x10 0 Posted ... (edited)
@gaywallet Thanks for your writeup there, I've been running WireGuard like this for a while now. I have some remarks and some other findings about this method I would like to share.
- Building the SPK for WG on the 920 gave me some problems; the advice is to build it on a different machine. I ended up downloading a pre-built package.
- But actually you can run this without kernel packages; gluetun also runs in user space.
Could you check (or maybe you already noticed) whether gluetun causes HDD activity every second? Or, better: I noticed that the container for gluetun makes Docker access the HDD every few seconds. I moved the stuff over to an NVMe volume to avoid this HDD rumble.
And maybe you could share with me how you change the endpoints. For now I change it once in a while in the container config: stop/change/start. Not the best way.
Edited ... by x10
gaywallet 0 Posted ...
11 hours ago, x10 said:
Could you check (or maybe you already noticed) whether gluetun causes HDD activity every second? Or, better: I noticed that the container for gluetun makes Docker access the HDD every few seconds. I moved the stuff over to an NVMe volume to avoid this HDD rumble.
Pulled up stats for a few minutes and noticed no HDD activity. All RAM and CPU.
11 hours ago, x10 said:
And maybe you could share with me how you change the endpoints. For now I change it once in a while in the container config: stop/change/start. Not the best way.
I don't change the endpoints manually at all; I let Docker do all the work by simply specifying the network on other containers via docker compose and network_mode: container.
nicolasbrown 6 Posted ... (edited)
Is it normal that Windows is sending a lot of junk packets into the WireGuard network interface? I checked with Wireshark and I was seeing NetBIOS, LLMNR, LLDP, IGMPv6 etc. packets being sent into the tunnel. Not sure any of these have privacy implications, but I don't think they should be sent into the tunnel; they don't really make sense when the interface is really just point-to-point.
I did the two following things manually, which actually stopped all the weird/junk traffic:
1. Disable all superfluous Microsoft "items" on the tunnel interface:
"Client for Microsoft Networks" -> local broadcast discovery packets (?), there are no devices to discover
"File and Printer Sharing" -> obviously useless junk, there are no printers in the tunnel link-local network
LLDP-related options -> probably pointless in a point-to-point interface too
2. Explicitly disable NetBIOS on the interface (from an Administrator prompt):
wmic nicconfig get caption,index,tcpipnetbiosoptions
wmic nicconfig where index=<WireGuard NIC index> call settcpipnetbios 2
However, because this interface is ephemeral, the changes do not stick.
Could these settings be performed by Eddie or WireGuard-NT in some automated way when creating the tunnel interface, at least optionally? Otherwise the only option is to go back to using the WinTun userspace version again (which does not seem possible in "Preferences"), or to OpenVPN, because those interfaces are not recreated on every reconnect.
In general, I see no reason not to disable all of these "extra" things that Windows sends into the tunnel by default. Maybe NetBIOS could stay as something that can be disabled optionally (though I think 99% of Windows users don't need NetBIOS on their Internet-facing adapter in any case).
The current settings allow a lot of junk packet traffic (5-10 packets per second), but it might also be concerning from a privacy point of view (though I don't know enough about these protocols to say for sure). Also, on a laptop, it doesn't seem good for battery life that all these junk packets are constantly saturating the WireGuard interface (they keep WiFi/5G awake).
Edited ... by nicolasbrown (removed bad wireshark image)
nicolasbrown 6 Posted ... (edited)
In the meantime, if anyone else wants to see how to solve the above without native Eddie support, here is a band-aid fix with a PowerShell script:

$wgAdapterName = "Eddie" # Name seems hardcoded
$componentIDsToDisable = @(
    # optionally also disable IPv6 if not used:
    #"ms_tcpip6",
    "ms_server",
    "ms_msclient",
    "ms_rspndr",
    "ms_lltdio",
    "ms_lldp"
)
Foreach ($componentID in $componentIDsToDisable) {
    Write-Host "Disable $componentID"
    Set-NetAdapterBinding -Name $wgAdapterName -ComponentID $componentID -Enabled $False
}
# SetTcpipNetbios argument: 0 = default (via DHCP), 1 = enable, 2 = disable.
# 2 is the same value as the "settcpipnetbios 2" wmic call above.
$wgAdapterConf = Get-WmiObject Win32_NetworkAdapterConfiguration | Where-Object ServiceName -eq "WireGuard"
Write-Host "(" $wgAdapterConf.Caption ")" ".SetTcpipNetbios(2):"
$wgAdapterConf.SetTcpipNetbios(2) | Select-Object ReturnValue

Running this from an Administrator PowerShell window works well after connecting. With some effort it can be hooked into the "VPN Up" event (Preferences => Events), and then it will always force the adapter to be updated. It would be better if this was automatic in the baseline, though.
Eddie is not running with administrative privileges, so the script cannot be invoked directly by Eddie because it will fail. For that, "C:\Windows\System32\schtasks.exe" was used, which allows defining tasks that run with admin rights even if triggered by normal users.
VPN Up event (Preferences => Events):
Program: C:\Windows\System32\schtasks.exe
Arguments: /run /tn "User\disableUselessWgAdapterBindings"
Task Scheduler:
Put the PowerShell script in some admin-privileged location, e.g. "C:\Program Files\disableUselessWgAdapterBindings.ps1"
Create a "User" folder, create the task in it, set "run with highest privileges" and name it "disableUselessWgAdapterBindings"
Create an "Action" that runs "powershell.exe" with these arguments:
-WindowStyle Hidden -NonInteractive -NoLogo -NoProfile -ExecutionPolicy Bypass -File "C:\Program Files\disableUselessWgAdapterBindings.ps1"
Edited ... by nicolasbrown
Daniel15 14 Posted ...
19 hours ago, nicolasbrown said:
Is it normal that Windows is sending a lot of junk packets into the WireGuard network interface?
Kind of. WireGuard itself does not make any assumptions about how the VPN is used, and just forwards all traffic destined for its interface (traffic to any VPN nodes, plus any traffic that is explicitly routed through it via the routing table). For example, for employees working from home who are connecting to their workplace VPN, you would generally want all traffic to go over the tunnel, e.g. to allow accessing internal servers via NetBIOS name, for compliance reasons (e.g. to block particular sites), etc. Similarly, for a point-to-point VPN (two computers, both of which have each other as a peer in the WireGuard config, no other traffic routed via the VPN), you generally do want all traffic destined for the other system's IP to go via the VPN.
If AirVPN wants to block some types of traffic going over the tunnel, that's fine, but it'd have to be AirVPN-specific, as something like that is not really appropriate in WireGuard itself. On Linux, routing all traffic via the VPN isn't even a built-in feature of WireGuard; it's implemented by iptables or nftables calls in PostUp and PostDown. In that case, blocking particular types of traffic would just be additional iptables/nftables rules, again not actually handled by WireGuard itself.
use 0 Posted ...
Does WireGuard work in Eddie on Windows 7? I just got the beta client 2.21.3 and I enabled the beta feature in the website preferences. Then I logged out and logged in on Eddie, but when I go to Protocol I don't see WireGuard there, just OpenVPN ports only. What else do I need to do to get WG working within Eddie?
Staff 9950 Posted ...
7 hours ago, use said:
Does WireGuard work in Eddie on Windows 7? I just got the beta client 2.21.3 and I enabled the beta feature in the website preferences. Then I logged out and logged in on Eddie, but when I go to Protocol I don't see WireGuard there, just OpenVPN ports only. What else do I need to do to get WG working within Eddie?
Hello!
Currently not, we're sorry. At the moment Windows 7 users should run native WireGuard programs with a configuration file generated by our Configuration Generator.
Kind regards
use 0 Posted ...
3 hours ago, Staff said:
Hello! Currently not, we're sorry. At the moment Windows 7 users should run native WireGuard programs with a configuration file generated by our Configuration Generator. Kind regards
👍
use 0 Posted ...
Hello again, I'm trying to get WireGuard working now on eddie-ui_2.21.3_linux_armv7l_debian, but it gets stuck with "Checking route IPv4". I can connect with the OpenVPN protocol, but both WireGuard ports get stuck at that line and fail.
nva 0 Posted ...
On 12/14/2021 at 5:17 AM, Daniel15 said:
@Staff Are there any plans to allow users to provide their own private keys, so that you only have the public key on your end and are never in possession of the private key?
I have the same question. Currently I'm using Mullvad and they have an API to let us add our own key, which is attached to a fixed IP allocation.
k0lovratok 5 Posted ...
Hi folks, first of all thank you staff for implementing WireGuard... As for testing, I stumbled upon a weird problem. If I'm connected through the OpenVPN protocol, everything works as expected, but if I switch to WireGuard (same server - Zuben) some sites won't load (for example duckduckgo.com). I'm using the router as the OpenVPN/WireGuard client so anybody on LAN/WiFi can use VPN services in my house. Has anybody experienced something similar? What could this be? An MTU problem? Thanks
//Edit: Never mind - MSS clamping took care of the problem
//Edit2: I'm using OpenWrt, and MSS clamping can be configured here: Network -> Firewall -> click Edit on the wan or vpn zone -> check MSS clamping
bdika 1 Posted ... (edited)
20 hours ago, k0lovratok said:
Hi folks, first of all thank you staff for implementing WireGuard... As for testing, I stumbled upon a weird problem. If I'm connected through the OpenVPN protocol, everything works as expected, but if I switch to WireGuard (same server - Zuben) some sites won't load (for example duckduckgo.com). I'm using the router as the OpenVPN/WireGuard client so anybody on LAN/WiFi can use VPN services in my house. Has anybody experienced something similar? What could this be? An MTU problem? Thanks //Edit: Never mind - MSS clamping took care of the problem
Hi k0lovratok: I had a similar problem. What is MSS clamping and how do I go about implementing it? Thanks. bdika
Edit: I think I got it. For those looking for a solution using OPNsense, see this post.
Edited ... by bdika Solved
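The two Linux-side fixes discussed in this thread, Daniel15's point that filtering traffic types is just extra nftables rules in PostUp/PostDown, and the MSS clamping k0lovratok and bdika applied on their routers, fit naturally into one wg-quick configuration. The script below is an added example, not AirVPN's, wg-quick's or any poster's own code: it renders (it does not apply) a wg-quick conf and the nftables ruleset its PostUp loads. The ruleset drops the discovery chatter nicolasbrown saw on Windows (NetBIOS, LLMNR, mDNS, SSDP, WS-Discovery) before it leaves over the tunnel and clamps TCP MSS to the path MTU on the tunnel for forwarded traffic. The interface name, table name, addresses, endpoint host and key placeholders are assumptions; the port 1637 is the one mentioned later in this thread.

```shell
#!/usr/bin/env bash
# Added example, not AirVPN's or wg-quick's own code. Renders a wg-quick
# configuration plus the nftables ruleset its PostUp loads. Nothing here
# touches the live firewall; run the rendered files with wg-quick.
set -eu

WG_IF="${WG_IF:-AirVPN-America}"        # assumption: conf basename = interface name
NFT_TABLE="${NFT_TABLE:-wg_hardening}"  # assumption: a dedicated table for easy teardown

# Ports of the broadcast/multicast discovery protocols that show up in
# Wireshark on a Windows tunnel adapter. LLDP is Ethernet-level and never
# enters an L3 tunnel, so it needs no rule here.
DISCOVERY_UDP="137, 138, 1900, 3702, 5353, 5355"   # NetBIOS-NS/DGM, SSDP, WS-Discovery, mDNS, LLMNR
DISCOVERY_TCP="139, 5357"                          # NetBIOS-SSN, WS-Discovery over HTTP

# Print the nftables ruleset for one tunnel interface. The "table"/"delete
# table" pair at the top makes the file idempotent: re-running PostUp
# replaces the table instead of appending duplicate rules. The inet family
# covers IPv4 and IPv6 in one table.
nft_ruleset() {
  ifname="$1"
  cat <<EOF
table inet ${NFT_TABLE}
delete table inet ${NFT_TABLE}
table inet ${NFT_TABLE} {
  chain output {
    type filter hook output priority filter; policy accept;
    oifname "${ifname}" udp dport { ${DISCOVERY_UDP} } counter drop
    oifname "${ifname}" tcp dport { ${DISCOVERY_TCP} } counter drop
  }
  chain clamp {
    # Rewrite the MSS option on forwarded SYNs so LAN hosts behind a
    # router-as-client never send segments larger than the tunnel MTU.
    type filter hook forward priority mangle; policy accept;
    oifname "${ifname}" tcp flags syn tcp option maxseg size set rt mtu
  }
}
EOF
}

# Render OUTDIR/NAME.nft and OUTDIR/NAME.conf. PostUp loads the ruleset,
# PostDown removes the whole table; both paths are absolute because wg-quick
# evaluates hooks from its own working directory.
render_all() {
  outdir="$1"
  mkdir -p "$outdir"
  nft_ruleset "$WG_IF" > "${outdir}/${WG_IF}.nft"
  cat > "${outdir}/${WG_IF}.conf" <<EOF
[Interface]
PrivateKey = REPLACE_WITH_PRIVATE_KEY_FROM_CONFIG_GENERATOR
Address = 10.0.0.2/32, fd00::2/128
DNS = 10.0.0.1
MTU = 1420
PostUp = nft -f ${outdir}/${WG_IF}.nft
PostDown = nft delete table inet ${NFT_TABLE}

[Peer]
PublicKey = REPLACE_WITH_SERVER_PUBLIC_KEY
PresharedKey = REPLACE_WITH_PRESHARED_KEY
Endpoint = vpn.example.invalid:1637
AllowedIPs = 0.0.0.0/0, ::/0
PersistentKeepalive = 15
EOF
  # The conf holds the private key: owner-only, like wg-quick expects.
  chmod 600 "${outdir}/${WG_IF}.conf"
}

# Usage: WG_IF=AirVPN-America ./render.sh /etc/wireguard && wg-quick up AirVPN-America
if [ "$#" -ge 1 ]; then
  render_all "$1"
fi
```

The clamp chain sits on the forward hook on purpose: connections a host opens itself already derive their MSS from the wg interface's MTU, which is why the problem only appeared once the router, not the end host, was the WireGuard client. The output chain, by contrast, is the right place for locally generated discovery traffic. Check that the rules took effect with `nft list table inet wg_hardening`; the `counter` on each drop rule shows how much chatter is being absorbed.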
Guest Posted ...
I've just switched to Debian Sid from Debian Bullseye. I had been using a bash script that I had written to bring up/down WireGuard VPN connections with various AirVPN wireguard.conf files. Since the move to Sid, I've been unable to get the scripts to work and have been unable to get wg-quick to work. I have been able to get NetworkManager to import your wireguard.conf files and it will succeed in providing a connection, but I'd rather not use NetworkManager. I prefer the command line if possible.
This is the output from wg-quick:
wg-quick up /VPN/America.conf
[#] ip link add America type wireguard
[#] wg setconf America /dev/fd/63
[#] ip -4 address add 10.148.126.156/10 dev America
[#] ip -6 address add fd7d:76ee:e68f:a993:305f:8715:5237:7f2/48 dev America
[#] ip link set mtu 1420 up dev America
[#] resolvconf -a tun.America -m 0 -x
[#] wg set America fwmark xxxxx
[#] ip -6 route add ::/0 dev America table xxxxx
[#] ip -6 rule add not fwmark xxxxx table xxxxx
[#] ip -6 rule add table main suppress_prefixlength 0
[#] nft -f /dev/fd/63
/dev/fd/63:5:108-121: Error: Could not process rule: No such file or directory
[#] resolvconf -d tun.America -f
[#] ip -6 rule delete table xxxxx
[#] ip -6 rule delete table main suppress_prefixlength 0
[#] ip link delete dev America
I've run the first line on the command line and it creates the America interface, but the second line fails with "no file found". I'm using nftables. Can you help me fix this issue?
OpenSourcerer 1432 Posted ...
7 hours ago, henrythemouse said:
I've just switched to Debian Sid from Debian Bullseye.
It looks like a Debian sid-specific thing: no workarounds or solutions so far.
inc 3 Posted ...
19 hours ago, henrythemouse said:
I've just switched to Debian Sid from Debian Bullseye.
I am using sid and had the same error as you; it turned out to be a resolv.conf issue. I don't use NetworkManager. I just created a folder for the AirVPN files and start a VPN with sudo wg-quick up /folder/file.conf
Guest Posted ...
9 minutes ago, inc said:
I am using sid and had the same error as you; it turned out to be a resolv.conf issue. I don't use NetworkManager. I just created a folder for the AirVPN files and start a VPN with sudo wg-quick up /folder/file.conf
Exactly what I do. I'm only using NetworkManager because I can't get wg-quick to work. Do you recall the issue you were having with resolv.conf?
frpergflf 8 Posted ... (edited)
Hi All, for people on OpenBSD 7.0, a minor adjustment to these instructions will make WG work fine: https://airvpn.org/linux/wireguard/terminal/
Before starting 'wg-quick up' you should execute this:
$ doas /usr/sbin/rcctl stop resolvd
And after stopping 'wg-quick up', you should execute this:
$ doas /usr/sbin/rcctl start resolvd
Stopping resolvd(8) will allow connections to work seamlessly without leaks as far as I can tell. Without stopping resolvd(8) you will be unable to even ping. And starting resolvd(8) will reset your network.
Version 7.0 no longer uses dhclient(8) but defaults to dhcpleased(8) and resolvd(8), and the additions above work well with the new defaults in OpenBSD 7.0.
I understand the privacy concerns, and I think I am OK with it. Thanks for adding WG, it makes using AirVPN with OpenBSD much easier.
Edited ... by frpergflf grammar
inc 3 Posted ...
14 hours ago, henrythemouse said:
Exactly what I do. I'm only using NetworkManager because I can't get wg-quick to work. Do you recall the issue you were having with resolv.conf?
Yes, it wasn't installed. I installed it, then ran dpkg-reconfigure resolvconf
Guest Posted ...
On 2/5/2022 at 8:49 PM, inc said:
I am using sid and had the same error as you; it turned out to be a resolv.conf issue. I don't use NetworkManager. I just created a folder for the AirVPN files and start a VPN with sudo wg-quick up /folder/file.conf
The above is not necessary: /folder/file/.conf (only the file name is necessary, not the path). This is the correct procedure to use WireGuard with wg-quick:
First copy your WireGuard config file to /etc/wireguard (with root privileges). Then rename the config file to a simpler name. For example, the America config file you would rename to AirVPN-America.conf
Then connect to this server (random server in America) by issuing:
sudo wg-quick up AirVPN-America
To disconnect from this server, issue:
sudo wg-quick down AirVPN-America
To auto-connect to this server after your system has booted up, issue:
sudo systemctl enable wg-quick@AirVPN-America
To disable auto-connecting to this server after your system has booted up, issue:
sudo systemctl disable wg-quick@AirVPN-America
To check the status of the auto-connect feature, issue:
sudo systemctl status wg-quick@AirVPN-America
To show which endpoint you are connected to, issue:
sudo wg show
helmax 2 Posted ...
I am having some trouble configuring this with pfSense. Maybe I am doing something wrong with the interfaces and gateway. Any guide?
inc 3 Posted ...
14 hours ago, Television said:
This is the correct procedure to use WireGuard with wg-quick:
Either way is fine; I prefer to have the config files in userspace.
Guest Posted ...
On 2/10/2022 at 10:27 AM, inc said:
Either way is fine; I prefer to have the config files in userspace.
Sure, if it works for you from userspace, I guess you're good to go. I wrote my comment to you because I thought you, like another user you were commenting to, couldn't get wg-quick to work.
If you are using NetworkManager and you experience DNS leaks, you should modify the NetworkManager config file to avoid DNS leaks, which could occur because your router, through DHCP, will try to push your ISP's IP address.
Edit /etc/NetworkManager/NetworkManager.conf to:
[main]
dns=default
If the line does not exist, add it (with root privileges) and save the change.
Personally, I haven't used NetworkManager with a VPN for many years. In particular, I used to get DNS leaks with OpenVPN when using NetworkManager. With wg-quick and WireGuard, I haven't experienced DNS leaks.
neonicacid 0 Posted ...
On 2/9/2022 at 11:29 PM, Wolke68 said:
Yes it is in the thread
Wolke, I was able to use that guide to set up one tunnel, but adding subsequent tunnels (for a bridge setup) causes the next tunnels to get a non-standard port (44471 instead of 1637) and fail to handshake. I've made new devices on AirVPN, but it doesn't seem to help. Do you/anyone else have any tips on how to get multiple WireGuard interfaces working with AirVPN? I've tried probably 10x to get this working, so any assistance would be appreciated.