Wireguard support in Nethserver 7

mrmarkuz · December 8, 2017, 1:19am

The wireguard centos 7 repo seems to be down

http://copr.fedorainfracloud.org/coprs/jdoss/wireguard/

mrmarkuz · December 9, 2017, 10:58pm

The repo is back up and working again.

Wanted to try from mobile but I have to come back later

Server seems to work but on client I get:

[root@testvm2 wireguard]# wg-quick up wg0
[#] ip link add wg0 type wireguard
RTNETLINK answers: Operation not supported
Unable to get device: Protocol not supported

Server:

[root@testserver wireguard]# wg-quick up wg0
[#] ip link add wg0 type wireguard
[#] wg setconf wg0 /dev/fd/63
[#] ip address add 10.0.0.1/24 dev wg0
[#] ip link set mtu 1420 dev wg0
[#] ip link set wg0 up
[#] iptables -A FORWARD -i wg0 -j ACCEPT; iptables -t nat -A POSTROUTING -o ens3
[root@testserver wireguard]# ifconfig
wg0: flags=209<UP,POINTOPOINT,RUNNING,NOARP>  mtu 1420
        inet 10.0.0.1  netmask 255.255.255.0  destination 10.0.0.1
        inet6 fe80::6175:2002:5bdf:7d00  prefixlen 64  scopeid 0x20<link>
        unspec 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00  txqueuelen 1  (UNSPEC)
        RX packets 0  bytes 0 (0.0 B)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 0  bytes 0 (0.0 B)
        TX errors 3  dropped 0 overruns 0  carrier 0  collisions 0

Configuration steps:

# Download jdoss wireguard repo
curl -Lo /etc/yum.repos.d/wireguard.repo https://copr.fedorainfracloud.org/coprs/jdoss/wireguard/repo/epel-7/jdoss-wireguard-epel-7.repo

# Install wireguard
yum -y install wireguard-dkms wireguard-tools

# Enable IP forward if not enabled
grep -qF "net.ipv4.ip_forward=1" "/etc/sysctl.conf" || echo "net.ipv4.ip_forward=1" >> "/etc/sysctl.conf"
sysctl -p

# Create wireguard dirs and keys
mkdir /etc/wireguard
cd /etc/wireguard
wg genkey | tee server-private.key | wg pubkey > server-public.key
wg genkey | tee client-private.key | wg pubkey > client-public.key

# Server conf
address=192.168.77.1/24
port=51820
interface=ens33
privatekey=$(cat /etc/wireguard/server-private.key)
publickey=$(cat /etc/wireguard/client-public.key)
allowedips=192.168.77.0/24
printf "[Interface]\nAddress = $address\nListenPort = $port\nPostUp = iptables -A FORWARD -i wg0 -j ACCEPT; iptables -t nat -A POSTROUTING -o $interface -j MASQUERADE\nPostDown = iptables -D FORWARD -i wg0 -j ACCEPT; iptables -t nat -D  POSTROUTING -o $interface -j MASQUERADE\nPrivateKey = $privatekey\nSaveConfig = true\n\n[Peer]\nPublicKey = $publickey\nAllowedIPs = $allowedips\n" > /etc/wireguard/wg0.conf

# Client conf
address=192.168.77.2/24
port=51820
interface=ens33
privatekey=$(cat /etc/wireguard/client-private.key)
publickey=$(cat /etc/wireguard/server-public.key)
allowedips=0.0.0.0/0
publicvpnip=1.2.3.4
printf "[Interface]\nAddress = $address\nListenPort = $port\nPostUp = echo UP\nPostDown = echo DOWN\nPrivateKey = $privatekey\nSaveConfig = true\n\n[Peer]\nPublicKey = $publickey\nAllowedIPs = $allowedips\nEndpoint = $publicvpnip:$port\n" > /etc/wireguard/wg1.conf

# Set permissions
chmod 700 server-*.key *.conf

# Firewall config
config set fw_wireguard service TCPPort 51820 access green,red status enabled
signal-event firewall-adjust

# Start up wireguard
wg-quick up wg0

devfx11 · December 14, 2017, 10:29am

This means your wireguard module is not functioning properly.
You can not create the wg0 interface due to that.

mrmarkuz · December 14, 2017, 11:26am

Thanks, I’ll give it another try when I find time…

roobyz · April 5, 2018, 5:00pm

Any luck getting wireguard working on Nethserver?

I’ve gotten wireguard to work from my PC, however I’m trying to connect Nethserver to my VPS and route all traffic from the green interface via wireguard, while traffic from the blue interface goes through the open internet. Seems like Shorewall is clobbering the traffic and dumping insane amounts of log messages to the console making almost impossible to debug. Any thoughts or suggestions? Thanks!

I’ve tried the following firewall rule without success:
config set fw_wireguard service status enabled TCPPorts 53 UDPPorts 53,51820 access green,red

mrmarkuz · April 20, 2018, 9:57pm

Hi @roobyz,

I could establish a wireguard connection between my Nethserver and my Android mobile device.

As you mentioned shorewall blocks so I had to create custom templates to create a new zone and an interface for wireguard and rules to allow the traffic:

mkdir -p /etc/e-smith/templates-custom/etc/shorewall/{zones,interfaces,rules}
echo "wg ipv4" > /etc/e-smith/templates-custom/etc/shorewall/zones/90wireguard
echo "wg wg0 optional" > /etc/e-smith/templates-custom/etc/shorewall/interfaces/90wireguard
echo -e "ACCEPT \$FW wg\nACCEPT wg \$FW" > /etc/e-smith/templates-custom/etc/shorewall/rules/90wireguard
signal-event firewall-adjust

EddieA · April 22, 2018, 2:09am

I just started to look at this, and while searching for an Android version came across AzireVPN who are offering their VPN for free (at the moment) for people to use via wireguard.

Cheers.

Exospecie · July 3, 2018, 1:44am

Has there been any traction on integrating wireguard directly in to NS? I would love to implement this where I work so we can abandon the rather poor Cisco solution that is currently in place.

m.traeumner · July 3, 2018, 8:41am

@dev_team Is there a plan to integrate it?

giacomo · July 3, 2018, 10:14am

I think for now 2 different implementations (well, 3 if we count roadwarrior and tunnels for OpenVPN) are enough.
If anyone wants to try creating an howto use, I will gladly help.

EddieA · July 3, 2018, 2:48pm

I’ve been playing with this for a while, so a couple of my observations:

While Wireguard runs as a kernel module, it still isn’t incorporated into the main tree, so it is currently installed by the DKMS framework. It could be built on a central machine and then just the module distributed.

The helper program, wg-quick, when setting up a client machine relies on an ip feature that doesn’t appear to be work correctly (at least not currently) in the version of iproute/kernel in the CentOS repositories. It issues a command using a suppressor: ‘ip -4 rule add table main suppress_prefixlength 0’, which is actually added to the routing as: ‘from all lookup main’, which completely breaks what is being attempted. So all updates to routing would have to be manually configured.

There is no concept of a roadwarrior service. All connections are PtoP and have to be configured as such.

Cheers.

Axel · February 18, 2019, 2:09pm

hello I am reading about WireGuard, did anybody try it with Nethserver ?

mrmarkuz · February 18, 2019, 2:13pm

It worked, see Wireguard support in Nethserver

Axel · February 18, 2019, 2:15pm

sounds good I like 2 try it

Axel · July 31, 2019, 8:09pm

Hello now WireGuard Windows is there (i think a beta).
did anybody try to use it, as a windows client ?

Neustradamus · November 27, 2019, 5:18pm

A package is planned?

dnutan · November 27, 2019, 5:35pm

No planned roadmap. Voluntarily contributing to the community:

Neustradamus · December 11, 2019, 9:22am

For your informations:

NLS · December 11, 2019, 11:58am

Hope to see it in NS.
But is not super important to me because upcoming version of my NS’s host (unRAID) is going to implement it anyway.
Still, cool addition for an “AiO” server like NS.

mrmarkuz · December 11, 2019, 12:35pm

I started to work on it some time ago:

I am going to recheck and report…