Scritch Try this instructions:
Worked for me perfectly and it has the benefit that you can use a FDQN / hostname for the VPN server.
Posts by QBJack
-
-
Thanks mglae . I used the description in that post and made it working as it should. It has the big benefit, that you can use hostnames / FQDN for the VPN server host.
Stop blindly copying things from the wiki. It shows general hints not verbatim instructions. Your existing service file results in a connection. You can add move-after or move-before commands to adjust the routing config. You can also run the move-after/before commands from the SSH console to experiment in-situ and see the impact on the routes on your box. Go experiment, figure out what combination you need, then add the same sequence to the file. If you don't need static routes, don't add static routes.
Thanks, but a guide like that wiki page is not very helpful for noob linux users like me and I do not have the time and the patience to become a linux networking and routing expert.
Whatever, I made it working as described in post #14. Thanks for your support.
-
ConnMan adds a route to the WireGuard server so you do not need to.
The code in my last post is taken from here WireGuard | LibreELEC.wiki (known issues part) so I assumed it needs to be in that wireguard.service file to make the routing as expected: do only route the desired network over VPN and not the whole traffic.
All you need is the move-after/move-before connmanctl comands to adjust the interface/service order so WireGuard is not the default route that everything is tunnelled down (and the interface you want to be default, is the default.
Hmm, is there maybe a typo in the wiki as I only see two "move-after" and not one "move-before" commands in the example from the above mentioned wiki page:
[Service]
Type=oneshot
RemainAfterExit=yes
ExecStartPre=/usr/bin/sleep 5
ExecStart=/usr/bin/connmanctl connect vpn_service_name
ExecStartPost=/usr/bin/connmanctl move-after vpn_service_name ethernet_b827eb10c45a_cable
ExecStartPost=/usr/bin/connmanctl move-after vpn_service_name ethernet_b827eb10c45a_cable
ExecStartPost=/usr/sbin/route add -net 192.168.2.0 netmask 255.255.255.0 gw 10.0.0.2
ExecStartPost=/usr/sbin/route add 64.109.130.11/32 via 192.168.0.1 dev eth0
ExecStop=/usr/bin/connmanctl disconnect vpn_service_nameSo this part is not necessary in a common scenario as this is your TVHeadend special?:
ExecStartPost=/usr/sbin/route add 64.109.130.11/32 via 192.168.0.1 dev eth0
Sorry to bother you about that so much but I want to understand that and make it working "correctly".
-
Thanks for updating the part about routing. As there are many different IPs mentioned in every step, it is very difficult to follow that instructions as it is not clear (for me) which IPs are those mentioned in this part:
CodeExecStartPost=/usr/sbin/route add -net 192.168.2.0 netmask 255.255.255.0 gw 10.0.0.2 ExecStartPost=/usr/sbin/route add 64.109.130.11/32 via 192.168.0.1 dev eth0In this example code which is which IP?
192.168.2.0 - the remote network I want to reach over VPN?
10.0.0.2 - remote Wireguard VPN network?
64.109.130.11/32 - public IP of the VPN server?
192.168.0.1 - local gateway (where the LE client is)?
-
Thanks for adding the part regarding public IP for the VPN server.
-
-
I followed the guide at WireGuard | LibreELEC.wiki - especially the part "known-issues". I set my config to only route my internal network over the VPN connection - everything else should use the clients local internet breakout.
This does not work - everything is routed through my VPN network. A short check with i.e. curl -4 icanhazip.com shows my VPN networks public IP. Traceroute to "somethingontheweb.com" tells me the same.
Here is some log output:
Code
Display MoreJan 10 14:31:08 LE-Test systemd[1]: Starting wireguard.service... Jan 10 14:31:08 LE-Test connman-vpnd[386]: wg0 {update} flags 32912 <DOWN> Jan 10 14:31:08 LE-Test connman-vpnd[386]: wg0 {newlink} index 12 operstate 2 <DOWN> Jan 10 14:31:08 LE-Test connman-vpnd[386]: wg0 {dellink} index 12 operstate 2 <DOWN> Jan 10 14:31:08 LE-Test connman-vpnd[386]: wg0 {remove} index 12 Jan 10 14:31:13 LE-Test connmand[720]: ipconfig state 2 ipconfig method 1 Jan 10 14:31:13 LE-Test connmand[720]: wg0 {create} index 13 type 65534 <NONE> Jan 10 14:31:13 LE-Test connmand[720]: wg0 {update} flags 144 <DOWN> Jan 10 14:31:13 LE-Test connmand[720]: wg0 {newlink} index 13 address 00:00:00:00:00:00 mtu 1420 Jan 10 14:31:13 LE-Test connmand[720]: wg0 {newlink} index 13 operstate 2 <DOWN> Jan 10 14:31:13 LE-Test connman-vpnd[386]: wg0 {create} index 13 type 65534 <NONE> Jan 10 14:31:13 LE-Test connman-vpnd[386]: wg0 {update} flags 144 <DOWN> Jan 10 14:31:13 LE-Test connman-vpnd[386]: wg0 {newlink} index 13 operstate 2 <DOWN> Jan 10 14:31:13 LE-Test connmand[720]: ipconfig state 2 ipconfig method 1 Jan 10 14:31:13 LE-Test connman-vpnd[386]: wg0 {update} flags 98513 <UP,RUNNING,LOWER_UP> Jan 10 14:31:13 LE-Test connman-vpnd[386]: wg0 {newlink} index 13 operstate 0 <UNKNOWN> Jan 10 14:31:13 LE-Test connmand[720]: wg0 {update} flags 98513 <UP,RUNNING,LOWER_UP> Jan 10 14:31:13 LE-Test connmand[720]: wg0 {newlink} index 13 address 00:00:00:00:00:00 mtu 1420 Jan 10 14:31:13 LE-Test connmand[720]: wg0 {newlink} index 13 operstate 0 <UNKNOWN> Jan 10 14:31:13 LE-Test connmand[720]: wg0 {add} address 192.168.4.2/32 label wg0 family 2 Jan 10 14:31:13 LE-Test connmand[720]: Adding host route failed (Network is unreachable) Jan 10 14:31:13 LE-Test connmand[720]: rp_filter set to 2 (loose mode routing), old value was 0 Jan 10 14:31:13 LE-Test connmanctl[1501]: Connected vpn_XXX_XXX_XXX_XXX Jan 10 14:31:13 LE-Test iwd[400]: udev interface=wg0 ifindex=13 Jan 10 14:31:13 LE-Test connmand[720]: ipconfig state 4 ipconfig method 1 Jan 10 14:31:13 LE-Test connmand[720]: wg0 {add} route 192.168.4.1 gw 0.0.0.0 scope 253 <LINK> Jan 10 14:31:13 LE-Test connmand[720]: eth0 {del} route 0.0.0.0 gw 192.168.8.1 scope 0 <UNIVERSE> Jan 10 14:31:13 LE-Test connmand[720]: wg0 {add} route 0.0.0.0 gw 0.0.0.0 scope 253 <LINK> Jan 10 14:31:13 LE-Test connmanctl[1505]: Moved vpn_XXX_XXX_XXX_XXX after ethernet_dca6326axxxx_cable Jan 10 14:31:13 LE-Test connmanctl[1509]: Moved vpn_XXX_XXX_XXX_XXX after ethernet_dca6326axxxx_cable Jan 10 14:31:13 LE-Test connmand[720]: wg0 {add} route 192.168.200.0 gw 192.168.4.1 scope 0 <UNIVERSE> Jan 10 14:31:13 LE-Test systemd[1]: Finished wireguard.service.192.168.200.0 is my local network.
192.168.4.0 is the VPN network.
192.168.8.0 is the remote clients network.
Any ideas?
-
After playing around a bit, I think that I have found the reason for that behavior. I used my VPN server's (public) hostname (fqdn) instead of it's public IP address. Using an IP makes the VPN connection work.
Great that it works that way but using an dynamic public IP (which can change from time to time) is not a great solution as you have to check and manually edit those config files again on every IP change.
Is that really so, that this wireshark implementation cannot handle hostnames (fqdn) and must use IPs instead?
-
Hello and a happy new year.
I have updated LE to 12.0.1 and gave that wireguard VPN a second chance. The behavior is the same, connection does not work - exactly the same as in LE 11 over a year ago.
Does somebody has any ideas how to make that work as it is an official supported method and described in LE wiki to be supported.
Thanks.
-
Thanks for this addon. I have installed that on LE12 on my Rpi4B. But the fan does not spin up. The power off / restart function of the button does not work as well. It seems to me, that there is no service running for controlling that. Should there be a service? I am not sure.
What I see in the journal are a lot of these messages:
Dec 13 12:38:11 LibreELEC kernel: i2c-bcm2835 fe804000.i2c: i2c transfer timed out
Dec 13 12:39:13 LibreELEC kernel: i2c-bcm2835 fe804000.i2c: i2c transfer timed out
Dec 13 12:40:14 LibreELEC kernel: i2c-bcm2835 fe804000.i2c: i2c transfer timed out
Dec 13 12:41:15 LibreELEC kernel: i2c-bcm2835 fe804000.i2c: i2c transfer timed outAny help is appreciated.
Cheers
Thomas
-
Unfortunately the same behaviour - could not ping anything. My UDM does not see this VPN client connected anyway. When I connect my Windows client I can see this on my UDM. So I think the VPN connection is not really established at that moment.
-
Of course I have already searched the forums and other discussions about that but did not found any working solution.
-
Hello guys,
I need help to get a working VPN connection from Rpi4 with LE 11 (latest as today) to my Unifi Dreammachine.
I used this instruction to setup the LE side: WireGuard - LibreELEC.wiki
On my Unifi DM I created a new WG client and downloaded the provided config file. This files contains most data for the config on LE side like privatekey, publickey, allowed-ips and so on. UDM version is the latest release as well.
From that information given I created the following wireguard.config file :
Code
Display More[provider_wireguard] Type = WireGuard Name = myvpn Host = <public ip of my UDM> WireGuard.Address = 192.168.4.2/32 WireGuard.PrivateKey = <private key here> WireGuard.PublicKey = <pubic key here> # WireGuard.PresharedKey = WireGuard.DNS = 192.168.4.1 WireGuard.AllowedIPs = 192.168.4.1/32,192.168.4.2/32,0.0.0.0/0 WireGuard.EndpointPort = 51820 WireGuard.PersistentKeepalive = 25When starting the VPN connection I get:
CodeLibreELEC:~/.config/wireguard # connmanctl connect vpn_my_ip_here Connected vpn_my_ip_herebut trying to ping the VPN gateway's private IP or anything else on my private network gives me this:
CodeLibreELEC:~/.config/wireguard # ping 192.168.4.1 PING 192.168.4.1 (192.168.4.1): 56 data bytes ping: sendto: Required key not availableSimple ping is not possible and my UDM shows no VPN clients connected at all.
Using this exact config from my UDM on my Wireguard Windows Installation just works without issues and I can ping and access my network stuff.
Please help on that. Thanks in advance.
Best regards
Thomas
