We use the Wireguard VPN client on hangdevice because it gives us a secure private IPv4 (and possibly IPv6) tunnel to a known server. This also works when the public IPv6 system of Freifunk fails (which was tested a lot). That means Wireguard is the preferred way to communicate from external networks.

Server side

Install Wireguard and add the wg0 interface

add-apt-repository ppa:wireguard/wireguard
apt-get update
apt-get install wireguard wireguard-dkms wireguard-tools
ip link add dev wg0 type wireguard
ifconfig wg0

Enable packet forwarding (Server only - not required on Clients)

vim /etc/sysctl.conf
net.ipv4.ip_forward = 1
#net.ipv6.conf.all.forwarding=1 #disable ipv6
sysctl -p

Create private/public key pair

umask 077
wg genkey | tee privatekey | wg pubkey > publickey

Configure server interface

vim /etc/wireguard/wg0.conf

Info: the FORWARD rules below let VPN clients reach 192.168.1.103 only; everything else arriving on wg0 is dropped.

[Interface]
Address = 192.168.11.1/24
SaveConfig = true
# PostUp adds (-A) the rules, PostDown removes (-D) exactly the same rules
PostUp = iptables -A FORWARD -i wg0 -o bond1 -d 192.168.1.103/32 -j ACCEPT; iptables -A FORWARD -i bond1 -o wg0 -j ACCEPT; iptables -A FORWARD -i wg0 -j DROP; iptables -t nat -A POSTROUTING -o bond1 -j MASQUERADE
PostDown = iptables -D FORWARD -i wg0 -o bond1 -d 192.168.1.103/32 -j ACCEPT; iptables -D FORWARD -i bond1 -o wg0 -j ACCEPT; iptables -D FORWARD -i wg0 -j DROP; iptables -t nat -D POSTROUTING -o bond1 -j MASQUERADE
ListenPort = 54321
PrivateKey = PPKofServer

[Peer]
PublicKey = PubKeyOfClient1
AllowedIPs = 192.168.11.2/32

Start Wireguard (as service)

systemctl enable wg-quick@wg0
wg-quick up wg0
wg

hangdevice Client

Install Wireguard and add some interface

#on hangdevice - see https://www.sigmdel.ca/michel/ha/wireguard/wireguard_02_en.html (client)
echo "deb http://deb.debian.org/debian/ unstable main" | sudo tee --append /etc/apt/sources.list.d/unstable.list
apt-key adv --keyserver keyserver.ubuntu.com --recv-keys 04EE7237B7D453EC
printf 'Package: *\nPin: release a=unstable\nPin-Priority: 150\n' | sudo tee --append /etc/apt/preferences.d/limit-unstable
apt update
apt install wireguard -y
reboot

Create peer key pair (for client)

umask 077
wg genkey | tee peeroneprivatekey | wg pubkey > peeronepublickey
vim /etc/wireguard/wg0.conf
[Interface]
Address = 192.168.11.2/24
PrivateKey = PPKofClient
#DNS = 1.1.1.1

[Peer]
PublicKey = PubKeyOfServer
#AllowedIPs = 0.0.0.0/0
# tunnel subnet plus the one host the server forwards to; 192.168.11.0/16 is not a valid prefix (host bits set) and the kernel refuses the route wg-quick would add for it
AllowedIPs = 192.168.11.0/24, 192.168.1.103/32
Endpoint = the.wireguard.server:54321
PersistentKeepalive = 25
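
Before running "wg-quick up" on either side it is worth linting the config file. The script below is an added example and is not part of this page or of the Wireguard project. It checks that every iptables rule in PostUp has its -D counterpart in PostDown (and that PostUp never uses -D itself), and that each AllowedIPs entry is a valid IPv4 prefix: 192.168.11.0/16 has host bits set, the kernel matches it as 192.168.0.0/16 and refuses the route wg-quick asks for. The two configs it runs on are constructed for the demo; the ";"-separated iptables rule format follows the configs on this page.

```shell
#!/bin/sh
# Added example, not part of the original page: lint a wg-quick config before
# "wg-quick up". It catches the two slips easiest to make in the server and
# client configs above: PostUp/PostDown iptables rules that are not mirror
# images (-A vs -D), and AllowedIPs entries with host bits set (192.168.11.0/16),
# which the kernel matches as the masked network and refuses to add a route for.
# Assumed: PostUp/PostDown rules are ';'-separated iptables commands, IPv4 only.

# Report PostUp rules using -D, PostUp -A rules without a matching PostDown -D,
# and PostDown -D rules PostUp never adds. Returns 1 if anything was reported.
wg_lint_firewall() {
    awk '
        function trim(s) { gsub(/^[ \t]+|[ \t]+$/, "", s); return s }
        /^PostUp[ \t]*=/   { sub(/^PostUp[ \t]*=[ \t]*/, "");   up = $0 }
        /^PostDown[ \t]*=/ { sub(/^PostDown[ \t]*=[ \t]*/, ""); down = $0 }
        END {
            n = split(up, parts, ";")
            for (i = 1; i <= n; i++) {
                r = trim(parts[i])
                if (r ~ / -D /)      { bad++; print "PostUp deletes instead of adding: " r }
                else if (r ~ / -A /) { sub(/ -A /, " ", r); upadd[r] = 1 }
            }
            n = split(down, parts, ";")
            for (i = 1; i <= n; i++) {
                r = trim(parts[i])
                if (r ~ / -D /) { sub(/ -D /, " ", r); downdel[r] = 1 }
            }
            for (r in upadd)   if (!(r in downdel)) { bad++; print "no PostDown -D for: " r }
            for (r in downdel) if (!(r in upadd))   { bad++; print "PostDown removes a rule PostUp never adds: " r }
            exit (bad ? 1 : 0)
        }' "$1"
}

# Report AllowedIPs entries that are not valid IPv4 network prefixes. Returns 1 if any.
wg_lint_allowedips() {
    awk '
        function trim(s) { gsub(/^[ \t]+|[ \t]+$/, "", s); return s }
        function quad(x) { return int(x / 16777216) "." (int(x / 65536) % 256) "." (int(x / 256) % 256) "." (x % 256) }
        /^AllowedIPs[ \t]*=/ {
            sub(/^AllowedIPs[ \t]*=[ \t]*/, "")
            n = split($0, list, ",")
            for (i = 1; i <= n; i++) {
                c = trim(list[i])
                if (c ~ /:/) continue                       # IPv6 entries are not checked here
                if (index(c, "/") == 0) c = c "/32"         # wg treats a bare address as /32
                if (split(c, a, "[./]") != 5 || a[5] < 0 || a[5] > 32) { bad++; print "line " NR ": not an IPv4 CIDR: " c; continue }
                ip  = ((a[1] * 256 + a[2]) * 256 + a[3]) * 256 + a[4]
                net = ip - ip % (2 ^ (32 - a[5]))          # clear the host bits
                if (net != ip) { bad++; print "line " NR ": host bits set in " c " (kernel would use " quad(net) "/" a[5] ")" }
            }
        }
        END { exit (bad ? 1 : 0) }' "$1"
}

# Stand-alone demo on two constructed configs: the server one has the
# "-D ... MASQUERADE" slip in PostUp, the client one carries the /16 entry.
tmp=$(mktemp -d)
cat > "$tmp/server.conf" <<'EOF'
[Interface]
Address = 192.168.11.1/24
PostUp = iptables -A FORWARD -i wg0 -o bond1 -d 192.168.1.103/32 -j ACCEPT; iptables -A FORWARD -i wg0 -j DROP; iptables -t nat -D POSTROUTING -o bond1 -j MASQUERADE
PostDown = iptables -D FORWARD -i wg0 -o bond1 -d 192.168.1.103/32 -j ACCEPT; iptables -D FORWARD -i wg0 -j DROP; iptables -t nat -D POSTROUTING -o bond1 -j MASQUERADE
[Peer]
PublicKey = PubKeyOfClient1
AllowedIPs = 192.168.11.2/32
EOF
cat > "$tmp/client.conf" <<'EOF'
[Interface]
Address = 192.168.11.2/24
[Peer]
PublicKey = PubKeyOfServer
AllowedIPs = 192.168.11.0/16
Endpoint = the.wireguard.server:54321
EOF
for f in "$tmp/server.conf" "$tmp/client.conf"; do
    echo "== $f"
    wg_lint_firewall "$f"   || echo "-> fix PostUp/PostDown before wg-quick up"
    wg_lint_allowedips "$f" || echo "-> fix AllowedIPs before wg-quick up"
done
rm -rf "$tmp"
```

Run it as root against /etc/wireguard/wg0.conf; a PostUp that fails (for example a -D on a rule that does not exist yet) makes wg-quick abort the whole interface bring-up, so catching it before the first "wg-quick up" saves a debugging round trip.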

Start Wireguard (as service)

systemctl enable wg-quick@wg0
wg-quick up wg0
wg #show info
wg-quick save wg0 #save that info immediately

#stop
#wg-quick down wg0

Test Wireguard with tcpdump (Client + Server)

Warning: if the command "wg" does not show a "latest handshake" line on the client, the connection was not established. If "wg" shows no peers on the server, this also means that no client has established a connection.

#on server:
netstat -anlup | grep 54321
ps aux | grep wireguard
ss -lun 'sport = :54321'
tcpdump -i bond1 udp port 54321 -vv -X

#on client (hangdevice)
echo -n "blah:36|c" | nc -w 1 -u -4 the.wireguard.server 54321

#on server:
18:55:42.919037 IP (tos 0x0, ttl 54, id 4198, offset 0, flags [DF], proto UDP (17), length 37)
    gianotti.chemnitz.freifunk.net.36882 > 192.168.1.66.54321: [udp sum ok] UDP, length 9
        0x0000:  4500 0025 1066 4000 3611 fbe1 a3ac d2e9  E..%.f@.6.......
        0x0010:  c0a8 0142 9012 d431 0011 cb82 626c 6168  ...B...1....blah
        0x0020:  3a33 367c 6300 0000 0000 0000 0000       :36|c........

wg #run this on client and on server. It should list the peer on both sides plus a recent handshake
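
To turn the handshake rule above into a check that can run from cron or a monitoring script, the following added example (not from this page or the Wireguard project) parses the output of "wg show wg0 latest-handshakes", which prints one "<peer public key><tab><unix timestamp>" line per peer, with 0 when no handshake ever completed. The peer keys in the demo are constructed placeholders, and the 180-second limit is an assumption based on WireGuard renegotiating roughly every two minutes while traffic flows.

```shell
#!/bin/sh
# Added example, not from the page: a handshake-freshness check built on
# "wg show <iface> latest-handshakes". That command prints one
# "<peer-pubkey>\t<unix-time>" line per peer (0 = never). WireGuard rekeys
# at least every ~2 minutes while traffic flows, so a handshake older than a
# few minutes (or 0) means the tunnel is down even though "wg" still lists
# the peer. The 180 s limit and the peer keys below are constructed.

# Usage: wg_check_handshakes MAX_AGE_SECONDS NOW_EPOCH < handshake-lines
# Prints one status line per peer; returns 0 only if every peer is fresh.
wg_check_handshakes() {
    awk -v max="$1" -v now="$2" '
        NF >= 2 {
            peers++
            if ($2 == 0)   { bad++; print "DOWN  " $1 " (never completed a handshake)"; next }
            age = now - $2
            if (age > max) { bad++; print "STALE " $1 " (last handshake " age "s ago)"; next }
            print "OK    " $1 " (last handshake " age "s ago)"
        }
        END {
            if (peers == 0) { print "no peers listed: the interface has no [Peer] entries"; exit 1 }
            exit (bad ? 1 : 0)
        }'
}

# Live use on either side of the tunnel (needs root and the wg tool):
#   wg show wg0 latest-handshakes | wg_check_handshakes 180 "$(date +%s)"
# Stand-alone demo on constructed output: one fresh peer, one stale, one never seen.
wg_check_handshakes 180 1600000000 <<'EOF'
CLIENT1PUBKEYPLACEHOLDER=	1599999950
CLIENT2PUBKEYPLACEHOLDER=	1599990000
CLIENT3PUBKEYPLACEHOLDER=	0
EOF
```

On the server, a peer that is STALE while its client should be online points at the UDP path (the tcpdump test above), a wrong Endpoint, or a key mismatch; a DOWN peer that has never handshaken usually means the client's AllowedIPs or PublicKey entry for the server is wrong.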

Troubleshooting

RTNETLINK answers: Operation not supported (Kernel Update / Firmware Update)

[#] ip link add wg0 type wireguard
RTNETLINK answers: Operation not supported
Unable to access interface: Protocol not supported
[#] ip link delete dev wg0
Cannot find device "wg0"

modprobe wireguard
modprobe: FATAL: Module wireguard not found in directory /lib/modules/4.19.118-v7+

#fix variant 1
dpkg-reconfigure wireguard-dkms

#fix variant 2
sudo apt remove wireguard-dkms
sudo apt install wireguard-dkms

#fix variant 3 - make recent headers manually
sudo apt-get install git bc bison flex libssl-dev
sudo wget https://raw.githubusercontent.com/notro/rpi-source/master/rpi-source -O /usr/local/bin/rpi-source && sudo chmod +x /usr/local/bin/rpi-source && /usr/local/bin/rpi-source -q --tag-update
cd ~/
rpi-source

#in case of failure:
cd ~/
rm -rf linux-fe2c7bf4cad4641dfb6f12712755515ab15815ca/
rpi-source

Helpful resources
