[HowTo] WireGuard with OMV Super-Easy

  • Ok thanks is there a guide on how to enable the beta repo?

    Nope. I don't want it to be a commonly used repo. I won't post anymore about it but you should be able to figure out how to enable it by looking at /etc/apt/sources.list.d/omvextras.list.


    I guess it would be better doing it with the beta repo as it will automatically find new version when they release, right?
    I first thought it was the testing repo but obviously not.

    Not necessarily. I was hoping to have people test the plugin enough that I could move it to the testing repo. Then you would automatically get new versions.

    omv 5.5.2 usul | 64 bit | 5.4 proxmox kernel | omvextrasorg 5.3.3
    omv-extras.org plugins source code and issue tracker - github


    Please read this before posting a question.
    Please don't PM for support... Too many PMs!

  • Nope. I don't want it to be a commonly used repo. I won't post anymore about it but you should be able to figure out how to enable it by looking at /etc/apt/sources.list.d/omvextras.list.

    Any reason why not? If so I won't use it, it is working though thanks
    Just not really, I still get some errors.
    Log from installing plugin:


    The GUI shows up though, but when I want to enable it I get this error:

    Also not sure about the endpoint.
    Is that the IP of my server?
    Edit:
    Should be my public IP / DNS, right?
    Sorry for the mess :D

  • Any reason why not? If so I won't use it, it is working though thanks

    Because I don't want to have to worry about breaking people's systems if I push something bad to it. It is really just meant for my testing. And since the wireguard plugin is very beta, that is why it is in the beta repo. If someone chooses to test it and download it, fine with me. That can be helpful. But I don't want people getting regular updates from the repo.

    I still get some errors.

    You probably need the build-essential package and/or kernel headers to build the wireguard module. That is one reason I can't wait for wireguard to be in the kernel (will be in 5.6).


    Should be my public IP / DNS, right?

    Not sure. I haven't been able to spend much time on wireguard to get it working.


  • Thanks for the help @ryecoaaron.
    Installing the headers allows the plugin installation to complete without errors.
    I still don't get a connection though...
    The endpoint is my public IP / DDNS and I know for sure that the DDNS I set up works because I was using it with Unraid.
    The same for the port forwarding, I know that it worked before.
    I also checked the config files and everything seems to be correct....
    So right now I'm out of options :D

  • wgnet0.conf:


    [Interface]
    Address = 10.192.122.1/24
    SaveConfig = true
    PostUp = iptables -A FORWARD -i wgnet0 -j ACCEPT; iptables -A FORWARD -o wgnet0 -j ACCEPT; iptables -t nat -A POSTROUTING -o enp7s7f1 -j MASQUERADE
    PostDown = iptables -D FORWARD -i wgnet0 -j ACCEPT; iptables -D FORWARD -o wgnet0 -j ACCEPT; iptables -t nat -D POSTROUTING -o $enp7s7f1 -j MASQUERADE
    ListenPort = 51820
    PrivateKey = <private key server>



    [Peer]
    PublicKey = <public key client>
    AllowedIPs = 10.192.122.2/32




    wgnet_client.conf:


    [Interface]
    Address = 10.192.122.2/32
    PrivateKey = <private key client>



    [Peer]
    PublicKey = <public key server>
    Endpoint = <my>.duckdns.org:51820
    AllowedIPs = 0.0.0.0/0



    So the AllowedIPs is all open and my client should be able to access all my network devices.
    When I scan the QR code everything shows up correct in my WireGuard app.
    Only the public key is different but that is generated on my client, as far as I understand it.
    I don't know why here the files are called wgnet (e.g. wgnet0) and not wg (e.g. wg0), but I don't think it matters.


    Edit:
    And yes enp7s7f1 is the network card that I'm connected to.
    I don't know why it has the leading $ in PostDown though.
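
A small linter for the PostUp/PostDown mismatch raised in this post, added here as an example; it is not part of the thread or of the plugin. The names `hook_rules` and `lint_hooks` are hypothetical, the sample is constructed from the wgnet0.conf above with the keys left out, and hooks are assumed to be plain iptables commands separated by `;`.

```python
import re

# Constructed sample mirroring the wgnet0.conf in the post (keys omitted).
SAMPLE = """\
[Interface]
Address = 10.192.122.1/24
PostUp = iptables -A FORWARD -i wgnet0 -j ACCEPT; iptables -A FORWARD -o wgnet0 -j ACCEPT; iptables -t nat -A POSTROUTING -o enp7s7f1 -j MASQUERADE
PostDown = iptables -D FORWARD -i wgnet0 -j ACCEPT; iptables -D FORWARD -o wgnet0 -j ACCEPT; iptables -t nat -D POSTROUTING -o $enp7s7f1 -j MASQUERADE
ListenPort = 51820
"""

def hook_rules(conf, key):
    """Return the individual commands from every `key = ...` line."""
    rules = []
    for line in conf.splitlines():
        name, sep, value = line.partition("=")
        if sep and name.strip().lower() == key.lower():
            # Normalise whitespace so rules can be compared as strings.
            rules += [" ".join(cmd.split()) for cmd in value.split(";") if cmd.strip()]
    return rules

def lint_hooks(conf):
    """Report shell-variable tokens in hooks and PostUp rules PostDown leaves behind."""
    up, down = hook_rules(conf, "PostUp"), hook_rules(conf, "PostDown")
    findings = []
    for rule in up + down:
        for var in re.findall(r"\$\{?\w+\}?", rule):
            findings.append(f"shell variable {var} in hook: {rule}")
    # A rule added with -A (or -I without a rule number) is undone by the
    # same specification with -D; anything else stays loaded after "down".
    expected = {re.sub(r"(?<=\s)-[AI](?=\s)", "-D", r) for r in up}
    for rule in sorted(expected - set(down)):
        findings.append(f"not removed on down: {rule}")
    return findings

if __name__ == "__main__":
    for finding in lint_hooks(SAMPLE):
        print(finding)
```
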

  • my conf on my server looks like this:



    conf on my mobile phone:



    [Interface]
    Address = 10.192.100.2/24
    PrivateKey = xxxxxxxxxxxx
    [Peer]
    PublicKey = xxxx
    AllowedIPs = 0.0.0.0/0, ::/0
    PersistentKeepalive = 25
    Endpoint = MyDynDNSIP.com:port

  • Remove the $ in PostDown. The easiest way to change the config is to stop wireguard with wg-quick down wgnet0, change the config file and then run wg-quick up wgnet0.
    The only difference in config I see is in the netmask of the client interface IP: Address = 10.192.122.2/32 // Address = 10.192.100.2/24


    I don't know why here the files are called wgnet (e.g. wgnet0) and not wg (e.g. wg0), but I don't think it matters.

    Just a name.

  • Thanks for the advice @Morlan, unfortunately it still doesn't work.
    I tried deleting the $ in PostDown yesterday already but as it didn't change anything I added it back in there.
    Setting the IP of the mobile device to /24 also didn't help,
    I also don't think it makes sense because if I understand correctly setting it to /32 gives your device (mobile) one IP inside this Wireguard network and setting it to /24 usually is for the whole range from 0-254.
    Also adding ::/0 to AllowedIPs didn't help.
    I don't think it's the config as I studied this pretty intensely yesterday :D
    I would suspect the Wireguard install on omv but all seems good when running wg-quick up wgnet0 and wg ...

  • So I'm playing with OMV on another machine right now and when installing wireguard saw this error:

    Wireguard also does not work on this machine.
    Reinstalling the plugin on the main server gives the same error.
    I don't know what it means, is it a clue for something?

  • Reinstalling the plugin on the main server gives the same error.
    I don't know what it means, is it a clue for something?

    I wouldn't count on the plugin doing everything correctly. That is why it is in the beta repo. I recommend trying to get wireguard working manually first and then see what the plugin is doing wrong. I will fix the plugin then.


  • I wouldn't count on the plugin doing everything correctly. That is why it is in the beta repo. I recommend trying to get wireguard working manually first and then see what the plugin is doing wrong. I will fix the plugin then.


    I haven't looked at the plugin yet, but I found this and thought it might be helpful in plugin development.


    Subspace - A simple WireGuard VPN server GUI


    Video about it.


    Subspace a free, open source, self hosted GUI front end for the Wireguard VPN server.



    I found a script install also.


    WireGuard installer


    Video of the Installer


    Build Your Own VPN in 6 Minutes Using WireGuard

  • Hello,


    if running on OMV5, you could

    • remove the install-related commands from my script
    • install wireguard manually
    • use my script to create the configuration


    That could help in case you have doubts creating the configuration files yourself or by the plugin.


    Greetings,
    Hendrik

  • Hi there!


    Another wireguard gui


    https://github.com/vx3r/wg-gen-web


    Inspired by this project I was able to install everything on my Openmediavault Raspberry Pi server, up and running.
    Here are my steps.

    1. Install Wireguard



    echo "deb http://deb.debian.org/debian/ unstable main" > /etc/apt/sources.list.d/unstable-wireguard.list


    printf 'Package: *\nPin: release a=unstable\nPin-Priority: 90\n' > /etc/apt/preferences.d/limit-unstable


    sudo apt update


    sudo apt-get install raspberrypi-kernel-headers


    sudo apt install wireguard


    Check that everything was installed correctly.



    sudo modprobe wireguard && lsmod | grep wireguard


    2. Allowing the Docker host to also act as a router


    Docker also sets the policy for the FORWARD chain to DROP. If your Docker host also acts as a router,
    this will result in that router not forwarding any traffic anymore.
    If you want your system to continue functioning as a router, you can add explicit ACCEPT rules to the
    DOCKER-USER chain to allow it:


    $ iptables -I DOCKER-USER -i src_if -o dst_if -j ACCEPT


    3. Allowing forwarding in the system


    nano /etc/sysctl.conf
    Look for the following entries and uncomment them by removing the '#' at the beginning.


    net.ipv4.ip_forward = 1
    net.ipv6.conf.all.forwarding = 1


    Save, exit and then enable it as follows:


    sysctl -p


    4. Install Wg Gen Web via Portainer using the Docker compose snippet below





    Add these scripts to the server configuration section to forward your traffic to the local network and the internet.


    PostUp = iptables -A FORWARD -i wg0 -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
    PostDown = iptables -D FORWARD -i wg0 -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE




    5. Automatically apply changes to WireGuard
    Using systemd


    Using systemd.path to monitor for directory changes, see the systemd doc
    # /etc/systemd/system/wg-gen-web.path

    [Unit]
    Description=Watch /etc/wireguard for changes
    [Path]
    PathModified=/etc/wireguard
    [Install]
    WantedBy=multi-user.target


    This .path unit will activate the unit file with the same name
    # /etc/systemd/system/wg-gen-web.service
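
A check for the two forwarding prerequisites in steps 2 and 3 of this post, added here as an example; it is not part of the original post or of wg-gen-web. The function names are hypothetical, the inputs are constructed samples of `iptables -S` output and of /etc/sysctl.conf, and the script inspects the file text rather than the running kernel's value.

```python
import shlex

# Constructed `iptables -S` output for a Docker host before step 2 is applied.
RULES = """\
-P INPUT ACCEPT
-P FORWARD DROP
-P OUTPUT ACCEPT
-N DOCKER-USER
-A FORWARD -j DOCKER-USER
-A DOCKER-USER -j RETURN
"""
# Constructed sysctl.conf excerpt with the step 3 entries still commented out.
SYSCTL = "#net.ipv4.ip_forward = 1\n#net.ipv6.conf.all.forwarding = 1\n"

def sysctl_enabled(text, key):
    """True if an uncommented `key = 1` line is present."""
    for line in text.splitlines():
        name, sep, value = line.partition("=")
        if sep and name.strip() == key and value.strip() == "1":
            return True
    return False

def accepts_from(rules, chain, in_if):
    """True if `chain` reaches an ACCEPT rule whose -i option names in_if."""
    for line in rules.splitlines():
        tok = shlex.split(line)
        if tok[:2] != ["-A", chain]:
            continue
        if tok[2:] in (["-j", "RETURN"], ["-j", "DROP"]):
            return False  # unconditional verdict: later rules never match
        if ("-i" in tok[:-1] and tok[tok.index("-i") + 1] == in_if
                and tok[-2:] == ["-j", "ACCEPT"]):
            return True
    return False

def routing_problems(rules, sysctl, wg_if="wg0"):
    """List the reasons traffic arriving on wg_if would not be forwarded."""
    problems = []
    if not sysctl_enabled(sysctl, "net.ipv4.ip_forward"):
        problems.append("net.ipv4.ip_forward is not set to 1")
    drop = "-P FORWARD DROP" in rules.splitlines()
    allowed = any(accepts_from(rules, c, wg_if) for c in ("DOCKER-USER", "FORWARD"))
    if drop and not allowed:
        problems.append(f"FORWARD policy is DROP and no ACCEPT rule covers {wg_if}")
    return problems

if __name__ == "__main__":
    print(routing_problems(RULES, SYSCTL))
```
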

  • I wouldn't count on the plugin doing everything correctly. That is why it is in the beta repo. I recommend trying to get wireguard working manually first and then see what the plugin is doing wrong. I will fix the plugin then.

    How is the wireguard plugin coming?

  • How is the wireguard plugin coming?

    I haven't touched it. I was waiting for more feedback on what it is doing wrong. As much as I would like to try it out, I haven't had time. So, I haven't really used wireguard and that makes it tough to improve the plugin.


  • Wow, very nice work, thanks a lot!
    I only had to add my domain to the endpoint section on my mobile's Wireguard after importing the settings via the QR-Code and could connect instantly from the internet. 10/10 would run again - if I had to.
