TorGuard

HowTo - Wireguard RADXA's Rock Pi4 A/B (Ubuntu/Debian) and similar devices where wireguard installation from PPA is not possible


19807409


Guide Requirements

  • TorGuard credentials and WireGuard enabled on your account
    (at the time of this guide's writing it had to be enabled manually)
  • rock pi 4 (or similar device)
  • Debian9/Ubuntu 18.04 or higher
    • WireGuard is compatible with kernels 3 to 5, so it should make no difference for those running a manually compiled kernel 5

Description

  • Hardware used for test
    RADXA Rock Pi 4A v1.3, v1.4
    RADXA Rock Pi 4B v1.3, v1.4
  • OS and kernel used during creation of this guide
    Ubuntu 18.04
    aarch64 architecture
    Linux rock1 4.4.154-109-rockchip-gb04eccb4588e #1 SMP Mon May 18 09:22:02 UTC 2020 aarch64 aarch64 aarch64 GNU/Linux

 

The attachment contains an example script that can be used for the installation on Rock Pi 4 devices; make sure to replace the variables in the script before use.

This guide is mainly intended for RADXA's 🐼 Rock Pi 4 users.

ℹ️¹ - Currently the latest available Linux kernel for the Rock Pi is 4.4.154; there is no official kernel 5, but there are guides on how to compile one.

ℹ️² - For Ubuntu 18.04 and lower, the recommended way of installing WireGuard is to add the PPA and then install from the repository. For Ubuntu releases newer than 18.04, WireGuard is available in Ubuntu's default repository and adding the PPA is not required.

sudo add-apt-repository ppa:wireguard/wireguard # you skip this step on Ubuntu 20.04
sudo apt-get update # you can skip this on Ubuntu 18.04
sudo apt-get install -y wireguard

In the case of RADXA's Rock Pi 4 we run into the issue that WireGuard can't be installed from the repository because of Raspberry Pi related dependencies such as linux-*-raspi2, which cannot be installed on the Rock Pi 4. If you do not use a Rock Pi 4, first try installing from the PPA; if your device boots properly after the installation, proceed to step 4 of this guide and skip all previous steps.

What will we have at the end of this setup

  • On every boot we will be connected automatically to TorGuard's wireguard server
  • Reconnecting on connection drops happens automatically

 

Installation and compilation instructions

  1. Install required packages
    # wireguard build dependencies
    sudo apt-get install -y libelf-dev linux-headers-$(uname -r) build-essential pkg-config
    # wg-quick dependencies, requires network service restart 
    sudo apt-get install -y resolvconf
    sudo service networking restart

     

  2. Fix missing scripts
    this step is required, otherwise the build fails with the following error: /bin/sh: 1: ./scripts/recordmcount: Exec format error
    cd /usr/src/linux-headers-$(uname -r)
    sudo make scripts
  3. Build wireguard from source and install
    # Set folder where you want to save and compile your sources
    WIREGUARDSOURCEDIR="/opt/wireguard" # here all sources will be saved and compiled
    
    sudo mkdir -p $WIREGUARDSOURCEDIR
    cd $WIREGUARDSOURCEDIR
    
    # Get wireguard sources
    sudo git clone https://git.zx2c4.com/wireguard-linux-compat
    sudo git clone https://git.zx2c4.com/wireguard-tools
    
    echo "Wireguard: Compile the module"
    sudo make -C wireguard-linux-compat/src -j$(nproc)
    echo "Wireguard: Install the module"
    sudo make -C wireguard-linux-compat/src install
    
    echo "Wireguard: Compile the wg(8) tool"
    sudo make -C wireguard-tools/src -j$(nproc)
    echo "Wireguard: Install the wg(8) tool"
    sudo make -C wireguard-tools/src install
    
  4. Create wireguard config
    1. Option A (preferred option, as typos are excluded)
      You can get your configs from your torguard account. Login and go to "Servers", "Wireguard Network". Every enabled server has a config download button. Save your downloaded file as /etc/wireguard/wg0.conf
      # Example with Canada-Toronto1 server, assumed you downloaded it as ~/Downloads/Canada-Toronto1.conf
      sudo cp ~/Downloads/Canada-Toronto1.conf /etc/wireguard/wg0.conf
      # WireGuard: restrict permissions to make sure the config file is safe
      sudo chmod 600 /etc/wireguard/wg0.conf

       

    2. Option B (if you know your credentials and servers, you can create your own config)
      # Please change variables below before usage
      COMMENT="TorGuard WireGuard Config - Canada-Toronto1"
      PRIVATEKEY="YOURPRIVATEKEY"
      PUBLICKEY="YOURPUBLICKEY"
      ADDRESS="10.99.0.2/24" # Example : 10.99.0.2/24, login to torguard to get your wireguard address
      ENDPOINTHOST="123.145.167.189" # Example: 123.145.167.189, login to torguard to get your wireguard server address
      ENDPOINTPORT="443" # Example: 443, currently 443 is used for torguards wireguard connections
      DNS="1.1.1.1" # login to torguard to get your wireguard DNS address
      LISTENPORT="51820" # login to torguard to get your wireguard listen port
      KEEPALIVE="25" # login to torguard to get keepalive value
      ALLOWEDIPS="0.0.0.0/0" # login to torguard to get your wireguard allowed ip's default setting
      
      # Please do not change anything from here
      
      ENDPOINT="$ENDPOINTHOST:$ENDPOINTPORT"
      cat <<EOF | sudo tee /etc/wireguard/wg0.conf
      # $COMMENT
      [Interface]
      Address = $ADDRESS
      PrivateKey = $PRIVATEKEY
      SaveConfig = true
      ListenPort = $LISTENPORT
      DNS = $DNS
      
      [Peer]
      PublicKey = $PUBLICKEY
      Endpoint = $ENDPOINT
      PersistentKeepalive = $KEEPALIVE
      AllowedIPs = $ALLOWEDIPS
      EOF
      
  5. Quick test of wireguard config
    sudo wg-quick up wg0

    You should see something like this as a result
     

    [#] ip link add wg0 type wireguard
    [#] wg setconf wg0 /dev/fd/63
    [#] ip -4 address add 10.29.0.120/24 dev wg0
    [#] ip link set mtu 1420 up dev wg0
    [#] ip -4 route add 0.0.0.0/0 dev wg0 table 51820
    [#] ip -4 rule add not fwmark 51820 table 51820
    [#] ip -4 rule add table main suppress_prefixlength 0
    [#] sysctl -q net.ipv4.conf.all.src_valid_mark=1
    [#] iptables-restore -n

    If you need to make any changes to your /etc/wireguard/wg0.conf, you have to stop wireguard: (otherwise all changes you made will be overwritten)
     

    sudo wg-quick down wg0

    as result you should see something like this:
     

    [#] wg showconf wg0
    [#] ip -4 rule delete table 51820
    [#] ip -4 rule delete table main suppress_prefixlength 0
    [#] ip link delete dev wg0
    [#] iptables-restore -n
  6. Enable wireguard to start automatically on boot
    sudo systemctl enable wg-quick@wg0.service
  7. Activate kernel module
    WireGuard works as a kernel module. When it is installed using DKMS, the WireGuard kernel module is automatically compiled every time we upgrade our kernel, so it is ready to use for the new kernel as well. In order to use the kernel module right after the installation we have to either reboot or run modprobe to activate it:
    sudo modprobe wireguard
    

    You can check whether the kernel module is loaded using:

    sudo lsmod | grep wireguard

    As a result you should see something like this:
     

    wireguard             135168  0
    ip6_udp_tunnel         16384  1 wireguard
    udp_tunnel             16384  1 wireguard
  8. Optional firewall configuration
    If you have a firewall installed (ufw) or any other firewall, allow wireguard's listen port:
    sudo ufw allow ${LISTENPORT}/udp

Finished.

 

You can test your speed/performance with various tools; the best known is probably speedtest-cli, despite it having some issues (especially with upload statistics). If you see the correct IP and have a connection, you are safe to reboot.

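Option A above is preferred because a hand-typed config only fails at `wg-quick up`, and some typos (a wrong character in a key, a missing port) fail in ways that are hard to read from the output. The script below is an added example, not code from the guide or from TorGuard: it checks a wg0.conf before the interface is brought up. The file name wg-conf-check.sh and the function names are my own; the 32-byte key rule comes from WireGuard's Curve25519 keys and the mode-600 rule from step 4 of the guide.

```shell
#!/bin/sh
# wg-conf-check.sh: sanity-check a WireGuard client config before `wg-quick up`.
# Added example, not part of the original guide or of TorGuard's tooling.
# Assumptions: a standard [Interface]/[Peer] file (e.g. /etc/wireguard/wg0.conf),
# Curve25519 keys (base64 of exactly 32 bytes), and the guide's chmod 600.
# Needs only sh, awk, base64 and stat.

# Return 0 if $1 is a valid WireGuard key: base64 that decodes to 32 bytes.
# Catches a wrong length or broken padding, not a swapped but valid character.
wg_key_ok() {
    n=$(printf '%s' "$1" | base64 -d 2>/dev/null | wc -c)
    [ "$((n))" -eq 32 ]
}

# Return 0 if $1 is host:port (IPv4, hostname or [IPv6]) with a port in 1..65535.
wg_endpoint_ok() {
    ep=$1
    host=${ep%:*}
    port=${ep##*:}
    [ "$host" != "$ep" ] || return 1          # no ':' at all
    [ -n "$host" ] || return 1
    case $port in '' | *[!0-9]*) return 1 ;; esac
    [ "$port" -ge 1 ] && [ "$port" -le 65535 ]
}

# Print the value of key $2 (first "Key = value" line) from config $1.
# Splits on the first '=' only, because base64 keys end in '='.
wg_conf_get() {
    awk -v k="$2" '
        /^[ \t]*#/ { next }
        index($0, "=") > 0 {
            key = substr($0, 1, index($0, "=") - 1)
            gsub(/[ \t]/, "", key)
            if (key == k) {
                val = substr($0, index($0, "=") + 1)
                sub(/^[ \t]+/, "", val)
                sub(/[ \t]+$/, "", val)
                print val
                exit
            }
        }' "$1"
}

# Check config $1. Prints one line per problem; return value is the problem count.
wg_conf_check() {
    f=$1
    errs=0
    [ -r "$f" ] || { echo "$f: cannot read"; return 1; }

    # the private key must not be readable by other users (the guide's chmod 600)
    mode=$(stat -c '%a' "$f" 2>/dev/null || stat -f '%Lp' "$f")
    case $mode in
        600 | 400) ;;
        *) echo "$f: mode $mode, expected 600"; errs=$((errs + 1)) ;;
    esac

    for k in PrivateKey PublicKey; do
        wg_key_ok "$(wg_conf_get "$f" "$k")" ||
            { echo "$k: not a base64 32-byte key"; errs=$((errs + 1)); }
    done

    ep=$(wg_conf_get "$f" Endpoint)
    wg_endpoint_ok "$ep" ||
        { echo "Endpoint: expected host:port, got '$ep'"; errs=$((errs + 1)); }

    addr=$(wg_conf_get "$f" Address)
    case $addr in
        */[0-9] | */[0-9][0-9]) ;;
        *) echo "Address: expected a.b.c.d/prefix, got '$addr'"; errs=$((errs + 1)) ;;
    esac

    return $errs
}

# Usage: sudo sh wg-conf-check.sh /etc/wireguard/wg0.conf
if [ $# -gt 0 ]; then
    wg_conf_check "$1" && echo "$1: ok"
fi
```

Run it as root against /etc/wireguard/wg0.conf after step 4. A swapped but still valid base64 character cannot be detected this way; only the handshake in step 5 proves the key pair is right.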
Axlerod34

If you get the following error when using wg-quick

resolvconf: command not found

 

You'll need to install openresolv from your particular repository.

 

Also for the firewall entry the udp port is in the .conf file provided by torguard.

Axlerod34

Here is an alternate method using network manager instead. This will bypass the need for openresolv using wg-quick.

This also assumes you named your torguard wireguard config file wg0.conf and already have placed it in /etc/wireguard. Adjust accordingly for your needs.

 

Network manager method only works natively in the command line so far. Third party gui functionality exists but is not officially supported yet.

 

First we need to import the existing config to network manager.

If you already restricted access to the wg0.conf file then you'll need to do this using sudo.

 

$ CONF_FILE="/etc/wireguard/wg0.conf"
$ nmcli connection import type wireguard file "$CONF_FILE"
Connection 'wg0' (xxxxxxxxx) successfully added.

As a side note, if you import the config from a file that is not restricted, the permissions are set automatically, so there is no need to run chmod 600 afterwards once the config is imported into a new profile in the /etc/NetworkManager/system-connections/ folder.

If you want to remove the config

$ nmcli connection delete wg0
or
$ nmcli c delete wg0
Connection 'wg0' (xxxxxxxxxxx) successfully deleted.

 

To see the details of the config

$ nmcli --show-secrets connection show wg0
or
$ nmcli --show-secrets c s wg0

 

To activate the connection

$ nmcli connection up wg0
or
$ nmcli c u wg0
Connection successfully activated (D-Bus active path: /org/freedesktop/NetworkManager/ActiveConnection/30)

 

To make the connection permanent, if it was not already done by default, set up autoconnect through the command line as follows.

First, assuming we don't know the profile name of the config, use the following command:

$ nmcli connection show
or
$ nmcli c s

Next, to edit the profile, use the following command; this opens the nmcli editor:

$ nmcli connection edit wg0
or
$ nmcli c e wg0

 

Now we can check individual settings, in this case autoconnect

nmcli> print connection.autoconnect

 

If it returns the following value, this is how to set it so that it autoconnects every time the computer starts up:

nmcli> print connection.autoconnect
connection.autoconnect: no
nmcli> set connection.autoconnect yes
nmcli> save persistent
Saving the connection with 'autoconnect=yes'. That might result in an immediate activation of the connection.
Do you still want to save? (yes/no)

The connection will now autoconnect on computer restarts once enabled using the nmcli connection up command

To deactivate the connection

$ nmcli connection down wg0
or
$ nmcli c d wg0
Connection successfully deactivated (D-Bus active path: /org/freedesktop/NetworkManager/ActiveConnection/30)

 

 

 
19807409

Thanks for extension of another option.

On 7/13/2020 at 8:12 PM, Axlerod34 said:

If you get the following error when using wg-quick

resolvconf: command not found

 

You'll need to install openresolv from your particular repository.

 

Also for the firewall entry the udp port is in the .conf file provided by torguard.

 

Actually it is part of the guide, and the script includes the installation of resolvconf. I am not sure why you got that error, probably because you did not follow the guide, as it clearly is part of it:
 

sudo apt-get install -y resolvconf

I am not sure what exactly you commented on with "Also for the firewall entry the udp port is in the .conf file provided by torguard." TorGuard uses the default port 51820, which is included in the guide for somebody who creates the config on their own, and a note is left that it is better to use TorGuard's config from the user's account, as that prevents typos in the config. If you mean FwMark, it is automatically added to the config file after a successful connection. If not specified, the default port 51820 is used, which TorGuard uses anyway. So I am not sure what exactly you meant or tried to say with that comment.

For the RPi, as an example, you can install directly from the Debian repo, no need to compile on your own; it is the same script just without compilation, installing from the Debian repo instead:
 

#!/bin/bash
# Please change variables below before usage
COMMENT="TorGuard WireGuard Config - Canada-Toronto1"
PRIVATEKEY="YOURPRIVATEKEY"
PUBLICKEY="YOURPUBLICKEY"
ADDRESS="10.99.0.2/24" # Example : 10.99.0.2/24, login to torguard to get your wireguard address
ENDPOINTHOST="123.145.167.189" # Example: 123.145.167.189, login to torguard to get your wireguard server address
ENDPOINTPORT="443" # Example: 443, currently 443 is used for torguards wireguard connections
DNS="1.1.1.1" # login to torguard to get your wireguard DNS address
LISTENPORT="51820" # login to torguard to get your wireguard listen port
KEEPALIVE="25" # login to torguard to get keepalive value
ALLOWEDIPS="0.0.0.0/0" # login to torguard to get your wireguard allowed ip's default setting

# Please do not change anything from here if you do not know what you are doing

# wireguard build dependencies (optional, only required if you want to build from source, in this script we install from a repo)
sudo apt-get install -y libelf-dev build-essential pkg-config

# install the RPi's kernel headers (without them you will receive the error message "RTNETLINK answers: Operation not supported" when running wg-quick)
sudo apt-get install -y raspberrypi-kernel-headers

# wg-quick dependencies, requires network service restart 
sudo apt-get install -y resolvconf
sudo service networking restart

# add debian distro repo
echo "deb http://deb.debian.org/debian/ unstable main" | sudo tee --append /etc/apt/sources.list

# install Debian distro keys
sudo apt-key adv --keyserver   keyserver.ubuntu.com --recv-keys 04EE7237B7D453EC
sudo apt-key adv --keyserver   keyserver.ubuntu.com --recv-keys 648ACFD622F3D138

# Prevent RPi from using the Debian distro for normal Raspbian packages
sudo sh -c 'printf "Package: *\nPin: release a=unstable\nPin-Priority: 90\n" > /etc/apt/preferences.d/limit-unstable'

# install wireguard
sudo apt-get update
sudo apt install -y wireguard
sudo chown -R root:root /etc/wireguard/
sudo chmod -R og-rwx /etc/wireguard/*

ENDPOINT="$ENDPOINTHOST:$ENDPOINTPORT"
cat <<EOF | sudo tee /etc/wireguard/wg0.conf
# $COMMENT
[Interface]
Address = $ADDRESS
PrivateKey = $PRIVATEKEY
SaveConfig = true
ListenPort = $LISTENPORT
DNS = $DNS

[Peer]
PublicKey = $PUBLICKEY
Endpoint = $ENDPOINT
PersistentKeepalive = $KEEPALIVE
AllowedIPs = $ALLOWEDIPS
EOF

# make sure conf file is secure
sudo chmod 600 /etc/wireguard/wg0.conf

# start wireguard interface
sudo wg-quick up wg0

# stop wireguard interface
sudo wg-quick down wg0

# enable wireguard on boot
sudo systemctl enable wg-quick@wg0.service

# if you do not use the ufw firewall, comment out or delete the next line
sudo ufw allow ${LISTENPORT}/udp

On amd64 you can install WireGuard directly from the repo, as it is available there (for Ubuntu since 20.04).

Just curious, why don't you want to install/use resolvconf, or why do you want to avoid using wg-quick, especially considering that the package is small and available in the official repo? A better question for the common user would be why and when to use one way or the other, where the result is the same.

 

19807409

Many people ask for speed tests just to be able to compare results; here are a few tests with the devices used in this guide and the setup from this guide. As TorGuard's WireGuard servers are not yet available in all countries, I had to take servers quite far away, around 1000 km.

My ISP's bandwidth for the current test: 250 Mbit/s download and 50 Mbit/s upload.

Speedtest of the Rock Pi 4 connected to a WireGuard server quite far away, 1,235.42 km:


speedtest-cli --share --server 24387
Retrieving speedtest.net configuration...
Testing from Digital Ocean (167.99.83.132)...
Retrieving speedtest.net server list...
Retrieving information for the selected server...
Hosted by GTT.net (Slough) [2.34 km]: 51.533 ms
Testing download speed................................................................................
Download: 188.67 Mbit/s
Testing upload speed................................................................................................
Upload: 47.12 Mbit/s
Share results: http://www.speedtest.net/result/9763544916.png


speedtest-cli --share --server 24387
Retrieving speedtest.net configuration...
Testing from Digital Ocean (167.99.83.132)...
Retrieving speedtest.net server list...
Retrieving information for the selected server...
Hosted by GTT.net (Slough) [2.34 km]: 47.801 ms
Testing download speed................................................................................
Download: 199.29 Mbit/s
Testing upload speed...............................................................................................
Upload: 45.41 Mbit/s
Share results: http://www.speedtest.net/result/9763569074.png

 

Speedtest of the Raspberry Pi 3 connected to a TorGuard server a little closer, but not by much, 936.80 km:

The RPi 3 is restricted to a 100 Mbit/s port and therefore can't really be faster than these results: iperf on the local network delivers 94.4 Mbit/s for the RPi 3 tested for this guide, and 79.75 Mbit/s is only slightly lower than the 85 Mbit/s my RPi delivers without VPN. All speedtest servers were picked randomly.


$ speedtest-cli --share --server 5972
Retrieving speedtest.net configuration...
Testing from Digital Ocean (178.62.233.46)...
Retrieving speedtest.net server list...
Retrieving information for the selected server...
Hosted by Tele2 Netherlands B.V. (Amsterdam) [3.12 km]: 75.182 ms
Testing download speed................................................................................
Download: 75.77 Mbit/s
Testing upload speed................................................................................................
Upload: 47.92 Mbit/s
Share results: http://www.speedtest.net/result/9763413199.png


$ speedtest-cli --share --server 5972
Retrieving speedtest.net configuration...
Testing from Digital Ocean (178.62.233.46)...
Retrieving speedtest.net server list...
Retrieving information for the selected server...
Hosted by Tele2 Netherlands B.V. (Amsterdam) [3.12 km]: 74.233 ms
Testing download speed................................................................................
Download: 79.75 Mbit/s
Testing upload speed................................................................................................
Upload: 45.72 Mbit/s
Share results: http://www.speedtest.net/result/9763506639.png


$ speedtest-cli --share --server 5972
Retrieving speedtest.net configuration...
Testing from Digital Ocean (178.62.233.46)...
Retrieving speedtest.net server list...
Retrieving information for the selected server...
Hosted by Tele2 Netherlands B.V. (Amsterdam) [3.12 km]: 77.845 ms
Testing download speed................................................................................
Download: 75.44 Mbit/s
Testing upload speed................................................................................................
Upload: 47.02 Mbit/s
Share results: http://www.speedtest.net/result/9763508751.png


WireGuard servers around 1000 km away give me around 80% of the download and 100% of the upload speed offered by my ISP. All servers closer than 100 km give me 99% (it is never 100% of the bandwidth, e.g. as shown by iperf on the local net, but very close).

 

speedtest version for this test on rock pi4:
 

$ speedtest-cli --version
speedtest-cli 2.1.2
Python 2.7.17 (default, Apr 15 2020, 17:20:14) [GCC 7.5.0]

speedtest version for this test on rpi3

$ speedtest-cli --version
speedtest-cli 2.1.2
Python 2.7.16 (default, Oct 10 2019, 22:02:15) [GCC 8.3.0]

 

Axlerod34
5 hours ago, 19807409 said:

Thanks for extension of another option. […]


I should have added that the distro I did it on was Ubuntu 20.04, and the reason for openresolv is that when I looked through the repository I couldn't find resolvconf. I have to add that they do still offer resolvconf in 20.04, so either will work in this case. The other reason I've found is that using different implementations for DNS tends to run afoul of other methods, and most Ubuntu distros these days, from 18.04 and up, use network manager through /etc/netplan as their default method for handling network connections. Wg-quick, at least on the surface, seems like a sideways implementation of the deprecated /etc/network/interfaces way of adding network devices and settings. Case in point for DNS: try using dnscrypt-proxy and a TorGuard OpenVPN connection. Depending on how network manager is set up, they both write conflicting DNS servers and ports to the resolv.conf file. It is nothing against wg-quick and more about keeping all the networking connections and configurations under one umbrella to avoid potential conflicts when possible, if not using the TorGuard application.

 

It is also possible to set up WireGuard using systemd with systemd-networkd, or /etc/network/interfaces as long as ifupdown and resolvconf are also installed, but I don't think those are commonly used anymore by the average user on Ubuntu, unlike network manager, which is the default.

 

On the port thing, it was more a comment on me not seeing it in the guide, is all. Overall it is an excellent guide regardless of my reading comprehension.

Axlerod34

One other point on the resolvconf thing, even though this article is about building WireGuard from source and not installing from a repository; I figure it is better to add it here as a comment than to start a whole separate thread. If you do install it from a repository using the apt or apt-get command, it won't install resolvconf or openresolv, even with the --install-recommends or --install-suggests flags, when installing wireguard and/or wireguard-dkms for kernel module support in Ubuntu. You'll have to install it separately, same as wireguard-tools for the wg and wg-quick utilities.

19807409

Thanks for your explanations and points. It is always good to get feedback.

As I wrote in the guide, it should work in a similar way on all platforms. The guide was created on the aarch64 architecture on a Rock Pi 4 SoC board, and depending on which software people use, the setup can be different, especially the scripts: the RPi and the Rock Pi are quite the same, but the software and scripts are not, and so they require different setups. On 20.04 you should probably use Ubuntu's repository version, as it is available since 20.04; by the way, this is written in the guide just for those who do not use the Rock Pi 4, as for the Rock Pi 4 there is no 20.04 and WireGuard's PPA does not work without modifications, which was the reason to write the guide about building from source.

The first version of this guide actually included information about the port as well as iperf tests and some deeper analysis of connection health, but before posting I removed the bigger part of it, as I found it confusing for a newcomer reading this guide; I decided to delete everything that was not required.

I would disagree with the point that the guide does not mention the port. If you look it up:

ENDPOINTPORT="443" # Example: 443, currently 443 is used for torguards wireguard connections
DNS="1.1.1.1" # login to torguard to get your wireguard DNS address
LISTENPORT="51820" # login to torguard to get your wireguard listen port

Here, 443 and 51820 are the default ports in all WireGuard documentation and guides. I also wrote as a comment where to look it up instead of writing it down, as I can't know whether TorGuard will change its default port.

 

Here I take the criticism and ask myself why you did not see it, so probably I need to add more comments or edit the current ones; suggestions are welcome.

 

As for dnscrypt and similar things, all of this is part of an extended setup for users, and I find it should not be a part of this guide but maybe of a separate one, especially as a minimal number of WireGuard users will use the combination which might be problematic as you say.

As for network-manager, I would say that people who are well versed with Linux do not need this guide for the WireGuard setup, but rather the WireGuard documentation and best practices.

The point about resolvconf is in my opinion again an extended setup; not using it, as part of WireGuard is not working, and I find it is a problem for a basic guide for the average user. Especially as you can still use network-manager to configure it if your resolvconf is installed/used; it all depends on your settings.

If you look it up, I wrote that resolvconf is required for this guide to work, meaning not only that it should be installed, but I also added it as a requirement.

You are probably right about putting it here instead of in a new thread; I agreed on this in my previous post but I am unsure if I expressed it well. However, dnscrypt and more sophisticated setups, port forwarding etc. should probably go in another guide, not that we talked about it.

However, if involving dnscrypt and other things people use, I clearly think it should be in another thread; TorGuard admins probably have a better overview of what and how they add to their KB.

What I hate most when writing guides is keeping them compact without forgetting important information, and as you might know, everybody has their own perception of what is important, and it can't fit every use case without additional steps.

Thanks for the comments, it already helps to improve this guide. I will do it in the following days, just waiting to see whether more criticism and options get added by users who might think it is important ;)

 

 

Axlerod34
1 hour ago, 19807409 said:

thanks for your explanations and points. It is always good to get feedback. […]


More on the DNS thing and network manager, which I think is valid to this guide because it is the default network management tool on Ubuntu distros: it can and will run afoul of the DNS settings of other programs, like older versions of the TorGuard app or OpenVPN configs within network manager, because of how it sets priority on DNS server usage when multiple ones are specified, causing DNS leaks, and in this case potentially with wg-quick, in how both make use of the resolv.conf file. It could also potentially knock out DNS resolution for the WireGuard connection, not just cause leakage. Like I said, having resolvconf and then network manager, which uses systemd-resolved by default, both setting DNS through resolv.conf is a recipe for conflict. A simple solution, which I also think is valid to this guide since it will also apply to WireGuard and DNS server assignments, is to simply disable the systemd-resolved service unless you have need for it, and specifically add a line in the NetworkManager.conf file under the main section for DNS, like this: dns=default, if a conflict does arise. Network Manager will then use resolvconf instead, if that is what is being used. Doing that resolves any potential conflicts if you want to use wg-quick and resolvconf/openresolv.

Axlerod34

One more thing I may add to this, since it has relevance here regardless of whether you built WireGuard from source or installed from a repository: I may do a quick write-up on how to set up WireGuard using systemd-networkd. The reason for doing so is that networkd uses a lot fewer resources to manage the connections than network manager, and it is also a case of having all the networking handled under one umbrella. In the case of Raspberry Pi devices you may see a performance increase, unlike on a desktop or laptop.

19807409

The DNS point is arguable, as well as the point of which configs you prefer to maintain; older systems do not use netplan, and from that perspective the current guide should work on all systems.

I prefer to keep to "Thinking is not knowing; for decisions and guides it is better to know". Addressing possible DNS leaking by improper usage is, I guess, a separate topic for discussion.

For the things that I know: it can't, as an example, run afoul in combination with the TorGuard client on aarch64, as there simply is no TorGuard client for aarch64, as well as for some other platforms.

Again, a better guide for installation of WireGuard on amd64/x86 archs would be WireGuard's official documentation. Involving more software and more configs is actually how most newbies leak DNS etc.; it is like 99% always a bad config where somewhere something leaks, an example being IPv6. The more software you involve, the higher the possibility that something is not configured properly or that some update stops its function. It also includes the backup and restore process.

A potential conflict is not a conflict; you need to be able to reproduce the conflict to be able to discuss that one exists, I would say. Does my DNS leak with the current guide? No, it does not. If you can reproduce the leak and show me that it is leaking, then please post it, as it would be important.

Lastly, I am not sure you know it, but WireGuard is not in the production stage, it is still in the development stage, so we should stay updated about their changes, I guess, more than about Ubuntu suddenly deciding to use netplan, which you do not have to use at all. It reminds me of their attempt to push their desktop GUI, which failed on all stages and dumped the super stable GNOME desktop just to come back to it years later, so no, Ubuntu is not a reference for me for how I would use WireGuard.

19807409
4 minutes ago, Axlerod34 said:

One more thing I may add to this since it has relevance here regardless of whether you built wireguard from src or installed from a repository is I may do a quick write up on how to set up wireguard using systemd-networkd. Reason for doing so is networkd uses a lot less resources to manage the connections than network manager and it is also a case of having all the networking being handled under one umbrella. In the case of Raspberry Pi devices you may see a performance increase unlike a desktop or laptop.

 

Sure you can, but what do you dislike about it, given that wg-quick is used? You can write a script/service file using your method:

sudo systemctl enable wg-quick@wg0.service

Above, you can see tests on a Raspberry Pi 3 as well as a Rock Pi 4, which is quite the same as an RPi 4. I actually get 100% of what I can get with both devices, adding that those tests were done on a heavily used network, so the WAN was shared and for sure made speeds a little lower than if only that test device used the WAN.

I can additionally add your config as a service file if that is required, but again, for the current guide the above command works on Raspbian, Ubuntu and Debian (others I did not test).

Axlerod34
3 minutes ago, 19807409 said:

The DNS point is arguable, as well as the point of which configs you prefer to maintain; older systems do not use netplan, and from that perspective the current guide should work on all systems.

I prefer to keep to "Thinking is not knowing; for decisions and guides it is better to know". Addressing possible DNS leaking by improper usage is, I guess, a separate topic for discussion.

For the things that I know: it can't, as an example, run afoul in combination with the TorGuard client on aarch64, as there simply is no TorGuard client for aarch64, as well as for some other platforms.

Again, a better guide for installation of WireGuard on amd64/x86 archs would be WireGuard's official documentation. Involving more software and more configs is actually how most newbies leak DNS etc.; it is like 99% always a bad config where somewhere something leaks, an example being IPv6. The more software you involve, the higher the possibility that something is not configured properly or that some update stops its function. It also includes the backup and restore process.

A potential conflict is not a conflict; you need to be able to reproduce the conflict to be able to discuss that one exists, I would say. Does my DNS leak with the current guide? No, it does not. If you can reproduce the leak and show me that it is leaking, then please post it, as it would be important.

Lastly, I am not sure you know it, but WireGuard is not in the production stage, it is still in the development stage, so we should stay updated about their changes, I guess, more than about Ubuntu suddenly deciding to use netplan, which you do not have to use at all. It reminds me of their attempt to push their desktop GUI, which failed on all stages and dumped the super stable GNOME desktop just to come back to it years later, so no, Ubuntu is not a reference for me for how I would use WireGuard.

 

Fair enough on the aarch64 architecture not being supported by the TorGuard app, but the issue between resolvconf and systemd-resolved is one that extends beyond that. There is plenty of documentation on how systemd-resolved and resolvconf don't play nice with each other. That also extends beyond Ubuntu and into other Debian-based distros. As to my original reason to do one or the other and not both, it is a case of K.I.S.S. (keep it simple, stupid). No need to do something multiple ways unless there is some advantage to doing so. A potential conflict never has a chance of becoming more than that in this case by applying K.I.S.S. Not to beat this point to death, but I will anyway: implementing things and saying a conflict doesn't exist until it does is a bad rationale for not following K.I.S.S. Keeping it simple makes it easier to debug issues that weren't foreseen and to understand what is going on. As far as netplan goes, if you have ifupdown also installed, whether by default or otherwise, then the system will ignore netplan and use the old /etc/network/interfaces as the backend regardless of the front end, whether it be network manager or something else. That also goes back to K.I.S.S. and adding an optional step, or at least a note, to keep all your DNS resolution methods under one umbrella, either systemd-resolved or resolvconf, which is covered in the comments on how to do so.

Axlerod34
41 minutes ago, 19807409 said:

 

Sure you can, but what do you dislike about it, given that wg-quick is used? You can write a script/service file using your method:

sudo systemctl enable wg-quick@wg0.service

Above, you can see tests on a Raspberry Pi 3 as well as a Rock Pi 4, which is quite the same as an RPi 4. I actually get 100% of what I can get with both devices, adding that those tests were done on a heavily used network, so the WAN was shared and for sure made speeds a little lower than if only that test device used the WAN.

I can additionally add your config as a service file if that is required, but again, for the current guide the above command works on Raspbian, Ubuntu and Debian (others I did not test).

 

For informational purposes: what works well in your case may not for someone else. Think of it as supplementary information, is all.

And on your script comment: I can also write a script to do what wg-quick does, since it primarily uses the ip command to set everything up and the wg command for the WireGuard-specific parameters, then systemd-resolved instead of resolvconf to handle the DNS. It would be more trouble than it is worth, and easier to just disable systemd-resolved if I want to keep everything unified.

As far as using systemctl to run wg-quick as a service, it goes back to the K.I.S.S. comment on DNS. Systemd is the system manager, systemd-resolved is for DNS. You can shut off systemd-resolved and use resolvconf exclusively whether or not you set up wg-quick, which is an intermediary for resolvconf, under systemd.

There are also a few security reasons why I would want to use network manager over wg-quick, because I can better control how the keys are stored and whether the user has to type in the key manually to connect, but they would probably not apply to most people.

 

19807409

WireGuard is a route-based VPN: it will only tunnel if the destination IP is routable by one of the endpoints' configs; it doesn't care about the actual protocol, only the destination. It means the AllowedIPs in your client's config must include your DNS resolver's IP in order to tunnel DNS traffic.

This does not tunnel your DNS requests to 1.1.1.1

DNS = 1.1.1.1
AllowedIPs = 10.42.42.0/24, fd42:42:42::0/64

While this will tunnel your traffic to 1.1.1.1

DNS = 1.1.1.1
AllowedIPs = 10.42.42.0/24, fd42:42:42::0/64, 1.1.1.1/32

As far as I agree on different points: this guide was not about finding out what the perfect way of configuring DNS would be, as again, from person to person perfection changes up to the point that it fails; for a company it goes to another level, starting with the fact that WireGuard is not at all in the production stage and therefore actually should not be used for commercial purposes until it is.

As far as I can understand, you do not have any DNS issues now, and your concerns are connected to the management of several VPNs, by which you might have non-TorGuard VPNs. But as you mention K.I.S.S., then let's be honest about the simple way of thinking:

1. Just install WireGuard; it must be compiled.

2. When you compile it and finish, wg-quick and maybe some other things will not work, telling you about an error. The fastest way to fix it is to install resolvconf, so a user does it.

3. Connect to the VPN with wg-quick as shown in most WireGuard guides, as at this point it is about getting connected at all.

4. Shape/optimize configs (DNS etc.). This is the part which is not covered by this guide, which you suggest; only the first 3 points are, as in my opinion the fourth point is customization of each user separately, where companies probably should seek additional support from TorGuard itself for best practices.

As an example, for my Rock device I do not need to have OpenVPN or any other profile where your mentioned issue can happen at all, especially as the main intention of my use is simply to have a gateway, for which I have many reasons, like running VPN over VPN. In my ISP's case it means that using openconnect gives me 500% of what the ISP actually wanted to restrict me to; then using that gateway for other VPN connections like WireGuard works just fine. I am not getting 500% running WireGuard over openconnect, but it is still significantly higher than what the ISP offers. Talking in money, such a connection would cost me around 10-20 times more than I pay for the current one. This fact alone directly impacts your monthly available cash and my decision of what I really need; the DNS point here is not of any value in that scenario, as we really speak just about how the system resolves DNS, and you first laid out that Ubuntu uses something per default and therefore it is nice to use their recommendation.

DNSCrypt and other things also have their own problems, and not everybody wants to use it; many don't need it at all.

Quote

As far as using systemctl to run wg-quick as service. It goes back to the K.I.S.S. comment on DNS. Systemd is the system manager, systemd-resolved is for dns. You can shut off systemd-resolved and use resolvconf exclusively whether you set wg-quick which is an intermediary for resolvconf under Systemd.

Well, systemd and the system manager are not a part of WireGuard, do you agree? By that it is not K.I.S.S., as you involve things that are optional and not mandatory. Taking in mind that most people do use the TorGuard client on their notebooks etc., they have the full list of all OpenVPN and openconnect servers as well as the other features which the TorGuard client offers. I have to mention again that there is no TorGuard client for aarch64, and I do not know anybody having a desktop PC/notebook with aarch64. Your next argument might probably be that you want to have 2 separate connections to 2 different VPNs, where you mention OpenVPN, which is just resource hungry, and no matter which SoC board you take, you will get pretty much less than 20 Mbit/s, which probably would work fine for those having such a slow internet connection; but at the end of the day, it is much easier to use a separate SoC board for each single connection and only for that purpose. By that, you must know which connection you want, how your network is set up, how to configure your servers etc. Many people tend to wish for an all-in-one router; I on the other side suggest everybody to split those things: a cheap Archer C7 router with OpenWrt will give you the possibility to run VLANs, DDNS, a DNS server, a DHCP server and maybe some others, but proxies and gateways should be on other devices, and having it all in one means that maintenance is much harder, not easier.

 

Quote

As far as using systemctl to run wg-quick as service. It goes back to the K.I.S.S. comment on DNS. Systemd is the system manager, systemd-resolved is for dns. You can shut off systemd-resolved and use resolvconf exclusively whether you set wg-quick which is an intermediary for resolvconf under Systemd.

If you look up https://www.wireguard.com/install/ you will quickly notice that there is no information at all about how your DNS should be resolved; it is a part of your network configuration, and the big majority of people who I know would get lost in a discussion about DNSCrypt as well as possible issues.

As a user, I would have a big problem if I did not install resolvconf, as then wg-quick would not work, and as an average Joe user I would believe that I either broke something or something is not working; then somebody would give me a tip to mess up my DNS settings, and I would end up installing a new OS as I have no clue what I have broken.

The main goal of this guide was to provide an easy way of installing WireGuard and getting all tools working; it was not to find out which is the best setup according to some reports about DNS issues and leaks. I write it because we are getting off topic with the DNS discussion. If you follow this guide and decide to remove resolvconf after you have verified that your WireGuard works, running

sudo apt purge resolvconf
sudo apt autoremove

will remove it and its configs.

Quote

There are also a few security reasons why I would want to use network manager over wg-quick because I can better control how the keys are stored and whether the user has to type in the key manually to connect but they would probably not apply to most people.

Well, your keys are stored in wg0.conf, and for that chmod 600 is present in the guide. Or do your users have root access? In that case all your security efforts are for nothing. You are right, it does not apply to most people, and if network manager is used for the connection, then normally your keyring would be used and by that your password, not the one from the VPN or similar. By that, I do not really understand what you mean with controlling keys; you do it with the keyring in Ubuntu, everything else is not secure.

However, with the keyring you will again have some issues running it automatically and on connection drops etc. without it asking you for a password at all.

Lastly, I do not remember that I ever had to enter a password for a WireGuard connection; the private key in the conf is used, which is also way more secure. I would assume you mean here again other VPNs which are not WireGuard and actually not part of this guide, do you agree?

Quote

There is plenty of documentation on how systemd-resolved and resolvconf don't play nice with each other.

There is also plenty of documentation about the flat earth, and even more people believe it; it still does not change the fact that the earth is not flat, nor should our science be rewritten because there is plenty of documentation suggesting it without proving it. I think it would be better to refer to the documentation and its exact point if you already mention it, as to say that there are plenty of people saying something makes no sense at this point. As again, the guide is intended for those who can't install WireGuard from the PPA but are forced to compile; it has nothing to do with DNS, but it has to do with the user's ability to check freshly compiled tools, which you in fact achieve by installing resolvconf on Ubuntu. Beside all that, I will refer to the non-Ubuntu community: https://wiki.archlinux.org/index.php/WireGuard

I will quote just this:

Quote

Manual WireGuard setup

Peer setup

Manual setup is accomplished by using ip(8) and wg(8).

 

There is quite nothing about DNS and the issues which you describe.

Quote

Potential conflict never has a chance of becoming more than that in this case by applying K.I.S.S.

I think it is again required to define what exactly a potential conflict is. I would define it as something that in theory works and by that is reproducible. You mentioned that there are plenty of reports about how that could happen; whoever the author is of what you read about "known" issues, I would gladly provide one Rock 4 with Ubuntu 18.04/Debian stretch server where we can test to see if DNS leaking happens.

To mention a few other things, like TorGuard's kill switch: you actually can restrict each single device in ufw to be allowed to only communicate with your VPN server, and on your router side you can do the same restriction. Going that path, this thread would explode once again, as it would involve again discussions of pfSense or OpenWrt, which device, which CPU ... This is all the information I mentioned before that I deleted. I do strongly believe that a user who simply tries to set up WireGuard on Ubuntu and does not know how to do it would find this guide useful. It does not mean I disagree that you should write scripts/guides like you said. TorGuard uses the KB for storing the information, and having links to other relevant threads is easy to achieve here on the forum as well as in their KB. As you see, a discussion about DNS can get very deep and could get to 100s of pages if other people participate. I really think you should write another guide where you can refer to this one for installation (or any other) but present your use case and how you can achieve it; I think it would only help those who actually follow the same logic. It is subjective if it is wrong or right; it has to fit the purpose.

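A small checker for the AllowedIPs/DNS rule stated in the post above, added here as an example; it is not code from the original post, from WireGuard or from TorGuard. It parses a wg-quick style config and reports which DNS= resolvers fall outside every AllowedIPs network (queries to those leave via the default route rather than the tunnel), then suggests the host route to append. The sample configs, the placeholder keys and the 192.0.2.10 endpoint are constructed for the example. It generalises the post's two snippets to several resolvers, IPv6 and full-tunnel (0.0.0.0/0, ::/0) configs. Covering the resolver in AllowedIPs only routes the queries into the tunnel; which resolver the system uses at all is the separate resolvconf/systemd-resolved question discussed in this thread.

```python
"""Check whether a wg-quick config actually tunnels its DNS queries.

Added example, not code from the original post or from WireGuard/TorGuard.
Rule implemented: a resolver listed under DNS= is only reached through the
tunnel if some AllowedIPs entry covers its address.
"""
import ipaddress
from typing import Dict, List

# Constructed sample: the "does not tunnel" snippet from the post, as a full
# file. Keys are placeholders and 192.0.2.10 is a documentation-range address.
LEAKY_CONF = """
[Interface]
PrivateKey = <client-private-key>
Address = 10.42.42.2/24, fd42:42:42::2/64
DNS = 1.1.1.1

[Peer]
PublicKey = <server-public-key>
AllowedIPs = 10.42.42.0/24, fd42:42:42::0/64
Endpoint = 192.0.2.10:443
"""

# Constructed sample: the same file with the /32 host route added.
TUNNELLED_CONF = LEAKY_CONF.replace(
    "AllowedIPs = 10.42.42.0/24, fd42:42:42::0/64",
    "AllowedIPs = 10.42.42.0/24, fd42:42:42::0/64, 1.1.1.1/32",
)

# Constructed sample: full tunnel with an IPv4 and an IPv6 resolver, plus a
# search domain (wg-quick accepts non-IP names in DNS= as search domains).
FULL_TUNNEL_CONF = """
[Interface]
PrivateKey = <client-private-key>
Address = 10.42.42.2/24, fd42:42:42::2/64
DNS = 1.1.1.1, 2606:4700:4700::1111, example.lan

[Peer]
PublicKey = <server-public-key>
AllowedIPs = 0.0.0.0/0, ::/0
Endpoint = 192.0.2.10:443
"""


def parse_wg_conf(text: str) -> Dict[str, List[str]]:
    """Collect the comma-separated values of every key, across all sections.

    wg-quick allows keys to repeat (several AllowedIPs lines, several [Peer]
    sections), so values are merged into one list per key. Section headers
    and '#' comments are skipped; only the value lists matter for the check.
    """
    values: Dict[str, List[str]] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith("["):
            continue
        if "=" not in line:
            raise ValueError(f"malformed line: {raw!r}")
        key, val = (part.strip() for part in line.split("=", 1))
        values.setdefault(key, []).extend(v.strip() for v in val.split(",") if v.strip())
    return values


def dns_servers(conf: Dict[str, List[str]]) -> List[ipaddress._BaseAddress]:
    """Resolver addresses from DNS=; search-domain entries are ignored."""
    servers = []
    for entry in conf.get("DNS", []):
        try:
            servers.append(ipaddress.ip_address(entry))
        except ValueError:
            pass  # a search domain, not a resolver
    return servers


def dns_coverage(conf_text: str) -> Dict[str, bool]:
    """Map each resolver to True if some AllowedIPs network contains it."""
    conf = parse_wg_conf(conf_text)
    nets = [ipaddress.ip_network(a, strict=False) for a in conf.get("AllowedIPs", [])]
    # ip_network.__contains__ is False across address families, so v4/v6 mixing is safe
    return {str(ip): any(ip in n for n in nets) for ip in dns_servers(conf)}


def uncovered_dns(conf_text: str) -> List[str]:
    """Resolvers whose queries would bypass the tunnel."""
    return sorted(ip for ip, ok in dns_coverage(conf_text).items() if not ok)


def patched_allowed_ips(conf_text: str) -> str:
    """AllowedIPs value with a /32 or /128 host route added per uncovered resolver.

    Assumes a single [Peer] section, as in the post's snippets.
    """
    entries = list(parse_wg_conf(conf_text).get("AllowedIPs", []))
    for ip in uncovered_dns(conf_text):
        entries.append(f"{ip}/{ipaddress.ip_address(ip).max_prefixlen}")
    return ", ".join(entries)


if __name__ == "__main__":
    for name, conf in (("leaky", LEAKY_CONF), ("tunnelled", TUNNELLED_CONF), ("full tunnel", FULL_TUNNEL_CONF)):
        print(f"== {name} ==")
        for ip, ok in dns_coverage(conf).items():
            print(f"  {ip}: {'tunnelled' if ok else 'NOT covered by AllowedIPs'}")
        if uncovered_dns(conf):
            print("  suggested AllowedIPs =", patched_allowed_ips(conf))
```

Run it against a real file with `dns_coverage(open("/etc/wireguard/wg0.conf").read())` as root; the result only says whether the resolver is routed into the tunnel, not whether resolvconf or systemd-resolved is actually handing that resolver to the system.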
19807409

I forgot to quote wg-quick's description:

Quote

This is an extremely simple script for easily bringing up a WireGuard interface, suitable for a few common use cases.

Use up to add and set up an interface, and use down to tear down and remove an interface. Running up adds a WireGuard interface, brings up the interface with the supplied IP addresses, sets up mtu and routes, and optionally runs pre/post up scripts. Running down optionally saves the current configuration, removes the WireGuard interface, and optionally runs pre/post down scripts. Running save saves the configuration of an existing interface without bringing the interface down. Use strip to output a configuration file with all wg-quick(8)-specific options removed, suitable for use with wg(8).

CONFIG_FILE is a configuration file, whose filename is the interface name followed by ‘.conf’. Otherwise, INTERFACE is an interface name, with configuration found at ‘/etc/wireguard/INTERFACE.conf’, searched first, followed by distro-specific search paths.

Generally speaking, this utility is just a simple script that wraps invocations to wg(8) and ip(8) in order to set up a WireGuard interface. It is designed for users with simple needs, and users with more advanced needs are highly encouraged to use a more specific tool, a more complete network manager, or otherwise just use wg(8) and ip(8), as usual.

 

  • 3 months later...
Newbuilder

Followed this guide but had to add

 

# NAT LAN traffic leaving through the tunnel, so replies come back to this gateway
sudo iptables -t nat -A POSTROUTING -o wg0 -j MASQUERADE
# allow replies from the tunnel back to the LAN, and LAN traffic into the tunnel
sudo iptables -A FORWARD -i wg0 -o eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
sudo iptables -A FORWARD -i eth0 -o wg0 -j ACCEPT
# note: with the default FORWARD policy of ACCEPT, LAN traffic is still forwarded
# out eth0 directly if wg0 goes down; set "iptables -P FORWARD DROP" if the gateway should fail closed

 

and then 

 

# install the package that restores saved rules at boot (it offers to save the current rules during install)
sudo apt-get install iptables-persistent

# future saves after the package is installed; the redirect must run as root,
# a plain "sudo iptables-save > file" opens the file as the unprivileged user and fails
sudo sh -c 'iptables-save > /etc/iptables/rules.v4'