[WireGuard] Virtual Private Network

WireGuard server for YunoHost

:warning: :construction: Read the whole thread carefully, some limitations are present.

WireGuard® is an extremely simple yet fast and modern VPN that utilizes state-of-the-art cryptography. It aims to be faster, simpler, leaner, and more useful than IPsec, while avoiding the massive headache. It intends to be considerably more performant than OpenVPN.
https://www.wireguard.com/

Features

  • WireGuard’s Linux package with its standard features
  • WireGuard UI, an unofficial management web app to configure the server and create client credentials.

Installation

This WireGuard package can be installed through:

  • Install WireGuard with YunoHost
  • YunoHost’s webadmin, in the Community listing
  • YunoHost’s CLI: yunohost app install wireguard.

Required parameters are:

  • domain
  • :construction: path: leave it to / for the time being, the web UI can only be installed at the root of the domain
  • admin, among YunoHost’s users

After installation, open your browser to WireGuard’s page. You can configure the server, and manage clients whose credentials can be downloaded or read as a QR code.

:warning: :electric_plug: During the installation, WireGuard will add its own kernel module. A manual reboot of the server may be needed.

Client software can be found on the installation page of WireGuard’s website. Mobile clients are available on the Play Store, F-Droid, and the App Store.

Configuration

WireGuard can be configured via the non-official web UI. Avoid altering the configuration files via the command line, though.

If you are behind a modem or an ISP box, open WireGuard’s port in its firewall. The port number can be found in the Listen Port field, under the WireGuard Server menu. Do not alter it: it has been assigned by your YunoHost server.

:warning: :twisted_rightwards_arrows: If you want to allow Internet connection through the server (usual use case for a VPN), click below:

Routing instructions for server

Enable IP forwarding (the two sysctl keys below):

sudo nano /etc/sysctl.conf
# Uncomment the following lines:
net.ipv4.ip_forward = 1
net.ipv6.conf.all.forwarding = 1
# Save and quit (CTRL+O, CTRL+X)
sudo sysctl -p

Copy the following commands into the WireGuard Server menu, replacing eth0 with the interface connected to the Internet. If you do not know which one it is, check with the command ip a.

Save and apply configuration to restart the server after setting up the commands.

Post Up Script

iptables -A FORWARD -i %i -j ACCEPT; iptables -A FORWARD -o %i -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE; ip6tables -A FORWARD -i %i -j ACCEPT; ip6tables -A FORWARD -o %i -j ACCEPT; ip6tables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

Post Down Script

iptables -D FORWARD -i %i -j ACCEPT; iptables -D FORWARD -o %i -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE; ip6tables -D FORWARD -i %i -j ACCEPT; ip6tables -D FORWARD -o %i -j ACCEPT; ip6tables -t nat -D POSTROUTING -o eth0 -j MASQUERADE
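As an added example (not part of the wireguard_ynh app or its web UI), the script below generates the Post Up and Post Down lines above for whichever interface carries the default route, and checks a pasted script for MASQUERADE rules that still name the wrong interface. The file name post_scripts.sh and the PRINT_POST_SCRIPTS variable are assumptions of this example.

```shell
#!/bin/sh
# Added example, not part of the wireguard_ynh app: build the Post Up and
# Post Down lines for the WireGuard Server menu with the real WAN interface
# (eth0, enp3s0, ...) instead of a hard-coded eth0, and check a pasted one.

# Interface name from a default-route line such as
# "default via 192.168.1.1 dev enp3s0 proto dhcp metric 100".
iface_from_route() {
    printf '%s\n' "$1" |
        awk '{ for (i = 1; i <= NF; i++) if ($i == "dev") { print $(i + 1); exit } }'
}

# Interface carrying the default IPv4 route, i.e. the one connected to the Internet.
wan_iface() {
    iface_from_route "$(ip -4 route show default 2>/dev/null | head -n 1)"
}

# Rules for one tool. $1 = A (add) or D (delete), $2 = iptables or ip6tables,
# $3 = WAN interface. "%i" stays literal: wg-quick replaces it with wg0.
nat_rules() {
    printf '%s -%s FORWARD -i %%i -j ACCEPT; ' "$2" "$1"
    printf '%s -%s FORWARD -o %%i -j ACCEPT; ' "$2" "$1"
    printf '%s -t nat -%s POSTROUTING -o %s -j MASQUERADE' "$2" "$1" "$3"
}

# Whole Post Up (A) or Post Down (D) line: IPv4 rules, then IPv6 rules.
post_script() {
    printf '%s; %s\n' "$(nat_rules "$1" iptables "$2")" "$(nat_rules "$1" ip6tables "$2")"
}

# Return 0 when every MASQUERADE rule in a pasted script ($1) uses interface $2;
# this catches the "forgot to replace eth0" mistake seen several times in this thread.
script_matches_iface() {
    ! printf '%s\n' "$1" | tr ';' '\n' | grep MASQUERADE | grep -vq -- "-o $2 "
}

# Usage: sh post_scripts.sh [interface]; without an argument the default route is used.
if [ $# -gt 0 ] || [ "${PRINT_POST_SCRIPTS:-0}" = 1 ]; then
    wan="${1:-$(wan_iface)}"
    echo "Post Up Script:";   post_script A "$wan"
    echo "Post Down Script:"; post_script D "$wan"
fi
```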

Documentation

YunoHost specific features

Multi-user support

  • Are LDAP and HTTP auth supported? No, use YunoHost permissions panel to allow users to access the web UI.
  • Can the app be used by multiple users? Yes, any user allowed to access the web UI will be able to alter the VPN settings and access the clients credentials.

Supported architectures

  • x86-64
  • ARMv8-A - you may need to manually run wg-quick up wg0 after configuring WireGuard

Limitations

  • :construction: The web UI can only be installed at the root of a domain.
    • I have opened an issue in the upstream app about it.
  • :construction: Only one network interface, wg0 can be created with this app.
    • I will investigate the possibility to have the app installed multiple times, one instance per interface. Or maybe the web UI could handle multiple interfaces.

Troubleshooting

Feel free to post about it in this thread or on Github (preferred). Remember to add your logs and error messages to help me help you help us all. :robot:

Hello !
Thanks for the app :smiley:
I tested it yesterday, without success.

I installed the app at the root of its own domain, redirected port 8095 on my box, created a client and flashed the code on my phone (using the WireGuard app).
I also copy/pasted the 2 conf for routing (even if I don’t understand what this means) without success.

Do I have some more configuration to do? (like adapt the server IP interface?)

Hi, and thanks for trying it out. :slight_smile: Good point regarding the VPN port behind a modem/box, I will add that to the Configuration! Regarding the routing commands, they are to allow Internet connection through the VPN, it will only allow clients to talk to each other without it.

So, when you say you tested it without success, either you cannot connect to the VPN with your phone (error upon connection), or you cannot access the Internet after connecting to it? What’s the error message?

First ideas:

  1. Easy one, but I forgot twice about it already: do not forget to Apply changes (top right corner) after either altering the clients or the server configuration.
  2. Can you check that your wg0 interface is up with ip a in your terminal? What’s the output regarding wg0? Check that you do not have a conflict with IP addresses. By default I set the VPN addresses to the 10.10.10.0 range, but indeed you can change it if needed.

I thought about saving.
In the WireGuard app on my phone, there is a continuous log:

peer(ABCD…XYZ) - Sending handshake initiation
peer(ABCD…XYZ) - Handshake did not complete after 5 seconds, retrying (try 2)
peer(ABCD…XYZ) - Sending handshake initiation
peer(ABCD…XYZ) - Handshake did not complete after 5 seconds, retrying (try 2)

When I run ip a I do not have any other endpoint

1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host 
       valid_lft forever preferred_lft forever
2: enp3s0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
    link/ether f4:4d:30:66:6b:39 brd ff:ff:ff:ff:ff:ff
    inet 192.168.1.101/24 brd 192.168.1.255 scope global dynamic noprefixroute enp3s0
       valid_lft 56853sec preferred_lft 56853sec

(then multiple ipv6)

Do I have to change the VPN addresses to match my local network?

I tried with 192.168.1.120/28 (then deleted user, re created it, same on my phone)
Same result about handshake.

Oh, weird. The wg0 interface is missing.

  1. Try running sudo wg-quick up wg0 and report any error.
  2. That will not solve your problem, but prevent a subsequent one with Internet connection. Have you replaced eth0 by enp3s0 in the Post Up and Down commands?

[#] ip link add wg0 type wireguard
RTNETLINK answers: Operation not supported
Unable to access interface: Protocol not supported
[#] ip link delete dev wg0
Cannot find device "wg0"

And yes, I replaced eth0 with enp3s0

Somehow the WireGuard installation was not complete. What is your server hardware? Did you have warnings or errors during the installation of the app? After a quick search let’s try: sudo modprobe wireguard and try sudo wg-quick up wg0 again.

If that fails, I will need some time to investigate.

modprobe: FATAL: Module wireguard not found in directory /lib/modules/4.19.0-11-amd64

But I remember having a 3rd interface yesterday evening

Here is the install log : https://paste.yunohost.org/pimobiboca

Definitely weird. Do you mind coming over the IRC support room, so that we can be a bit less spammy here? :slight_smile:

@tituspijean
I have installed this app on my server and it works fine. Thanks for the job.
I have configured my computer and my smartphone too. It’s OK.
I still can’t access the internet when I configure my router because it doesn’t route ip (although it works with openvpn).

@Mamie
Did you update your kernel? Did you install kernel-headers?

Thanks for your feedback! Regarding routing:

  1. Check that your main ethernet connection is eth0 on your server, or something else, with the ip a command;
  2. Check that you have implemented the “Routing instructions for server” and applied the changes.
  3. Check that you have opened WireGuard’s port on the router too. The port can be read in the webapp’s server section.

@tituspijean
I don’t know what’s wrong with my router. It works with a mullvad configuration file but it does not with my yunohost server’s one. I will continue my investigations.

Edit: An update of the router and its reset solved the problem. :wink:
Everything works fine!

Hello @Mamie!
Did you finally solve your problem? I’m facing the same problem.
I believed first that here is a problem: https://github.com/YunoHost-Apps/wireguard_ynh/blob/master/conf/wireguard.service#L7 , for me systemctl is in /bin/ instead of /usr/bin/. But I’m still unable to reload the wireguard service:

Nov 09 22:45:09 xxx.ynh.fr systemd[1]: Starting WireGuard restart…
Nov 09 22:45:10 xxx.ynh.fr systemctl[24732]: Job for wg-quick@wg0.service failed because the control process exited with error code.
Nov 09 22:45:10 xxx.ynh.fr systemctl[24732]: See “systemctl status wg-quick@wg0.service” and “journalctl -xe” for details.
Nov 09 22:45:10 xxx.ynh.fr systemd[1]: wireguard.service: Main process exited, code=exited, status=1/FAILURE
Nov 09 22:45:10 xxx.ynh.fr systemd[1]: wireguard.service: Failed with result ‘exit-code’.
Nov 09 22:45:10 xxx.ynh.fr systemd[1]: Failed to start WireGuard restart.

and anyway the module wireguard is also not found. Thanks for your feedback.

With respect to this error message, can you try to run: journalctl -u wg-quick@wg0.service --no-pager --no-hostname | tail -n 30

The result:

Nov 10 12:05:14 systemd[1]: Starting WireGuard via wg-quick(8) for wg0…
Nov 10 12:05:14 wg-quick[7099]: [#] ip link add wg0 type wireguard
Nov 10 12:05:14 wg-quick[7099]: RTNETLINK answers: Operation not supported
Nov 10 12:05:14 wg-quick[7099]: Unable to access interface: Protocol not supported
Nov 10 12:05:14 wg-quick[7099]: [#] ip link delete dev wg0
Nov 10 12:05:14 wg-quick[7099]: Cannot find device “wg0”
Nov 10 12:05:14 systemd[1]: wg-quick@wg0.service: Main process exited, code=exited, status=1/FAILURE
Nov 10 12:05:14 systemd[1]: wg-quick@wg0.service: Failed with result ‘exit-code’.
Nov 10 12:05:14 systemd[1]: Failed to start WireGuard via wg-quick(8) for wg0.

Well I think the main problem was actually that the module is built for kernel 5.8.0-0.bpo.2-amd64 but I was still running 4.19. So a reboot seems to be the solution.

In addition, from the .conf file downloaded from the WireGuard UI, I had to remove the lines Address and DNS in order to be able to wg setconf wg0 wg0.conf (Line unrecognized: `Address=192.168.2.2/32’ Configuration parsing error…)

I’ll test more but it looks like it is working now, thanks very much for this app !
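The two failures reported above (module not found under /lib/modules for the running kernel, and a module built for a newer kernel that has not been booted yet) can be told apart before reaching for a reboot. As an added example, not part of the wireguard_ynh app, the script below walks /lib/modules and reports which case applies; the file name wg_module_check.sh is an assumption of this example.

```shell
#!/bin/sh
# Added example, not part of the wireguard_ynh app: diagnose the
# "modprobe: FATAL: Module wireguard not found" failure from this thread
# by comparing the running kernel with the kernels a module was built for.

# True when a wireguard.ko (possibly compressed, e.g. .ko.xz) exists below $1.
# Kernels with WireGuard compiled in (CONFIG_WIREGUARD=y) ship no .ko file,
# so treat a "missing" verdict there as a false alarm.
has_wg_module() {
    [ -d "$1" ] && find "$1" -name 'wireguard.ko*' 2>/dev/null | grep -q .
}

# $1 = running kernel release (output of uname -r), $2 = modules root,
# /lib/modules by default. Exit status: 0 = usable now, 2 = a module exists
# only for another installed kernel (reboot into it), 1 = not installed at all.
wg_module_check() {
    running="$1"
    root="${2:-/lib/modules}"
    if has_wg_module "$root/$running"; then
        echo "ok: wireguard module present for running kernel $running"
        return 0
    fi
    for dir in "$root"/*/; do
        kernel=$(basename "$dir")
        [ "$kernel" = "$running" ] && continue
        if has_wg_module "$dir"; then
            echo "reboot needed: module built for $kernel, but $running is running"
            return 2
        fi
    done
    echo "missing: no wireguard module under $root (install kernel headers and the DKMS module)"
    return 1
}

# On the server itself: sh wg_module_check.sh "$(uname -r)"
if [ $# -gt 0 ]; then
    wg_module_check "$1" "${2:-/lib/modules}"
fi
```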

Sorry to reply to an older thread, but I’m having the same problems as above. I’ve done clean YNH installs on 2 different VPSs and have the exact same problem = cannot connect to the internet.

Debian 10
Everything updated

Confirmed eth0 by running ip a.
Set the Post Up and Down Scripts

Can actively connect to the server with Wireguard and packets are sent (but not received …) Cannot connect to the outside internet. It’s almost like a port is closed but I can’t see anything wrong in the firewall.

Any ideas or help?

Hi @Strathy, no worries about the thread being old, you are at the right place. Thanks for your report!

We have an ongoing PR that should fix most of the issues: Pass all checks, use DKMS module, and minor improvements by tituspijean · Pull Request #9 · YunoHost-Apps/wireguard_ynh (github.com)

If you are feeling adventurous you could try it, but do read and understand the discussion over there beforehand. Otherwise, be patient. :wink:

Thanks! I have a clean fresh install here … so nothing to lose. Can you give me a quick instruction how to ‘try it?’ I’m like a bull in a china shop and break things constantly, but learning as I go along. lol.

Thanks!

You will be a perfect testing subject then! :angel: There you go:

yunohost app install https://github.com/YunoHost-Apps/wireguard_ynh/tree/testing --force