Converting Wireguard conf to connmanctl syntax

I have this .conf file from my VPN provider but I'm unsure how to convert it to the syntax explained in the wiki.

[Interface]
Address = 10.173.72.95,fd7d:76ee:e68f:a993:819a:8f51:d102:3f6
PrivateKey = REDACTED
MTU = 1320
DNS = 10.128.0.1, fd7d:76ee:e68f:a993::1
[Peer]
PublicKey = REDACTED
PresharedKey = REDACTED
Endpoint = nl3.vpn.airdns.org:1637
AllowedIPs = 0.0.0.0/0,::/0
PersistentKeepalive = 15

i have tried with this, putting it under /.config/wireguard but it does not work.

[provider_wireguard]
Type = WireGuard
Name = AirVPN
Host = 10.173.72.95
WireGuard.Address = 10.2.0.2/24
WireGuard.ListenPort = 1637
WireGuard.PrivateKey = REDACTED
WireGuard.PublicKey = REDACTED
WireGuard.PresharedKey = REDACTED
WireGuard.DNS = 10.128.0.1
WireGuard.AllowedIPs = 0.0.0.0/0
WireGuard.EndpointPort = 1637
WireGuard.PersistentKeepalive = 15

I'm not sure if it's because the original configuration specifies an address for the endpoint and the connmanctl syntax doesn't support that or if I'm making other mistakes. The thing I'm unsure of is the line "WireGuard.Address". I left it as I found it in the wiki but I'm not sure if that's the correct way to go.

The connection is created and connmanctl doesn't give errors when connecting, ifconfig shows it but ping doesn't work and it basically stops the machine from connecting to the internet and that's it.

Quote from chewitt

Code

[provider_wireguard]
Type = WireGuard
Name = AirVPN
Host = 213.152.162.12
WireGuard.Address = 10.173.72.95/32
WireGuard.ListenPort = 1637
WireGuard.PrivateKey = REDACTED
WireGuard.PublicKey = REDACTED
WireGuard.PresharedKey = REDACTED
WireGuard.DNS = 10.128.0.1
WireGuard.AllowedIPs = 0.0.0.0/0
WireGuard.EndpointPort = 1637
WireGuard.PersistentKeepalive = 15

Display More

See if this ^ works. Host is the WireGuard server that you connect to, so you need to resolve nl3.vpn.airdns.org to an IP (not possible to use an FQDN with ConnMan) and WireGuard.Address is the IP allocated to you, and since you are not connecting to access an internal subnet I'm making an educated guess that this should be /32 not /24.

It appears to be working. Is there a way to check external IP like one can do through a web browser, connecting, for instance, to ipleak.org?

Also, I see that nl3.vpn.airdns.org can resolve to several different addresses. I have to ask my provider if that means that it selects the server with less load. In that case I might probably need to script something (far above my capabilities) to resolve the address before connecting, in order to then modify the configuration accordingly, before connecting.

Thanks a lot for the help.

Is the dns leak problem described here still ongoing? RE: Wireguard DNS leak

Apparently the DNS Leak plugin is not available anymore (I guess it has to do with it being in Python 2), so I'm not sure how I could test.

Can't edit the above post but I've managed to download an updated version of the plugin from here: https://github.com/Space2Walker/p…ases/tag/v1.1.2

And yes, there's DNS leaks. Seeing a mix of my ISP's and my VPN's DNS in there...

Problem is I can't see resolve.conf anywhere on the machine. You wrote it was supposed to be in /etc in the old post but I cannot find the file anywhere (used find command).

I return to this subject as I'm trying to wrap my head around /etc/resolv.conf.

As far as I can tell, that it's just a symlink to /run/connman/resolv.conf.

I have not abandoned my desire for using Wireguard but, in the meantime, I'm using the Kodi VPN Manager addon, which works.

DNS leaks problem remains and I tried modifying the above resolv.conf, finding a configuration for it that it works (no DNS leaks when connected to VPN, still capable of resolving when not connected).

I then set permissions for /run/connman/resolv.conf to 444 (read-only) and executed chattr  -f   +i   /run/connman/resolv.conf, in order to make it immutable.

I rebooted and... the file had been modified back to its original state and permissions where once more 644 (read/write for the owner).

Is there a way around this, chewitt?

Maybe instructions in autostart.sh to modify resolv.conf after the system modifies it back? Problem is I don't know when exactly that happens but I could probably resort to trial and error to find the correct timing.

By the example in the wiki, using the {sleep} formulation would do what I need? Meaning, it will pause autostart.sh for 20 seconds while the boot procedes and then execute, correct?

Quote from chewitt

In terms of boot timing: /run/libreelec/resolv.conf is created by the connman-setup script which is executed by connman.service. If you want to understand more about OS plumbing and boot scripts the easiest method (as I have just done myself) is to "git clone" our sources and then use "git grep" in the sources folder to find mentions of binaries and paths.

I have used systemd-analyze plot > startup_order.svg to check the order of services loading. Apparently connman.service is run before kodi-autostart.service. So I'll try to edit resolv.conf in autostart.sh and see if that sticks. I will report back, in case other people might find this useful. Thanks a lot for all the help.

Yes, I think I've managed to solve it.

I created a resolv.conf file under a directory I use for various scripts and I copy that, overwriting the one in /run/connman, by putting this in autostart.sh.

cp -f /storage/.config/scripts/resolv.conf /run/connman/

I know it's a bit of a hack, but it seems to serve the purpose.

Edit: in case other people use Zomboided's VPN Manager for Kodi, the above hack survives disconnection and reconnection of the VPN. I guess the resolv.conf file is written by connman just at the execution of connman.service and no more until the next reboot, where we proceed to overwrite it once more.