Gentoo Forums
[solved] help me with wireguard connection
Forum: Networking & Security
etnull
Guru


Joined: 26 Mar 2019
Posts: 437
Location: Russia

PostPosted: Mon Dec 16, 2019 8:39 pm    Post subject: [solved] help me with wireguard connection

I'm trying to switch to the WireGuard VPN protocol. I've installed wireguard and loaded its kernel module (wg and wg-quick are available). I'm using www.mullvad.net; on the site I added my private keys and generated the config file here https://mullvad.net/en/download/wireguard-config/. If I try to run that config with wg-quick up /etc/wireguard/mullvad-de1.conf I'm getting:
Code:
[#] ip link add mullvad-de1 type wireguard
[#] wg setconf mullvad-de1 /dev/fd/63
[#] ip -4 address add 10.65.63.219/32 dev mullvad-de1
[#] ip link set mtu 1420 up dev mullvad-de1
[#] resolvconf -a mullvad-de1 -m 0 -x
[#] wg set mullvad-de1 fwmark 51820
[#] ip -4 route add 0.0.0.0/0 dev mullvad-de1 table 51820
[#] ip -4 rule add not fwmark 51820 table 51820
[#] ip -4 rule add table main suppress_prefixlength 0
[#] sysctl -q net.ipv4.conf.all.src_valid_mark=1
[#] iptables-restore -n
iptables-restore v1.8.4 (legacy): iptables-restore: unable to initialize table 'raw'

Error occurred at line: 1
Try `iptables-restore -h' or 'iptables-restore --help' for more information.
[#] resolvconf -d mullvad-de1 -f
[#] ip -4 rule delete table 51820
[#] ip -4 rule delete table main suppress_prefixlength 0
[#] ip link delete dev mullvad-de1

What should I do next? I didn't mess with the network interface or OpenRC services, because I couldn't find a comprehensive guide of what to do. And why do they call it easier to use? OpenVPN was much easier to set up for me...

--
kernel: https://termbin.com/j339


Last edited by etnull on Wed Jan 08, 2020 5:28 pm; edited 1 time in total
etnull
Guru


Joined: 26 Mar 2019
Posts: 437
Location: Russia

PostPosted: Tue Dec 17, 2019 1:09 pm    Post subject:

After enabling anything I could find in the kernel related to this (IPv6, CONFIG_NETFILTER_XT_MARK, CONFIG_NETFILTER_XT_CONNMARK, CONFIG_IP6_NF_RAW, CONFIG_IP_NF_RAW) I get this:
Code:
wg-quick up mullvad-se1
[#] ip link add mullvad-se1 type wireguard
[#] wg setconf mullvad-se1 /dev/fd/63
[#] ip -4 address add 10.65.69.124/32 dev mullvad-se1
[#] ip link set mtu 1420 up dev mullvad-se1
[#] resolvconf -a mullvad-se1 -m 0 -x
[#] wg set mullvad-se1 fwmark 51820
[#] ip -4 route add 0.0.0.0/0 dev mullvad-se1 table 51820
[#] ip -4 rule add not fwmark 51820 table 51820
[#] ip -4 rule add table main suppress_prefixlength 0
[#] sysctl -q net.ipv4.conf.all.src_valid_mark=1
[#] iptables-restore -n
iptables-restore v1.8.4 (legacy): Couldn't load match `addrtype':No such file or directory

Error occurred at line: 2
Try `iptables-restore -h' or 'iptables-restore --help' for more information.
[#] resolvconf -d mullvad-se1 -f
[#] ip -4 rule delete table 51820
[#] ip -4 rule delete table main suppress_prefixlength 0
[#] ip link delete dev mullvad-se1


This guy didn't have any issues and his setup was very easy; is it something with my particular system? I'm running unstable.
https://hund0b1.gitlab.io/2019/11/20/how-i-got-started-with-wireguard-in-gentoo-linux.html
etnull
Guru


Joined: 26 Mar 2019
Posts: 437
Location: Russia

PostPosted: Tue Dec 17, 2019 3:59 pm    Post subject:

Finally, after carefully following all of these options in the kernel, I have a connection running.
https://wiki.gentoo.org/wiki/User:Maffblaster/Drafts/WireGuard
https://wiki.gentoo.org/wiki/Iptables
https://wiki.gentoo.org/wiki/IPSet
I assume my problem was in the iptables kernel configuration. When I couldn't find some options, I ignored them or tried to enable the semantically closest one I could find.
I won't mark it solved for now as I haven't yet set up the autorun during boot; if I get some problems with that I will ask later.
etnull
Guru


Joined: 26 Mar 2019
Posts: 437
Location: Russia

PostPosted: Wed Dec 18, 2019 12:58 pm    Post subject:

I can't get the interface up and running during boot; the proposed addition to /etc/conf.d/local.start didn't help. How can I create an OpenRC service which would run 'wg-quick up wg0' at boot?
Hund
Tux's lil' helper


Joined: 18 Jul 2016
Posts: 121
Location: Sweden

PostPosted: Wed Dec 18, 2019 3:39 pm    Post subject:

etnull wrote:
I can't get the interface up and running during boot, the proposed addition to /etc/conf.d/local.start file didn't help. How can I create the openrc service which would 'wg-quick up wg0' at boot?


I added the command to `/etc/conf.d/local.start`.
szatox
Veteran


Joined: 27 Aug 2013
Posts: 1944

PostPosted: Wed Dec 18, 2019 6:26 pm    Post subject:

I added a postup function in /etc/conf.d/net.

However, it's a regular interface created with iproute, so creating a set of variables used by the net.wg service file shouldn't be very hard (without wg-quick in this case).
etnull
Guru


Joined: 26 Mar 2019
Posts: 437
Location: Russia

PostPosted: Wed Dec 18, 2019 8:44 pm    Post subject:

szatox wrote:
I added a postup function in /etc/conf.d/net

However, it's a regular interface created with iproute, so creating a set of variables used by net.wg service file shouldn't be very hard (without wg-quick in this case)

I tried to use the netifrc config, added wireguard_wg0="/etc/wireguard/wg0.conf", and made the symlink for the new interface, but it can't parse the config file properly: unrecognized "Address" or something like that.

Adding to "/etc/conf.d/local.start" didn't work; I don't know why:
Code:
Runlevel: default
 net.enp6s0                                                             [  started  ]
 sysklogd                                                               [  started  ]
 ntpd                                                                   [  started  ]
 cronie                                                                 [  started  ]
 netmount                                                               [  started  ]
 local                                                                  [  started  ]
Runlevel: boot
 osclock                                                                [  started  ]
 modules                                                                [  started  ]
 fsck                                                                   [  started  ]
 root                                                                   [  started  ]
 mtab                                                                   [  started  ]
 swap                                                                   [  started  ]
 localmount                                                             [  started  ]
 opentmpfiles-setup                                                     [  started  ]
 hostname                                                               [  started  ]
 sysctl                                                                 [  started  ]
 bootmisc                                                               [  started  ]
 alsasound                                                              [  started  ]
 termencoding                                                           [  started  ]
 keymaps                                                                [  started  ]
 save-keymaps                                                           [  started  ]
 urandom                                                                [  started  ]
 procfs                                                                 [  started  ]
 binfmt                                                                 [  started  ]
 loopback                                                               [  started  ]
 consolefont                                                            [  started  ]
 save-termencoding                                                      [  started  ]
etnull
Guru


Joined: 26 Mar 2019
Posts: 437
Location: Russia

PostPosted: Sun Dec 22, 2019 5:02 pm    Post subject:

nano /etc/conf.d/net
Code:
config_enp6s0="dhcp"
dns_domain_lo="localdomain"
wireguard_wg0="/etc/wireguard/wg0.conf"

ln -s /etc/init.d/net.lo /etc/init.d/net.wg0
rc-update add net.wg0 default
rc-service net.wg0 start
Code:
 * Bringing up interface wg0
 *   Creating WireGuard interface wg0 ...                                     [ ok ]
 *   Configuring WireGuard interface wg0 ...
Line unrecognized: `Address=10.65.73.115/32'
Configuration parsing error                                                   [ !! ]
 * ERROR: net.wg0 failed to start


------
What is local.start? Is it some service? Should I make some symlinks for OpenRC? It doesn't work by just creating this file with the correct line in it.

------
Hund, I don't know what version of Gentoo you have, but apparently it's now just local (/etc/local.d) and not local.start; putting it there gave me autoconnect on boot.
etnull
Guru


Joined: 26 Mar 2019
Posts: 437
Location: Russia

PostPosted: Sun Dec 22, 2019 11:00 pm    Post subject:

Now the last thing I need to solve, and the most difficult one for me, is routing. I have another local machine, and after connecting both of them to a WireGuard tunnel I lost my SSH access to that machine. I usually just did ssh name@192.168.1.* but now I think iptables is blocking me from doing that. Does anyone know how to edit the iptables rules to let the local connection in and out? I think I need to combine this:
Code:
iptables -A INPUT -p tcp --dport 22 -s 192.168.1.0/24 -j ACCEPT

With this:
Code:
PostUp = iptables -I OUTPUT ! -o %i -m mark ! --mark $(wg show %i fwmark) -m addrtype ! --dst-type LOCAL -j REJECT
PreDown = iptables -D OUTPUT ! -o %i -m mark ! --mark $(wg show %i fwmark) -m addrtype ! --dst-type LOCAL -j REJECT

But the arguments are very cryptic to me; I don't know what to exclude and where to put the rest of it. Any help, please?
szatox
Veteran


Joined: 27 Aug 2013
Posts: 1944

PostPosted: Wed Dec 25, 2019 11:39 pm    Post subject:

Code:

# cat /etc/conf.d/net
# begin anonymized part
config_eth0= <ipv4>/24 <ipv6>/64
routes_eth0=<default via ipv4> <default via ipv6>
dns_servers_eth0=dns server list
# end anonymized part

# interesting part:

postup () {
wg-quick up wg
return 0
}

predown () {
wg-quick down wg
return 0
}


This is what I did to start WireGuard with my network.
I suppose I could add some filters based on the interface (check out the /etc/init.d/net.lo script for variable names), but since I only have one NIC to configure, I didn't bother to do that.
The return 0 ensures my postup never reports failures. If it fails, I'd rather not be notified than be notified in some absurd way. You figure out whether or not this is appropriate for you.

Regarding "local" service, try this:
Code:
 # cat /etc/local.d/README

Obviously, there is no point in doing it _both_ ways at the same time.

I don't know whether there is a dedicated module for configuring WireGuard. If not, the "config_" variable may be a good place to hold the parameters to "ip" which create and configure the interface.
Finally, the WireGuard config file used with wg-quick contains AllowedIPs, which acts as both an ACL and a routing hint (as in, wg-quick will add those entries to the routing table AND the wg interface will accept incoming traffic from those IPs). So this may be a third way to configure a WireGuard interface.



Now, regarding iptables, I think you are overengineering it with marking and stuff. It would be easier if you just described your current setup and your goal.
Posting your iptables-save could also help, and it should be safe to do if you are on a private network. Don't post it with public IP addresses visible.
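The autostart question that ran through the thread (local.start vs. /etc/local.d) comes down to OpenRC's "local" service, which runs every executable /etc/local.d/*.start on the way up and every *.stop on the way down; since "local" is the last entry in etnull's default runlevel, the physical interface is already up by then. The script below is an added example, not code from the thread or from the WireGuard project; the file name /etc/local.d/wg0.start, the interface name wg0, and the WG_QUICK and SYSNET override variables (which exist only so the logic can be exercised without WireGuard installed) are assumptions.

```shell
#!/bin/sh
# Hypothetical /etc/local.d/wg0.start (added example, not from the thread).
# OpenRC's "local" service runs every executable /etc/local.d/*.start at start
# and every *.stop at shutdown, so one script linked under both names covers
# bring-up and tear-down. Interface name and paths below are assumptions.

IFACE="${IFACE:-wg0}"
WG_QUICK="${WG_QUICK:-wg-quick}"      # overridable so the logic can be exercised without WireGuard
SYSNET="${SYSNET:-/sys/class/net}"    # a live interface has a directory here

iface_exists() { [ -d "$SYSNET/$1" ]; }

wg_start() {
    # wg-quick up dies if the interface already exists, so make start idempotent
    if iface_exists "$IFACE"; then
        echo "$IFACE already up"
        return 0
    fi
    "$WG_QUICK" up "$IFACE"
}

wg_stop() {
    # nothing to tear down if the interface never came up
    iface_exists "$IFACE" || return 0
    "$WG_QUICK" down "$IFACE"
}

# dispatch on the script's own name: wg0.start -> up, wg0.stop -> down
case "${0##*/}" in
    *.start) wg_start ;;
    *.stop)  wg_stop ;;
esac
```

Install it with `chmod +x /etc/local.d/wg0.start` and `ln -s wg0.start /etc/local.d/wg0.stop`; the "local" service is already in the default runlevel in the rc-status shown above, so no extra symlink under /etc/init.d is needed. Keep /etc/wireguard/wg0.conf at mode 600, since it holds the private key and wg-quick warns when the file is world-readable.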
etnull
Guru


Joined: 26 Mar 2019
Posts: 437
Location: Russia

PostPosted: Thu Dec 26, 2019 1:18 am    Post subject:

I don't have any iptables rules. These are part of the provider's config; it blocks any communication outside of the tunnel (a so-called kill switch): if the VPN itself goes down, no traffic will flow until I take the connection down manually.
Code:
PostUp = iptables -I OUTPUT ! -o %i -m mark ! --mark $(wg show %i fwmark) -m addrtype ! --dst-type LOCAL -j REJECT
PreDown = iptables -D OUTPUT ! -o %i -m mark ! --mark $(wg show %i fwmark) -m addrtype ! --dst-type LOCAL -j REJECT

I need to modify it so that it does not block the local network, so that I can connect to my other machine on the same network.
szatox
Veteran


Joined: 27 Aug 2013
Posts: 1944

PostPosted: Thu Dec 26, 2019 11:40 am    Post subject:

Look at the provided rules. You block _outgoing_ traffic with them, not _incoming_ traffic.
Your allow-ssh rule is syntactically correct, but you added it to the wrong chain, so it doesn't work.
Also, your PostUp _inserts_ a reject rule, which makes it take precedence over anything else in the OUTPUT chain. This is not necessarily wrong, but it will prevent you from accessing your local network, and whatever ACCEPT rule comes later in the chain will never be tried.
Either change this command to append the reject rule, or make it send traffic to another chain where you can accept traffic to your local network before rejecting the rest. Or add another filter to the same rule, along the lines of
Code:
! -d lan_ip/netmask
so traffic going to your local network will not match (and won't be rejected).
etnull
Guru


Joined: 26 Mar 2019
Posts: 437
Location: Russia

PostPosted: Wed Jan 08, 2020 5:28 pm    Post subject:

After consulting the service's support and also poking around myself, I came up with these rules:

Code:
# wg-quick accepts several PostUp/PreDown lines and runs them in order;
# this is the original &&-chained pair split one command per line.
# default-deny all three chains, then open only what the tunnel needs
PostUp = iptables -P INPUT DROP
PostUp = iptables -P FORWARD DROP
PostUp = iptables -P OUTPUT DROP
# TCP DNS leaving the physical NIC is dropped unless it goes to the provider's resolver
PostUp = iptables -A OUTPUT -o enp6s0 ! -d 193.138.218.74 -p tcp --dport 53 -j DROP
PostUp = iptables -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
# keep the local network reachable over the physical NIC
PostUp = iptables -A INPUT -i enp6s0 -d 192.168.1.0/24 -j ACCEPT
PostUp = iptables -A OUTPUT -o enp6s0 -d 192.168.1.0/24 -j ACCEPT
# DNS and the WireGuard UDP transport to the provider's endpoint
PostUp = iptables -A OUTPUT -o enp6s0 -p udp -m multiport --dports 53,51820 -d 185.204.1.203/32 -j ACCEPT
PostUp = iptables -A OUTPUT -o enp6s0 -p tcp -m multiport --dports 53 -d 185.204.1.203/32 -j ACCEPT
# everything else only via the tunnel or loopback
PostUp = iptables -A OUTPUT -o wg0 -j ACCEPT
PostUp = iptables -A INPUT -i lo -j ACCEPT
PostUp = iptables -A OUTPUT -o lo -j ACCEPT
# on the way down: restore ACCEPT policies and delete the same rules
PreDown = iptables -P INPUT ACCEPT
PreDown = iptables -P FORWARD ACCEPT
PreDown = iptables -P OUTPUT ACCEPT
PreDown = iptables -D OUTPUT -o enp6s0 ! -d 193.138.218.74 -p tcp --dport 53 -j DROP
PreDown = iptables -D INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
PreDown = iptables -D INPUT -i enp6s0 -d 192.168.1.0/24 -j ACCEPT
PreDown = iptables -D OUTPUT -o enp6s0 -d 192.168.1.0/24 -j ACCEPT
PreDown = iptables -D OUTPUT -o enp6s0 -p udp -m multiport --dports 53,51820 -d 185.204.1.203/32 -j ACCEPT
PreDown = iptables -D OUTPUT -o enp6s0 -p tcp -m multiport --dports 53 -d 185.204.1.203/32 -j ACCEPT
PreDown = iptables -D OUTPUT -o wg0 -j ACCEPT
PreDown = iptables -D INPUT -i lo -j ACCEPT
PreDown = iptables -D OUTPUT -o lo -j ACCEPT


It leaves the local network accessible and in theory should still act as a kill switch; I couldn't test the kill switch myself yet, because I can't kill a WireGuard server that isn't my own. Note that the network interface and IPs should be changed according to your setup.

---

The kill switch also works; here is the test proposed by support:

Code:
Block:
iptables -I OUTPUT -d 185.204.1.203 -j DROP && iptables -I FORWARD -d 185.204.1.203 -j DROP

Unblock:
iptables -I OUTPUT -d 185.204.1.203 -j ACCEPT && iptables -I FORWARD -d 185.204.1.203 -j ACCEPT


Last edited by etnull on Wed Jan 08, 2020 7:41 pm; edited 1 time in total
szatox
Veteran


Joined: 27 Aug 2013
Posts: 1944

PostPosted: Wed Jan 08, 2020 7:31 pm    Post subject:

Actually, you can test that kill switch.
It's not meant to protect you from server failure. It is meant to protect you from YOUR failure.
And you can test it by simply removing the WireGuard interface with ip link del, which, as a side effect, will mess up your routing table, likely promoting a so-far secondary route to the preferred one.
etnull
Guru


Joined: 26 Mar 2019
Posts: 437
Location: Russia

PostPosted: Wed Jan 08, 2020 7:40 pm    Post subject:

szatox wrote:
Actually, you can test that kill switch.
It's not meant to protect you from server failure. It is meant to protect you from YOUR failure.
And you can test it by simply removing the WireGuard interface with ip link del, which, as a side effect, will mess up your routing table, likely promoting a so-far secondary route to the preferred one.

Did that as well; the traffic stops.
etnull
Guru


Joined: 26 Mar 2019
Posts: 437
Location: Russia

PostPosted: Wed Jan 08, 2020 8:28 pm    Post subject:

lol, this isn't all: my Arch machine can't connect using these settings. I assume the issue is in IPv6, which I don't use on Gentoo...

---

After hours of searching I finally figured out how to enable SSH and local connections like the router's web interface; it was much, much easier than what I've been doing:
Code:
PostUp = iptables -I OUTPUT ! -d 192.168.1.0/24 ! -o %i -m mark ! --mark $(wg show %i fwmark) -m addrtype ! --dst-type LOCAL -j REJECT
PreDown = iptables -D OUTPUT ! -d 192.168.1.0/24 ! -o %i -m mark ! --mark $(wg show %i fwmark) -m addrtype ! --dst-type LOCAL -j REJECT

! -d 192.168.1.0/24 excludes the local IP range from the filter. It's also an official rule, which means I won't fk something up by writing my own from scratch.
Can't believe I spent so much time on such an easy thing... I should finish some networking course; it takes me forever compared to anything else IT related...
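The arguments etnull called cryptic all negate a match, so the provider's rule REJECTs a packet only when every negated condition holds at once: the destination is not in the LAN (the `! -d` added above), the packet is not leaving through the wg interface (`! -o %i`), it does not carry the fwmark that wg-quick puts on the encrypted UDP going to the endpoint (`-m mark ! --mark $(wg show %i fwmark)`), and the destination is not one of the host's own addresses (`-m addrtype ! --dst-type LOCAL`). The script below is an added example, not code from the thread or from Mullvad: it models that OUTPUT rule over constructed packets, with and without the LAN exception, so the SSH problem from earlier in the thread and the leak the kill switch is meant to stop are both visible. The interface name wg0, the fwmark 51820 (wg-quick's default, the value in the `[#] wg set ... fwmark` line at the top of the thread) and the list of local addresses are assumptions; no real iptables is touched.

```shell
#!/bin/sh
# Added example (not from the thread): a model of the Mullvad kill-switch rule
#   iptables -I OUTPUT ! -d 192.168.1.0/24 ! -o %i -m mark ! --mark $(wg show %i fwmark) \
#            -m addrtype ! --dst-type LOCAL -j REJECT
# Every match in that rule is negated, so it REJECTs a packet only when ALL hold:
#   dst not in the LAN, out-iface is not the wg interface, fwmark is not the
#   WireGuard mark, dst is not one of this host's own addresses.
# Assumptions: wg0, fwmark 51820 (wg-quick's default) and the address list below.
# Nothing here touches real iptables; packets are constructed inline.

WG_IFACE="${WG_IFACE:-wg0}"
WG_FWMARK="${WG_FWMARK:-51820}"
LAN_CIDR="${LAN_CIDR:-192.168.1.0/24}"
# assumed local addresses: loopback, LAN address, tunnel address (from the thread)
LOCAL_ADDRS="${LOCAL_ADDRS:-127.0.0.1 192.168.1.5 10.65.63.219}"

ip4_to_int() {
    # dotted quad -> unsigned 32-bit integer
    local IFS=.
    set -- $1
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

in_cidr() {
    # in_cidr ADDR NET/PREFIX -> true when ADDR lies inside NET/PREFIX
    local addr net prefix mask
    addr=$(ip4_to_int "$1")
    net=$(ip4_to_int "${2%/*}")
    prefix="${2#*/}"
    mask=$(( (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF ))
    [ $(( addr & mask )) -eq $(( net & mask )) ]
}

is_local_addr() {
    # emulates -m addrtype --dst-type LOCAL (dst is an address of this host)
    local a
    for a in $LOCAL_ADDRS; do
        [ "$a" = "$1" ] && return 0
    done
    return 1
}

# killswitch_verdict OUT_IFACE DST_IP FWMARK [lan-exception|no-lan-exception]
# Prints REJECT when the rule matches, PASS when the packet falls through to the
# rest of the OUTPUT chain (default policy ACCEPT in the thread's setup).
killswitch_verdict() {
    local oif="$1" dst="$2" mark="$3" mode="${4:-lan-exception}"
    if [ "$mode" = lan-exception ] && in_cidr "$dst" "$LAN_CIDR"; then
        echo PASS; return 0                                  # ! -d LAN_CIDR
    fi
    [ "$oif" = "$WG_IFACE" ]   && { echo PASS; return 0; }   # ! -o wg0
    [ "$mark" = "$WG_FWMARK" ] && { echo PASS; return 0; }   # -m mark ! --mark 51820
    is_local_addr "$dst"       && { echo PASS; return 0; }   # -m addrtype ! --dst-type LOCAL
    echo REJECT
}

# Constructed sample packets: out-iface dst fwmark mode
printf '%-7s %-15s %-6s %-17s %s\n' IFACE DST MARK MODE VERDICT
for pkt in \
    "wg0    1.1.1.1        0     lan-exception" \
    "enp6s0 185.204.1.203  51820 lan-exception" \
    "enp6s0 1.1.1.1        0     lan-exception" \
    "enp6s0 192.168.1.10   0     lan-exception" \
    "enp6s0 192.168.1.10   0     no-lan-exception" \
    "lo     127.0.0.1      0     lan-exception"
do
    set -- $pkt
    printf '%-7s %-15s %-6s %-17s %s\n' "$1" "$2" "$3" "$4" "$(killswitch_verdict "$@")"
done
```

The third sample is the case szatox describes: after `ip link del wg0` the plaintext that used to enter the tunnel is rerouted out of enp6s0 with no fwmark and is rejected, which is the whole point of the rule. The fourth and fifth samples are the SSH-to-192.168.1.10 case with and without the `! -d` exception, and the second shows why the fwmark match is there: without it the encrypted UDP to the endpoint would be rejected too and the tunnel could never come up. Because the rule is added with `-I`, it sits at the top of OUTPUT, so an ACCEPT appended later with `-A` is never consulted for packets it already matched.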
gengreen
Tux's lil' helper


Joined: 23 Dec 2017
Posts: 125

PostPosted: Tue Mar 10, 2020 11:33 pm    Post subject:

Using Mullvad and WireGuard, a small suggestion regarding wg-quick:

wg-quick should fall back to /etc/resolv.conf if resolvconf / openresolv and other similar things are not installed.

Example (patch made for my needs):

Code:
--- a/src/wg-quick/linux.bash
+++ b/src/wg-quick/linux.bash
@@ -139,24 +139,43 @@
 }
 
 resolvconf_iface_prefix() {
+   if [[ -f /sbin/resolvconf ]]; then
+
    [[ -f /etc/resolvconf/interface-order ]] || return 0
    local iface
    while read -r iface; do
       [[ $iface =~ ^([A-Za-z0-9-]+)\*$ ]] || continue
       echo "${BASH_REMATCH[1]}." && return 0
    done < /etc/resolvconf/interface-order
+
+   fi
 }
 
 HAVE_SET_DNS=0
 set_dns() {
    [[ ${#DNS[@]} -gt 0 ]] || return 0
+
+   if [[ -f /sbin/resolvconf ]]; then
    printf 'nameserver %s\n' "${DNS[@]}" | cmd resolvconf -a "$(resolvconf_iface_prefix)$INTERFACE" -m 0 -x
+   echo "[!] DNS has been set with resolvconf \n"
+   
+   else
+   printf 'nameserver %s\n' "${DNS[@]}" > /etc/resolv.conf
+   echo "[!] resolvconf is not installed, fallback to /etc/resolv.conf \n"
+   fi
+
    HAVE_SET_DNS=1
 }
 
 unset_dns() {
    [[ ${#DNS[@]} -gt 0 ]] || return 0
+   
+   if [[ -f /sbin/resolvconf ]]; then
    cmd resolvconf -d "$(resolvconf_iface_prefix)$INTERFACE" -f
+   
+   else
+   printf 'nameserver 127.0.0.1\n' > /etc/resolv.conf
+   fi
 }
 
 add_route() {
 
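Review bot: the fallback branch in set_dns overwrites /etc/resolv.conf with `>` and keeps no copy of what was there, and the matching branch in unset_dns then writes a hard-coded `nameserver 127.0.0.1`, so after `wg-quick down` the host only resolves names if something is listening on 127.0.0.1:53; save the original before the write (for example `cp -p /etc/resolv.conf /etc/resolv.conf.wg-quick.bak`) and restore it in unset_dns, writing through a temp file plus `mv` so an interrupted write cannot leave an empty resolver file behind. Two smaller points in the same hunk: `[[ -f /sbin/resolvconf ]]` hard-codes a path and tests existence rather than executability, where `command -v resolvconf >/dev/null` would match how the rest of the script finds the tool through PATH (`cmd resolvconf ...`); and bash's builtin `echo` does not interpret `\n` without `-e`, so both new diagnostics print a literal backslash-n, which `printf '[!] ...\n'` avoids.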


It makes sense for systems that do not use dhcp / network-manager and add the DNS entry to /etc/resolv.conf manually, and it avoids the dependency on virtual/resolvconf.