
wg set wg0 private-key /storage/.config/my_wireguard/private_key peer SERVER_PUBLIC_KEY endpoint SERVER_DNS_ADDRESS:SERVER_LISTEN_PORT allowed-ips 192.168.5.0/24 persistent-keepalive 25
# assign the tunnel address (this also installs the connected route for 192.168.5.0/24) and bring the interface up
ip addr add dev wg0 192.168.5.6/24
ip link set up dev wg0
The systemd service file is one I copied from the wireguard.service.sample.
[Unit]
Description=WireGuard VPN Service
After=network-online.target nss-lookup.target connman-vpn.service time-sync.target
Wants=network-online.target nss-lookup.target connman-vpn.service time-sync.target
[Service]
Type=oneshot
RemainAfterExit=yes
ExecStart=/storage/.config/my_wireguard/wg0_up
ExecStop=ip link del wg0
[Install]
WantedBy=multi-user.target
I also configured connman to ignore the wg0 interface in its blacklist:
[General]
# List of blacklisted network interfaces separated by ",".
# Found interfaces will be compared to the list and will
# not be handled by ConnMan, if their first characters
# match any of the list entries. Default value is
# vmnet,vboxnet,virbr,ifb,ve-,vb-.
NetworkInterfaceBlacklist = vmnet,vboxnet,virbr,ifb,docker,veth,zt,ve-,vb-,wg0
Anyway I hope this helps someone.
novalis many thanks for the script
Wireguard works great ... thanks LibreElec !
Has there been any progress on this?
I still have trouble getting a systemd service to autostart with the right routes.