Request for WireGuard VPN implementation

WireGuard VPN

70 replies to this topic

#1 p_e_p_i_j_n

  • New Member
  • 2 posts

0
Neutral

Posted 9 August 2018 - 23:13

Like the title says, it would be nice for me to have WireGuard working on the OpenPLi image.

 

In the beginning only command line support will be enough for me. And later on as a plugin within the gui or something like that.

 



Re: Request for WireGuard VPN implementation #2 littlesat

  • PLi® Core member
  • 52,264 posts

+591
Excellent

Posted 10 August 2018 - 06:57

We have OpenVPN support. Not from the UI, as an e2 box is not really secure (everything is running under root). But you can install it and config it via console etc...

Edited by littlesat, 10 August 2018 - 07:00.

WaveFrontier 28.2E | 23.5E | 19.2E | 16E | 13E | 10/9E | 7E | 5E | 1W | 4/5W | 15W


Re: Request for WireGuard VPN implementation #3 MastaG

  • PLi® Core member
  • 1,529 posts

+116
Excellent

Posted 10 August 2018 - 10:02

WireGuard needs to be enabled at kernel level.

Also since it's not merged into mainline yet, you need to get the patchset and backport it.

See: https://www.phoronix...Likes-WireGuard

 

And the kernel is specific for each receiver and the kernel versions/configurations differ across the multiple BSP-layers we support.

So we'd have to look at the available patchsets, apply, enable and test them.. and then send in PR's I guess.

 

Then of course there's also the UI part..

 

This would require a person with lots of free time available ;)



Re: Request for WireGuard VPN implementation #4 athoik

  • PLi® Core member
  • 8,342 posts

+314
Excellent

Posted 10 August 2018 - 10:42

No, it doesn't require built-in kernel support.

You need:
https://layers.opene...x/recipe/60780/
 
WireGuard requires Linux ≥3.10, with the following configuration options, which are likely already configured in your kernel, especially if you're installing via distribution packages, above.

    CONFIG_NET for basic networking support
    CONFIG_INET for basic IP support
    CONFIG_NET_UDP_TUNNEL for sending and receiving UDP packets
    CONFIG_CRYPTO_BLKCIPHER for doing scatter-gather I/O
and:
https://layers.opene...x/recipe/60780/


So all new generation boxes can support it, it's a matter of testing the recipes (and enabling the config on kernels where required).


Of course, to create a "proper" UI for it, it requires first making a "proper" UI for the whole network stuff (that currently sucks).

Edited by athoik, 10 August 2018 - 10:42.

Wavefield T90: 0.8W - 1.9E - 4.8E - 13E - 16E - 19.2E - 23.5E - 26E - 33E - 39E - 42E - 45E on EMP Centauri DiseqC 16/1
Unamed: 13E Quattro - 9E Quattro on IKUSI MS-0916

Re: Request for WireGuard VPN implementation #5 MastaG

  • PLi® Core member
  • 1,529 posts

+116
Excellent

Posted 10 August 2018 - 12:14

Ah thanks for clearing that up Athoik.

Guess I've had to do a bit more research.

Btw, you posted the same link twice ;)

 

Great to see the module can be built easily on top of 3.10 or newer.

Going to give it a try soon.



Re: Request for WireGuard VPN implementation #6 athoik

  • PLi® Core member
  • 8,342 posts

+314
Excellent

Posted 10 August 2018 - 13:07

The second link was the wireguard-tools: https://layers.opene...x/recipe/60781/

I guess we should give a "huge" try.

WireGuard uses state-of-the-art cryptography, like the Noise protocol framework, Curve25519, ChaCha20, Poly1305, BLAKE2, SipHash24, HKDF, and secure trusted constructions. It makes conservative and reasonable choices and has been reviewed by cryptographers.


Wavefield T90: 0.8W - 1.9E - 4.8E - 13E - 16E - 19.2E - 23.5E - 26E - 33E - 39E - 42E - 45E on EMP Centauri DiseqC 16/1
Unamed: 13E Quattro - 9E Quattro on IKUSI MS-0916

Re: Request for WireGuard VPN implementation #7 p_e_p_i_j_n

  • New Member
  • 2 posts

0
Neutral

Posted 14 August 2018 - 15:38

2 ideas to keep things simple and less time-consuming....

  1. Make it available as an opkg extension. So only the people who need it will install it. Keeps the basic distro lean and clean.
     
  2. Forget the UI. People who will use this have enough experience to get this up and running by the CLI. And, e.g., entering a WireGuard public key with your STB remote will be a catastrophe  :(  

Maybe I can help testing or something. I'm running multiple WireGuard VPN setups for a long time.
Where can I follow the progress or be informed about updates around this subject.


Edited by p_e_p_i_j_n, 14 August 2018 - 15:40.


Re: Request for WireGuard VPN implementation #8 athoik

  • PLi® Core member
  • 8,342 posts

+314
Excellent

Posted 15 August 2018 - 16:01

I was able to compile wireguard (20180809) just fine.

Only CONFIG_NET_UDP_TUNNEL is missing from boxes.

Although some boxes like VU+ 1st gen are still using 3.9, Xtrend 1st gen are using 3.8 and DM8000 is using 3.2

Most probably those will fail; if they are not failing (but not working either) it is much better (because no special MACHINE_FEATURES required).

Edited by athoik, 15 August 2018 - 16:02.

Wavefield T90: 0.8W - 1.9E - 4.8E - 13E - 16E - 19.2E - 23.5E - 26E - 33E - 39E - 42E - 45E on EMP Centauri DiseqC 16/1
Unamed: 13E Quattro - 9E Quattro on IKUSI MS-0916

Re: Request for WireGuard VPN implementation #9 AllMassive

  • Member
  • 5 posts

0
Neutral

Posted 24 December 2018 - 00:34

Just stumbled across this thread because I was searching for OpenPLi+WireGuard.

For a few months I've been playing around with WireGuard on various non-TV devices and it works like a charm.

Also it needs much less Resources and is even faster than IPsec/OpenVPN.

It would be really great to have Wireguard on the OpenPli.


Edited by AllMassive, 24 December 2018 - 00:35.


Re: Request for WireGuard VPN implementation #10 WanWizard

  • Forum Moderator
    PLi® Core member
  • 55,450 posts

+1,126
Excellent

Posted 25 December 2018 - 18:15

It requires "CONFIG_NETFILTER_XT_MATCH_HASHLIMIT" to be activated in the kernel config, which in turn means all vendors have to update their BSP package. Which in turn means we can't add it to the build until all vendors have done so.


Currently in use: VU+Duo 4K (2xFBC S2), Amiko Viper T2C (T2+fallback), Octagon SF8008 (S2+T2), Zgemma H9.2H (T2+fallback)

Many answers to your question can be found in our new and improved wiki.

note: I do not provide support via PM !

 


Re: Request for WireGuard VPN implementation #11 athoik

  • PLi® Core member
  • 8,342 posts

+314
Excellent

Posted 25 December 2018 - 18:32

Also tried to build for older kernels and it fails!

Maybe @A.A. can help us, otherwise old machines cannot get it.
Wavefield T90: 0.8W - 1.9E - 4.8E - 13E - 16E - 19.2E - 23.5E - 26E - 33E - 39E - 42E - 45E on EMP Centauri DiseqC 16/1
Unamed: 13E Quattro - 9E Quattro on IKUSI MS-0916

Re: Request for WireGuard VPN implementation #12 WanWizard

  • Forum Moderator
    PLi® Core member
  • 55,450 posts

+1,126
Excellent

Posted 25 December 2018 - 18:39

It also requires:

  • CONFIG_NET_UDP_TUNNEL, found in Linux kernels: 3.17–3.19, 4.0–4.20, so it fails for quite a few boxes
  • CONFIG_NF_CONNTRACK, not enabled in any defconfig
  • CONFIG_CRYPTO_BLKCIPHER, not enabled in any defconfig
  • CONFIG_PADATA, not enabled in any defconfig
The first restricting its use to STBs with a 4.x kernel, excluding the DM8000, the 1st gen Xtrends, and virtually all VU+.
 
I think that, since we don't consider the STB a security device, we should not support this. Exposing the STB onto the internet, no matter which service, imho is a bad idea, it is not running a full-featured hardened OS.

Currently in use: VU+Duo 4K (2xFBC S2), Amiko Viper T2C (T2+fallback), Octagon SF8008 (S2+T2), Zgemma H9.2H (T2+fallback)

Many answers to your question can be found in our new and improved wiki.

note: I do not provide support via PM !
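
Added example, not part of any post in this thread: a POSIX shell check of a kernel release and a kernel config file against the minimum version and the options that posts #4, #10 and #12 name. The function names and the sample config are constructed for illustration, and the option list is taken as the posters gave it.

```shell
# Options named in posts #4, #10 and #12 above, taken as the posters gave them.
WG_OPTS="CONFIG_NET CONFIG_INET CONFIG_NET_UDP_TUNNEL CONFIG_CRYPTO_BLKCIPHER
CONFIG_NF_CONNTRACK CONFIG_PADATA CONFIG_NETFILTER_XT_MATCH_HASHLIMIT"

# kernel_at_least RELEASE MAJOR MINOR: succeeds if RELEASE >= MAJOR.MINOR
kernel_at_least() {
    rel=${1%%-*}                      # "4.1.20-1.9" -> "4.1.20"
    major=${rel%%.*}
    rest=${rel#*.}; minor=${rest%%.*}; minor=${minor%%[!0-9]*}
    [ "$major" -gt "$2" ] || { [ "$major" -eq "$2" ] && [ "$minor" -ge "$3" ]; }
}

# missing_options CONFIG_FILE: prints each listed option that is neither =y nor =m
missing_options() {
    for opt in $WG_OPTS; do
        grep -Eq "^${opt}=(y|m)\$" "$1" || printf '%s\n' "$opt"
    done
}

# audit RELEASE CONFIG_FILE: returns 2 for an old kernel, 1 for missing options, 0 if fine
audit() {
    if ! kernel_at_least "$1" 3 10; then
        echo "kernel $1: older than 3.10"; return 2
    fi
    miss=$(missing_options "$2" | tr '\n' ' ')
    if [ -n "$miss" ]; then
        echo "kernel $1: missing ${miss% }"; return 1
    fi
    echo "kernel $1: all listed options present"
}

# Constructed sample config (not taken from any real BSP): UDP tunnel support is unset.
sample_config() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
CONFIG_NET=y
CONFIG_INET=y
# CONFIG_NET_UDP_TUNNEL is not set
CONFIG_CRYPTO_BLKCIPHER=m
CONFIG_NF_CONNTRACK=y
CONFIG_PADATA=y
CONFIG_NETFILTER_XT_MATCH_HASHLIMIT=m
EOF
    printf '%s\n' "$f"
}

cfg=$(sample_config)
audit "4.1.20-1.9" "$cfg" || true    # release string in the form quoted in post #13
rm -f "$cfg"
```

On a box whose kernel exposes its configuration, `zcat /proc/config.gz` written to a file gives the second argument; otherwise point it at the BSP defconfig.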

 


Re: Request for WireGuard VPN implementation #13 AllMassive

  • Member
  • 5 posts

0
Neutral

Posted 25 December 2018 - 21:54

> • CONFIG_NET_UDP_TUNNEL, found in Linux kernels: 3.17–3.19, 4.0–4.20, so it fails for quite a few boxes
> • CONFIG_NF_CONNTRACK, not enabled in any defconfig
> • CONFIG_CRYPTO_BLKCIPHER, not enabled in any defconfig
> • CONFIG_PADATA, not enabled in any defconfig
> The first restricting its use to STBs with a 4.x kernel, excluding the DM8000, the 1st gen Xtrends, and virtually all VU+.

 

Hm - ok  :*(

You wrote that a 4.x-Kernel is needed and actually my VU+ UNO 4K SE OpenPli 7.rc already has a 4.x-Kernel:

Linux vu 4.1.20-1.9 #1 SMP Sat Nov 24 17:07:00 CET 2018 armv7l GNU/Linux



Re: Request for WireGuard VPN implementation #14 WanWizard

  • Forum Moderator
    PLi® Core member
  • 55,450 posts

+1,126
Excellent

Posted 25 December 2018 - 23:39

In which case you can make local BSP modifications and build your own image from source. ;)

 

In addition to what I wrote before, we're also not a big fan of introducing features that only work on a subset of supported hardware.


Currently in use: VU+Duo 4K (2xFBC S2), Amiko Viper T2C (T2+fallback), Octagon SF8008 (S2+T2), Zgemma H9.2H (T2+fallback)

Many answers to your question can be found in our new and improved wiki.

note: I do not provide support via PM !

 


Re: Request for WireGuard VPN implementation #15 dolphs

  • Senior Member
  • 800 posts

+7
Neutral

Posted 8 April 2020 - 06:51

Almost "a year and a half" further, meanwhile wireguard made it into kernel 5.6 mainline,

Yet which view have OpenPLi devs on this tunnel?

I suppose openvpn will be deprecated and wireguard packages will be in soon ?  



Re: Request for WireGuard VPN implementation #16 littlesat

  • PLi® Core member
  • 52,264 posts

+591
Excellent

Posted 8 April 2020 - 06:58

And what about using smart DNS? Could this be a more easy way? Just change the DNS settings of your box to the dyndns IP address as given by the VPN provider.

Edited by littlesat, 8 April 2020 - 06:58.

WaveFrontier 28.2E | 23.5E | 19.2E | 16E | 13E | 10/9E | 7E | 5E | 1W | 4/5W | 15W


Re: Request for WireGuard VPN implementation #17 WanWizard

  • Forum Moderator
    PLi® Core member
  • 55,450 posts

+1,126
Excellent

Posted 8 April 2020 - 12:33

> Almost "a year and a half" further, meanwhile wireguard made it into kernel 5.6 mainline,
>
> Yet which view have OpenPLi devs on this tunnel?
>
> I suppose openvpn will be deprecated and wireguard packages will be in soon ?

 

I sincerely doubt it.

 

For starters, no box currently runs on 5.6, and most never will.

 

And as long as most endpoints (NAS boxes, routers, firewalls) don't support it, it will not catch on very quickly.


Currently in use: VU+Duo 4K (2xFBC S2), Amiko Viper T2C (T2+fallback), Octagon SF8008 (S2+T2), Zgemma H9.2H (T2+fallback)

Many answers to your question can be found in our new and improved wiki.

note: I do not provide support via PM !

 


Re: Request for WireGuard VPN implementation #18 dolphs

  • Senior Member
  • 800 posts

+7
Neutral

Posted 9 April 2020 - 06:28

certainly but as from kernel 3.10 things can be compiled from scratch so I thought things could be incorporated building forthcoming OpenPLi.8

[offtopic]My old Vu+solo won't be in as it has 3.9.6 currently ...[/offtopic] 



Re: Request for WireGuard VPN implementation #19 WanWizard

  • Forum Moderator
    PLi® Core member
  • 55,450 posts

+1,126
Excellent

Posted 9 April 2020 - 13:03

If it doesn't work on all boxes, don't hold your breath.

 

Also, if it is not part of Yocto, someone needs to make a bitbake recipe for it. That someone won't be me, see my previous response.


Currently in use: VU+Duo 4K (2xFBC S2), Amiko Viper T2C (T2+fallback), Octagon SF8008 (S2+T2), Zgemma H9.2H (T2+fallback)

Many answers to your question can be found in our new and improved wiki.

note: I do not provide support via PM !

 


Re: Request for WireGuard VPN implementation #20 littlesat

  • PLi® Core member
  • 52,264 posts

+591
Excellent

Posted 9 April 2020 - 15:11

And using smart DNS instead?

WaveFrontier 28.2E | 23.5E | 19.2E | 16E | 13E | 10/9E | 7E | 5E | 1W | 4/5W | 15W




