Wireguard support in Nethserver 7

@oneitonitram

Seems to be full of issues, too many to be of use…

Also:

It’s NOT an Inbound Firewall:

I prefer to use Wireguard on OPNsense, where a stable GUI is available…

My 2 cents
Andy

Firezone has a nice UI and is working out of the box. It uses one wireguard interface.
Unfortunately it needs a kernel upgrade, wireguard-dkms is not enough.

ouch!

Hi,

I have been trying to get Wireguard working on my lab NethServer by following the instructions from the Wiki but am having issues getting wg-manager to work. Initially, I missed the virtual host requirement but went back and created one. However, when I run this command:

config setprop wg-manager mysubdomain.mydomain.internal

I get the following result:

/sbin/e-smith/db dbfile setprop key prop1 val1 [prop2 val2] [prop3 val3] …

I tried copying the contents from /opt/wg-manager/build to my Virtual Host web root path and can reach the WireGuard Manager dashboard login but there is no response when I try sign-in using the credentials described in the Wiki.

What can I do to get wg-manager configured correctly?

I’m sorry, there were errors in the wiki, I corrected them. Thanks for pointing out.

To configure the virtualhost you need following commands:

config setprop wg-manager VirtualHost subdomain.domain.tld
signal-event nethserver-wireguard-update

The secret for admin is in /var/lib/nethserver/secrets/wg-manager, the path was wrong in the wiki.

Please also remove the virtualhost you created in server manager, it’s not needed and could cause issues.


Thank you Markus, that worked! I am able to authenticate now.


@mrmarkuz or @all, would you have an idea if the wiki procedure is still valid please? I am not sure how I can check if Wireguard is running, or which logs to check to troubleshoot, as the status shows as:

(screenshot of the status page, not reproduced)

Trying to get it to work with GL-MT300N-V2 / Mango - GL.iNet

Thanks in advance.

Unfortunately I don’t use the wiki as set up by @mrmarkuz but instead created my own configuration files, but I can confirm that if everything is set up correctly then connecting from a Mango certainly does work, as that’s what I use when travelling.

One thing to bear in mind, if the NS server is behind any kind of router, then you’ll have to forward the WG port.

Cheers.


Exactly my objective. Thanks for the verification!

If you’re still having issues, then post the 2 configurations for us to check. On NS I’m not sure where that is stored (see above that I don’t use the NS generated version), but you can display it on the console with: wg show.

You can also verify that the private/public key pairs are correct with: “wg pubkey < file.containing.privatekey”, which will print the corresponding public key.
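The key check suggested above can also be done without the wg binary, which is useful when the config lives on a box that does not have wireguard-tools installed. The following is an added example for this thread, not WireGuard or NethServer code: it implements X25519 (RFC 7748) in plain Python integers and derives the base64 public key exactly as `wg pubkey` does, so a [Peer] PublicKey can be checked against the private key it is supposed to come from. The key material is the RFC 7748 section 6.1 test vector, not a real key, and the arithmetic is not constant-time, so it is for checking configs offline only.

```python
"""Check that a WireGuard private key and the public key written into a peer
config really belong together, without the wg binary.  This is an added
example for this thread, not WireGuard or NethServer code: it implements
X25519 (RFC 7748) in plain Python integers, which is fine for checking
configs offline but is NOT constant-time, so do not use it for live DH.
Key material below is the RFC 7748 section 6.1 test vector, not a real key."""
import base64

P = 2**255 - 19   # Curve25519 field prime
A24 = 121665      # (486662 - 2) / 4, Montgomery ladder constant
BASE_U = 9        # u-coordinate of the base point


def _clamp(scalar_bytes: bytes) -> int:
    """RFC 7748 scalar decoding: clear the low 3 bits and bit 255, set bit 254."""
    k = bytearray(scalar_bytes)
    k[0] &= 248
    k[31] &= 127
    k[31] |= 64
    return int.from_bytes(k, "little")


def _decode_u(u_bytes: bytes) -> int:
    """Decode a received u-coordinate, ignoring the unused top bit."""
    u = bytearray(u_bytes)
    u[31] &= 127
    return int.from_bytes(u, "little")


def _cswap(swap: int, a: int, b: int):
    return (b, a) if swap else (a, b)


def x25519(scalar: bytes, u: int) -> int:
    """Montgomery ladder from RFC 7748 section 5; returns the u-coordinate of k*u."""
    k = _clamp(scalar)
    x1, x2, z2, x3, z3, swap = u, 1, 0, u, 1, 0
    for t in range(254, -1, -1):
        kt = (k >> t) & 1
        swap ^= kt
        x2, x3 = _cswap(swap, x2, x3)
        z2, z3 = _cswap(swap, z2, z3)
        swap = kt
        a = (x2 + z2) % P
        aa = a * a % P
        b = (x2 - z2) % P
        bb = b * b % P
        e = (aa - bb) % P
        c = (x3 + z3) % P
        d = (x3 - z3) % P
        da = d * a % P
        cb = c * b % P
        x3 = pow(da + cb, 2, P)
        z3 = x1 * pow(da - cb, 2, P) % P
        x2 = aa * bb % P
        z2 = e * (aa + A24 * e) % P
    x2, x3 = _cswap(swap, x2, x3)
    z2, z3 = _cswap(swap, z2, z3)
    return x2 * pow(z2, P - 2, P) % P   # x2 / z2 via Fermat inverse


def _key_bytes(key_b64: str) -> bytes:
    raw = base64.b64decode(key_b64, validate=True)
    if len(raw) != 32:
        raise ValueError("WireGuard keys are 32 bytes (44 base64 chars)")
    return raw


def wg_pubkey(private_b64: str) -> str:
    """Same result as `wg pubkey < privatekey`: base64(X25519(priv, 9))."""
    pub = x25519(_key_bytes(private_b64), BASE_U).to_bytes(32, "little")
    return base64.b64encode(pub).decode()


def keypair_matches(private_b64: str, public_b64: str) -> bool:
    """True if the PublicKey in a config block was derived from this private key."""
    return wg_pubkey(private_b64) == public_b64


def wg_dh(private_b64: str, peer_public_b64: str) -> str:
    """Raw X25519 agreement both ends compute (WireGuard feeds this into its handshake KDF)."""
    u = _decode_u(_key_bytes(peer_public_b64))
    return x25519(_key_bytes(private_b64), u).to_bytes(32, "little").hex()


# RFC 7748 section 6.1 test vector (Alice/Bob), base64-encoded the way wg genkey prints keys.
ALICE_PRIV_B64 = base64.b64encode(bytes.fromhex(
    "77076d0a7318a57d3c16c17251b26645df4c2f87ebc0992ab177fba51db92c2a")).decode()
ALICE_PUB_B64 = base64.b64encode(bytes.fromhex(
    "8520f0098930a754748b7ddcb43ef75a0dbf3a0d26381af4eba4a98eaa9b4e6a")).decode()
BOB_PRIV_B64 = base64.b64encode(bytes.fromhex(
    "5dab087e624a8a4b79e17f8b83800ee66f3bb1292618b6fd1c2f8b27ff88e0eb")).decode()
BOB_PUB_B64 = base64.b64encode(bytes.fromhex(
    "de9edb7d7b7dc1b4d35b61c2ece435373f8343c85b78674dadfc7e146f882b4f")).decode()
RFC_SHARED_HEX = "4a5d9d5ba4ce2de1728e3bf480350f25e07e21c947d19e3376f09b3c1e161742"

if __name__ == "__main__":
    print("alice pub ok:", keypair_matches(ALICE_PRIV_B64, ALICE_PUB_B64))
    print("bob pub ok:  ", keypair_matches(BOB_PRIV_B64, BOB_PUB_B64))
    print("dh agrees:   ", wg_dh(ALICE_PRIV_B64, BOB_PUB_B64) == wg_dh(BOB_PRIV_B64, ALICE_PUB_B64))
```

To check a real pair, paste the PrivateKey from the server's [Interface] and the PublicKey the client has in its [Peer] block into keypair_matches; a False there means the two sides will never complete a handshake no matter how the firewall is set.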

Thank you for your help. Exactly the questions I was hoping for.

wg show results in nothing. I enter the command and it returns to the prompt.

Good to know, my NS system:

  • Is a semi testing server
  • Fully up to date
  • has many modules installed (incl docker)
  • Has many interfaces: aqua0, br0, docker0, dummy0, eth0, vb-nsdc, lo, vethce09040
  • Is hosted with 1 real NIC and 1 dummy for the ‘internal network’

This is with wg installed and configured, server + 1 peer ‘mobile’. Food for thought?

Thanks!

Then the wireguard server hasn’t been started, as that’s when it creates the interface.

Sorry I can’t help much further, as I don’t use nethserver-wireguard, so don’t know how it operates internally.


Thanks anyways!

I installed WireGuard in NS, which turns out to be much trickier than on an Ubuntu server before.
The WireGuard network is up. “wg show” gives me this:
interface: wg0
  public key: … hidden here …
  private key: (hidden)
  listening port: 42310

peer: … hidden here …
  allowed ips: 10.10.10.2/32
  persistent keepalive: every 25 seconds

The server can ping itself (10.10.10.1), but not the peer.
“ping 10.10.10.2” gives me:
From 10.10.10.1 icmp_seq=8 Destination Host Unreachable
ping: sendmsg: Destination address required.
All help appreciated.

Did you install wireguard manually or did you install the module?

If you installed wg manually, you need to configure the firewall:


Hi @mrmarkuz,
yes, I installed WireGuard manually. Before that I tried your nethserver-wireguard package, but that did not work. The server part was marked green and the peer part remained red.
Since I had a working WireGuard configuration at hand I thought it would be easier to install manually. But even with the firewall rules in e-smith I don’t get any connection. The peer cannot even telnet to port 42310.
A general question: I have a dummy internal interface (green) and the interface from the VPS provider as red. Which one should go into the firewall rules? And is it correct that wg0 does not show up in the NS interfaces list?
One more question: ‘netstat -nlp’ shows port 42310 as listened on, but without any pid/app behind it. Looks strange to me.
Please help me to get this done.

I have a Wireguard server running on my NS which operates correctly. The above is exactly the same as I see for those commands.

Telnet is TCP, Wireguard is UDP.

Again, the same. I’m guessing it’s because Wireguard is kernel based.

Yes.

I have a similar setup, as my NS runs as a server behind my router, not as the router.

My firewall rules set via e-smith custom additions are as follows:

interface:
wg wg+

policy:
loc wg ACCEPT
wg loc ACCEPT
wg $FW ACCEPT
$FW wg ACCEPT
wg net ACCEPT

snat:
MASQUERADE - br0

zones:
wg ipv4

I then added an NS Service (as documented in the manuals for setting firewall rules) for my port on both red and green interfaces.

Cheers.


Thanks for your detailed response. But unfortunately nothing helps.
When trying to ping to the peer I get again and again “destination address required”.
Are there no logs telling me where the connection hangs?

You can only ping once a connection is made.

What does “wg” show on both sides following the connection from the peer?

Have you looked in the firewall log to ensure the connection isn’t being blocked there?

Cheers.

The connection is blocked indeed. How can I unblock the WireGuard port in all directions in the NS firewall?
With ufw it’s just ‘ufw allow port’, as easy as that.
Is it possible to replace shorewall with ufw?

The firewall log in NS gives me this:
Shorewall:net_dnat:DNAT:IN=eth0 OUT= MAC=c4:37:72:be:79:5f:3c:8c:93:7e:b4:40:08:00 SRC=87.78.169.105 DST=178.x.x.85 LEN=176 TOS=0x00 PREC=0x00 TTL=56 ID=10477 PROTO=UDP SPT=42310 DPT=42310 LEN=156
What does that tell me? The ping from the peer never arrives.
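A way to read lines like the one posted above, as an added example for this thread (not NethServer or Shorewall code): Shorewall prefixes every logged packet with "Shorewall:<chain>:<disposition>:" and then the kernel's key=value fields, so the chain and the disposition can be pulled out and the UDP packet classified against the WireGuard listen port. In the posted line the chain is net_dnat and the disposition is DNAT, which is a port-forward rule matching and logging the packet, not a drop; a real block would carry DROP or REJECT. POSTED_LINE is the line from the post (the poster's own masking of DST is kept); DROP_LINE is constructed here for contrast with a documentation IP and an assumed chain name.

```python
"""Read Shorewall/netfilter log lines like the one posted above and say what
happened to a WireGuard packet.  Added example for this thread, not NethServer
or Shorewall code.  Shorewall prefixes each logged packet with
"Shorewall:<chain>:<disposition>:", then the kernel's key=value fields.
POSTED_LINE is the line from the post (with the poster's own masking of DST
kept); DROP_LINE is constructed here for contrast, using a documentation IP and
an assumed chain name."""
import re
from typing import Dict, List, Optional, Tuple

PREFIX_RE = re.compile(r"Shorewall:(?P<chain>[^:\s]+):(?P<disp>[^:\s]+):(?P<rest>.*)")
KV_RE = re.compile(r"(\w+)=(\S*)")

POSTED_LINE = ("Shorewall:net_dnat:DNAT:IN=eth0 OUT= MAC=c4:37:72:be:79:5f:3c:8c:93:7e:b4:40:08:00 "
               "SRC=87.78.169.105 DST=178.x.x.85 LEN=176 TOS=0x00 PREC=0x00 TTL=56 ID=10477 "
               "PROTO=UDP SPT=42310 DPT=42310 LEN=156")
# Constructed for contrast: same shape, but a DROP in an assumed net-fw chain.
DROP_LINE = ("Shorewall:net-fw:DROP:IN=eth0 OUT= MAC=c4:37:72:be:79:5f:3c:8c:93:7e:b4:40:08:00 "
             "SRC=203.0.113.7 DST=178.x.x.85 LEN=176 TOS=0x00 PREC=0x00 TTL=56 ID=10478 "
             "PROTO=UDP SPT=42310 DPT=42310 LEN=156")


def parse_shorewall_line(line: str) -> Optional[Dict[str, str]]:
    """Return chain, disposition and every key=value field, or None for non-Shorewall lines.
    The IP header and the UDP header both log LEN=; the second one is kept as L4_LEN."""
    m = PREFIX_RE.search(line)
    if not m:
        return None
    fields = {"chain": m.group("chain"), "disposition": m.group("disp")}
    for key, val in KV_RE.findall(m.group("rest")):
        if key in fields:
            key = "L4_" + key
        fields[key] = val
    return fields


def split_mac_field(mac: str) -> Optional[Tuple[str, str, str]]:
    """netfilter's MAC= is 14 octets: destination MAC, source MAC, EtherType."""
    octets = mac.split(":")
    if len(octets) != 14:
        return None
    return ":".join(octets[:6]), ":".join(octets[6:12]), "".join(octets[12:])


def wireguard_verdict(fields: Dict[str, str], listen_port: int) -> str:
    """Classify a parsed line relative to a WireGuard listener on listen_port/udp."""
    if fields.get("PROTO") != "UDP" or fields.get("DPT") != str(listen_port):
        return "not-wireguard"
    disp = fields["disposition"]
    if disp in ("DROP", "REJECT"):
        return "blocked"
    if disp == "DNAT":
        return "port-forwarded"   # a DNAT rule matched and logged; the packet was not dropped here
    if disp == "ACCEPT":
        return "accepted"
    return "other:" + disp


def summarize(lines: List[str], listen_port: int) -> List[str]:
    """One summary line per Shorewall entry, handy when grepping the firewall log."""
    out = []
    for line in lines:
        f = parse_shorewall_line(line)
        if f is None:
            continue
        out.append(f"{f['chain']}/{f['disposition']}: {f.get('SRC')}:{f.get('SPT')} -> "
                   f"{f.get('DST')}:{f.get('DPT')} {f.get('PROTO')} in={f.get('IN')} "
                   f"=> {wireguard_verdict(f, listen_port)}")
    return out


if __name__ == "__main__":
    for s in summarize([POSTED_LINE, DROP_LINE, "kernel: unrelated message"], 42310):
        print(s)
```

Because the posted packet was port-forwarded rather than dropped, the next thing to look at is where the DNAT sent it: if the forward points at a LAN host instead of the firewall itself, the UDP datagram never reaches the kernel's wg0 listener, which would explain a peer that shows no handshake while the firewall log shows traffic arriving.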