[COMPLETED] WireGuard beta testing available

[Staff 9971]

@monstrocity

Hello!

Watch out, the fact that WireGuard's transport layer is UDP does not prevent (as it happens with OpenVPN, on the other hand) both TCP and UDP wrapping, of course. TCP and UDP packet forwarding must work both with WireGuard and OpenVPN in the same way Please feel free to open a ticket if they don't.

Kind regards
 

[go558a83nk 362]

6 hours ago, monstrocity said:

11 hours ago, autone said:

Anyone managed to get port forwarding to work with wireguard? I am getting connection refused errors. It works fine on openVPN.

I opened UDP port 1637 on the router that's behind a W10 machine, and WG worked fine through Eddie.  I'm not sure if that port needs to be open or not on your end - worth a shot if nothing else works.

don't open a port on your router for eddie.  it's not needed for anything if everything's going through the VPN tunnel.

[monstrocity 31]

4 hours ago, Staff said:

@monstrocity

Hello!

Watch out, the fact that WireGuard's transport layer is UDP does not prevent (as it happens with OpenVPN, on the other hand) both TCP and UDP wrapping, of course. TCP and UDP packet forwarding must work both with WireGuard and OpenVPN in the same way Please feel free to open a ticket if they don't.

Kind regards
 

I'm not following. UDP ports are blocked by an institution level firewall, and I have never been able to obfuscate it using UDP tunnels with any VPN service provider - I've tried several besides AirVPN in the past.  I get almost no throughput on UDP with OpenVPN or Wireguard. This has always been the case. With Eddie I have to use TCP server entry points or I can't establish a connection to anything. 

[go558a83nk 362]

1 hour ago, monstrocity said:

6 hours ago, Staff said:

@monstrocity

Hello!

Watch out, the fact that WireGuard's transport layer is UDP does not prevent (as it happens with OpenVPN, on the other hand) both TCP and UDP wrapping, of course. TCP and UDP packet forwarding must work both with WireGuard and OpenVPN in the same way Please feel free to open a ticket if they don't.

Kind regards
 

I'm not following. UDP ports are blocked by an institution level firewall, and I have never been able to obfuscate it using UDP tunnels with any VPN service provider - I've tried several besides AirVPN in the past.  I get almost no throughput on UDP with OpenVPN or Wireguard. This has always been the case. With Eddie I have to use TCP server entry points or I can't establish a connection to anything. 

It sounds like your ISP or something on your network is harsh to UDP traffic if TCP VPN tunnels are faster.

[Staff 9971]

Quote

I'm not following. UDP ports are blocked by an institution level firewall,

@monstrocity

Hello!

That's irrelevant for the problem @autone mentioned. Regardless of the tunnel transport layerl, inbound packet forwarding must work both with TCP and UDP, and both with WireGuard and OpenVPN. The fact that you can't use WireGuard is related to a possible UDP block but has nothing to do with the packet forwarding problem inside the tunnel experienced by @autone with WireGuard only. We invite @autone to open a ticket if the problem persists. In this way we can check in real time what happens with packet forwarding.

Kind regards
 

[clebretonfr 0]

Hello

Usually using bluetit on a Raspian OS and Raspberry 4B, the bandwidth is better (x2) with wireguard.
But something strange happened : no possible connections on duckduckgo.com ???
Any ideas ?

Thank you
Regards

[Jacker@ 6]

On 11/7/2021 at 4:07 AM, autone said:

Anyone managed to get port forwarding to work with wireguard? I am getting connection refused errors. It works fine on openVPN.

I too have been unable to get port forwarding to work.

I have installed Tailscale on the required devices instead and it works perfectly. This may be an option for you?

[autone 4]

10 hours ago, Jacker@ said:

I too have been unable to get port forwarding to work.

I have installed Tailscale on the required devices instead and it works perfectly. This may be an option for you?

I just tested it again and it works flawlessly now. Good job AirVPN!

[Staff 9971]

@autone

Hello!

Can you confirm that remote inbound port forwarding works as expected even in WireGuard subnets?

Kind regards
 

[autone 4]

6 hours ago, Staff said:

@autone

Hello!

Can you confirm that remote inbound port forwarding works as expected even in WireGuard subnets?

Kind regards

Yes. I can confirm it works as advertised now. 👍

[Staff 9971]

2 hours ago, autone said:

Yes. I can confirm it works as advertised now. 👍

Thank you, we're very glad to know it. We have not changed anything on our side so the cause of the problem remains unknown. If it wasn't on your side, the problem might re-appear. Open a ticket if it does to let us investigate more properly.

Kind regards

[Oblivion 2013 8]

I too enabled DNS filtering in the devices section, and that works with OpenVPN or Humminbird when using EDDIE v2.21.2beta.

However when I use Wireguard the DNS filtering does not work.

I did look in:
cat /etc/resolv.conf
# Generated by Eddie v2.21.2beta - https://eddie.website - Sunday, November 14, 2021 2:04:45 AM UTC
nameserver 10.xxx.x.x
nameserver xxxx:xxxx:xxxx:xxxx::1

I tried flushing DNS with:
sudo systemd-resolve --flush-caches

Sometimes the idea is that it looks as if it's working, however it then is not. Not compared to OpenVPN or Hummingbird.

Rest of Wireguard seems functional and browserleaks and so on show same behavior accept with ads as unfiltered DNS has ads.

When I test for DNS filtering I enabled several lists that do work but not with WireGuard. I search for 'adblock test page' and go there to test.

I looked in browser to see if anything could bypass DNS like browsers nowadays like Firefox or Chrome have builtin Secure DNS Provider. Which was disabled. Also no proxy used.

[Kjhjsllsjjsjsj 0]

On 10/29/2021 at 4:40 AM, cqs said:

Generated an Android profile for Nahn and Wireguard refused to import it until it got renamed to Nahn.conf

They addressed it later i think, their WG config generator generates much too complex names for WG .conf files which isn't usable on WG client app without renaming it manually on your own. Edited ... by Kjhjsllsjjsjsj

[SurprisedItWorks 49]

I can confirm that when using the one Air-account device for which I have adblocking configured, I can switch back and forth between OpenVPN -> Air server and wireguard -> Air server and watch the results of running dig on "ad-delivery.net", one of the domains listed by Air as blocked, and see the result toggle between 0.0.0.0 and three IPv4 addresses. I'm getting DNS adblocking via openVPN but not via wireguard. Experiments with newspaper apps confirm. Adblocking works with OpenVPN but not with wireguard. 

Experiments used iOS 15.1 and the ISC Dig app, the WireGuard app, and the OpenVPN Connect app, and Firefox Mobile. I verified at ipleak.net that the wireguard experiment is using Air DNS and not  my router's DNS setup.  

iOS is IPv6 capable, but my router setup is not, and my Air wireguard configs specify IPv4 transport but IPv[46] both on exit from the Air server.  In ipleak.net, both IPv4 and IPv6 addresses show for the wireguard server (labeled Chamaeleon), but the single DNS server IP shown matches the wireguard server IPv4 address (again labeled Chameleon).  I have not modified the wireguard config from Air's config generator (other than config name). The DNS field in the config is indeed the .1 address of the Addresses subnet, but the DNS server listed by dig is a different 10.X.Y.Z address, one that is not in the Addresses subnet. Doesn't seem shocking to me, but maybe staff will read and infer something that I cannot. 

[Alex0901 0]

Am 4.11.2021 um 21:48 Uhr sagte LcKHUNy7:

Danke Personal für die großartige Arbeit. Mein Synology NAS mit einer schwachen CPU (Celeron J3455) verwaltete vielleicht 30 MB/s über OpenVPN UDP mit AES oder ChaCha20, mit Wireguard erreichte ich gerade 80 MB/s (~640 Mbit/s). Ich hatte auf eine leichte Verbesserung gehofft, aber das übertrifft meine Erwartungen viel!

Hello, how did you get Wireguard installed on Synology?

Greetz

[oldsweatyman 0]

Excellent speeds, thank you so much for implementing WireGuard. I'm hitting 72 MB/s easily. I think my max with OpenVPN was half of that.

Edited ... by oldsweatyman

[Oblivion 2013 8]

When testing the DNS adblock service AirVPN has, when using OpenVPN your operating system DNS cache becomes populated with DNS addressesses which resolve to nothing and are blocked. If you then de-connect and connect over WireGuard, the operating system DNS cache is still using this populated DNS look-ups which go nowhere and hence when you have connected with OpenVPN your operating system cache is full with resolved domains blocked. Then you connect over WireGuard and it seems as if WireGuard does block as AirVPN DNS offers. However the DNS cache Time To Live will expire, then over Wireguard the DNS cache gets emptied and eventually filled with succesful lookups.

This makes it look as if Wireguard with AirVPN DNS domain blocking options is sometimes working, however it is not yet. As explained, the DNS cache must be flushed to see for sure if domains are blocked as you wish.

Conclusion Wireguard works fine, with exception of this currently beta testing anomaly. Which is totally logical if you consider it again. Meanwhile use an addon in your browser e.g. but as usually I prefer eventually Wireguard with the DNS block option as it is today with OpenVPN or Hummingbird using the EDDIE client.

Tested on Ubuntu GNU/Linux 21.10

Wireguard seems very stable besides this feature to have adblocking service as AirVPN has when using OpenVPN.

A dirty workaround is pushing another DNS server in EDDIE client like the ip addresses of any DNS server that blocks advertisements. However I tested it and it works, but I deleted all tests configurations and use Wireguard now with understanding that DNS Domain block options with Wireguard are not yet functional.

I see no reason why not to use Wireguard instead of OpenVPN, Wireguard seems more resilient.

Edited ... by Obvious
grammar

[Staff 9971]

Hello!

To help us troubleshooting DNS block list issues with WireGuard, please activate at your convenience the DNS List "Air ADV", and try from terminal (Linux and macOS)
# dig ad-delivery.net @10.128.0.1
or in Windows
# nslookup ad-delivery.net 10.128.0.1

Then publish the output.

Kind regards


 

[SurprisedItWorks 49]

Not seeing an "Air ADV" DNS block list.

[LcKHUNy7 1]

On 11/17/2021 at 5:48 PM, Alex0901 said:

Hello, how did you get Wireguard installed on Synology?

Greetz

There is a github repository with a kernel module for the old synology kernels here: https://github.com/runfalk/synology-wireguard
For the userspace, I chose to run wireguard in a docker container (any docker container with wireguard tools will work here).

[Oblivion 2013 8]

Hello!

To help us troubleshooting DNS block list issues with WireGuard, please activate at your convenience the DNS List "Air ADV", and try from terminal (Linux and macOS)
# dig ad-delivery.net @10.128.0.1
or in Windows
# nslookup ad-delivery.net 10.128.0.1

Then publish the output.

Kind regards

===========
This is with DNS disabled at Global Account DNS adblocking, but with adblocking via DNS enabled for current connection device.

:~$ dig ad-delivery.net @10.128.0.1

; <<>> DiG 9.16.15-Ubuntu <<>> ad-delivery.net @10.128.0.1
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 50427
;; flags: qr rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;ad-delivery.net.               IN      A

;; ANSWER SECTION:
ad-delivery.net.        300     IN      A       104.26.3.70
ad-delivery.net.        300     IN      A       172.67.69.19
ad-delivery.net.        300     IN      A       104.26.2.70

;; Query time: 80 msec
;; SERVER: 10.128.0.1#53(10.128.0.1)
;; WHEN: Fr Nov 19 04:11:34 CET 2021
;; MSG SIZE  rcvd: 92

====
This is with DNS ENABLED at Global Account DNS adblocking, but with adblocking via DNS enabled for current connection device.

; <<>> DiG 9.16.15-Ubuntu <<>> ad-delivery.net @10.128.0.1
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 3002
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;ad-delivery.net.               IN      A

;; ANSWER SECTION:
ad-delivery.net.        3600    IN      A       0.0.0.0

;; Query time: 64 msec
;; SERVER: 10.128.0.1#53(10.128.0.1)
;; WHEN: Fr Nov 19 04:19:06 CET 2021
;; MSG SIZE  rcvd: 60

===
I am not sure, but it looks like only global account DNS settings can block advertisements but specific per device DNS does not work yet.

[Guest]

Blocklist is working here.

nslookup ad-delivery.net 10.128.0.1
Server:  UnKnown
Address:  10.128.0.1

Non-authoritative answer:
Name:    ad-delivery.net
Addresses:  ::
          0.0.0.0

[SurprisedItWorks 49]

I'm also seeing per-device blocking working via wireguard now.  Looks like we're all set.

[Guest]

Hi!
Does WireGuard work with Eddie-cli on GNU/Linux? I got it working with Eddie-ui but I can't figure out proper parameters for CLI version. It always connects via openvpn. I've tried the following:
eddie-cli --netlock=true --advanced.expert=true --mode.alt=1 --mode.type=wireguard --mode.port=1637 --mode.protocol=udp

Edit. Just got it working... 😅 eddie-cli --netlock=true --mode.type=wireguard --mode.port=1637
Leaving out '--mode.alt=1' made it work. No idea why it didn't work few days ago when I tried the same command.

Edited ... by theprodigalson

[inc 3]

I have been trying again to get this working. The problem seems to be all the Debian howtos are installing a server and client generating keys etc and creating a wg.0 configs but my understanding is that this is already in the Airvpn config file when I attempt to start wireguard I get the following error

#] ip link add car type wireguard
[#] wg setconf car /dev/fd/63
[#] ip -4 address add 10.155.173.95/10 dev car
[#] ip -6 address add fd7d:76ee:e68f:a993:56a7:3428:9bd9:5f17/48 dev car
[#] ip link set mtu 1420 up dev car
[#] resolvconf -a tun.car -m 0 -x
[#] wg set car fwmark 51820
[#] ip -6 route add ::/0 dev car table 51820
[#] ip -6 rule add not fwmark 51820 table 51820
[#] ip -6 rule add table main suppress_prefixlength 0
[#] nft -f /dev/fd/63
/dev/fd/63:5:101-114: Error: Could not process rule: No such file or directory

[#] resolvconf -d tun.car -f
[#] ip -6 rule delete table 51820
[#] ip -6 rule delete table main suppress_prefixlength 0
[#] ip link delete dev car

It looks like it may be a firewall config but there is no firewall on the PC    (it is on the router) Has anyone successfully got this running on Debian and suggest  where to look to get this running. When I search the net for the error the only one that comes up is mine.
I had this running on Android in less than a minute and Hummingbird has been faultless for years  this should be simpler but is proving to be anything but.