Request for WireGuard VPN implementation

WireGuard VPN

13 replies to this topic

#1 p_e_p_i_j_n

  • New Member
  • 2 posts

0
Neutral

Posted 9 August 2018 - 23:13

Like the title says, it would be nice for me to have WireGuard working on the OpenPLi image.

 

In the beginning only command line support will be enough for me. And later on as a plugin within the gui or something like that.

 



Re: Request for WireGuard VPN implementation #2 littlesat

  • PLi® Core member
  • 46,809 posts

+488
Excellent

Posted 10 August 2018 - 06:57

We have OpenVPN support. Not from the UI, as an e2 box is not really secure (everything is running under root). But you can install it and configure it via console etc...

Edited by littlesat, 10 August 2018 - 07:00.

WaveFrontier 28.2E | 23.5E | 19.2E | 16E | 13E | 10/9E | 7E | 5E | 1W | 4/5W | 15W


Re: Request for WireGuard VPN implementation #3 MastaG

  • PLi® Core member
  • 1,506 posts

+115
Excellent

Posted 10 August 2018 - 10:02

WireGuard needs to be enabled at kernel level.

Also since it's not merged into mainline yet, you need to get the patchset and backport it.

See: https://www.phoronix...Likes-WireGuard

 

And the kernel is specific for each receiver and the kernel versions/configurations differ across the multiple BSP-layers we support.

So we'd have to look at the available patchsets, apply, enable and test them.. and then send in PRs I guess.

 

Then of course there's also the UI part..

 

This would require a person with lots of free time available ;)



Re: Request for WireGuard VPN implementation #4 athoik

  • PLi® Core member
  • 7,762 posts

+275
Excellent

Posted 10 August 2018 - 10:42

No, it doesn't require built-in kernel support.

You need:
https://layers.opene...x/recipe/60780/
 
WireGuard requires Linux ≥3.10, with the following configuration options, which are likely already configured in your kernel, especially if you're installing via distribution packages, above.

    CONFIG_NET for basic networking support
    CONFIG_INET for basic IP support
    CONFIG_NET_UDP_TUNNEL for sending and receiving UDP packets
    CONFIG_CRYPTO_BLKCIPHER for doing scatter-gather I/O
and:
https://layers.opene...x/recipe/60780/


So all new generation boxes can support it, it's a matter of testing the recipes (and enabling the config on kernels where required).


Of course, to create a "proper" UI for it, it requires first making a "proper" UI for the whole network stuff (that currently sucks).

Edited by athoik, 10 August 2018 - 10:42.

Wavefield T90: 0.8W - 1.9E - 4.8E - 13E - 16E - 19.2E - 23.5E - 26E - 33E - 39E - 42E - 45E on EMP Centauri DiseqC 16/1
Unamed: 13E Quattro - 9E Quattro on IKUSI MS-0916

Re: Request for WireGuard VPN implementation #5 MastaG

  • PLi® Core member
  • 1,506 posts

+115
Excellent

Posted 10 August 2018 - 12:14

Ah thanks for clearing that up Athoik.

Guess I've had to do a bit more research.

Btw, you posted the same link twice ;)

 

Great to see the module can be built easily on top of 3.10 or newer.

Going to give it a try soon.



Re: Request for WireGuard VPN implementation #6 athoik

  • PLi® Core member
  • 7,762 posts

+275
Excellent

Posted 10 August 2018 - 13:07

The second link was the wireguard-tools: https://layers.opene...x/recipe/60781/

I guess we should give it a "huge" try.

WireGuard uses state-of-the-art cryptography, like the Noise protocol framework, Curve25519, ChaCha20, Poly1305, BLAKE2, SipHash24, HKDF, and secure trusted constructions. It makes conservative and reasonable choices and has been reviewed by cryptographers.


Wavefield T90: 0.8W - 1.9E - 4.8E - 13E - 16E - 19.2E - 23.5E - 26E - 33E - 39E - 42E - 45E on EMP Centauri DiseqC 16/1
Unamed: 13E Quattro - 9E Quattro on IKUSI MS-0916

Re: Request for WireGuard VPN implementation #7 p_e_p_i_j_n

  • New Member
  • 2 posts

0
Neutral

Posted 14 August 2018 - 15:38

2 ideas to keep things simple and less time-consuming....

  1. Make it available as an opkg extension. So only the people who need it will install it. Keeps the basic distro lean and clean.

  2. Forget the UI. People who will use this have enough experience to get this up and running by the CLI. And i.e. entering a WireGuard public key with your STB remote will be a catastrophe  :(

Maybe I can help testing or something. I'm running multiple WireGuard VPN setups for a long time.
Where can I follow the progress or be informed about updates around this subject?


Edited by p_e_p_i_j_n, 14 August 2018 - 15:40.


Re: Request for WireGuard VPN implementation #8 athoik

  • PLi® Core member
  • 7,762 posts

+275
Excellent

Posted 15 August 2018 - 16:01

I was able to compile wireguard (20180809) just fine.

Only CONFIG_NET_UDP_TUNNEL is missing from boxes.

Although some boxes like VU+ 1st gen are still using 3.9, Xtrend 1st gen are using 3.8 and DM8000 is using 3.2.

Most probably those will fail; if they are not failing (but not working either) it is much better (because no special MACHINE_FEATURES required).

Edited by athoik, 15 August 2018 - 16:02.

Wavefield T90: 0.8W - 1.9E - 4.8E - 13E - 16E - 19.2E - 23.5E - 26E - 33E - 39E - 42E - 45E on EMP Centauri DiseqC 16/1
Unamed: 13E Quattro - 9E Quattro on IKUSI MS-0916

Re: Request for WireGuard VPN implementation #9 AllMassive

  • New Member
  • 2 posts

0
Neutral

Posted 24 December 2018 - 00:34

Just stumbled across this thread because I was searching for OpenPli+Wireguard.

For a few months I've been playing around with Wireguard on various non-TV devices and it works like a charm.

Also it needs much less resources and is even faster than IPsec/OpenVPN.

It would be really great to have Wireguard on the OpenPli.


Edited by AllMassive, 24 December 2018 - 00:35.


Re: Request for WireGuard VPN implementation #10 WanWizard

  • Forum Moderator
    PLi® Core member
  • 45,200 posts

+729
Excellent

Posted 25 December 2018 - 18:15

It requires "CONFIG_NETFILTER_XT_MATCH_HASHLIMIT" to be activated in the kernel config, which in turn means all vendors have to update their BSP package. Which in turn means we can't add it to the build until all vendors have done so.


Currently in use: VU+Duo 4K (2xFBC S2), VU+Zero, Amiko Viper 2TC, Zgemma H3.2TC, Zgemma H6

Many answers to your question can be found in our new and improved wiki.

note: I do not provide support via PM !

 


Re: Request for WireGuard VPN implementation #11 athoik

  • PLi® Core member
  • 7,762 posts

+275
Excellent

Posted 25 December 2018 - 18:32

Also tried to build for older kernels and it fails!

Maybe @A.A. can help us, otherwise old machines cannot get it.
Wavefield T90: 0.8W - 1.9E - 4.8E - 13E - 16E - 19.2E - 23.5E - 26E - 33E - 39E - 42E - 45E on EMP Centauri DiseqC 16/1
Unamed: 13E Quattro - 9E Quattro on IKUSI MS-0916

Re: Request for WireGuard VPN implementation #12 WanWizard

  • Forum Moderator
    PLi® Core member
  • 45,200 posts

+729
Excellent

Posted 25 December 2018 - 18:39

It also requires:

  • CONFIG_NET_UDP_TUNNEL, found in Linux kernels: 3.17–3.19, 4.0–4.20, so it fails for quite a few boxes
  • CONFIG_NF_CONNTRACK, not enabled in any defconfig
  • CONFIG_CRYPTO_BLKCIPHER, not enabled in any defconfig
  • CONFIG_PADATA, not enabled in any defconfig
The first restricts its use to STBs with a 4.x kernel, excluding the DM8000, the 1st gen Xtrends, and virtually all VU+.
 
I think that, since we don't consider the STB a security device, we should not support this. Exposing the STB onto the internet, no matter which service, imho is a bad idea, it is not running a full-featured hardened OS.

Currently in use: VU+Duo 4K (2xFBC S2), VU+Zero, Amiko Viper 2TC, Zgemma H3.2TC, Zgemma H6

Many answers to your question can be found in our new and improved wiki.

note: I do not provide support via PM !
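
Added example, not written by any poster and not OpenPLi or WireGuard project code: a POSIX shell check for the kernel prerequisites named in posts #4, #10 and #12 (Linux ≥3.10 plus the listed CONFIG_ options), run against a kernel config file. It treats every option any poster named as required; the function names and the sample config are constructed for illustration, and /proc/config.gz only exists when the kernel was built with CONFIG_IKCONFIG_PROC.

```shell
#!/bin/sh
# Added example (not OpenPLi or WireGuard project code): list which kernel
# prerequisites named in this thread are missing from a kernel config.

# Option names as quoted in posts #4, #10 and #12.
WG_OPTS="CONFIG_NET CONFIG_INET CONFIG_NET_UDP_TUNNEL CONFIG_CRYPTO_BLKCIPHER
CONFIG_NF_CONNTRACK CONFIG_PADATA CONFIG_NETFILTER_XT_MATCH_HASHLIMIT"

# kernel_ok RELEASE: succeed if RELEASE (uname -r style) is 3.10 or newer.
kernel_ok() {
    major=${1%%.*}; rest=${1#*.}; minor=${rest%%[!0-9]*}
    case "$major" in ''|*[!0-9]*) return 2 ;; esac
    [ -n "$minor" ] || return 2
    [ "$major" -gt 3 ] || { [ "$major" -eq 3 ] && [ "$minor" -ge 10 ]; }
}

# missing_opts FILE: print every required option that is not =y or =m.
# FILE may be a plain .config/defconfig or a gzip copy such as /proc/config.gz.
missing_opts() {
    case "$1" in
        *.gz) cfg=$(gzip -dc "$1") || return 2 ;;
        *)    cfg=$(cat "$1") || return 2 ;;
    esac
    for opt in $WG_OPTS; do
        printf '%s\n' "$cfg" | grep -Eq "^${opt}=[ym]\$" || printf '%s\n' "$opt"
    done
}

# sample_config: constructed config fragment (not taken from a real BSP).
sample_config() {
    cat <<'EOF'
CONFIG_NET=y
CONFIG_INET=y
# CONFIG_NET_UDP_TUNNEL is not set
CONFIG_CRYPTO_BLKCIPHER=m
CONFIG_NF_CONNTRACK=m
# CONFIG_PADATA is not set
EOF
}

# Usage on a box: sh wgcheck.sh "$(uname -r)" /proc/config.gz
if [ "$#" -eq 2 ]; then
    kernel_ok "$1" || echo "kernel $1 is older than 3.10 (or unparsable)"
    missing_opts "$2"
fi
```

An empty result from `missing_opts` means every option named in the thread is built in or available as a module; it says nothing about whether the out-of-tree module actually compiles against that kernel.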

 


Re: Request for WireGuard VPN implementation #13 AllMassive

  • New Member
  • 2 posts

0
Neutral

Posted 25 December 2018 - 21:54

  • CONFIG_NET_UDP_TUNNEL, found in Linux kernels: 3.17–3.19, 4.0–4.20, so it fails for quite a few boxes
  • CONFIG_NF_CONNTRACK, not enabled in any defconfig
  • CONFIG_CRYPTO_BLKCIPHER, not enabled in any defconfig
  • CONFIG_PADATA, not enabled in any defconfig
The first restricts its use to STBs with a 4.x kernel, excluding the DM8000, the 1st gen Xtrends, and virtually all VU+.

 

Hm - ok  :*(

You wrote that a 4.x kernel is needed and actually my VU+ UNO 4K SE OpenPli 7.rc already has a 4.x kernel:

Linux vu 4.1.20-1.9 #1 SMP Sat Nov 24 17:07:00 CET 2018 armv7l GNU/Linux



Re: Request for WireGuard VPN implementation #14 WanWizard

  • Forum Moderator
    PLi® Core member
  • 45,200 posts

+729
Excellent

Posted 25 December 2018 - 23:39

In which case you can make local BSP modifications and build your own image from source. ;)

 

In addition to what I wrote before, we're also not a big fan of introducing features that only work on a subset of supported hardware.


Currently in use: VU+Duo 4K (2xFBC S2), VU+Zero, Amiko Viper 2TC, Zgemma H3.2TC, Zgemma H6

Many answers to your question can be found in our new and improved wiki.

note: I do not provide support via PM !

 




