Differences

wireguard [2020/01/23 11:46]
chewitt
wireguard [2020/03/17 05:51] (current)
chewitt
Line 1: Line 1:
-** This is a DRAFT article, pending future merge of WireGuard ​functionality **+=== Configuring ​WireGuard ​in LibreELEC (v9.2.1 and newer) ===
  
 LibreELEC can be configured as a WireGuard VPN client allowing you to accessing media in a remote location or tunnel traffic to avoid local inspection of network activity. This guide assumes configuration of a single WireGuard tunnel that is persistent, i.e. activated on device boot so that Kodi network traffic is routed through the WireGuard VPN tunnel. LibreELEC can be configured as a WireGuard VPN client allowing you to accessing media in a remote location or tunnel traffic to avoid local inspection of network activity. This guide assumes configuration of a single WireGuard tunnel that is persistent, i.e. activated on device boot so that Kodi network traffic is routed through the WireGuard VPN tunnel.
  
-WireGuard tunnels are managed by a ConnMan VPN plugin (connman-vpn.service) that acts as a companion to the main network connection manager daemon (connman.service). The VPN plugin ​reads from /​storage/​.config/​wireguard/​*.conf and will attempt to define ConnMan services from the auto-discovered ​configurations (ConnMan watches the folder and files). Once a valid ConnMan ​service ​has been imported it can be connected ​using the scriptable connmanctl utility; either manually from the SSH conole ​or from a persistent ​systemd service that runs on boot, or manually ​using the network '​Connections'​ tab in the LibreELEC settings add-on which contols ​services via d-bus.+WireGuard tunnels are managed by a ConnMan VPN plugin (connman-vpn.service) that acts as a companion to the main network connection manager daemon (connman.service). The VPN plugin ​watches ​/​storage/​.config/​wireguard/​*.config ​and will attempt to define ConnMan services from auto-discovered ​configuration ​files. Once a valid ConnMan ​WireGuard .config ​has been imported it can be connected; either manually ​using connmanctl ​from the SSH console ​or scripted ​from a systemd service that runs on boot. Connections can also be controlled ​manually ​from the network '​Connections'​ tab in the LibreELEC settings add-on which connects and disconnects WireGuard (ConnMan) ​services via d-bus.
  
 Note: ConnMan uses its own configuration file format (shown below). You cannot import/use the WireGuard configuration files exported from most WireGuard server tools and third-party VPN services - the format is different. The files will contain everything you need, but you must transpose the information into the ConnMan format: Note: ConnMan uses its own configuration file format (shown below). You cannot import/use the WireGuard configuration files exported from most WireGuard server tools and third-party VPN services - the format is different. The files will contain everything you need, but you must transpose the information into the ConnMan format:
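Review bot: the watched path changes from `*.conf` to `*.config` in this hunk, and the rest of the article (and any sample filename it gives) must use the same `.config` extension, because a file that does not match the watched pattern is silently never imported as a ConnMan service. The new wording also makes a behavioural claim worth keeping precise: ConnMan "watches" the folder, so a file can be dropped in without restarting connman-vpn.service, but an invalid file produces no service rather than an error in the settings add-on. Separately, the unchanged intro still reads "allowing you to accessing media"; suggest "allowing you to access media".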
Line 10: Line 10:
 [provider_wireguard] [provider_wireguard]
 Type = WireGuard Type = WireGuard
-Name = WireGuard ​VPN Tunnel +Name = WireGuard ​(Home) 
-Host = 3.2.5.6 +Host = 185.210.30.121 
-Domain = my.home.network+Domain = my.home.vpn
 WireGuard.Address = 10.2.0.2/24 WireGuard.Address = 10.2.0.2/24
 WireGuard.ListenPort = 51820 WireGuard.ListenPort = 51820
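Review bot: `Host = 185.210.30.121` replaces the obviously fake `3.2.5.6` with what looks like a real, routable public address in a copy-paste sample; prefer an RFC 5737 documentation range (for example `203.0.113.10`) so a reader who pastes the sample unchanged does not send WireGuard handshakes to an unrelated host. If the real-looking value is kept because the routing-table output later in the article shows the same endpoint, keep the two in step, but a documentation address could be used in both places just as easily.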
Line 27: Line 27:
  
 Name = AnythingYouLike\\ ​ Name = AnythingYouLike\\ ​
-Host = IP or hostname ​of the WireGuard **server**\\+Host = IP of the WireGuard **server**\\
 Domain = must.not.be.blank\\ ​ Domain = must.not.be.blank\\ ​
 WireGuard.Address = The internal IP of the **client** node, usually a /24 address\\ WireGuard.Address = The internal IP of the **client** node, usually a /24 address\\
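Review bot: dropping "or hostname" from the `Host` description is a silent behaviour claim. If the ConnMan WireGuard plugin does not resolve hostnames, say so explicitly (for example "Host must be an IP address; hostnames are not resolved"), because readers whose server sits behind dynamic DNS will otherwise try a hostname and get an unexplained failure to connect. If hostnames do work, the original wording should be restored.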
Line 39: Line 39:
 WireGuard.PersistentKeepalive = Periodic keepalive in seconds (optional)\\ ​ WireGuard.PersistentKeepalive = Periodic keepalive in seconds (optional)\\ ​
  
-Domain is a quirk of how ConnMan internally names and stores services, and it must exist. It is simply a text field, not a qualified domain, so "​MyVPN" ​an "​alice.loves.bob"​ and "​libreelec.tv"​ are all valid Domain entries.+Domain is a quirk of how ConnMan internally names and stores services, and it must exist. It is simply a text field, not a qualified domain, so "​MyVPN" ​and "​alice.loves.bob"​ and "​libreelec.tv"​ are all valid Domain entries.
  
 === Creating WireGuard Keys === === Creating WireGuard Keys ===
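Review bot: the typo fix (`an` to `and`) is correct, but the resulting `"MyVPN" and "alice.loves.bob" and "libreelec.tv"` reads as a doubled conjunction; suggest a comma list: `"MyVPN", "alice.loves.bob" and "libreelec.tv" are all valid Domain entries`.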
Line 83: Line 83:
  
 wg0       Link encap:​UNSPEC ​ HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00  ​ wg0       Link encap:​UNSPEC ​ HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00  ​
-          inet addr:10.10.10. ​P-t-P:​10.10.10. ​Mask:​255.255.255.0+          inet addr:10.2.0. ​P-t-P:​10.2.0. ​Mask:​255.255.255.0
           UP POINTOPOINT RUNNING NOARP  MTU:​1420 ​ Metric:1           UP POINTOPOINT RUNNING NOARP  MTU:​1420 ​ Metric:1
           RX packets:​13744 errors:0 dropped:0 overruns:0 frame:0           RX packets:​13744 errors:0 dropped:0 overruns:0 frame:0
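Review bot: the updated ifconfig line reads `inet addr:10.2.0.  P-t-P:10.2.0.`, so both addresses are missing their last octet. The sample config earlier in the diff sets `WireGuard.Address = 10.2.0.2/24`, so the `inet addr` field should show `10.2.0.2` (and `P-t-P` the same value for a point-to-point wg interface); as it stands a reader comparing their own output will think something is wrong.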
Line 91: Line 91:
 </​code>​ </​code>​
  
-You should be able to "​ping"​ the remote (server) side of the WireGuard VPN tunnel:+You should be able to "​ping"​ the remote (server) side of the WireGuard VPN tunnel. In our example this is 10.2.0.1:
  
 <​code>​ <​code>​
-RPi4:~ # ping 10.10.10.1 +RPi4:~ # ping 10.2.0.1 
-PING 10.10.10.1 (10.10.10.1): 56 data bytes +PING 10.2.0.1 (10.2.0.1): 56 data bytes 
-64 bytes from 10.10.10.1: seq=0 ttl=64 time=147.936 ms +64 bytes from 10.2.0.1: seq=0 ttl=64 time=147.936 ms 
-64 bytes from 10.10.10.1: seq=1 ttl=64 time=147.955 ms+64 bytes from 10.2.0.1: seq=1 ttl=64 time=147.955 ms
 </​code>​ </​code>​
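Review bot: the added sentence "In our example this is 10.2.0.1" introduces the server's tunnel address, which appears nowhere in the visible config excerpt (only the client's `WireGuard.Address = 10.2.0.2/24` is shown). Say where it comes from, i.e. the address the server assigned to its own end of the tunnel, so that readers using a different subnet know which value to substitute rather than pinging `10.2.0.1` literally.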
  
Line 109: Line 109:
 1.1.1.1 ​        ​* ​              ​255.255.255.255 UH    0      0        0 wg0 1.1.1.1 ​        ​* ​              ​255.255.255.255 UH    0      0        0 wg0
 8.8.8.8 ​        ​* ​              ​255.255.255.255 UH    0      0        0 wg0 8.8.8.8 ​        ​* ​              ​255.255.255.255 UH    0      0        0 wg0
-10.10.10.0      *               ​255.255.255.0 ​  ​U ​    ​0 ​     0        0 wg0+10.2.0.0        *               ​255.255.255.0 ​  ​U ​    ​0 ​     0        0 wg0
 192.168.10.0 ​   *               ​255.255.255.0 ​  ​U ​    ​0 ​     0        0 eth0 192.168.10.0 ​   *               ​255.255.255.0 ​  ​U ​    ​0 ​     0        0 eth0
 192.168.10.1 ​   *               ​255.255.255.255 UH    0      0        0 eth0 192.168.10.1 ​   *               ​255.255.255.255 UH    0      0        0 eth0
-185.210.30.121  ​172.16.20.1     ​255.255.255.255 UGH   ​0 ​     0        0 eth0+185.210.30.121  ​192.168.10.1    255.255.255.255 UGH   ​0 ​     0        0 eth0
 </​code>​ </​code>​
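Review bot: changing the endpoint gateway from `172.16.20.1` to `192.168.10.1` makes the table internally consistent, since `192.168.10.0/24` on `eth0` is the only LAN shown and the old gateway was not on it. It would help the reader to state what they are meant to verify here: the `10.2.0.0/24` route on `wg0`, the single host route for the WireGuard endpoint (`185.210.30.121`) leaving via the LAN gateway on `eth0`, and the `1.1.1.1`/`8.8.8.8` host routes on `wg0`, which show DNS queries are carried inside the tunnel rather than leaking to the local network.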
  
Line 125: Line 125:
 === Configuring Systemd === === Configuring Systemd ===
  
-To start the connection automatically on boot we need to create a systemd wireguard.service file. This tells which ConnMan service to start and the sequence/​dependencies (when to start it). The sample wireguard.service file looks like:+To start the connection automatically on boot we need to create a systemd wireguard.service file. This tells ConnMan ​which service to start and the sequence/​dependencies (when to start it). The sample wireguard.service file looks like:
  
 <​code>​ <​code>​
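Review bot: "This tells ConnMan which service to start" is slightly misleading, because a systemd unit does not speak to ConnMan directly; per the updated intro, the unit runs `connmanctl` on boot and it is connmanctl that tells ConnMan which VPN service to connect. Suggest: "This runs connmanctl to tell ConnMan which service to connect, and defines the ordering/dependencies (when to start it)."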