NS8-wg-easy App (WireGuard VPN)

App
,
4

Thanks for your feedback.

In ../systemd/user/wg-easy-app.service the line --env-file=%S/state/environment adds the environment file variables, they should be persistent AFAIK.

WEBUI_HOST defines the web UI binding, it didn’t work using localhost so I’d keep the default. Wrong URLs are filtered by traefik anyway.
PASSWORD and WG_HOST are already implemented in the web UI.
As regards WG_DEVICE, I don’t think we need to change the network device in the container…
The WG_PORT and WG_DEFAULT_ADDRESS variables could also be interesting to have more instances on one node but I’d put it to advanced settings in the UI. Same for WG_DEFAULT_DNS.
WG_ALLOWED_IP seems really important as it sets the VPN client routes.
A language selector would be nice…
The UI_TRAFFIC_STATS are already implemented and set to true. This way the traffic transferred in total is shown.

1 Like
5

Thanks for the work !!
I installed Wg-Easy from you repo.
Unfortunately it is not starting.
Error log below:

2024-05-12T18:03:09+02:00 [1:wg-easy2:systemd] Started Podman  wg-easy-app.service.
2024-05-12T18:03:09+02:00 [1:wg-easy2:wg-easy-app] 2024-05-12T16:03:09.594Z Server Listening on http://0.0.0.0:51821
2024-05-12T18:03:09+02:00 [1:wg-easy2:wg-easy-app] 2024-05-12T16:03:09.596Z WireGuard Loading configuration...
2024-05-12T18:03:09+02:00 [1:wg-easy2:wg-easy-app] 2024-05-12T16:03:09.603Z WireGuard Configuration loaded.
2024-05-12T18:03:09+02:00 [1:wg-easy2:wg-easy-app] 2024-05-12T16:03:09.604Z WireGuard Config saving...
2024-05-12T18:03:09+02:00 [1:wg-easy2:wg-easy-app] 2024-05-12T16:03:09.605Z WireGuard Config saved.
2024-05-12T18:03:09+02:00 [1:wg-easy2:wg-easy-app] $ wg-quick down wg0
2024-05-12T18:03:09+02:00 [1:wg-easy2:wg-easy-app] $ wg-quick up wg0
2024-05-12T18:03:09+02:00 [1:wg-easy2:wg-easy-app] Error: Command failed: wg-quick up wg0
2024-05-12T18:03:09+02:00 [1:wg-easy2:wg-easy-app] [#]
2024-05-12T18:03:09+02:00 [1:wg-easy2:wg-easy-app] [#] ip link add wg0 type wireguard
2024-05-12T18:03:09+02:00 [1:wg-easy2:wg-easy-app] [#] wg setconf wg0 /dev/fd/63
2024-05-12T18:03:09+02:00 [1:wg-easy2:wg-easy-app] [#] ip -4 address add 10.8.0.1/24 dev wg0
2024-05-12T18:03:09+02:00 [1:wg-easy2:wg-easy-app] [#] ip link set mtu 1420 up dev wg0
2024-05-12T18:03:09+02:00 [1:wg-easy2:wg-easy-app] [#] iptables -t nat -A POSTROUTING -o tap+ -j MASQUERADE
2024-05-12T18:03:09+02:00 [1:wg-easy2:wg-easy-app] iptables v1.8.10 (legacy): can't initialize iptables table `nat': Table does not exist (do you need to insmod?)
2024-05-12T18:03:09+02:00 [1:wg-easy2:wg-easy-app] Perhaps iptables or your kernel needs to be upgraded.
2024-05-12T18:03:09+02:00 [1:wg-easy2:wg-easy-app] [#] ip link delete dev wg0
2024-05-12T18:03:09+02:00 [1:wg-easy2:wg-easy-app]
2024-05-12T18:03:09+02:00 [1:wg-easy2:wg-easy-app]     at ChildProcess.exithandler (node:child_process:422:12)
2024-05-12T18:03:09+02:00 [1:wg-easy2:wg-easy-app]     at ChildProcess.emit (node:events:517:28)
2024-05-12T18:03:09+02:00 [1:wg-easy2:wg-easy-app]     at maybeClose (node:internal/child_process:1098:16)
2024-05-12T18:03:09+02:00 [1:wg-easy2:wg-easy-app]     at ChildProcess._handle.onexit (node:internal/child_process:303:5) {
2024-05-12T18:03:09+02:00 [1:wg-easy2:wg-easy-app]   code: 3,
2024-05-12T18:03:09+02:00 [1:wg-easy2:wg-easy-app]   killed: false,
2024-05-12T18:03:09+02:00 [1:wg-easy2:wg-easy-app]   signal: null,
2024-05-12T18:03:09+02:00 [1:wg-easy2:wg-easy-app]   cmd: 'wg-quick up wg0'
2024-05-12T18:03:09+02:00 [1:wg-easy2:wg-easy-app] }
2024-05-12T18:03:09+02:00 [1:wg-easy2:systemd] wg-easy-app.service: Main process exited, code=exited, status=1/FAILURE
2024-05-12T18:03:09+02:00 [1:wg-easy2:wg-easy2] 16052c52ee8aa8431de654c0933be1f9d70f9904235e28f43e614599e407ea17
2024-05-12T18:03:09+02:00 [1:wg-easy2:systemd] wg-easy-app.service: Failed with result 'exit-code'.
2024-05-12T18:03:10+02:00 [1:wg-easy2:systemd] wg-easy-app.service: Scheduled restart job, restart counter is at 15.
2024-05-12T18:03:10+02:00 [1:wg-easy2:systemd] Stopped Podman  wg-easy-app.service.
2024-05-12T18:03:10+02:00 [1:wg-easy2:systemd] Stopping Podman wg-easy.service...
2024-05-12T18:03:10+02:00 [1:wg-easy2:podman] ccc600ea10caf827b76f1bb14e84aacc66dff9d2caebd72191433ced4289de67
2024-05-12T18:03:10+02:00 [1:wg-easy2:systemd] Removed slice cgroup user-libpod_pod_ccc600ea10caf827b76f1bb14e84aacc66dff9d2caebd72191433ced4289de67.slice.
2024-05-12T18:03:10+02:00 [1:wg-easy2:podman] ccc600ea10caf827b76f1bb14e84aacc66dff9d2caebd72191433ced4289de67
2024-05-12T18:03:10+02:00 [1:wg-easy2:systemd] Stopped Podman wg-easy.service.
2024-05-12T18:03:10+02:00 [1:wg-easy2:systemd] wg-easy.service: Start request repeated too quickly.
2024-05-12T18:03:10+02:00 [1:wg-easy2:systemd] wg-easy.service: Failed with result 'start-limit-hit'.
2024-05-12T18:03:10+02:00 [1:wg-easy2:systemd] Failed to start Podman wg-easy.service.
2024-05-12T18:03:10+02:00 [1:wg-easy2:systemd] Dependency failed for Podman  wg-easy-app.service.
2024-05-12T18:03:10+02:00 [1:wg-easy2:systemd] wg-easy-app.service: Job wg-easy-app.service/start failed with result 'dependency'.

The errors above disappeared by running at the command line:

  1. modprobe ip_tables
  2. modprobe iptable_filter
  3. modprobe iptable_nat

I’m not sure if all 3 commands are needed. I will check this and let you know.

After the installation i was not able to open the WG-Easy Web UI.
The Firewall setting at the cluster shows 51821 UDP.
I guess for the WG-Easy Web UI it should be TCP.

Again Thanks for your work.

1 Like
6

Thanks for testing!

IIRC I didn’t need them during testing…which distro are you using for NS8?
I need to recheck…

Thanks in advance!

It should be reachable under the hostname/FQDN you set in the app settings like https://wg-easy.domain.tld

The WireGuard VPN uses port 51820 UDP so the firewall should open that port.
The wg-easy container publishes port 51821 TCP for the web UI.

If you need to use another wireguard vpn port than the default 51820/udp you can define something like WG_PORT=23232 but you’d need to open the right firewall port manually.
I’m going to add the port to the UI so it’s changeable if already in use.

1 Like
7

Same here.

This is the only command I used that got the issues resolved. Using Rocky 9.4

HTH

8

I did a fresh install of nethserver 8 on Rocky 9.4.
Added your repo and installed WG-Easy.

Configured
settings.wg-easy_fqdn,
settings.wghost,
settings.password.

Left settings.lets_encrypt disabled, settings.http_to_https disabled.

After Saving, cluster UI shows wg-easy-app inactive, disabled and wg-easy failed, inactive, disabled.

Then on command line modprobe iptable_nat (thanks LayLow)

Saving settings in wg-easy → settings again.
The UI shows:
wg-easy-app active, disabled
wg-easy active, enabled

The wg-easy UI is accessible !

Hope that helps.

1 Like
9

A word of caution, the kernel module (iptable_nat) is not loaded permanently. After a reboot, it must be loaded manually again. (cc @mrmarkuz )

What would be the best/most efficient way to load the module at boot time using /etc/modules.d or /etc/modules or /etc/modules.conf etc.

using rc.local is not my desired route for I consider that as a last resort when all other methods fail.

edit:

For now I simply created /etc/modules-load.d/iptable_nat.conf with 1 line only

iptable_nat

Now the module loads automatically at boot time. However, I d agree with @davidep on:

1 Like
10

It would be nice without those modules. Wireguard is already installed by NS8, and iptables could be replaced by nft with equivalent commands.

2 Likes
11

as a reference

2 Likes
12

@mrmarkuz , what to do best pls?

image
image1642×378 31.8 KB

ps. The update button leads to:

1 Like
13

Hi all,

What if I want to close off ALL services to be accessed from the outside world, and ONLY provide availability to users that are connected through the VPN? This goes for all modules/apps.

TIA

14

For now you can do the following to get the new image:

runagent -m wg-easy1 bash -c "systemctl --user stop wg-easy && podman rmi wg-easy && systemctl --user start wg-easy"

In future I’m going to provide updated releases in Software Center.

Thanks guys. As regards RH-based distros, they don’t autoload iptable_nat anymore as for example Debian still does. So the solution for now is manually adding it as explained by @LayLow to make it persistent.

The iptables command runs in the provided container where nft is not available. I think I need to change/extend the container and add nft as proposed here. I’ll give it a try…

1 Like
15

I must say, the VPN simply works. Tried Android, MAC, Windows, Google Chromecast, Firestick

1 Like
16

@mrmarkuz could it be there needs additional performance finetuning to be done?

Without wg-easy vpn active I have a throughput of 300/300Mbps, and with wg-easy vpn active I only get around 20/20Mpbs performance, a HUGE difference.

1 Like
17

I can confirm about 20/20Mbps over Wireguard VPN using different devices.

Currently wireguard is configured to send all traffic to the vpn, this can be changed by the WG_ALLOWED_IPS env variable.
It seems changing the MTU can increase performance a lot, see also https://www.reddit.com/r/WireGuard/comments/153jgzw/wireguard_slows_1gbps_internet_down_to_30mbps/

Here are some perfomance tuning hints, we need to test them:

18

A little bit off topic, but see here: How do I prevent the administration page from being accessible from the Internet?

I guess you have to add the Wireguard network to the relevant files.

1 Like
19

Thanks, I tried that already, ranging from 1300 up to 1500 in small steps. If at all a change, it is for the worst.

1 Like
20

The difference with normal non VPN performance is so huge, it must be something obvious. Unfortunately I’n not a VPN/WG expert

21

can you post your test method please ?
I want to give it a try here.

Thanks in advanced.

22
  1. add iptable_nat to /etc/modules-load-d/iptable_nat.conf
  2. modprobe iptable_nat
  3. lsmod | grep iptable_nat
  4. install wg-easy module via software center
  5. add ‘MTU = 1420’ to /etc/wireguard/wg0.conf (default of wireguard)

→ testing commands
ip a show wg0 to show values of the wg0 adapter
ip link set dev wg0 mtu 1500 to set the various MTU values to test
ip -4 route show table all to look at all the routes (IPv4)

----> speedtest

With this I tried setting various MTU values with ip link set and the wg0 config file. Using Mac, Android WG clients and this device with build in WG client.

HTH

23

Maybe i misunderstood something here… :thinking:

Isn’t wg0 the wireguard device from Nethserver default installation ?
If i do wg show the output is:
interface: wg0
public key: xyz
private key: (hidden)
listening port: 55820

My downloaded config from wg-easy shows a peer port of 51820.
I thought the wg-easy “module” is somewhat of a container (even if it’s not shown with podman ps -a)?
If so, changing the MTU in /etc/wireguard/wg0.conf would do nothing, because this is not the interface for wg-easy connections.
My guess, changing the MTU for wg-easy has something to do with:

I might be wrong, i’m still learning…

1 Like