[WireGuard] Virtual Private Network

WireGuard for YunoHost

:warning: :bug: The app has been tested on at least two servers, but still fails continuous integration tests.
:warning: :construction: Read the whole thread carefully, some limitations are present.


WireGuard® is an extremely simple yet fast and modern VPN that utilizes state-of-the-art cryptography. It aims to be faster, simpler, leaner, and more useful than IPsec, while avoiding the massive headache. It intends to be considerably more performant than OpenVPN.
https://www.wireguard.com/


Features

  • WireGuard’s Linux package with its standard features
  • WireGuard UI, an unofficial management web app to configure the server and create client credentials.

Installation

This WireGuard package can be installed through:

  • :construction: Install WireGuard with YunoHost
  • :construction: YunoHost’s webadmin, in the Community listing
  • YunoHost’s CLI: yunohost app install https://github.com/YunoHost-Apps/wireguard_ynh.

Required parameters are:

  • domain
  • :construction: path: leave it to / for the time being, the web UI can only be installed at the root of the domain
  • admin, among YunoHost’s users

After installation, open your browser to WireGuard’s page. You can configure the server, and manage clients whose credentials can be downloaded or read as a QR code.

Client software can be found on the installation page of WireGuard’s website. Mobile clients are available on the Play Store, F-Droid, and the App Store.

Configuration

WireGuard can be configured via the non-official web UI. Avoid altering the configuration files via the command line, though.

If you are behind a modem or an ISP box, open WireGuard’s port in its firewall. The port number can be found in the Listen Port field, under the WireGuard Server menu. Do not alter it; it has been assigned by your YunoHost server.

If you want to allow Internet connection through the server (usual use case for a VPN), see below:

Routing instructions for server

Copy the following commands into the WireGuard Server menu, and replace eth0 with the interface connected to the Internet. If you do not know it, check with the command ip a.

Save and apply configuration to restart the server after setting up the commands.

Post Up Script

iptables -A FORWARD -i %i -j ACCEPT; iptables -A FORWARD -o %i -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

Post Down Script

iptables -D FORWARD -i %i -j ACCEPT; iptables -D FORWARD -o %i -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE

Documentation

YunoHost specific features

Multi-user support

  • Are LDAP and HTTP auth supported? No, use YunoHost permissions panel to allow users to access the web UI.
  • Can the app be used by multiple users? Yes, any user allowed to access the web UI will be able to alter the VPN settings and access the clients’ credentials.

Supported architectures

:warning: During the installation, WireGuard will add its own kernel module.

  • x86-64
  • ARMv8-A :warning: Not tested, may break your system.

Limitations

  • :construction: The web UI can only be installed at the root of a domain.
    • I have opened an issue in the upstream app about it.
  • :construction: Only one network interface, wg0, can be created with this app.
    • I will investigate the possibility to have the app installed multiple times, one instance per interface. Or maybe the web UI could handle multiple interfaces.

Troubleshooting

Feel free to post about it in this thread or on Github (preferred). Remember to add your logs and error messages to help me help you help us all. :robot:

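The routing step above asks you to swap eth0 for your real uplink and to paste two long iptables lines that must mirror each other exactly. The script below is an added example written for this thread; it is not part of the wireguard_ynh app or the WireGuard UI. It reads the uplink from the default route instead of guessing, and renders the Post Up (-A) and Post Down (-D) scripts from one template so they cannot drift apart. It also renders a scoped variant that only forwards traffic from the VPN subnet and only lets reply traffic back into the tunnel, since the plain rules turn the server into an unrestricted router for every client. The sample `ip route` line and the 10.10.10.0/24 mask are constructed here (the thread names the 10.10.10.0 range without a mask); `%i` is left literal because wg-quick substitutes the tunnel name itself.

```shell
#!/bin/sh
# Added example for the wireguard_ynh thread; not part of the app or the web UI.
# Derives the Internet-facing interface from the default route and renders the
# Post Up / Post Down scripts with it, keeping -A and -D rules symmetric.
# %i stays literal: wg-quick replaces it with the tunnel interface (wg0).

# Print the interface carrying the default route. Reads `ip route show default`
# text from stdin so the same logic also runs on captured output.
uplink_from_routes() {
    awk '$1 == "default" {
            for (i = 1; i <= NF; i++) if ($i == "dev") { print $(i + 1); exit }
         }'
}

# Render one Post script. $1 is A (append, Post Up) or D (delete, Post Down),
# $2 the uplink interface, optional $3 the VPN subnet. Without $3 the output is
# exactly the thread's command; with $3 forwarding is limited to the VPN subnet
# and only RELATED/ESTABLISHED replies are forwarded back into the tunnel.
render_post_script() {
    action=$1
    uplink=$2
    vpn_net=${3:-}
    if [ -z "$vpn_net" ]; then
        printf 'iptables -%s FORWARD -i %%i -j ACCEPT; iptables -%s FORWARD -o %%i -j ACCEPT; iptables -t nat -%s POSTROUTING -o %s -j MASQUERADE\n' \
            "$action" "$action" "$action" "$uplink"
    else
        printf 'iptables -%s FORWARD -i %%i -s %s -j ACCEPT; iptables -%s FORWARD -o %%i -d %s -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT; iptables -t nat -%s POSTROUTING -s %s -o %s -j MASQUERADE\n' \
            "$action" "$vpn_net" "$action" "$vpn_net" "$action" "$vpn_net" "$uplink"
    fi
}

# Constructed sample of `ip route show default` for the enp3s0 host in the thread.
SAMPLE_ROUTES='default via 192.168.1.1 dev enp3s0 proto dhcp metric 100'
# Assumed VPN subnet: the thread names the 10.10.10.0 range without a mask.
VPN_NET='10.10.10.0/24'

main() {
    uplink=''
    if command -v ip >/dev/null 2>&1; then
        uplink=$(ip route show default 2>/dev/null | uplink_from_routes)
    fi
    if [ -z "$uplink" ]; then
        echo "no default route found; using the constructed sample" >&2
        uplink=$(printf '%s\n' "$SAMPLE_ROUTES" | uplink_from_routes)
    fi
    echo "Uplink interface: $uplink"
    echo "Post Up Script:";   render_post_script A "$uplink"
    echo "Post Down Script:"; render_post_script D "$uplink"
    echo "Scoped to $VPN_NET (Post Up):";   render_post_script A "$uplink" "$VPN_NET"
    echo "Scoped to $VPN_NET (Post Down):"; render_post_script D "$uplink" "$VPN_NET"
}

main "$@"
```

Paste the rendered lines into the Post Up and Post Down fields, then Save and Apply. If you use the scoped variant, the subnet must match the one set in the WireGuard Server menu, otherwise client traffic is silently dropped in FORWARD.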

Hello !
Thanks for the app :smiley:
I tested it yesterday, without success.

I installed the app at the root of its own domain, redirected port 8095 on my box, created a client and flashed the code on my phone (using the WireGuard app)
I also copy/pasted the 2 conf for routing (even if I don’t understand what this means) without success.

Do I have some more configuration to do? (like adapting the server IP interface?)

Hi, and thanks for trying it out. :slight_smile: Good point regarding the VPN port behind a modem/box, I will add that to the Configuration! Regarding the routing commands, they are to allow Internet connection through the VPN, it will only allow clients to talk to each other without it.

So, when you say you tested it without success, either you cannot connect to the VPN with your phone (error upon connection), or you cannot access the Internet after connecting to it? What’s the error message?

First ideas:

  1. Easy one, but I forgot twice about it already: do not forget to Apply changes (top right corner) after either altering the clients or the server configuration.
  2. Can you check that your wg0 interface is up with ip a in your terminal? What’s the output regarding wg0? Check that you do not have a conflict with IP addresses. By default I set the VPN addresses to the 10.10.10.0 range, but indeed you can change it if needed.

I thought about saving.
In the WireGuard app on my phone, there is a continuous log:

peer(ABCD…XYZ) - Sending handshake initiation
peer(ABCD…XYZ) - Handshake did not compleet after 5 seconds, retrying (try 2)
peer(ABCD…XYZ) - Sending handshake initiation
peer(ABCD…XYZ) - Handshake did not compleet after 5 seconds, retrying (try 2)

When I run ip a I do not have any other endpoint

1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host 
       valid_lft forever preferred_lft forever
2: enp3s0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
    link/ether f4:4d:30:66:6b:39 brd ff:ff:ff:ff:ff:ff
    inet 192.168.1.101/24 brd 192.168.1.255 scope global dynamic noprefixroute enp3s0
       valid_lft 56853sec preferred_lft 56853sec

(then multiple ipv6)

Do I have to change the VPN addresses to match my local network?

I tried with 192.168.1.120/28 (then deleted user, re created it, same on my phone)
Same result about handshake.

Oh, weird. The wg0 interface is missing.

  1. Try running sudo wg-quick up wg0 and report any error.
  2. That will not solve your problem, but prevent a subsequent one with Internet connection. Have you replaced eth0 by enp3s0 in the Post Up and Down commands?

[#] ip link add wg0 type wireguard
RTNETLINK answers: Operation not supported
Unable to access interface: Protocol not supported
[#] ip link delete dev wg0
Cannot find device "wg0"

And yes, I replaced eth0 with enp3s0

Somehow the WireGuard installation was not complete. What is your server hardware? Did you have warnings or errors during the installation of the app? After a quick search, let’s try: sudo modprobe wireguard and try sudo wg-quick up wg0 again.

If that fails, I will need some time to investigate.

modprobe: FATAL: Module wireguard not found in directory /lib/modules/4.19.0-11-amd64

But I remember having a 3rd interface yesterday evening

Here is the install log: https://paste.yunohost.org/pimobiboca
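The exchange above walks through the checks by hand: is wg0 up (ip a), what does wg-quick up wg0 say, does modprobe find a module for the running kernel. The script below is an added example written for this thread, not part of the wireguard_ynh app, that runs the same checks in order and classifies the wg-quick and modprobe messages pasted above so a log can be triaged before anyone touches the server. The "File exists" case is my addition (it is what ip link add prints when wg0 already exists and is not from the thread); the /boot/config-* and /proc/modules paths assume a standard Debian layout like the 4.19.0-11-amd64 host in the thread.

```shell
#!/bin/sh
# Added example for the troubleshooting exchange in this thread; not part of the
# wireguard_ynh app. Reproduces the maintainer's checks (module present, wg0 up)
# and classifies wg-quick / modprobe output so pasted logs can be triaged.

# Map captured wg-quick or modprobe output ($1) to a one-token cause.
classify_wg_failure() {
    case "$1" in
        "")
            echo "ok" ;;                      # no error output at all
        *"Module wireguard not found"*|*"Operation not supported"*|*"Protocol not supported"*)
            echo "kernel-module-missing" ;;   # no wireguard module for the running kernel
        *"RTNETLINK answers: File exists"*)
            echo "interface-already-up" ;;    # ip link add refused: wg0 exists, use `wg show wg0`
        *)
            echo "unknown" ;;
    esac
}

# Live check of the host: is a WireGuard module built in, loaded, or at least
# installed for the kernel that is actually running? WireGuard is in mainline
# since Linux 5.6; older kernels (the thread's 4.19) need an out-of-tree module
# built for exactly `uname -r`, which is what the modprobe message above is about.
module_status() {
    kver=$(uname -r)
    if [ -r "/boot/config-$kver" ] && grep -q '^CONFIG_WIREGUARD=y' "/boot/config-$kver"; then
        echo "built-in (kernel $kver)"
    elif grep -q '^wireguard ' /proc/modules 2>/dev/null; then
        echo "loaded (kernel $kver)"
    elif modinfo wireguard >/dev/null 2>&1; then
        echo "installed but not loaded; try: sudo modprobe wireguard"
    else
        echo "missing for kernel $kver (nothing under /lib/modules/$kver)"
    fi
}

# Is the tunnel interface present? `ip a` in the thread showed no wg0 at all.
interface_status() {
    iface=${1:-wg0}
    if command -v ip >/dev/null 2>&1 && ip link show "$iface" >/dev/null 2>&1; then
        echo "$iface present"
    else
        echo "$iface absent; run: sudo wg-quick up $iface and inspect its output"
    fi
}

# Constructed copies of the two outputs pasted in the thread.
SAMPLE_WGQUICK='[#] ip link add wg0 type wireguard
RTNETLINK answers: Operation not supported
Unable to access interface: Protocol not supported
[#] ip link delete dev wg0
Cannot find device "wg0"'
SAMPLE_MODPROBE='modprobe: FATAL: Module wireguard not found in directory /lib/modules/4.19.0-11-amd64'

main() {
    echo "module:    $(module_status)"
    echo "interface: $(interface_status wg0)"
    echo "thread wg-quick output -> $(classify_wg_failure "$SAMPLE_WGQUICK")"
    echo "thread modprobe output -> $(classify_wg_failure "$SAMPLE_MODPROBE")"
}

main "$@"
```

Both sample outputs classify as kernel-module-missing, which matches the diagnosis in the thread: the interface cannot be created because the running kernel has no WireGuard module, so changing VPN addresses or Post Up rules cannot help until the module question is settled.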

Definitely weird. Do you mind coming over the IRC support room, so that we can be a bit less spammy here? :slight_smile: