Add Wireguard support

  • Question regarding Wireguard. Is Libreelec able to act as a Wireguard Server? No need for traffic tunneling, I just want to be able to remotely support a Libreelec system from external networks (elderly user, check logs, reboot, fix accidental settings changes etc).

    • Official Post

    Cranial there is nothing to prevent LE being a WireGuard server, but there is no packaging/scripts/etc. in the distro to support that so you'll need to handle it yourself. NB: Our SSH daemon listens on all interfaces by default so if the elderly user "client" end connects to a WireGuard "server" when support is needed you can always SSH from the server to the private (remote) IP of the WG client in a "reverse tunnel" arrangement.

  • Cranial there is nothing to prevent LE being a WireGuard server, but there is no packaging/scripts/etc. in the distro to support that so you'll need to handle it yourself. NB: Our SSH daemon listens on all interfaces by default so if the elderly user "client" end connects to a WireGuard "server" when support is needed you can always SSH from the server to the private (remote) IP of the WG client in a "reverse tunnel" arrangement.

    Thanks chewitt, that might be a better way to handle this. Connecting to a server on my end negates the need for a static ip or ddns on their end. I'll have a think about how to best accomplish this.

  • Some rough patches to address using an FQDN were posted to the connman mailing list about two months ago. I shared links to them at the same time and so-far received zero feedback. From this I conclude that nobody cares enough to contribute a little effort to testing. I blow hot/cold on my desire to do everything and have other priorities on my to-do list, so I suggest someone else pulls a finger out for once.

    That's a shame. Being able to use FQDN would be superb. I spent a while earlier thinking I'd gone mad before realising that was the reason I couldn't establish the connection. I'd be happy to help test if you were still looking for someone?

  • Thanks for this, worked perfectly. Though can't seem to get Cron working in LE. I've enabled the systemd for Cron to run and have tasks scheduled to run this script both on boot and periodically, and Cron shows that they are queued but they never fire. The script works fine if I run it manually, so I know it's not a script issue or a permissions issue (tried chmod 777 just in case), so I have no idea what is wrong with Cron under LE. If anyone knows, please let me know.

  • Is there a fix on the horizon for the issue with using a domain name for Host? This cost me several hours of headache today although fortunately I came across this thread which helped me figure out why I couldn't ping or route any traffic. I tweaked novalis' script and am running it on a cron job that runs every 15 minutes and on reboot, I'm using this instead of a systemd service.

  • I can confirm that the Domain name issue is still not fixed.
    Thankfully i came across this post, it took me a few hours of debugging to find out that the main issue was the domain name. replacing it with the host IP worked.

    I _think_ the issue might be with ConnMan not setting the route for the Wireguard server IP, I noticed that replacing the domain name with the IP added this route

    PUBLIC_IP_WG_SERVER HOME_ROUTER_IP 255.255.255.255 UGH 0 0 0 eth0

  • I _think_ the issue might be with ConnMan not setting the route for the Wireguard server IP, I noticed that replacing the domain name with the IP added this route

    Thanks, this helped me. The way connman is managing the route tables just doesn't look right. Wireguard's AllowedIPs setting and the connman Networks setting are the same thing - entries to be added to the route table - and for my needs I only want it to add the entry to the VPN server (where my tvheadend lives).

  • I was thinking about this further and for my use case (remote access to my tvheadend server), I have created a short systemd service script that just configures Wireguard directly. This leaves the DNS resolution to Wireguard entirely and adds routes as directed by the allowed-ips setting.

    One of Wireguard's features is the way it handles roaming. This means that the (supposedly) either endpoint can change IP addresses and it all just works because of its Cryptokey Routing meaning it uses the cryptographic keys to get the packets where they need to be. There's a section on the website about it here: Built-in Roaming

    I'm not 100% sure this would work through NAT though. I tried adding a listen-port to line 3 below and it just broke everything.

    Bash: /storage/.config/my_wireguard/wg0_up
    #!/bin/bash
    ip link add dev wg0 type wireguard
    wg set wg0 private-key /storage/.config/my_wireguard/private_key peer SERVER_PUBLIC_KEY endpoint SERVER_DNS_ADDRESS:SERVER_LISTEN_PORT allowed-ips 192.168.5.0/24 persistent-keepalive 25
    ip addr add dev wg0 192.168.5.6/24
    ip link set up dev wg0

    The systemd service file is one I copied from the wireguard.service.sample.

    I also configured connman to ignore the wg0 interface in its blacklist:

    Code: /storage/.config/connman_main.conf
    # List of blacklisted network interfaces separated by ",".
    # Found interfaces will be compared to the list and will
    # not be handled by ConnMan, if their first characters
    # match any of the list entries. Default value is
    # vmnet,vboxnet,virbr,ifb,ve-,vb-.
    NetworkInterfaceBlacklist = vmnet,vboxnet,virbr,ifb,docker,veth,zt,ve-,vb-,wg0

    Anyway I hope this helps someone.