Wireguard support in Nethserver 7

devfx11 · July 31, 2017, 9:38am

Hi

I don’t know how many of you know Wireguard ?

It is a relatively new VPN. I have used it this year with multiple linux distributions.
I would like to know if we could implement it somehow in Nethserver.
That would be awesome.
It is a new thing but i think this will be the future of VPNs, at least i hope so

It seems that it is this simple to install it on CentOS:

Fedora / CentOS [module & tools – v0.0.20170706 – out of date]

$ sudo dnf copr enable jdoss/wireguard
$ sudo dnf install wireguard-dkms wireguard-tools

I have yet to test it.
I will be setting up a VPN server soon and i will give it a shot then.

Let me know about your thoughts on this.

m.traeumner · July 31, 2017, 9:51am

Sound good, I missed a fast VPN a long time.

Jclendineng · November 29, 2017, 2:18pm

BUMP

Wireguard is fantastic in concept, a lot less code for easier audits (openvpn has more holes than swiss cheese), a lot smaller attack surface, new crypto that is way better than OpenVPN and IPSec which are all out of the '90’s. 10 or more times faster, more secure, runs in the linux kernel not userspace for faster, more secure transmission, as well as not duplicating packets. Openvpn basically duplicates a lot of stuff and send out a lot of data that it doesn’t need to, because its not a kernel app. Wireguard has been approved and audited by the linux kernel devs, and the reason for the bump is the devs now have a very easy way to integrate into linux systems and phones. This means that android/ios phones will soon have built in support for wireguard, and soon other vpn providers will support it as well. Its very easy to set up a personal server, all we would need is a proper front-end on nethserver. Very exciting development in VPN’s!

devfx11 · December 7, 2017, 11:36am

Yep its nice and getting better and better.
I wouldn’t say that OpenVPN is very bad
I would choose it anytime over IPSec.

You wrote :
“Its very easy to set up a personal server, all we would need is a proper front-end on nethserver. Very exciting development in VPN’s!”

Last time i had difficulties on CentOS 7
But it’s getting there and looks very promising.
How does one build a front-end on Nethserver ?
I have already set up many wireguard tunnels its not even hard its super easy !

First you need to install the wireguard module and the wireguard-tools userland utilites .
Make sure it is working properly.
As i said last time i tried it i had problem on CentOS 7.

Lack of time to test on Nethserver

On the server side you need to have ip forwarding enabled.

$ nano /etc/sysctl.conf
net.ipv4.ip_forward=1

$ sysctl -p
$ mkdir /etc/wireguard/
$ cd /etc/wireguard
$ wg genkey | tee server-private.key | wg pubkey > server-public.key
$ nano /etc/wireguard/wg0.conf
[Interface]
Address = 192.168.199.1/24
ListenPort = 51820
PostUp = iptables -A FORWARD -i wg0 -j ACCEPT; iptables -t nat -A POSTROUTING -o NIC1 -j MASQUERADE
PostDown = iptables -D FORWARD -i wg0 -j ACCEPT; iptables -t nat -D POSTROUTING -o NIC1 -j MASQUERADE
PrivateKey = SERVER_PRIVATE_KEY
SaveConfig = true

[Peer]
PublicKey = CLIENT_PUBLIC_KEY
AllowedIPs = 192.168.199.2/32

$ chmod 700 server-*.key /etc/wireguard/wg0.conf
$ wg-quick up wg0
$ wg show

On the client side :
$ mkdir /etc/wireguard
$ cd /etc/wireguard
$ wg genkey | tee client-private.key | wg pubkey > client-public.key
$ nano /etc/wireguard/wg0.conf
[Interface]
Address = 192.168.199.2
PostUp = echo UP
PostDown = echo DOWN
PrivateKey = CLIENT_PRIVATE_KEY

[Peer]
PublicKey = SERVER_PUB_KEY
AllowedIPs = 0.0.0.0/0
Endpoint = PUBLIC_VPN_IP:51820

$ chmod 700 client-*.key /etc/wireguard/wg0.conf
$ wg-quick up wg0
$ wg show

And it is easy as that to set up a wireguard vpn
You can throw wg genpsk into the mix to make it even more secure.
Then just add that as PresharedKey = on both sides to the INTERFACE part.
Also be sure to change NIC1 to your eth0 or whatever your Network Interace is on the server.
Adding new clients its as easy as with one.
Just keep adding clients to the server config and create new clients as above.

https://git.zx2c4.com/WireGuard/about/src/tools/wg.8

edit : you must enter the long keys into the wg0.conf file , i just stored them for later use or for whatever reason

mrmarkuz · December 7, 2017, 1:10pm

http://nethserver.github.io/nethgui/Documentation/Api/index.html
https://wiki.nethserver.org/doku.php?id=developer

I’ll give it a try when I find time…

mrmarkuz · December 7, 2017, 3:33pm

I tried to install but got the following error, @devfx11 do you know what to do?

[root@testserver ~]# wg-quick up wg0
[#] ip link add wg0 type wireguard
[#] wg setconf wg0 /dev/fd/63
Key is not the correct length or format: `/etc/wireguard/server-private.key'
Configuration parsing error
[#] ip link delete dev wg0
[root@testserver wireguard]# cat server-private.key
YBzjPYaJFTZqn0u1xpLsb33qucPeVvm47Rt7+On8fXE=

I installed wireguard and followed your instructions:

curl -Lo /etc/yum.repos.d/wireguard.repo https://copr.fedorainfracloud.org/coprs/jdoss/wireguard/repo/epel-7/jdoss-wireguard-epel-7.repo
yum install wireguard-dkms wireguard-tools
echo "net.ipv4.ip_forward=1" >> /etc/sysctl.conf
sysctl -p
mkdir /etc/wireguard
cd /etc/wireguard
wg genkey | tee server-private.key | wg pubkey > server-public.key
wg genkey | tee client-private.key | wg pubkey > client-public.key  # just to have test client keys
printf "[Interface]\nAddress = 192.168.1.187/24\nListenPort = 51820\nPostUp = iptables -A FORWARD -i wg0 -j ACCEPT; iptables -t nat -A POSTROUTING -o NIC1 -j MASQUERADE\nPostDown = iptables -D FORWARD -i wg0 -j ACCEPT; iptables -t nat -D POSTROUTING -o NIC1 -j MASQUERADE\nPrivateKey = /etc/wireguard/server-private.key\nSaveConfig = true\n\n[Peer]\nPublicKey = /etc/wireguard/client-public.key\nAllowedIPs = 192.168.1.155/32\n" > /etc/wireguard/wg0.conf
chmod 700 *.key /etc/wireguard/wg0.conf
wg-quick up wg0

devfx11 · December 7, 2017, 10:31pm

You must actually enter the long keys not the files they are stored in.
You don’t need to store them in any files.
Sorry if I wasn’t clear enough

Make sure you change your keys after posting them online

mrmarkuz · December 7, 2017, 10:41pm

I just shouldn’t believe in false assumptions, I was absolutely sure a file is needed here

Thanks for pointing this out. I’ll go on with wireguard asap. I’d like to win at least a howto (you started already) out of this feature request, so others may try it and share their experiences…

devfx11 · December 7, 2017, 11:39pm

No worries
By the time they get wireguard into kernel (hope it makes it into kernel soon)
We will finish the nethserver-wireguard feature too

mrmarkuz · December 8, 2017, 1:19am

The wireguard centos 7 repo seems to be down

http://copr.fedorainfracloud.org/coprs/jdoss/wireguard/

mrmarkuz · December 9, 2017, 10:58pm

The repo is back up and working again.

Wanted to try from mobile but I have to come back later

Server seems to work but on client I get:

[root@testvm2 wireguard]# wg-quick up wg0
[#] ip link add wg0 type wireguard
RTNETLINK answers: Operation not supported
Unable to get device: Protocol not supported

Server:

[root@testserver wireguard]# wg-quick up wg0
[#] ip link add wg0 type wireguard
[#] wg setconf wg0 /dev/fd/63
[#] ip address add 10.0.0.1/24 dev wg0
[#] ip link set mtu 1420 dev wg0
[#] ip link set wg0 up
[#] iptables -A FORWARD -i wg0 -j ACCEPT; iptables -t nat -A POSTROUTING -o ens3
[root@testserver wireguard]# ifconfig
wg0: flags=209<UP,POINTOPOINT,RUNNING,NOARP>  mtu 1420
        inet 10.0.0.1  netmask 255.255.255.0  destination 10.0.0.1
        inet6 fe80::6175:2002:5bdf:7d00  prefixlen 64  scopeid 0x20<link>
        unspec 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00  txqueuelen 1  (UNSPEC)
        RX packets 0  bytes 0 (0.0 B)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 0  bytes 0 (0.0 B)
        TX errors 3  dropped 0 overruns 0  carrier 0  collisions 0

Configuration steps:

# Download jdoss wireguard repo
curl -Lo /etc/yum.repos.d/wireguard.repo https://copr.fedorainfracloud.org/coprs/jdoss/wireguard/repo/epel-7/jdoss-wireguard-epel-7.repo

# Install wireguard
yum -y install wireguard-dkms wireguard-tools

# Enable IP forward if not enabled
grep -qF "net.ipv4.ip_forward=1" "/etc/sysctl.conf" || echo "net.ipv4.ip_forward=1" >> "/etc/sysctl.conf"
sysctl -p

# Create wireguard dirs and keys
mkdir /etc/wireguard
cd /etc/wireguard
wg genkey | tee server-private.key | wg pubkey > server-public.key
wg genkey | tee client-private.key | wg pubkey > client-public.key

# Server conf
address=192.168.77.1/24
port=51820
interface=ens33
privatekey=$(cat /etc/wireguard/server-private.key)
publickey=$(cat /etc/wireguard/client-public.key)
allowedips=192.168.77.0/24
printf "[Interface]\nAddress = $address\nListenPort = $port\nPostUp = iptables -A FORWARD -i wg0 -j ACCEPT; iptables -t nat -A POSTROUTING -o $interface -j MASQUERADE\nPostDown = iptables -D FORWARD -i wg0 -j ACCEPT; iptables -t nat -D  POSTROUTING -o $interface -j MASQUERADE\nPrivateKey = $privatekey\nSaveConfig = true\n\n[Peer]\nPublicKey = $publickey\nAllowedIPs = $allowedips\n" > /etc/wireguard/wg0.conf

# Client conf
address=192.168.77.2/24
port=51820
interface=ens33
privatekey=$(cat /etc/wireguard/client-private.key)
publickey=$(cat /etc/wireguard/server-public.key)
allowedips=0.0.0.0/0
publicvpnip=1.2.3.4
printf "[Interface]\nAddress = $address\nListenPort = $port\nPostUp = echo UP\nPostDown = echo DOWN\nPrivateKey = $privatekey\nSaveConfig = true\n\n[Peer]\nPublicKey = $publickey\nAllowedIPs = $allowedips\nEndpoint = $publicvpnip:$port\n" > /etc/wireguard/wg1.conf

# Set permissions
chmod 700 server-*.key *.conf

# Firewall config
config set fw_wireguard service TCPPort 51820 access green,red status enabled
signal-event firewall-adjust

# Start up wireguard
wg-quick up wg0

devfx11 · December 14, 2017, 10:29am

This means your wireguard module is not functioning properly.
You can not create the wg0 interface due to that.

mrmarkuz · December 14, 2017, 11:26am

Thanks, I’ll give it another try when I find time…

roobyz · April 5, 2018, 5:00pm

Any luck getting wireguard working on Nethserver?

I’ve gotten wireguard to work from my PC, however I’m trying to connect Nethserver to my VPS and route all traffic from the green interface via wireguard, while traffic from the blue interface goes through the open internet. Seems like Shorewall is clobbering the traffic and dumping insane amounts of log messages to the console making almost impossible to debug. Any thoughts or suggestions? Thanks!

I’ve tried the following firewall rule without success:
config set fw_wireguard service status enabled TCPPorts 53 UDPPorts 53,51820 access green,red

mrmarkuz · April 20, 2018, 9:57pm

Hi @roobyz,

I could establish a wireguard connection between my Nethserver and my Android mobile device.

As you mentioned shorewall blocks so I had to create custom templates to create a new zone and an interface for wireguard and rules to allow the traffic:

mkdir -p /etc/e-smith/templates-custom/etc/shorewall/{zones,interfaces,rules}
echo "wg ipv4" > /etc/e-smith/templates-custom/etc/shorewall/zones/90wireguard
echo "wg wg0 optional" > /etc/e-smith/templates-custom/etc/shorewall/interfaces/90wireguard
echo -e "ACCEPT \$FW wg\nACCEPT wg \$FW" > /etc/e-smith/templates-custom/etc/shorewall/rules/90wireguard
signal-event firewall-adjust

EddieA · April 22, 2018, 2:09am

I just started to look at this, and while searching for an Android version came across AzireVPN who are offering their VPN for free (at the moment) for people to use via wireguard.

Cheers.

Exospecie · July 3, 2018, 1:44am

Has there been any traction on integrating wireguard directly in to NS? I would love to implement this where I work so we can abandon the rather poor Cisco solution that is currently in place.

m.traeumner · July 3, 2018, 8:41am

@dev_team Is there a plan to integrate it?

giacomo · July 3, 2018, 10:14am

I think for now 2 different implementations (well, 3 if we count roadwarrior and tunnels for OpenVPN) are enough.
If anyone wants to try creating an howto use, I will gladly help.

EddieA · July 3, 2018, 2:48pm

I’ve been playing with this for a while, so a couple of my observations:

While Wireguard runs as a kernel module, it still isn’t incorporated into the main tree, so it is currently installed by the DKMS framework. It could be built on a central machine and then just the module distributed.

The helper program, wg-quick, when setting up a client machine relies on an ip feature that doesn’t appear to be work correctly (at least not currently) in the version of iproute/kernel in the CentOS repositories. It issues a command using a suppressor: ‘ip -4 rule add table main suppress_prefixlength 0’, which is actually added to the routing as: ‘from all lookup main’, which completely breaks what is being attempted. So all updates to routing would have to be manually configured.

There is no concept of a roadwarrior service. All connections are PtoP and have to be configured as such.

Cheers.