107 replies to this topic

[p_e_p_i_j_n]

Like the title says, it would be nice for me to have WireGuard working on the OpenPLi image.

 

In the beginning only command line support will be enough for me. And later on as a plugin within the gui or something like that.

 

[littlesat]

We have OpenVPN support. Not from the ui as a e2 box is not really secure (everything is running under root). But you can install it and config it via console etc...

Edited by littlesat, 10 August 2018 - 07:00.

[MastaG]

WireGuard needs to be enabled at kernel level.

Also since it's not merged into mainline yet, you need to get the patchset and backport it.

See: https://www.phoronix...Likes-WireGuard

 

And the kernel is specific for each receiver and the kernel versions/configurations differ across the multiple BSP-layers we support.

So we'd have to look at the available patchsets, apply, enable and test them.. and then send in PR's I guess.

 

Then of course there's also the UI part..

 

This would require a person with lots of free time available

[athoik]

No it doesn't required build-in kernel support.

You need:
https://layers.opene...x/recipe/60780/
 

WireGuard requires Linux ≥3.10, with the following configuration options, which are likely already configured in your kernel, especially if you're installing via distribution packages, above.

    CONFIG_NET for basic networking support
    CONFIG_INET for basic IP support
    CONFIG_NET_UDP_TUNNEL for sending and receiving UDP packets
    CONFIG_CRYPTO_BLKCIPHER for doing scatter-gather I/O

and:
https://layers.opene...x/recipe/60780/


So all new generation boxes can support it, it's a matter of testing the recipes (and enabling the config on kernels where required).


Of course create a "proper" UI for it, it requires first making "proper" UI for the whole network staff (that currently sucks).

Edited by athoik, 10 August 2018 - 10:42.

[MastaG]

Ah thanks for clearing that up Athoik.

Guess I've had to do a bit more research.

Btw, you posted the same link twice

 

Great to see the module can be built easily op top of 3.10 or newer.

Going to give it a try soon.

[athoik]

The second link was the wireguard-tools: https://layers.opene...x/recipe/60781/

I guess we should give a "huge" try.

WireGuard uses state-of-the-art cryptography, like the Noise protocol framework, Curve25519, ChaCha20, Poly1305, BLAKE2, SipHash24, HKDF, and secure trusted constructions. It makes conservative and reasonable choices and has been reviewed by cryptographers.

[p_e_p_i_j_n]

2 ideas to keep things simple and less time-consuming....

1. Make it available as an opkg extension. So only the people who need it will install it. Keeps the basic distro lean and clean.
    
2. Forget the UI. People who will use this have enough experience to get this up and running by the cli. And i.e. entering an WireGuard publickey with you stb remote will be a catastrophe    

Maybe I can help testing or something. I'm running multiple WireGuard VPN setups for a long time.
Where can I follow the progress or be informed about updates around this subject.

Edited by p_e_p_i_j_n, 14 August 2018 - 15:40.

[athoik]

I was able to compile wireguard (20180809) just fine.

Only CONFIG_NET_UDP_TUNNEL is missing from boxes.

Although some boxes like VU+ 1st gen are still using 3.9, Xtrend 1st gen are using 3.8 and DM8000 is using 3.2

Most probably those will fail, if there are not failing (but not working either) it is much better (because no special MACHINE_FEATURES, requrired).

Edited by athoik, 15 August 2018 - 16:02.

[AllMassive]

Just stumbled across this Thread because i was searching for OpenPli+Wireguard.

Since a few Months i'm playing around with Wireguard on various non-TV-Devices and it works like a charm.

Also it needs much less Resources and is even faster than IPsec/OpenVPN.

It would be really great to have Wireguard on the OpenPli.

Edited by AllMassive, 24 December 2018 - 00:35.

[WanWizard]

It requires "CONFIG_NETFILTER_XT_MATCH_HASHLIMIT" to be activated in the kernel config, which in turn means all vendors have to update their BSP package. Which in turn means we can't add it to the build until all vendors have done so.

[athoik]

Also tried to build for older kernels and it fails!

Maybe @A.A. can help us, otherwise old machines cannot get it.

[WanWizard]

It also requires:

• CONFIG_NET_UDP_TUNNEL, found in Linux kernels: 3.17–3.19, 4.0–4.20, so it fails for quite a few boxes
• CONFIG_NF_CONNTRACK, not enabled in any defconfig
• CONFIG_CRYPTO_BLKCIPHER, not enabled in any defconfig
• CONFIG_PADATA, not enabled in any defconfig

The first restricting it's use to STB's with a 4.x kernel, excluding the DM8000, the 1st gen Xtrends, and virtually all VU+.

 

I think that, since we don't consider the STB a security device, we should not support this. Exposing the STB onto the internet, no matter which service, imho is a bad idea, it is not running a full-features hardened OS.

[AllMassive]

• CONFIG_NET_UDP_TUNNEL, found in Linux kernels: 3.17–3.19, 4.0–4.20, so it fails for quite a few boxes
• CONFIG_NF_CONNTRACK, not enabled in any defconfig
• CONFIG_CRYPTO_BLKCIPHER, not enabled in any defconfig
• CONFIG_PADATA, not enabled in any defconfig

The first restricting it's use to STB's with a 4.x kernel, excluding the DM8000, the 1st gen Xtrends, and virtually all VU+.

 

Hm - ok  :*(

You wrote that a 4.x-Kernel is needed and actually my VU+ UNO 4K SE OpenPli 7.rc already has a 4.x-Kernel:

Linux vu 4.1.20-1.9 #1 SMP Sat Nov 24 17:07:00 CET 2018 armv7l GNU/Linux

[WanWizard]

In which case you can make local BSP modifications and build your own image from source.

 

In addition to that I wrote before, we're also not a big fan of introducing features that only work on a subset of supported hardware.

[dolphs]

Almost "a year and a half" further, meanwhile wireguard made it in to kernel 5.6 mainline,

Yet which view have OpenPLi dev's on this tunnel?

I suppose openvpn will be deprecated and wireguard packages will be in soon ?  

[littlesat]

And what about using smart dns? Could this me a more easy way! Just change the dns settings of your box? To the dyndns IP address as given by the vpn provider.

Edited by littlesat, 8 April 2020 - 06:58.

[WanWizard]

Almost "a year and a half" further, meanwhile wireguard made it in to kernel 5.6 mainline,

Yet which view have OpenPLi dev's on this tunnel?

I suppose openvpn will be deprecated and wireguard packages will be in soon ?  

 

I sincerely doubt it.

 

For starters, no box currently runs on 5.6, and most never will.

 

And as long as most endpoints (NAS boxes, routers, firewalls) don't support it, it will not catch on very quickly.

[dolphs]

certainly but as from kernel 3.10 things can be compiled from scratch so I thought things could be incorporated building forthcoming OpenPLi.8

[offtopic]My old Vu+solo won't be in as it has 3.9.6 currently ...[/offtopic] 

[WanWizard]

If it doesn't work on all boxes, don't hold your breath.

 

Also, if it is not part of Yocto, someone needs to make a bitbake recipe for it. That someone won't be me, see my previous response.

[littlesat]

And using smart dan instead?