Wireguard support in Nethserver 7

The opinion of a firewall builder about WireGuard.
Take a tea or some long soft drink before starting.

(it’s a bit biased, but I think it makes some points)

And Firefox published Firefox VPN.

Firefox Private Network

Beta app for USA market, currently

Based on Wireguard…

Yea,
it looks easier and not meant for complex work. It’s like VM vs Docker :grin::grin: but we still need a serverless one :wink:

Thanks for volunteering to develop the solution in NethServer, @Zaman.

Hi all, new test user here. I am planning/hoping to migrate to Nethserver from a well-running 9-year-old MacOS Server running several websites, Nextcloud, low volume email and fileserver, all of which get traffic via a Wireguard PersistentKeepalive tunnel from a DigitalOcean VPS with static IP running as a gateway.

I have been watching this thread for a year now and have tried to follow the posts that it “works” but am having no luck figuring it out. Wireguard is set up and starts with no errors, but can’t ping anything when it’s up. It may be I don’t fully understand Nethserver’s networking/firewall yet.

Has anyone had any more luck with this recently or have any new tips? Is it even possible to connect my Nethserver (as a peer/client) to my Wireguard gateway?

Hi,

welcome to Nethserver Community.

Here are the relevant firewall settings:

# Firewall config (WireGuard listens on UDP, so the service record needs UDPPort, not TCPPort)
config set fw_wireguard service UDPPort 51820 access green,red status enabled
signal-event firewall-adjust

and Wireguard support in Nethserver

If the Nethserver is behind a router you may need static routes on the router:

That sounds like you are using NS as the client side. If so, then you may have to specify a listen port, as opposed to letting Wireguard pick a random one, in the peer stanza and also open it to the firewall instead of 51820 as shown by mrmarkuz above.

*** Update ***
Sorry, that should be “in the interface stanza”, not the peer.

But also another question. Is this just a client to the VPS, or does the VPS also act as a client to an NS server? In other words, is there a separate tunnel in each direction?

Cheers.

Thanks, yes that’s the # firewall config that you posted before that I have been trying to use… I will study up on the static routes and try again.

Unfortunately, every time I mess with it, I lose all connectivity and have to go to the server and reset. I may just do a clean install and start over because I probably have it too far gone at this point.

Thanks for your help. Not sure I understand your question.

The nethserver should be the “client” of the VPS, but of course the traffic would go both ways in that tunnel. IPtables on the VPS sends the web/mail server traffic to the Wireguard IP on the nethserver. It’s a way to keep the static IP the same no matter where the server is located and get past whatever port limitations may be on the local ISP connection. And the nethserver should send the replies back through the Wireguard tunnel.

Correct that in a VPN tunnel the traffic goes in both directions, but only 1 side initiates the traffic, which is the client. All the traffic from the other side, the server, will be a reply to whatever is received. It will never send unsolicited traffic to the client.

So I was just verifying that the only server that initiates the traffic is NS, the client, and that you were not expecting the VPS to initiate any unsolicited contact to NS. If that were the case, then both servers would need to run a Wireguard server.

If that is the case, then you need what I mentioned previously. Add the ListenPort parameter to the interface stanza, so the server will always send its replies there, and use that port number to open the firewall rules, which BTW would only be needed on the red interface if the Wireguard client is NS itself and not another server behind it, in the LAN space.

Cheers.
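The ListenPort point above, as an added example that is not part of this thread or of the nethserver-wireguard module: a small Python linter for a wg-quick client config that flags a missing ListenPort or PersistentKeepalive and prints the e-smith commands to open that port on the red zone (WireGuard is UDP, so the service record uses UDPPort). The hostname and keys in the sample config are placeholders and the config itself is constructed.

```python
"""Lint a wg-quick client config for this thread's pitfalls (no ListenPort, no
PersistentKeepalive) and emit matching NethServer firewall commands. Added
example, not nethserver-wireguard code; the sample config below is constructed."""

def parse_wg_conf(text):
    """Return (interface, peers) dicts; keys lower-cased, '#' comments dropped."""
    interface, peers, current = {}, [], None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line[0] == "[":                       # [Interface] or [Peer] header
            current = interface if line.lower() == "[interface]" else {}
            if current is not interface:
                peers.append(current)
            continue
        key, sep, value = line.partition("=")
        if current is None or not sep:
            raise ValueError(f"malformed line {raw!r}")
        current[key.strip().lower()] = value.strip()
    return interface, peers

def check_client_conf(text):
    """Findings that leave the tunnel 'up' but unable to pass traffic."""
    interface, peers = parse_wg_conf(text)
    findings = []
    if "listenport" not in interface:   # wg picks a random port: no fixed rule matches
        findings.append("Interface: no ListenPort, server replies hit a random UDP port")
    for n, peer in enumerate(peers, 1):
        if "persistentkeepalive" not in peer:
            findings.append(f"Peer {n}: no PersistentKeepalive, NAT mapping may expire")
    return findings

def nethserver_firewall_cmds(text, access="red"):
    """e-smith commands opening the ListenPort; WireGuard is UDP, hence UDPPort."""
    interface, _ = parse_wg_conf(text)
    port = int(interface["listenport"])          # KeyError means: fix the config first
    return [f"config set fw_wireguard service status enabled UDPPort {port} access {access}",
            "signal-event firewall-adjust"]

CLIENT_CONF = """[Interface]
PrivateKey = <client-private-key-placeholder>
Address = 10.8.0.2/24
ListenPort = 51821
[Peer]
PublicKey = <vps-public-key-placeholder>
Endpoint = vps.example.net:51820   # placeholder hostname
AllowedIPs = 10.8.0.0/24
PersistentKeepalive = 25
"""
```

Running `check_client_conf` on a config without ListenPort reports the random-port problem before any firewall rule is written, which is the "tunnel up but nothing pings" symptom described earlier in the thread.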

How to install and use this wireguard module?

The module is not finished yet.

Howto is in this thread:

Ok, but how to install the module files?

It’s explained here:

curl -o /etc/yum.repos.d/jdoss-wireguard-epel-7.repo https://copr.fedorainfracloud.org/coprs/jdoss/wireguard/repo/epel-7/jdoss-wireguard-epel-7.repo
yum install wireguard-dkms wireguard-tools

See also the wireguard page.

I am trying to get a fixed IP with a VPS using Wireguard. Should I change the zone to red to have two WANs, one for general outgoing traffic and one for incoming traffic for SMTP and other services, or should I use a separate zone?

I used a separate zone, as OpenVPN and IPsec do.

Another example where a separate zone is used:

https://bbs.archlinux.org/viewtopic.php?id=242270

How to install from this link? https://github.com/mrmarkuz/nethserver-wireguard

Sorry, it’s still not finished…
You need to compile it. I can compile the module and provide it on my server as a base for your tests, if you like.

Yes please.
By the way: How to compile it? Are there any scripts?

You need a dev environment:

https://wiki.nethserver.org/doku.php?id=developer:developer_howto

Here’s some information about building RPMs:

https://docs.nethserver.org/projects/nethserver-devel/en/latest/building_rpms.html

For the package to work you need to install an external repository, see Wireguard documentation.
I used the dkms package option some time ago, maybe there’s a better option nowadays.

Installation:

curl -o /etc/yum.repos.d/jdoss-wireguard-epel-7.repo https://copr.fedorainfracloud.org/coprs/jdoss/wireguard/repo/epel-7/jdoss-wireguard-epel-7.repo
yum install https://mrmarkuz.dynu.net/mirror/devtest/nethserver-wireguard-1.0.0-1.ns7.noarch.rpm