Converting Wireguard conf to connmanctl syntax

  • I have this .conf file from my VPN provider but I'm unsure how to convert it to the syntax explained in the wiki.

I have tried with this, putting it under /.config/wireguard, but it does not work.

    I'm not sure if it's because the original configuration specifies an address for the endpoint and the connmanctl syntax doesn't support that or if I'm making other mistakes. The thing I'm unsure of is the line "WireGuard.Address". I left it as I found it in the wiki but I'm not sure if that's the correct way to go.

    The connection is created and connmanctl doesn't give errors when connecting, ifconfig shows it but ping doesn't work and it basically stops the machine from connecting to the internet and that's it.

  • See if this ^ works. Host is the WireGuard server that you connect to, so you need to resolve nl3.vpn.airdns.org to an IP (not possible to use an FQDN with ConnMan) and WireGuard.Address is the IP allocated to you, and since you are not connecting to access an internal subnet I'm making an educated guess that this should be /32 not /24.

  • See if this ^ works. Host is the WireGuard server that you connect to, so you need to resolve nl3.vpn.airdns.org to an IP (not possible to use an FQDN with ConnMan) and WireGuard.Address is the IP allocated to you, and since you are not connecting to access an internal subnet I'm making an educated guess that this should be /32 not /24.

    It appears to be working. Is there a way to check external IP like one can do through a web browser, connecting, for instance, to ipleak.org?

    Also, I see that nl3.vpn.airdns.org can resolve to several different addresses. I have to ask my provider if that means that it selects the server with less load. In that case I might probably need to script something (far above my capabilities) to resolve the address before connecting, in order to then modify the configuration accordingly, before connecting.

  • The VPN provider probably does DNS round-robin to distribute load. I wouldn't worry about trying to script/handle different IPs unless things stop working; then re-resolve the host, update the conf, then restart the WireGuard systemd service.
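    The conversion discussed above (resolve the endpoint FQDN to an IP for Host, carry the allocated address into WireGuard.Address, map the rest of the [Peer] section), done as a small POSIX shell script. This is an added example, not code from the thread, from LibreELEC or from ConnMan. It assumes the [provider_wireguard] key names from ConnMan's vpn-config-format documentation, that `getent` is available for the DNS lookup (pass the IP as the third argument if it is not, or when you want to pin one of the round-robin addresses), and that the result is saved under /storage/.config/wireguard/ as the wiki describes. The sample .conf it writes is constructed: placeholder keys and documentation-range addresses, nothing from a real provider.

```shell
#!/bin/sh
# Added example (not from the thread, LibreELEC or ConnMan): turn a WireGuard
# client .conf into a ConnMan VPN provisioning file. Assumed: ConnMan's
# [provider_wireguard] keys, and that Host must be a literal IP (as the thread found).

# conf_get FILE KEY: print the value of "KEY = value" from a WireGuard .conf.
# Split on the first '=' only, because base64 keys end in '='.
conf_get() {
    awk -v k="$2" '
        {
            line = $0; gsub(/^[ \t]+|[ \t]+$/, "", line)
            c = substr(line, 1, 1)
            if (line == "" || c == "#" || c == ";" || c == "[") next   # blank, comment, section
            i = index(line, "=")
            if (i == 0) next
            key = substr(line, 1, i - 1); val = substr(line, i + 1)
            gsub(/[ \t]+$/, "", key); gsub(/^[ \t]+/, "", val)
            if (key == k) { print val; exit }
        }' "$1"
}

# endpoint_ip HOST: ConnMan cannot take an FQDN, so resolve it to its first A
# record (assumes getent). IP literals pass straight through, so no lookup
# happens offline. IPv6 endpoints are not handled here.
endpoint_ip() {
    case "$1" in
        *[!0-9.]*) getent ahostsv4 "$1" | awk 'NR == 1 { print $1; exit }' ;;
        *)         printf '%s\n' "$1" ;;
    esac
}

# emit_opt CONF KEY CONNMAN_KEY: print the mapped line only when KEY is set.
emit_opt() {
    v=$(conf_get "$1" "$2")
    if [ -n "$v" ]; then printf '%s = %s\n' "$3" "$v"; fi
}

# wg_to_connman CONF NAME [ENDPOINT_IP]: print the ConnMan provisioning file.
wg_to_connman() {
    conf="$1"; name="${2:-WireGuard VPN}"
    endpoint=$(conf_get "$conf" Endpoint)
    host="${endpoint%:*}"; port="${endpoint##*:}"
    ip="${3:-$(endpoint_ip "$host")}"
    [ -n "$ip" ] || { echo "could not resolve endpoint host '$host'" >&2; return 1; }
    # First Address only. A bare address gets /32: a client that does not need the
    # provider's internal subnet wants a host route (the thread's /32 suggestion).
    addr=$(conf_get "$conf" Address); addr="${addr%%,*}"
    case "$addr" in */*) ;; *) addr="$addr/32" ;; esac

    printf '[provider_wireguard]\nType = WireGuard\nName = %s\nHost = %s\n' "$name" "$ip"
    printf 'WireGuard.Address = %s\n' "$addr"
    printf 'WireGuard.PrivateKey = %s\n' "$(conf_get "$conf" PrivateKey)"
    printf 'WireGuard.PublicKey = %s\n' "$(conf_get "$conf" PublicKey)"
    emit_opt "$conf" PresharedKey WireGuard.PresharedKey
    emit_opt "$conf" DNS WireGuard.DNS
    printf 'WireGuard.AllowedIPs = %s\n' "$(conf_get "$conf" AllowedIPs)"
    printf 'WireGuard.EndpointPort = %s\n' "$port"
    emit_opt "$conf" PersistentKeepalive WireGuard.PersistentKeepalive
}

# write_sample_conf FILE: a constructed client config in the shape providers hand
# out (placeholder keys, RFC 5737 documentation addresses) for trying the script.
write_sample_conf() {
    cat > "$1" <<'EOF'
[Interface]
Address = 10.4.0.2/32
PrivateKey = CLIENT_PRIVATE_KEY_PLACEHOLDER=
DNS = 10.4.0.1

[Peer]
PublicKey = SERVER_PUBLIC_KEY_PLACEHOLDER=
PresharedKey = PRESHARED_KEY_PLACEHOLDER=
Endpoint = 203.0.113.10:1637
AllowedIPs = 0.0.0.0/0, ::/0
PersistentKeepalive = 15
EOF
}

# Usage: sh wg2connman.sh client.conf "AirVPN NL3" [endpoint-ip] \
#            > /storage/.config/wireguard/airvpn.config   (path assumed from the wiki)
if [ "$#" -ge 1 ]; then
    wg_to_connman "$@"
fi
```

    If the provider's conf says /24 and you only want the tunnel (not their internal subnet), edit the Address line to /32 before converting, as the reply above suggests. When a round-robin host stops answering, rerun the script (or pass a freshly resolved IP as the third argument) and restart the service, which is the re-resolve step described above without hand-editing the file.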

  • Can't edit the above post but I've managed to download an updated version of the plugin from here: https://github.com/Space2Walker/p…ases/tag/v1.1.2

    And yes, there's DNS leaks. Seeing a mix of my ISP's and my VPN's DNS in there...

    Problem is I can't see resolve.conf anywhere on the machine. You wrote it was supposed to be in /etc in the old post but I cannot find the file anywhere (used find command).

  • Code
    RPi5:~ # cat /etc/resolv.conf 
    # Generated by Connection Manager
    nameserver 172.16.20.1
    nameserver 8.8.8.8
    nameserver 1.1.1.1

    resolv.conf not resolve.conf ^

  • I return to this subject as I'm trying to wrap my head around /etc/resolv.conf.

    As far as I can tell, it's just a symlink to /run/connman/resolv.conf.

    I have not abandoned my desire for using Wireguard but, in the meantime, I'm using the Kodi VPN Manager addon, which works.

    DNS leaks problem remains and I tried modifying the above resolv.conf, finding a configuration for it that it works (no DNS leaks when connected to VPN, still capable of resolving when not connected).

    I then set permissions for /run/connman/resolv.conf to 444 (read-only) and executed chattr -f +i /run/connman/resolv.conf, in order to make it immutable.

    I rebooted and... the file had been modified back to its original state and permissions were once more 644 (read/write for the owner).

    Is there a way around this, chewitt?

  • Maybe instructions in autostart.sh to modify resolv.conf after the system modifies it back? Problem is I don't know when exactly that happens but I could probably resort to trial and error to find the correct timing.

    By the example in the wiki, using the {sleep} formulation would do what I need? Meaning, it will pause autostart.sh for 20 seconds while the boot proceeds and then execute, correct?

  • Code
    [Unit]
    Description=Kodi user autostart script
    Before=kodi.service
    After=network-online.target graphical.target
    ...
    [Install]
    WantedBy=kodi.service

    ^ that explains when autostart.sh is run; after the network is online but before Kodi starts. It used to be at the start of userspace boot (much earlier) but users were always trying to schedule things that depended on the network so it was changed.

    The contents of /run are (re)created at boot time based on scripts embedded in the read-only SYSTEM file (which expands on boot to create userspace) so all changes made there are intentionally lost on shutdown. The resolv.conf file is also managed by ConnMan so any changes to it can/will be overwritten when ConnMan feels like it, and since everything in the OS including ConnMan runs as root changing file perms to prevent changes to the file probably won't achieve much as you cannot restrict change from root.

    The correct way to effect change to resolv.conf is making changes through ConnMan, using connmanctl. If you need to e.g. reorder services to ensure the tunnel has priority, you may need to execute a sequence of reorder commands to move things around into the correct sequence. Such things are a bit clunky, but ConnMan was originally created for phone devices where such wizardry isn't needed, so it's not blessed with highly scriptable controls.

    In terms of boot timing: /run/libreelec/resolv.conf is created by the connman-setup script which is executed by connman.service. If you want to understand more about OS plumbing and boot scripts the easiest method (as I have just done myself) is to "git clone" our sources and then use "git grep" in the sources folder to find mentions of binaries and paths.

  • In terms of boot timing: /run/libreelec/resolv.conf is created by the connman-setup script which is executed by connman.service. If you want to understand more about OS plumbing and boot scripts the easiest method (as I have just done myself) is to "git clone" our sources and then use "git grep" in the sources folder to find mentions of binaries and paths.

    I have used systemd-analyze plot > startup_order.svg to check the order of services loading. Apparently connman.service is run before kodi-autostart.service. So I'll try to edit resolv.conf in autostart.sh and see if that sticks. I will report back, in case other people might find this useful. Thanks a lot for all the help.

  • Yes, I think I've managed to solve it.

    I created a resolv.conf file under a directory I use for various scripts and I copy that, overwriting the one in /run/connman, by putting this in autostart.sh.

    cp -f /storage/.config/scripts/resolv.conf /run/connman/

    I know it's a bit of a hack, but it seems to serve the purpose.

    Edit: in case other people use Zomboided's VPN Manager for Kodi, the above hack survives disconnection and reconnection of the VPN. I guess the resolv.conf file is written by connman just at the execution of connman.service and no more until the next reboot, where we proceed to overwrite it once more.

    Edited once, last by ashlar (June 3, 2024 at 11:07 PM).
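    The autostart.sh approach from the post above, with two additions a practitioner would want: instead of a fixed sleep it waits (bounded) until ConnMan has written its resolv.conf before overwriting it, and afterwards it checks that only the nameservers you expect remain, so a leak shows up in the log instead of on ipleak.org. This is an added example, not code from the thread or from LibreELEC. The paths /run/connman/resolv.conf and /storage/.config/scripts/resolv.conf are the ones named in the thread; the file name dnsguard.sh, the timeouts and the resolver address 10.4.0.1 are assumptions, and the "leaky" sample file is constructed after the ConnMan-generated example posted earlier in the thread.

```shell
#!/bin/sh
# Added example (not from the thread or LibreELEC): helpers for an autostart.sh
# that installs a known-good resolv.conf over the ConnMan-generated one and then
# verifies no unexpected resolver is left. Assumed file name: dnsguard.sh.

# list_nameservers FILE: print the nameserver addresses in a resolv.conf, one per line.
list_nameservers() {
    awk '$1 == "nameserver" { print $2 }' "$1"
}

# check_dns_leak FILE ALLOWED: return 0 when every nameserver in FILE is in the
# space-separated ALLOWED list, 1 otherwise; offenders go to stderr for the log.
check_dns_leak() {
    resolv="$1"; allowed="$2"; rc=0
    for ns in $(list_nameservers "$resolv"); do
        case " $allowed " in
            *" $ns "*) ;;
            *) echo "dns leak: unexpected nameserver $ns in $resolv" >&2; rc=1 ;;
        esac
    done
    return $rc
}

# install_resolv_conf SRC DST [TIMEOUT_SECONDS]: wait until ConnMan has created
# DST (connman.service runs before kodi-autostart.service, but polling is safer
# than a fixed sleep), then copy SRC over it. Fails instead of racing silently.
install_resolv_conf() {
    src="$1"; dst="$2"; timeout="${3:-30}"; i=0
    while [ ! -e "$dst" ]; do
        i=$((i + 1))
        if [ "$i" -ge "$timeout" ]; then
            echo "timed out after ${timeout}s waiting for $dst" >&2
            return 1
        fi
        sleep 1
    done
    cp -f "$src" "$dst" && chmod 644 "$dst"
}

# sample_leaky_resolv_conf FILE: constructed after the ConnMan-generated file
# shown earlier in the thread (LAN router plus public resolvers), i.e. the
# state that leaks DNS outside the tunnel. For trying check_dns_leak offline.
sample_leaky_resolv_conf() {
    printf '# Generated by Connection Manager\nnameserver 172.16.20.1\nnameserver 8.8.8.8\nnameserver 1.1.1.1\n' > "$1"
}

# Lines for /storage/.config/autostart.sh (resolver address is a placeholder
# for your provider's tunnel DNS):
#   . /storage/.config/scripts/dnsguard.sh
#   install_resolv_conf /storage/.config/scripts/resolv.conf /run/connman/resolv.conf 60 \
#       && check_dns_leak /run/connman/resolv.conf "10.4.0.1" \
#       || echo "autostart: resolv.conf setup failed" >&2
```

    The check only looks at the file ConnMan manages; it does not prove that applications use it. As the earlier reply notes, root (which ConnMan runs as) can rewrite the file at any time, so keep the check as a post-condition you can see in the journal rather than a guarantee, and re-run it after VPN reconnects if you are not using the add-on the post describes.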

  • Yes, I think I've managed to solve it.

    I created a resolv.conf file under a directory I use for various scripts and I copy that, overwriting the one in /run/connman, by putting this in autostart.sh.

    cp -f /storage/.config/scripts/resolv.conf /run/connman/

    I know it's a bit of a hack, but it seems to serve the purpose.

    Edit: in case other people use Zomboided's VPN Manager for Kodi, the above hack survives disconnection and reconnection of the VPN. I guess the resolv.conf file is written by connman just at the execution of connman.service and no more until the next reboot, where we proceed to overwrite it once more.

    Hey, could you happen to note what code you have for the autostart.sh script, the resolv.conf file and the other scripts to prevent DNS leaks? I'm also getting DNS leaks.