[HowTo] WireGuard with OMV Super-Easy

    • Resolved
    • OMV 4.x
    • ozboss wrote:

      Ok thanks is there a guide on how to enable the beta repo?
      Nope. I don't want it to be a commonly used repo. I won't post anymore about it but you should be able to figure out how to enable it by looking at /etc/apt/sources.list.d/omvextras.list.

      ozboss wrote:

      I guess it would be better doing it with the beta repo as it will automatically find new version when they release, right?
      I first thought it was the testing repo but obviously not.
      Not necessarily. I was hoping to have people test the plugin enough that I could move it to the testing repo. Then you would automatically get new versions.
      omv 5.2.5 usul | 64 bit | 5.3 proxmox kernel | omvextrasorg 5.2.2
      omv-extras.org plugins source code and issue tracker - github

      Please read this before posting a question and this and this for docker questions.
      Please don't PM for support... Too many PMs!

    • ryecoaaron wrote:

      ozboss wrote:

      Ok thanks is there a guide on how to enable the beta repo?
      Nope. I don't want it to be a commonly used repo. I won't post anymore about it but you should be able to figure out how to enable it by looking at /etc/apt/sources.list.d/omvextras.list.
      Any reason why not? If so I won't use it, it is working though thanks
      Just not really, I still get some errors.
      Log from installing plugin:

      Reading package lists...
      Building dependency tree...
      Reading state information...
      The following additional packages will be installed:
        dkms libqrencode4 qrencode wireguard wireguard-dkms wireguard-tools
      Suggested packages:
        python3-apport menu
      Recommended packages:
        fakeroot linux-headers-686-pae | linux-headers-amd64 | linux-headers-generic
        | linux-headers
      The following NEW packages will be installed:
        dkms libqrencode4 openmediavault-wireguard qrencode wireguard wireguard-dkms
        wireguard-tools
      0 upgraded, 7 newly installed, 0 to remove and 0 not upgraded.
      Get:1 http://deb.debian.org/debian buster/main amd64 dkms all 2.6.1-4 [74.4 kB]
      Get:2 ...
      ...
      Fetched 546 kB in 3s (206 kB/s)
      Selecting previously unselected package dkms.
      (Reading database ... 50245 files and directories currently installed.)
      Preparing to unpack .../0-dkms_2.6.1-4_all.deb ...
      Unpacking dkms (2.6.1-4) ...
      Selecting previously unselected package libqrencode4:amd64.
      Preparing to unpack .../1-libqrencode4_4.0.2-1_amd64.deb ...
      Unpacking libqrencode4:amd64 (4.0.2-1) ...
      Selecting previously unselected package qrencode.
      Preparing to unpack .../2-qrencode_4.0.2-1_amd64.deb ...
      Unpacking qrencode (4.0.2-1) ...
      Selecting previously unselected package wireguard-dkms.
      Preparing to unpack .../3-wireguard-dkms_0.0.20191219-1_all.deb ...
      Unpacking wireguard-dkms (0.0.20191219-1) ...
      Selecting previously unselected package wireguard-tools.
      Preparing to unpack .../4-wireguard-tools_0.0.20191219-1_amd64.deb ...
      Unpacking wireguard-tools (0.0.20191219-1) ...
      Selecting previously unselected package wireguard.
      Preparing to unpack .../5-wireguard_0.0.20191219-1_all.deb ...
      Unpacking wireguard (0.0.20191219-1) ...
      Selecting previously unselected package openmediavault-wireguard.
      Preparing to unpack .../6-openmediavault-wireguard_5.0.1_all.deb ...
      Unpacking openmediavault-wireguard (5.0.1) ...
      Setting up libqrencode4:amd64 (4.0.2-1) ...
      Setting up qrencode (4.0.2-1) ...
      Setting up dkms (2.6.1-4) ...
      Setting up wireguard-dkms (0.0.20191219-1) ...
      Loading new wireguard-0.0.20191219 DKMS files...
      Building for 5.3.0-0.bpo.2-amd64
      Module build for kernel 5.3.0-0.bpo.2-amd64 was skipped since the
      kernel headers for this kernel does not seem to be installed.
      Setting up wireguard-tools (0.0.20191219-1) ...
      Setting up wireguard (0.0.20191219-1) ...
      Setting up openmediavault-wireguard (5.0.1) ...
      Updating configuration database ...
      net.ipv4.ip_forward = 1
      modprobe: FATAL: Module wireguard not found in directory /lib/modules/5.3.0-0.bpo.2-amd64
      dpkg: error processing package openmediavault-wireguard (--configure):
      installed openmediavault-wireguard package post-installation script subprocess returned error exit status 1
      Processing triggers for libc-bin (2.28-10) ...
      Processing triggers for openmediavault (5.2.2-1) ...
      Updating locale files ...
      >>> *************** Error ***************
      Invalid RPC response. Please check the syslog for more information.
      <<< *************************************
      Updating file permissions ...
      Purging internal cache ...
      Restarting engine daemon ...
      Errors were encountered while processing:
      openmediavault-wireguard

      The GUI shows up though, but when I want to enable it I get this error:

      Failed to execute command 'export PATH=/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin; export LANG=C.UTF-8; omv-salt deploy run wireguard 2>&1' with exit code '1': debian: ---------- ID: configure_wireguard_wgnet0 Function: file.managed Name: /etc/wireguard/wgnet0.conf Result: True Comment: File /etc/wireguard/wgnet0.conf is in the correct state Started: 14:40:46.748553 Duration: 26.439 ms Changes: ---------- ID: configure_wireguard_client Function: file.managed Name: /etc/wireguard/wgnet_client.conf Result: True Comment: File /etc/wireguard/wgnet_client.conf updated Started: 14:40:46.775099 Duration: 6.759 ms Changes: ---------- diff: --- +++ @@ -4,5 +4,5 @@ [Peer] PublicKey = 0BMoaoA6FP/cU7wvx839t1gwTC4JM02oM0G7VpxUw30= -Endpoint = :51820 +Endpoint = <myip>:51820 AllowedIPs = 0.0.0.0/0 ---------- ID: start_wireguard_service Function: service.running Name: wg-quick@wgnet0 Result: False Comment: Job for wg-quick@wgnet0.service failed because the control process exited with error code. See "systemctl status wg-quick@wgnet0.service" and "journalctl -xe" for details. Started: 14:40:46.905056 Duration: 120.128 ms Changes: Summary for debian ------------ Succeeded: 2 (changed=1) Failed: 1 ------------ Total states run: 3 Total run time: 153.326 ms
      Details:
      Error #0:
      OMV\ExecException: Failed to execute command 'export PATH=/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin; export LANG=C.UTF-8; omv-salt deploy run wireguard 2>&1' with exit code '1': debian:
      ----------
      ID: configure_wireguard_wgnet0
      Function: file.managed
      Name: /etc/wireguard/wgnet0.conf
      Result: True
      Comment: File /etc/wireguard/wgnet0.conf is in the correct state
      Started: 14:40:46.748553
      Duration: 26.439 ms
      Changes:
      ----------
      ID: configure_wireguard_client
      Function: file.managed
      Name: /etc/wireguard/wgnet_client.conf
      Result: True
      Comment: File /etc/wireguard/wgnet_client.conf updated
      Started: 14:40:46.775099
      Duration: 6.759 ms
      Changes:
      ----------
      diff:
      ---
      +++
      @@ -4,5 +4,5 @@
      [Peer]
      PublicKey = 0BMoaoA6FP/cU7wvx839t1gwTC4JM02oM0G7VpxUw30=
      -Endpoint = :51820
      +Endpoint = <myip>:51820
      AllowedIPs = 0.0.0.0/0
      ----------
      ID: start_wireguard_service
      Function: service.running
      Name: wg-quick@wgnet0
      Result: False
      Comment: Job for wg-quick@wgnet0.service failed because the control process exited with error code.
      See "systemctl status wg-quick@wgnet0.service" and "journalctl -xe" for details.
      Started: 14:40:46.905056
      Duration: 120.128 ms
      Changes:
      Summary for debian
      ------------
      Succeeded: 2 (changed=1)
      Failed: 1
      ------------
      Total states run: 3
      Total run time: 153.326 ms in /usr/share/php/openmediavault/system/process.inc:182
      Stack trace:
      #0 /usr/share/php/openmediavault/engine/module/serviceabstract.inc(60): OMV\System\Process->execute()
      #1 /usr/share/openmediavault/engined/rpc/config.inc(167): OMV\Engine\Module\ServiceAbstract->deploy()
      #2 [internal function]: Engined\Rpc\Config->applyChanges(Array, Array)
      #3 /usr/share/php/openmediavault/rpc/serviceabstract.inc(123): call_user_func_array(Array, Array)
      #4 /usr/share/php/openmediavault/rpc/serviceabstract.inc(149): OMV\Rpc\ServiceAbstract->callMethod('applyChanges', Array, Array)
      #5 /usr/share/php/openmediavault/rpc/serviceabstract.inc(588): OMV\Rpc\ServiceAbstract->OMV\Rpc\{closure}('/tmp/bgstatush2...', '/tmp/bgoutputVF...')
      #6 /usr/share/php/openmediavault/rpc/serviceabstract.inc(159): OMV\Rpc\ServiceAbstract->execBgProc(Object(Closure))
      #7 /usr/share/openmediavault/engined/rpc/config.inc(189): OMV\Rpc\ServiceAbstract->callMethodBg('applyChanges', Array, Array)
      #8 [internal function]: Engined\Rpc\Config->applyChangesBg(Array, Array)
      #9 /usr/share/php/openmediavault/rpc/serviceabstract.inc(123): call_user_func_array(Array, Array)
      #10 /usr/share/php/openmediavault/rpc/rpc.inc(86): OMV\Rpc\ServiceAbstract->callMethod('applyChangesBg', Array, Array)
      #11 /usr/sbin/omv-engined(537): OMV\Rpc\Rpc::call('Config', 'applyChangesBg', Array, Array, 1)
      #12 {main}

      Also not sure about the endpoint.
      Is that the IP of my server?
      Edit:
      Should be my public IP / DNS, right?
      Sorry for the mess :D


    • ozboss wrote:

      Any reason why not? If so I won't use it, it is working though thanks
      Because I don't want to have to worry about breaking people's systems if I push something bad to it. It is really just meant for my testing. And since the wireguard plugin is very beta, that is why it is in the beta repo. If someone chooses to test it and download it, fine with me. That can be helpful. But I don't want people getting regular updates from the repo.

      ozboss wrote:

      I still get some errors.
      You probably need the build-essential package and/or kernel headers to build the wireguard module. That is one reason I can't wait for wireguard to be in the kernel (will be in 5.6).

      ozboss wrote:

      Should be my public IP / DNS, right?
      Not sure. I haven't been able to spend much time on wireguard to get it working.
    • Thanks for the help @ryecoaaron.
      Installing the headers allows the plugin installation to complete without errors.
      I still don't get a connection though...
      The endpoint is my public IP / DDNS and I know for sure that the DDNS I set up works because I was using it with Unraid.
      The same for the port forwarding, I know that it worked before.
      I also checked the config files and everything seems to be correct....
      So right now I'm out of options :D


    • wgnet0.conf:

      [Interface]
      Address = 10.192.122.1/24
      SaveConfig = true
      PostUp = iptables -A FORWARD -i wgnet0 -j ACCEPT; iptables -A FORWARD -o wgnet0 -j ACCEPT; iptables -t nat -A POSTROUTING -o enp7s7f1 -j MASQUERADE
      PostDown = iptables -D FORWARD -i wgnet0 -j ACCEPT; iptables -D FORWARD -o wgnet0 -j ACCEPT; iptables -t nat -D POSTROUTING -o $enp7s7f1 -j MASQUERADE
      ListenPort = 51820
      PrivateKey = <private key server>


      [Peer]
      PublicKey = <public key client>
      AllowedIPs = 10.192.122.2/32



      wgnet_client.conf:

      [Interface]
      Address = 10.192.122.2/32
      PrivateKey = <private key client>


      [Peer]
      PublicKey = <public key server>
      Endpoint = <my>.duckdns.org:51820
      AllowedIPs = 0.0.0.0/0


      So the AllowedIPs is all open and my client should be able to access all my network devices.
      When I scan the QR code everything shows up correct in my WireGuard app.
      Only the public key is different but that is generated on my client, as far as I understand it.
      I don't know why here the files are called wgnet (e.g. wgnet0) and not wg (e.g. wg0), but I don't think it matters.

      Edit:
      And yes enp7s7f1 is the network card that I'm connected to.
      I don't know why it has the leading $ in PostDown though.
    • my conf on my server looks like this:

      [Interface]
      Address = 10.192.100.1/24
      PostUp = iptables -A FORWARD -i wgnet0 -j ACCEPT; iptables -A FORWARD -o wgnet0 -j ACCEPT; iptables -t nat -A POSTROUTING -o enx001e063676f8 -j MASQUERADE
      PostDown = iptables -D FORWARD -i wgnet0 -j ACCEPT; iptables -D FORWARD -o wgnet0 -j ACCEPT; iptables -t nat -D POSTROUTING -o enx001e063676f8 -j MASQUERADE
      ListenPort = xxx
      PrivateKey = xxxxxxxxxxxx
      #Mobile
      [Peer]
      PublicKey = xxxx
      AllowedIPs = 10.192.100.2/32
      #Client at Mom's place
      [Peer]
      PublicKey = xxxxx
      AllowedIPs = 10.192.100.3/32
      #Laptop
      [Peer]
      PublicKey = xxxxxx
      AllowedIPs = 10.192.100.4/32

      conf on my mobile phone:

      [Interface]
      Address = 10.192.100.2/24
      PrivateKey = xxxxxxxxxxxx
      [Peer]
      PublicKey = xxxx
      AllowedIPs = 0.0.0.0/0, ::/0
      PersistentKeepalive = 25
      Endpoint = MyDynDNSIP.com:port
    • Remove the $ in PostDown. Easiest way to change the config is to stop wireguard (wg-quick down wgnet0), change the config file and then wg-quick up wgnet0.
      The only difference in config I see is in the netmask of the client interface ip. Address = 10.192.122.2/32 // Address = 10.192.100.2/24

      ozboss wrote:

      I don't know why here the files are called wgnet (e.g. wgnet0) and not wg (e.g. wg0), but I don't think it matters.
      Just a name.
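
A PostDown line that does not mirror PostUp, as with the `$enp7s7f1` discussed above, leaves the NAT rule behind after the tunnel goes down. The check below is an added example, not code from the thread or the plugin: `hook_rules`, `as_delete` and `lint_hooks` are hypothetical names, and the sample is the server config from the thread with the key lines left out.

```python
import shlex

# Constructed sample: the server config posted in the thread, key lines omitted.
SAMPLE_CONF = """\
[Interface]
Address = 10.192.122.1/24
SaveConfig = true
PostUp = iptables -A FORWARD -i wgnet0 -j ACCEPT; iptables -A FORWARD -o wgnet0 -j ACCEPT; iptables -t nat -A POSTROUTING -o enp7s7f1 -j MASQUERADE
PostDown = iptables -D FORWARD -i wgnet0 -j ACCEPT; iptables -D FORWARD -o wgnet0 -j ACCEPT; iptables -t nat -D POSTROUTING -o $enp7s7f1 -j MASQUERADE
ListenPort = 51820

[Peer]
AllowedIPs = 10.192.122.2/32
"""

def hook_rules(conf, key):
    """Token lists of every iptables/ip6tables command in the [Interface] `key` hooks."""
    rules, section = [], None
    for raw in conf.splitlines():
        line = raw.split("#", 1)[0].strip()  # '#' starts a comment in wg-quick configs
        if line.startswith("["):
            section = line.strip("[]").lower()
        elif section == "interface" and "=" in line:
            name, value = (part.strip() for part in line.split("=", 1))
            if name.lower() == key.lower():
                for cmd in value.split(";"):
                    tokens = shlex.split(cmd)
                    if tokens and tokens[0] in ("iptables", "ip6tables"):
                        rules.append(tokens)
    return rules

def as_delete(tokens):
    """The delete that undoes an append/insert rule (-I with a rule number is not handled)."""
    return tuple("-D" if t in ("-A", "-I") else t for t in tokens)

def lint_hooks(conf):
    """Return findings about PostUp rules that PostDown will not clean up."""
    up = hook_rules(conf, "PostUp")
    down = {tuple(t) for t in hook_rules(conf, "PostDown")}
    findings = []
    for tokens in up:
        if as_delete(tokens) not in down:
            findings.append("not removed on down: " + " ".join(tokens))
    for tokens in sorted(down - {as_delete(t) for t in up}):
        findings.append("deletes a rule PostUp never added: " + " ".join(tokens))
    # wg-quick runs hooks through bash, so "$name" is a shell variable, not an interface.
    for tokens in up + [list(t) for t in down]:
        for flag, arg in zip(tokens, tokens[1:]):
            if flag in ("-i", "-o") and arg.startswith("$"):
                findings.append("shell variable used as interface name: " + arg)
    return findings

if __name__ == "__main__":
    for finding in lint_hooks(SAMPLE_CONF):
        print(finding)
```
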
    • Thanks for the advice @Morlan, unfortunately it still doesn't work.
      I tried deleting the $ in PostDown yesterday already but as it didn't change anything I added it back in there.
      Setting the IP of the mobile device to /24 also didn't help.
      I also don't think it makes sense because if I understand correctly setting it to /32 gives your device (mobile) one IP inside this Wireguard network and setting it to /24 usually is for the whole range from 0-254.
      Also adding ::/0 to AllowedIPs didn't help.
      I don't think it's the config as I studied this pretty intensely yesterday :D
      I would suspect the Wireguard install on omv but all seems good when running wg-quick up wgnet0 and wg ...
    • So I'm playing with OMV on another machine right now and when installing wireguard saw this error:

      ...
      DKMS: install completed.
      Setting up wireguard-tools (0.0.20191219-1) ...
      Setting up wireguard (0.0.20191219-1) ...
      Setting up openmediavault-wireguard (5.0.1) ...
      Updating configuration database ...
      net.ipv4.ip_forward = 1
      Processing triggers for libc-bin (2.28-10) ...
      Processing triggers for openmediavault (5.2.3-2) ...
      Updating locale files ...
      >>> *************** Error ***************
      Failed to read from socket: Connection reset by peer
      <<< *************************************
      Updating file permissions ...
      Purging internal cache ...
      Restarting engine daemon ...
      Done ...

      Wireguard also does not work on this machine.
      Reinstalling the plugin on the main server gives the same error.
      I don't know what it means, is it a clue for something?
    • ozboss wrote:

      Reinstalling the plugin on the main server gives the same error.
      I don't know what it means, is it a clue for something?
      I wouldn't count on the plugin doing everything correctly. That is why it is in the beta repo. I recommend trying to get wireguard working manually first and then see what the plugin is doing wrong. I will fix the plugin then.
    • ryecoaaron wrote:

      ozboss wrote:

      Reinstalling the plugin on the main server gives the same error.
      I don't know what it means, is it a clue for something?
      I wouldn't count on the plugin doing everything correctly. That is why it is in the beta repo. I recommend trying to get wireguard working manually first and then see what the plugin is doing wrong. I will fix the plugin then.


      I haven't looked at the plugin yet, but I found this and thought it might be helpful in plugin development.

      Subspace - A simple WireGuard VPN server GUI

      Video about it.

      Subspace a free, open source, self hosted GUI front end for the Wireguard VPN server.


      I found a script install also.

      WireGuard installer

      Video of the Installer

      Build Your Own VPN in 6 Minutes Using WireGuard
      Build, Learn, Create.

      How to Videos for OMV

      Post any questions to the forum, so others can benefit from your curiosity. :thumbsup:
      No private support.

