tranquivox69 27 Posted ...

After weeks of trying different solutions, I'm close to raising the white flag and getting by with OpenVPN. But the nature of the hardware (Amlogic S922XJ), with limited power, pushes me to try and use WireGuard. CoreELEC does not allow for the solution I used for Vero4K (https://discourse.osmc.tv/t/openvpn-or-wireguard-tutorial/93939/14). It uses a strange approach through connmanctl (https://wiki.libreelec.tv/configuration/wireguard), which forces you to input a single address (numerical IP) for the connection, thus making it impossible to use the AirVPN load balancer at nl3.vpn.airdns.org:1637.

This led me to try this way: https://discourse.coreelec.org/t/wireguard-client-service-up-in-four-steps-with-entware/18355. But I had constant disconnections, maybe due to my not fully understanding the steps involved and what I should be using in the conf file. I was using the following but, again, it wasn't working very well (don't know if it could be due to Entware's builds of the tools needed):

    [Interface]
    Address = 10.173.72.95
    PrivateKey = removed
    MTU = 1320
    DNS = 10.128.0.1

    [Peer]
    PublicKey = removed
    PresharedKey = removed
    Endpoint = nl3.vpn.airdns.org:1637
    AllowedIPs = 0.0.0.0/1,128.0.0.0/1
    PersistentKeepalive = 15

If anybody has suggestions to try for the above, I would surely test them. But the main point of my post is this: considering CoreELEC comes with a wg build out of the box (1.0.20210219), I thought about using this approach, going fully "manual", so to say: https://discourse.coreelec.org/t/wireguard-add-on/2203/10.

Quote:

    1] cp /etc/connman/main.conf /storage/.config/connman_main.conf
       vi /storage/.config/connman_main.conf
       and add ,wg to the NetworkInterfaceBlacklist section. Reboot device.

    2] create file <privatekey> with peer private key

    3] wg_up.sh
       ip link add dev <wg interface name> type wireguard
       ip address add dev <wg interface name> <CE subnet>/24
       wg set <wg interface name> private-key <privatekey> peer <server public key> allowed-ips '<subnet you want to use with wg>/24' endpoint <hostname>:<port>
       ip link set up dev <wg interface name>
       In case <subnet you want to use with wg> is from the public internet, not the wg server subnet, add
       ip route add <subnet you want to use with wg>/24 via <wg server subnet>.1 dev <wg interface name>

    4] wg_down.sh
       ip link set down dev <wg interface name>

    5] You can refer to the .sh scripts in the systemd wireguard.service.

Now, I've tried my best to fill in the blanks in the above. I managed to connect (the https://airvpn.org/sessions/ address showed the WireGuard connection up) but no traffic was going through it. Anybody up to the task of helping me fill in the blanks correctly and maybe set the "ip route" thing correctly? I am absolutely clueless when people start talking about subnets, I have to admit. Like... my eyes go empty and I stare into space, sorry.

I already have a script configured that should take care of DNS, by replacing the default one from the router with the AirVPN one (this works in OpenVPN, at least). For the rest... I'd like all traffic to go through WireGuard, except that from my local network (192.168.178.x).

If anybody could help, I would be deeply grateful. I don't want to surrender. Thanks in advance.
tranquivox69 27 Posted ...

Anyone? Maybe @NaDre who, to my eyes, is like the God of Networking? 🙂
NaDre 157 Posted ...

I hadn't thought about this stuff for a while. I hoped you might sort it out yourself.

Are you aware of wg-quick? https://www.man7.org/linux/man-pages/man8/wg-quick.8.html This is part of the wireguard package for full Linux distros. It might be all you need. But it is not compatible with the scripts from here: https://github.com/tool-maker/VPN_just_for_torrents/wiki/Running-Non-Specific-VPN-on-Linux-without-VPN-as-Default-Gateway

The reason is that the config files contain lines like this:

    [Interface]
    ...
    DNS = 10.128.0.1, fd7d:76ee:e68f:a993::1
    [Peer]
    ...
    AllowedIPs = 0.0.0.0/0,::/0
    ...

For the Windows client it is enough to remove the "DNS =" line and replace the "AllowedIPs =" line with:

    AllowedIPs = 0.0.0.0/1, 128.0.0.0/1,::/1, 8000::/1

But wg-quick does not set up a route for the server when the "AllowedIPs =" line is replaced. The Windows client does.

EDIT: Just read your first post more thoroughly. This issue with "wg-quick" (which it appears you were using, with "AllowedIPs =" replaced) would definitely cause your "constant disconnections". It is the stuff about "ENDPOINT" that should fix this. Maybe wg-quick has had that shortcoming fixed by now, though.

In the past I have used a wrapper around wg-quick. I pasted them in below. I just gave them a quick try. They seemed to work. I have a couple of versions of these. Not sure which was meant to be the improvement. Maybe try these on a system you have used Eddie/WireGuard on first? As a way to leave Eddie out of it. The "wireguard_up" script wants the name of the config file from AirVPN as an argument. If you don't have wg-quick, I could put together a script that avoids wg-quick. Might be good to have.

EDIT: I just realized that "wireguard_up" does not remove the "DNS =" line. Not sure why not. And I see that wg-quick does not remove the DNS override when you tell it to take the VPN down. To remove any DNS override left behind you could do:

    sudo /sbin/resolvconf -d tun.wgclient

To bring WireGuard up:

    #!/bin/bash
    CFG=$1
    echo === using $CFG
    mkdir -p /tmp/wireguard_up
    CFGTMP=/tmp/wireguard_up/wgclient.conf
    #echo CFGTMP=$CFGTMP
    # Rewrite the catch-all AllowedIPs into two /1 halves (v4 and v6) so the default route is left alone
    cat $CFG | sed -e "s@0.0.0.0/0@0.0.0.0/1, 128.0.0.0/1@" | sed -e "s@::/0@::/1, 8000::/1@" | sed -e "s@::0/0@::/1, 8000::/1@" > $CFGTMP
    echo === $CFGTMP
    cat $CFGTMP                      # note: this prints the PrivateKey to the terminal
    chmod og-r $CFGTMP
    echo === wg-quick up $CFGTMP
    sudo wg-quick up $CFGTMP
    rm $CFGTMP
    rmdir /tmp/wireguard_up
    # Resolved server address, with the port (and IPv6 brackets) stripped
    ENDPOINT=$(sudo wg showconf wgclient | grep "^ *Endpoint *= *" | \
      sed -e "s@ @@g" | sed -e "s@Endpoint=@@" | sed -e "s@:[0-9]*\$@@" | sed -e "s@^\[@@" | sed -e "s@\]\$@@")
    #echo ENDPOINT=$ENDPOINT
    PROTO=-4
    if echo $ENDPOINT | grep -q ":"; then PROTO=-6; fi
    #echo PROTO=$PROTO
    ROUTE=`ip $PROTO route show default`
    #echo ROUTE=$ROUTE
    # token N <words...>: print the N-th word (gateway is word 3, device word 5 of "default via GW dev IF ...")
    token () {
      N=$1
      shift
      eval echo \$${N}
    }
    GW=`token 3 $ROUTE`
    #echo GW=$GW
    IF=`token 5 $ROUTE`
    #echo IF=$IF
    # Host route for the server via the real uplink, which wg-quick no longer adds once AllowedIPs is split
    echo === ip $PROTO route add $ENDPOINT via $GW dev $IF
    sudo ip $PROTO route add $ENDPOINT via $GW dev $IF

To bring WireGuard down:

    #!/bin/bash
    mkdir -p /tmp/wireguard_down
    CFGTMP=/tmp/wireguard_down/wgclient.conf
    #echo CFGTMP=$CFGTMP
    # Dump the running config so wg-quick has a file of the right name to take down
    sudo wg showconf wgclient > $CFGTMP
    echo === $CFGTMP
    cat $CFGTMP                      # note: this prints the PrivateKey to the terminal
    ENDPOINT=$(sudo wg showconf wgclient | grep "^ *Endpoint *= *" | \
      sed -e "s@ @@g" | sed -e "s@Endpoint=@@" | sed -e "s@:[0-9]*\$@@" | sed -e "s@^\[@@" | sed -e "s@\]\$@@")
    #echo ENDPOINT=$ENDPOINT
    PROTO=-4
    if echo $ENDPOINT | grep -q ":"; then PROTO=-6; fi
    #echo PROTO=$PROTO
    ROUTE=`ip $PROTO route show default`
    #echo ROUTE=$ROUTE
    token () {
      N=$1
      shift
      eval echo \$${N}
    }
    GW=`token 3 $ROUTE`
    #echo GW=$GW
    IF=`token 5 $ROUTE`
    #echo IF=$IF
    # Remove the host route added by wireguard_up
    echo === ip $PROTO route del $ENDPOINT via $GW dev $IF
    sudo ip $PROTO route del $ENDPOINT via $GW dev $IF
    chmod og-r $CFGTMP
    echo === wg-quick down $CFGTMP
    sudo wg-quick down $CFGTMP
    rm $CFGTMP
    rmdir /tmp/wireguard_down