[COMPLETED] WireGuard beta testing available

[Daniel15 14]

1 hour ago, Alex0901 said:

I became a error, because it doesen't work with the DSM 7 Linux Kernel

What's the error?

 

[Alex0901 0]

4 minutes ago, Daniel15 said:

What's the error?

 

 

iptables-restore v1.8.3 (legacy): iptables-restore: unable to initialize table 'raw'

Error occurred at line: 1
Try `iptables-restore -h' or 'iptables-restore --help' for more information.

[Alex0901 0]

The Problem is solved. I made a static route in the DSM and now all works fine.

 

[x10 0]

DSM7
Gluetun
fiber 1000/1000
Dutch server
 

docker run -it --rm --network=container:gluetun alpine:3.14 /bin/sh -c "apk add speedtest-cli && speedtest-cli"

Testing download speed................................................................................
Download: 469.52 Mbit/s
Testing upload speed......................................................................................................
Upload: 470.62 Mbit/s

[MrAndersonX 9]

Holy crap Wireguard is running well. Easily hitting over 800mbit down in most cases.

This is over wifi btw, a floor up and a couple rooms over from my router (Wifi6) on gigabit internet.

https://www.speedtest.net/result/12486452078

Suffice to say, I am extremely impressed. Well done guys!
 

[Stan464 2]

Hi All/AirVPN Guys!


Really like that WG is in BETA! just poking about trying myself, has anyone set this up on PFS? Seems i cannot get it to route traffic.

Setup the Peer/Tunnel and NAT/FW but i can Ping from the Interface via Diag --> Ping. But cannot route much else. 


Could anyone provide Screenshots of Example setups (Omitting Private Information of course) Thanks! - Just need to sanity check what I have,


Thanks All!

Edited ... by Stan464
Typo.

[Wolke68 5]

this for Mulvad you can change it for AirVPN with your config

https://airvpn.org/external_link/?url=https%3A%2F%2Fwww.youtube.com%2Fwatch%3Fv%3DwYe7FzZ_0X8


 

[Stan464 2]

1 hour ago, Wolke68 said:

this for Mulvad you can change it for AirVPN with your config

https://airvpn.org/external_link/?url=https%3A%2F%2Fwww.youtube.com%2Fwatch%3Fv%3DwYe7FzZ_0X8


 

Absolutely fantastic guide! thanks for the Link! seems I had missed the GW Settings in the Interface!


Thanks Dude!

[yolomedicbear 1]

One big problem with the WireGurard config generator, it's providing the same Interface address for all servers. Because of this multiple tunnels cannot be used on the same device (e.g. pfSense). I was trying to setup two tunnels and ran into this issue. I have also used other VPN providers such as TorGuard and Mullvad and they provide a different address for each config.

Example:
Singapore server 1 config

[Interface]
Address = 10.172.172.199/10
PrivateKey = xxx
DNS = 10.128.0.1

[Peer]
PublicKey = xxx
PresharedKey = xxx
Endpoint = xxx:1637
AllowedIPs = 0.0.0.0/0
PersistentKeepalive = 15

Singapore server 2 config

[Interface]
Address = 10.172.172.199/10
PrivateKey = xxx
DNS = 10.128.0.1

[Peer]
PublicKey = xxx
PresharedKey = xxx
Endpoint = xxx:1637
AllowedIPs = 0.0.0.0/0
PersistentKeepalive = 15

Edited ... by coldfire7

[Daniel15 14]

4 hours ago, coldfire7 said:

One big problem with the WireGurard config generator, it's providing the same Interface address for all servers.

 You should get different interface addresses if you configure multiple different "devices" in AirVPN's UI here: https://airvpn.org/devices/. Each device has a details button to view the VPN IP for that device.

Two AirVPN devices should work fine on the same physical device, just remember to use different adapter names if on Linux (eg. wg0 for the first one and wg1 for the second one).

[yolomedicbear 1]

2 hours ago, Daniel15 said:

 You should get different interface addresses if you configure multiple different "devices" in AirVPN's UI. It's mentioned earlier in the thread. It still works fine on the same physical device, just remember to use different adapter names if on Linux (eg. wg0 for the first one and wg1 for the second one).

OK found it (https://airvpn.org/devices/). Thanks!

Edited ... by coldfire7

[Stan464 2]

2 hours ago, coldfire7 said:

OK found it (https://airvpn.org/devices/). Thanks!

Off Topic, how did you split your GW's into Sections like that? is that a feature avail in "

2.5.2-RELEASE

" or is this BETA PFS?

[yolomedicbear 1]

2 hours ago, Stan464 said:

Off Topic, how did you split your GW's into Sections like that? is that a feature avail in " 

2.5.2-RELEASE

" or is this BETA PFS?

Ya, it's available in pfSense 2.5.2.


Here's how you do it:

1. Click the wrench on the top right corner and edit the first widget


2. Add a secondary Gateways widget, and then edit that one


3. Once you are done adding and editing click the save icon on the top right corner of the dashboard
Edited ... by coldfire7

[Opayq 1]

Hi AirVPN @Staff. Please elaborate on this matter.
 

On 10/28/2021 at 12:57 PM, Staff said:

About privacy concerns, we wrote a FAQ answer here . Please make sure to read it.

I read the FAQ but I don't fully understand the privacy implications of the following: "by design it is not ideal for privacy, because it doesn't allocate VPN IP Addresses (10.*) dynamically..."

What privacy risks does that entail?

Every time I reconnect to the VPN, I may be assigned to a different AirVPN server and thus have a different public IP (from the point of view of the websites I visit). Since this public IP address is shared, it adds a layer of anonymity. So what is the big deal with these 10.* ip addresses not being assigned dynamically? And why (and when) would a client want to renew their keys "forcing a new, random IP address reassignment"?

Reading the ProtonVPN WireGuard offering makes it look as if they have solved the privacy issue. "To allow more than two people to be connected to the same VPN server at the same time on WireGuard, we use double network address translation (NAT) to dynamically provision sessions." Wouldn't that be a good solution for AirVPN to implement as well?

Really happy with the VPN performance improvements now that I can use WireGuard with my new router. My old router had AES hardware acceleration, so pretty good OpenVPN performance. But my new router, without AES hardware acceleration, is much faster still thanks to WireGuard

[thetechdude 3]

There seems to be an issue with AirVPN's implementation of wireguard and Steam, the gaming platform.  I have server issues all the time playing Steam games.  I do not have any such issues using ovpn.  I can only assume AirVPN is using WireGuardNT, that has been causing me issues with Steam and other VPNs as well.  Anyone else having these problems?

[Daniel15 14]

35 minutes ago, thetechdude said:

There seems to be an issue with AirVPN's implementation of wireguard and Steam, the gaming platform.  I have server issues all the time playing Steam games.  I do not have any such issues using ovpn.  I can only assume AirVPN is using WireGuardNT, that has been causing me issues with Steam and other VPNs as well.  Anyone else having these problems?

This sounds like an issue with WireGuard rather than AirVPN specifically... I'd suggest posting to the WireGuard mailing list about it.

[thetechdude 3]

29 minutes ago, Daniel15 said:

This sounds like an issue with WireGuard rather than AirVPN specifically... I'd suggest posting to the WireGuard mailing list about it.

Except it isn't.  It's an issue with Wireguard NT version, not regular Wireguard, which is why I wanted to know if Eddie uses Wireguard NT.

[Daniel15 14]

10 minutes ago, thetechdude said:

Except it isn't.  It's an issue with Wireguard NT version, not regular Wireguard, which is why I wanted to know if Eddie uses Wireguard NT

I'd assume so, since WireguardNT has been enabled by default in Wireguard itself for a few months now.

https://mobile.twitter.com/EdgeSecurity/status/1437402720135270403

WireguardNT is part of the Wireguard project and thus bugs should be reported there. https://lists.zx2c4.com/mailman/listinfo/wireguard

[mith_y2k 6]

Quick 👏 to the team, I installed WireGuard on my Pi4. Very quick test connecting to the same Air server and same Speedtest server showed a 3x improvement on downloads and uploads. It went from about 54/59 down/up to 156/159. LOVE IT

[2ovmmcgt*natD9WTA6WDdnvo$ 0]

Download speeds are stellar in Eddie's WireGuard beta, but upload is about half as fast as the wireguard client from https://www.wireguard.com/ with WireguardNT enabled.

[gaywallet 0]

So I set up a container on my DSM 920+  using https://github.com/runfalk/synology-wireguard

I route this containers network to https://github.com/henrywhitaker3/Speedtest-Tracker using network_mode: container:wireguard

however, the speedtest tracker seems to escape the network - results return my webserver instead of airvpn

I tried routing the network to a copy of torrenting software and ipleak returns the right dns, but when downloading a random torrent and paying attention to the vpn sessions page the download/upload doesn't reflect full bandwidth.

does anyone have a similar setup and experiencing similar issues? If you're on DSM 7 can you point me at which docker image you're using for the vpn connection? really not sure what to do here...

edit: also tried https://registry.hub.docker.com/r/cmulk/wireguard-docker and had the same issue

Edited ... by gaywallet
tried another repo

[esjalistas 0]

A question on Wireguard and privacy. In your Wireguard FAQ on https://airvpn.org/faq/wireguard, you state:

"Another privacy concern is that WireGuard stores users' real IP addresses on the VPN server indefinitely.
During a VPN session, it's inevitable that our servers know the user's real IP address (to redirect traffic), this happens also with OpenVPN.
The different issue here is that WireGuard keeps this data even if the session is closed.
In AirVPN servers, if no handshake has occurred within 180 seconds, the peer is removed and reapplied. Doing so removes the real IP address from server memory." 

Now, I wonder what "Wireguard" really refers to in this paragraph. Wireguard is a protocol, or a procedure, right? How can a protocol retain data (a user's real IP address) as soon as it is no longer in use (i.e. as soon as a connection is dropped)? 
I suppose that "Wireguard keeps this data even if the session is closed"  means that the data is stored on a server somewhere. If so, what (whose) server is that? Where is it located?

TIA for your elucidation. Regards,
-- Esjalistas
 

[OpenSourcerer 1435]

3 hours ago, esjalistas said:

Wireguard is a protocol, or a procedure, right?

Should be quite obvious that Wireguard means an app implementing the Wireguard protocol. After all, OpenVPN for example is also both the name of the app and the protocol this app implements.
 

3 hours ago, esjalistas said:

I suppose that "Wireguard keeps this data even if the session is closed"  means that the data is stored on a server somewhere. If so, what (whose) server is that? Where is it located?

It's stored on the VPN server you connect to with Wireguard, just like OpenVPN would store it (though, I'd rather call this cached in the case of OpenVPN).

[gaywallet 0]

On 1/9/2022 at 2:29 PM, gaywallet said:

does anyone have a similar setup and experiencing similar issues? If you're on DSM 7 can you point me at which docker image you're using for the vpn connection? really not sure what to do here...

well I thought I had solved the issue by running wg-quick directly, but stuck on figuring out how to get networking to work for allowedips = 0.0.0.0/1, 128.0.0.0/1
 

On 12/15/2021 at 8:53 AM, Alex0901 said:

The Problem is solved. I made a static route in the DSM and now all works fine.

if you're still around can you explain what you did?

EDIT: apparently got it working with gluetun...
https://www.speedtest.net/result/c/b52f7736-aceb-49a0-bbec-9db866b3ae14 Edited ... by gaywallet

[gaywallet 0]

For anyone running a synology device (I'm running a 920+ on v7), here's a quick guide to get setup:
 

Installing Wireguard App

1. go to https://github.com/runfalk/synology-wireguard
2. if you are in the compatibility list - download the spk and install it, then run the command

sudo /var/packages/WireGuard/scripts/start

then proceed to install gluetun
3. if you are not in the compatibility list- download a copy of https://github.com/runfalk/synology-wireguard.git
     find your architecture https://kb.synology.com/en-global/DSM/tutorial/What_kind_of_CPU_does_my_NAS_have
       for this example I have a ds920+ so I am building geminilake
4. build the spk // create a copy of the files on any device with docker that isn't your synology
    create a folder named 'artifacts' in this folder
    create a folder named 'toolkit' in this folder
      optional: download base_env-7.0.txz, dev.txz and env.txz from https://sourceforge.net/projects/dsgpl/files/toolkit/DSM7.0/ for your version and place in /toolkit folder
  run the command

 docker run --rm --privileged --env PACKAGE_ARCH=geminilake --env DSM_VER=7.0 -v $(pwd)/artifacts:/result_spk -v $(pwd)/toolkit:/toolkit_tarballs synobuild

  note- you may need to convert $(pwd) to the appropriate command depending on if you're compiling this in linux or another operating system. $(pwd) = path to working directory
  note2: if the build fails with a certificate error like it did for me, add --no-check-certificate to lines 26, 39, 42 of Makefile
   
5. after it's built, use package center to install the .spk file (located in artifacts container)
6. ssh in and run the command

sudo /var/packages/WireGuard/scripts/start

Installing Gluetun (establishing wireguard connection)

Gluetun is available on docker  and allows connections for a variety of vpn clients like openvpn and wireguard.

If you're lazy, here's a docker compose for it. You can find all the relevant keys and IPs in the .conf file generated on the AirVPN config generator

version: "3"
services:
  gluetun:
    image: qmcgaw/gluetun
    cap_add:
      - NET_ADMIN
    environment:
      - VPNSP=custom
      - VPN_TYPE=wireguard

      - WIREGUARD_ENDPOINT_IP= <convert endpoint to IP by pinging address>
      - WIREGUARD_ENDPOINT_PORT= 1637
      - WIREGUARD_PUBLIC_KEY= <copy key>
      - WIREGUARD_PRIVATE_KEY= <copy key>
      - WIREGUARD_PRESHARED_KEY= <copy key>
      - WIREGUARD_ADDRESS= <copy address from interface>

After you have a stack up and running connected to wireguard, all you need to do is route the traffic however you wish (such as by using network_mode: container:<container name> in the docker compose of another stack).