WireGuard automated installer | Ubuntu, Debian, CentOS, Fedora


Comments

  • I had never installed a VPN before; this installer helped me a lot. Thank you!

  • OpenVZ support is here!


    FAQ:

    Does it work with other container technologies?
    Very likely, as long as they have full iptables/nftables support.

    Does it work with just 128 MB of RAM?
    Yes, but avoid CentOS if you don't have SWAP, because yum/dnf are memory hungry.

    Does it work with NAT servers?
    Yes.

    Why are you using BoringTun instead of wireguard-go?
    It is the best WireGuard user space implementation currently available. I have my "political" opinions and you can too, but at this time BoringTun is technically a great choice and I see no reason to avoid it.

    Why aren't you signing the binaries?
    Because Cloudflare is not going to, and when they make them available I'd like to use their official binaries instead of my own. They are a modern company with great engineers for new and shiny languages, but it seems like GPG is too old school for them. My initial idea was to provide full deb and rpm repositories for the community, but that ended up being an unattainable amount of work if I wanted to do it properly.

    Code quality could be better/cleaner
    That's not a question, but I know. I wanted to get working OpenVZ support out and then polish the minor stuff. I have a limited amount of time available and the implementation is working correctly, so no need to wait.

  • Good job @Nyr with adding OpenVZ support

  • Awesome. Thanks. I'll give it a try once the MrVM OpenVZ migration process is done.

  • edited May 2020

    @Nyr said:
    My initial idea was to provide full deb and rpm repositories for the community, but that ended up being an unattainable amount of work if I wanted to do it properly.

    I am genuinely curious about what challenges you faced that made you reject the idea. Is it hosting the repo or building the rpm (or both)?
    Currently, I am interested in learning the RPM ecosystem. If you think it will be worthwhile, I am happy to invest some of my time to (try to) maintain at least the RPM of it.

    Thanked by (1)Nyr
  • InceptionHosting (Hosting Provider, OG)

    Really good work @Nyr, really really appreciated!

    Thanked by (1)Nyr

    https://inceptionhosting.com
    Please do not use the PM system here for Inception Hosting support issues.

  • @PHP_Backend said: I am genuinely curious about what challenges you faced that made you reject the idea. Is it hosting the repo or building the rpm (or both)?

    Currently, I am interested in learning the RPM ecosystem. If you think it will be worthwhile, I am happy to invest some of my time to maintain at least the RPM of it.

    Packaging a .deb or .rpm is very easy and Rust has some pretty nice third-party tools for it, but there are lots of details to do it properly. I did read some of the Debian documentation, as I'm mainly a Debian guy, and estimated that I'd need about 100 hours to get comfortable enough with .deb + RPM packaging and hosting. Hosting the repos itself is also non-trivial; there are third-party solutions, but what I researched was either expensive, unreliable in the long term or lacked important features for me. I spent like a day researching and it was just too much work.

    It was just not worth the effort in my opinion, I'm happy with the current implementation and it gives me freedom to support new distributions easily, instead of learning their packaging systems and maintaining multiple repositories up to date.

    I appreciate your offer but at this time the current solution is looking good enough to me. If WireGuard keeps getting popular, I hope that mid-term the distributions will provide official packages for this.

    Thanked by (2)PHP_Backend vimalware
  • @PHP_Backend said:

    @Nyr said:
    My initial idea was to provide full deb and rpm repositories for the community, but that ended up being an unattainable amount of work if I wanted to do it properly.

    I am genuinely curious about what challenges you faced that made you reject the idea. Is it hosting the repo or building the rpm (or both)?
    Currently, I am interested in learning the RPM ecosystem. If you think it will be worthwhile, I am happy to invest some of my time to (try to) maintain at least the RPM of it.

    Are we talking about packaging BoringTun for the RH ecosystem?

    There's a Copr repo for CentOS 7, 8 and Fedora 30, 31, 32 here -> https://copr.fedorainfracloud.org/coprs/atim/boringtun/

    Alternately, there is Open Build Service (OBS) which will build repos for lots of things.
    https://openbuildservice.org/
    https://openbuildservice.org/help/manuals/obs-user-guide/cha.obs.package_formats.html

  • @FlamingSpaceJunk said: There's a Copr repo for CentOS 7, 8 and Fedora 30, 31, 32 here -> https://copr.fedorainfracloud.org/coprs/atim/boringtun/

    Yes, but there are no guarantees from the maintainer. In fact, the copr is already outdated. I want to maintain this script long-term so unofficial solutions most of the time will not work. I considered maintaining my own PPA + copr but decided against it.

    @FlamingSpaceJunk said: Alternately, there is Open Build Service (OBS) which will build repos for lots of things.

    I also considered Gemfury and Cloudsmith, but ended up discarding them. The current approach is good enough, flexible for me and easy to maintain. When Cloudflare publishes their official binaries, I'll be able to use them directly. After all, BoringTun is just that: a binary with no dependencies or anything.

  • Thanks for the openvz support!

    It's working on my MrVM SG but not the AU one :(

    wg-quick@wg0.service - WireGuard via wg-quick(8) for wg0
       Loaded: loaded (/usr/lib/systemd/system/wg-quick@.service; enabled; vendor preset: disabled)
      Drop-In: /etc/systemd/system/wg-quick@wg0.service.d
               └─boringtun.conf
       Active: failed (Result: exit-code) since Tue 2020-05-19 05:37:32 UTC; 1min 42s ago
         Docs: man:wg-quick(8)
               man:wg(8)
               https://www.wireguard.com/
               https://www.wireguard.com/quickstart/
               https://git.zx2c4.com/wireguard-tools/about/src/man/wg-quick.8
               https://git.zx2c4.com/wireguard-tools/about/src/man/wg.8
      Process: 413 ExecStart=/usr/bin/wg-quick up %i (code=exited, status=1/FAILURE)
     Main PID: 413 (code=exited, status=1/FAILURE)
    
    May 19 05:37:32 au1 wg-quick[413]: BoringTun started successfully
    May 19 05:37:32 au1 wg-quick[413]: [#] wg setconf wg0 /dev/fd/63
    May 19 05:37:32 au1 wg-quick[413]: Unable to modify interface: Protocol not supported
    May 19 05:37:32 au1 wg-quick[413]: Unable to access interface: Protocol not supported
    May 19 05:37:32 au1 wg-quick[413]: [#] ip link delete dev wg0
    May 19 05:37:32 au1 wg-quick[413]: Cannot find device "wg0"
    May 19 05:37:32 au1 systemd[1]: wg-quick@wg0.service: main process exited, code=exited, status=1/FAILURE
    May 19 05:37:32 au1 systemd[1]: Failed to start WireGuard via wg-quick(8) for wg0.
    May 19 05:37:32 au1 systemd[1]: Unit wg-quick@wg0.service entered failed state.
    May 19 05:37:32 au1 systemd[1]: wg-quick@wg0.service failed.
    
  • Nyr (OG)
    edited May 2020

    @kuroneko23 said:
    Thanks for the openvz support!

    It's working on my MrVM SG but not the AU one :(

    wg-quick@wg0.service - WireGuard via wg-quick(8) for wg0
       Loaded: loaded (/usr/lib/systemd/system/wg-quick@.service; enabled; vendor preset: disabled)
      Drop-In: /etc/systemd/system/wg-quick@wg0.service.d
               └─boringtun.conf
       Active: failed (Result: exit-code) since Tue 2020-05-19 05:37:32 UTC; 1min 42s ago
         Docs: man:wg-quick(8)
               man:wg(8)
               https://www.wireguard.com/
               https://www.wireguard.com/quickstart/
               https://git.zx2c4.com/wireguard-tools/about/src/man/wg-quick.8
               https://git.zx2c4.com/wireguard-tools/about/src/man/wg.8
      Process: 413 ExecStart=/usr/bin/wg-quick up %i (code=exited, status=1/FAILURE)
     Main PID: 413 (code=exited, status=1/FAILURE)
    
    May 19 05:37:32 au1 wg-quick[413]: BoringTun started successfully
    May 19 05:37:32 au1 wg-quick[413]: [#] wg setconf wg0 /dev/fd/63
    May 19 05:37:32 au1 wg-quick[413]: Unable to modify interface: Protocol not supported
    May 19 05:37:32 au1 wg-quick[413]: Unable to access interface: Protocol not supported
    May 19 05:37:32 au1 wg-quick[413]: [#] ip link delete dev wg0
    May 19 05:37:32 au1 wg-quick[413]: Cannot find device "wg0"
    May 19 05:37:32 au1 systemd[1]: wg-quick@wg0.service: main process exited, code=exited, status=1/FAILURE
    May 19 05:37:32 au1 systemd[1]: Failed to start WireGuard via wg-quick(8) for wg0.
    May 19 05:37:32 au1 systemd[1]: Unit wg-quick@wg0.service entered failed state.
    May 19 05:37:32 au1 systemd[1]: wg-quick@wg0.service failed.
    
    • Can you please provide the full installation log?
    • Run the boringtun-upgrade command, what's the output?
    • Is TUN enabled and working?
    • Edit /etc/systemd/system/wg-quick@wg0.service.d/boringtun.conf, add a line containing Environment=WG_LOG_LEVEL=debug and try running systemctl start wg-quick@wg0.service.

    Also there are two MrVM locations in Australia. I can buy a container there to see what's going on, but need to know which one is having issues.

    Thanked by (1)kuroneko23
  • @Nyr said:

    • Can you please provide the full installation log?

    I don't know where to find the installation log, but here is everything that shows up when I install it:

    Loaded plugins: fastestmirror
    Loading mirror speeds from cached hostfile
     * base: mirror.ventraip.net.au
     * extras: mirror.ventraip.net.au
     * updates: mirror.ventraip.net.au
    Resolving Dependencies
    --> Running transaction check
    ---> Package epel-release.noarch 0:7-11 will be installed
    --> Finished Dependency Resolution
    Dependencies Resolved
    ================================================================================================
     Package                    Arch                 Version             Repository            Size
    ================================================================================================
    Installing:
     epel-release               noarch               7-11                extras                15 k
    
    Transaction Summary
    ================================================================================================
    Install  1 Package
    
    Total download size: 15 k
    Installed size: 24 k
    Downloading packages:
    epel-release-7-11.noarch.rpm                                             |  15 kB  00:00:00
    Running transaction check
    Running transaction test
    Transaction test succeeded
    Running transaction
      Installing : epel-release-7-11.noarch                                                     1/1
      Verifying  : epel-release-7-11.noarch                                                     1/1
    
    Installed:
      epel-release.noarch 0:7-11
    
    Complete!
    Loaded plugins: fastestmirror
    Loading mirror speeds from cached hostfile
    epel/x86_64/metalink                                                     | 4.0 kB  00:00:00
     * base: mirror.ventraip.net.au
     * epel: fedora.melbourneitmirror.net
     * extras: mirror.ventraip.net.au
     * updates: mirror.ventraip.net.au
    epel                                                                     | 4.7 kB  00:00:00
    (1/3): epel/x86_64/group_gz                                              |  95 kB  00:00:00
    epel/x86_64/updateinfo         FAILED
    http://mirror.intergrid.com.au/epel/7/x86_64/repodata/297d60bc23dd0015e81acfdf880411654a0c7a9e81f396b007ed6091c1d21ae0-updateinfo.xml.bz2: [Errno 14] HTTP Error 404 - Not Found
    Trying other mirror.
    To address this issue please refer to the below wiki article
    
    https://wiki.centos.org/yum-errors
    
    If above article doesn't help to resolve this issue please use https://bugs.centos.org/.
    
    (2/3): epel/x86_64/updateinfo                                            | 1.0 MB  00:00:00
    epel/x86_64/primary_db         FAILED
    https://epel.mirror.digitalpacific.com.au/7/x86_64/repodata/7a566c24c011e3a37db6980a077f058bb72ffc678028e7b0cc354de4e8f9be93-primary.sqlite.bz2: [Errno 14] HTTPS Error 404 - Not Found
    Trying other mirror.
    (3/3): epel/x86_64/primary_db                                            | 6.8 MB  00:00:00
    Package ca-certificates-2019.2.32-76.el7_7.noarch already installed and latest version
    Package 2:tar-1.26-35.el7.x86_64 already installed and latest version
    Package cronie-1.4.11-23.el7.x86_64 already installed and latest version
    Resolving Dependencies
    --> Running transaction check
    ---> Package qrencode.x86_64 0:3.4.1-3.el7 will be installed
    --> Processing Dependency: libpng15.so.15(PNG15_0)(64bit) for package: qrencode-3.4.1-3.el7.x86_64
    --> Processing Dependency: libpng15.so.15()(64bit) for package: qrencode-3.4.1-3.el7.x86_64
    ---> Package wireguard-tools.x86_64 0:1.0.20200319-1.el7 will be installed
    --> Processing Dependency: /usr/bin/python3 for package: wireguard-tools-1.0.20200319-1.el7.x86_64
    --> Running transaction check
    ---> Package libpng.x86_64 2:1.5.13-7.el7_2 will be installed
    ---> Package python3.x86_64 0:3.6.8-13.el7 will be installed
    --> Processing Dependency: python3-libs(x86-64) = 3.6.8-13.el7 for package: python3-3.6.8-13.el7.x86_64
    --> Processing Dependency: python3-setuptools for package: python3-3.6.8-13.el7.x86_64
    --> Processing Dependency: python3-pip for package: python3-3.6.8-13.el7.x86_64
    --> Processing Dependency: libpython3.6m.so.1.0()(64bit) for package: python3-3.6.8-13.el7.x86_64
    --> Running transaction check
    ---> Package python3-libs.x86_64 0:3.6.8-13.el7 will be installed
    ---> Package python3-pip.noarch 0:9.0.3-7.el7_7 will be installed
    ---> Package python3-setuptools.noarch 0:39.2.0-10.el7 will be installed
    --> Finished Dependency Resolution
    
    Dependencies Resolved
    
    ================================================================================================
     Package                     Arch            Version                     Repository        Size
    ================================================================================================
    Installing:
     qrencode                    x86_64          3.4.1-3.el7                 base              19 k
     wireguard-tools             x86_64          1.0.20200319-1.el7          epel             118 k
    Installing for dependencies:
     libpng                      x86_64          2:1.5.13-7.el7_2            base             213 k
     python3                     x86_64          3.6.8-13.el7                base              69 k
     python3-libs                x86_64          3.6.8-13.el7                base             7.0 M
     python3-pip                 noarch          9.0.3-7.el7_7               updates          1.8 M
     python3-setuptools          noarch          39.2.0-10.el7               base             629 k
    
    Transaction Summary
    ================================================================================================
    Install  2 Packages (+5 Dependent packages)
    
    Total download size: 9.7 M
    Installed size: 49 M
    Downloading packages:
    (1/7): python3-3.6.8-13.el7.x86_64.rpm                                   |  69 kB  00:00:00
    (2/7): qrencode-3.4.1-3.el7.x86_64.rpm                                   |  19 kB  00:00:00
    (3/7): python3-setuptools-39.2.0-10.el7.noarch.rpm                       | 629 kB  00:00:00
    warning: /var/cache/yum/x86_64/7/epel/packages/wireguard-tools-1.0.20200319-1.el7.x86_64.rpm: Header V3 RSA/SHA256 Signature, key ID 352c64e5: NOKEY
    Public key for wireguard-tools-1.0.20200319-1.el7.x86_64.rpm is not installed
    (4/7): wireguard-tools-1.0.20200319-1.el7.x86_64.rpm                     | 118 kB  00:00:00
    (5/7): libpng-1.5.13-7.el7_2.x86_64.rpm                                  | 213 kB  00:00:00
    (6/7): python3-pip-9.0.3-7.el7_7.noarch.rpm                              | 1.8 MB  00:00:00
    (7/7): python3-libs-3.6.8-13.el7.x86_64.rpm                              | 7.0 MB  00:00:00
    ------------------------------------------------------------------------------------------------
    Total                                                            10 MB/s | 9.7 MB  00:00:00
    Retrieving key from file:///etc/pki/rpm-gpg/RPM-GPG-KEY-EPEL-7
    Importing GPG key 0x352C64E5:
     Userid     : "Fedora EPEL (7) <epel@fedoraproject.org>"
     Fingerprint: 91e9 7d7c 4a5e 96f1 7f3e 888f 6a2f aea2 352c 64e5
     Package    : epel-release-7-11.noarch (@extras)
     From       : /etc/pki/rpm-gpg/RPM-GPG-KEY-EPEL-7
    Running transaction check
    Running transaction test
    Transaction test succeeded
    Running transaction
      Installing : python3-pip-9.0.3-7.el7_7.noarch                                             1/7
      Installing : python3-setuptools-39.2.0-10.el7.noarch                                      2/7
      Installing : python3-libs-3.6.8-13.el7.x86_64                                             3/7
      Installing : python3-3.6.8-13.el7.x86_64                                                  4/7
      Installing : 2:libpng-1.5.13-7.el7_2.x86_64                                               5/7
      Installing : qrencode-3.4.1-3.el7.x86_64                                                  6/7
      Installing : wireguard-tools-1.0.20200319-1.el7.x86_64                                    7/7
      Verifying  : 2:libpng-1.5.13-7.el7_2.x86_64                                               1/7
      Verifying  : python3-3.6.8-13.el7.x86_64                                                  2/7
      Verifying  : qrencode-3.4.1-3.el7.x86_64                                                  3/7
      Verifying  : python3-pip-9.0.3-7.el7_7.noarch                                             4/7
      Verifying  : python3-setuptools-39.2.0-10.el7.noarch                                      5/7
      Verifying  : wireguard-tools-1.0.20200319-1.el7.x86_64                                    6/7
      Verifying  : python3-libs-3.6.8-13.el7.x86_64                                             7/7
    
    Installed:
      qrencode.x86_64 0:3.4.1-3.el7           wireguard-tools.x86_64 0:1.0.20200319-1.el7
    
    Dependency Installed:
      libpng.x86_64 2:1.5.13-7.el7_2                     python3.x86_64 0:3.6.8-13.el7
      python3-libs.x86_64 0:3.6.8-13.el7                 python3-pip.noarch 0:9.0.3-7.el7_7
      python3-setuptools.noarch 0:39.2.0-10.el7
    
    Complete!
    Created symlink from /etc/systemd/system/multi-user.target.wants/wg-iptables.service to /etc/systemd/system/wg-iptables.service.
    Job for wg-iptables.service failed because the control process exited with error code. See "systemctl status wg-iptables.service" and "journalctl -xe" for details.
    Created symlink from /etc/systemd/system/multi-user.target.wants/wg-quick@wg0.service to /usr/lib/systemd/system/wg-quick@.service.
    Job for wg-quick@wg0.service failed because the control process exited with error code. See "systemctl status wg-quick@wg0.service" and "journalctl -xe" for details.
    
    • Run the boringtun-upgrade command, what's the output?

    boringtun 0.3.0 is up to date

    • Is TUN enabled and working?

    Yes, I enabled it on Virtualizor

    Done, don't know how to see the log

    Also there are two MrVM locations in Australia. I can buy a container there to see what's going on, but need to know which one is having issues.

    Both Perth and Sydney

  • Nyr (OG)
    edited May 2020

    @kuroneko23 thanks for the information.

    Please provide the output of the following commands after a failed installation and enabling the WG_LOG_LEVEL flag as previously explained:

    systemctl status wg-iptables.service

    systemctl status wg-quick@wg0.service

    wg-quick up wg0

    @kuroneko23 said: Both Perth and Sydney

    Okay, I'll get one of them to avoid going back and forth with you if the next reply doesn't clarify the situation.

    Thanked by (1)kuroneko23
  • systemctl status wg-iptables.service

    ● wg-iptables.service
       Loaded: loaded (/etc/systemd/system/wg-iptables.service; enabled; vendor preset: disabled)
       Active: failed (Result: exit-code) since Tue 2020-05-19 08:42:27 UTC; 33min ago
     Main PID: 1604 (code=exited, status=3)
    
    May 19 08:42:27 au1 systemd[1]: Starting wg-iptables.service...
    May 19 08:42:27 au1 ip6tables[1604]: ip6tables v1.4.21: can't initialize ip6tables table `nat': Table does not exist (do you need to insmod?)
    May 19 08:42:27 au1 ip6tables[1604]: Perhaps ip6tables or your kernel needs to be upgraded.
    May 19 08:42:27 au1 systemd[1]: wg-iptables.service: main process exited, code=exited, status=3/NOTIMPLEMENTED
    May 19 08:42:27 au1 systemd[1]: Failed to start wg-iptables.service.
    May 19 08:42:27 au1 systemd[1]: Unit wg-iptables.service entered failed state.
    May 19 08:42:27 au1 systemd[1]: wg-iptables.service failed.
    

    systemctl status wg-quick@wg0.service

    wg-quick@wg0.service - WireGuard via wg-quick(8) for wg0
       Loaded: loaded (/usr/lib/systemd/system/wg-quick@.service; enabled; vendor preset: disabled)
      Drop-In: /etc/systemd/system/wg-quick@wg0.service.d
               └─boringtun.conf
       Active: failed (Result: exit-code) since Tue 2020-05-19 08:47:18 UTC; 28min ago
         Docs: man:wg-quick(8)
               man:wg(8)
               https://www.wireguard.com/
               https://www.wireguard.com/quickstart/
               https://git.zx2c4.com/wireguard-tools/about/src/man/wg-quick.8
               https://git.zx2c4.com/wireguard-tools/about/src/man/wg.8
      Process: 1750 ExecStart=/usr/bin/wg-quick up %i (code=exited, status=1/FAILURE)
     Main PID: 1750 (code=exited, status=1/FAILURE)
    
    May 19 08:47:18 au1 wg-quick[1750]: BoringTun started successfully
    May 19 08:47:18 au1 wg-quick[1750]: [#] wg setconf wg0 /dev/fd/63
    May 19 08:47:18 au1 wg-quick[1750]: Unable to modify interface: Protocol not supported
    May 19 08:47:18 au1 wg-quick[1750]: Unable to access interface: Protocol not supported
    May 19 08:47:18 au1 wg-quick[1750]: [#] ip link delete dev wg0
    May 19 08:47:18 au1 wg-quick[1750]: Cannot find device "wg0"
    May 19 08:47:18 au1 systemd[1]: wg-quick@wg0.service: main process exited, code=exited, status=1/FAILURE
    May 19 08:47:18 au1 systemd[1]: Failed to start WireGuard via wg-quick(8) for wg0.
    May 19 08:47:18 au1 systemd[1]: Unit wg-quick@wg0.service entered failed state.
    May 19 08:47:18 au1 systemd[1]: wg-quick@wg0.service failed.
    

    wg-quick up wg0

    [#] ip link add wg0 type wireguard
    RTNETLINK answers: Operation not supported
    Unable to access interface: Protocol not supported
    [#] ip link delete dev wg0
    Cannot find device "wg0"
    

    I use CentOS 7.5 in AU while SG use Ubuntu 18.04 LTS, maybe that'll help.

  • Nyr (OG)
    edited May 2020

    @kuroneko23 thanks for the information, it was very helpful.

    If you do a uname -a you'll probably see that your VPS is using a 2.6 kernel (OpenVZ 6), which has reached its end of life and is unsupported, while Singapore will probably show a 3.x kernel if you check. I'd guess that @mikho is going to upgrade the former in the near future.

    There is additionally a problem with the TUN device. Can you try running exec 8<>/dev/net/tun and let me know if it produces any error?

    Support for OpenVZ 6 is not going to be added as it reached its EOL and is a VERY old piece of software. I understand that, being the end user, you can't do much about it, but sadly I can't give you better news.

  • @Nyr said:

    If you do a uname -a you'll probably see that your VPS is using a 2.6 kernel (OpenVZ 6), which has reached its end of life and is unsupported, while Singapore will probably show a 3.x kernel if you check. I'd guess that @mikho is going to upgrade the former in the near future.

    You're right, it's still 2.6.32. That's too bad

    There is additionally a problem with the TUN device. Can you try running exec 8<>/dev/net/tun and let me know if it produces any error?

    It returns nothing

    I guess I'll stick to OpenVPN for now ._.

  • Nyr (OG)
    edited May 2020

    @kuroneko23 please, provide me the exact output of the following command: uname -r. I guess I can just match anything starting with 2.6, but just to be sure.

    That way I can add a compatibility test and alert the user that his system is not compatible.

  • @Nyr said:
    @kuroneko23 please, provide me the exact output of the following command: uname -r. I guess I can just match anything starting with 2.6, but just to be sure.

    That way I can add a compatibility test and alert the user that his system is not compatible.

    2.6.32-042stab127.2

    Thanked by (1)Nyr
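    The compatibility test Nyr describes above, as an added example that is not part of Nyr's wireguard-install script: a POSIX shell preflight that rejects the three conditions diagnosed in this thread (a 2.6 kernel, an unopenable /dev/net/tun, and a missing ip6tables nat table) and reports them to the user. The `stab` substring used to label a kernel as OpenVZ is an assumption taken from the release string posted here, and the sample release strings in the comments are constructed.

    ```shell
    #!/bin/sh
    # Preflight checks for a container WireGuard/BoringTun install (hypothetical
    # helper, not part of Nyr's script). Each check is a function returning 0/1
    # so it can be exercised without touching the running system.

    # Check 1: kernel release. OpenVZ 6 containers report a 2.6.32 kernel
    # (the thread's example: 2.6.32-042stab127.2), which is EOL. Instead of only
    # matching "2.6", anything with a major version below 3 is rejected.
    kernel_supported() {
        release="$1"
        major="${release%%.*}"
        case "$major" in
            ''|*[!0-9]*) return 1 ;;   # unparseable release string: treat as unsupported
        esac
        [ "$major" -ge 3 ]
    }

    # Assumption: OpenVZ kernels carry a "stab" build tag in the release string,
    # so the user can be told precisely what is wrong rather than "kernel too old".
    is_openvz_kernel() {
        case "$1" in
            *stab*) return 0 ;;
            *) return 1 ;;
        esac
    }

    # Check 2: BoringTun needs a TUN device that opens read/write. This is the same
    # probe Nyr asked for (exec 8<>/dev/net/tun), without leaving an fd open.
    tun_available() {
        [ -c /dev/net/tun ] && { : <>/dev/net/tun; } 2>/dev/null
    }

    # Check 3: wg-iptables.service failed on the AU node because ip6tables could not
    # initialise the nat table. Probe the table the same way the service would hit it.
    ip6_nat_available() {
        command -v ip6tables >/dev/null 2>&1 && ip6tables -t nat -L -n >/dev/null 2>&1
    }

    # Run every check against this host, print one line per result and return the
    # number of failed checks (0 means the installer can proceed).
    preflight() {
        host_release="$(uname -r)"
        failures=0
        if kernel_supported "$host_release"; then
            echo "kernel $host_release: ok"
        else
            failures=$((failures + 1))
            if is_openvz_kernel "$host_release"; then
                echo "kernel $host_release: OpenVZ 6 (EOL) kernel, not supported"
            else
                echo "kernel $host_release: too old, 3.x or newer required"
            fi
        fi
        if tun_available; then
            echo "TUN device: ok"
        else
            failures=$((failures + 1))
            echo "TUN device: /dev/net/tun missing or not openable (enable TUN/TAP in the panel)"
        fi
        if ip6_nat_available; then
            echo "ip6tables nat table: ok"
        else
            failures=$((failures + 1))
            echo "ip6tables nat table: unavailable, the IPv6 NAT rules in wg-iptables.service will fail"
        fi
        return "$failures"
    }

    preflight || echo "preflight: $? check(s) failed, aborting install"
    ```
    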
  • SagnikS (Hosting Provider, OG)

    Thank you for the script, made setting up a small personal VPN much easier :)

    Thanked by (1)Nyr
  • bibble (OG)
    edited May 2020

    @Nyr - This is a simple Wireguard + Unbound + Ad Block script that auto creates a config for a laptop and a phone.

    https://github.com/dolegi/wireguard_unbound_setup/blob/master/install-wg-unbound.sh

    It seems to capture DNS requests using iptables. Is that safer, so clients are forced to use it, than putting the internal nameserver address in the client config?

    iptables -A INPUT -p udp -s $PRIVATE_SUBNET -m udp --dport 53 -j ACCEPT
    iptables -A OUTPUT -p udp -s $PRIVATE_SUBNET -m udp --sport 53 -j ACCEPT
    iptables -A INPUT -p tcp -s $PRIVATE_SUBNET -m tcp --dport 53 -j ACCEPT
    iptables -A OUTPUT -p tcp -s $PRIVATE_SUBNET -m tcp --sport 53 -j ACCEPT
    

    Will IPv6 be routed when using that simple script?

    Good job on the OpenVZ NAT update B)

  • @bibble said: This is a simple Wireguard + Unbound + Ad Block script that auto creates a config for a laptop and a phone.

    It's abandoned and shouldn't be used.

    @bibble said: It seems to capture DNS requests using iptables. Is that safer, so clients are forced to use it, than putting the internal nameserver address in the client config?

    No, those are just ACCEPT rules; they don't forward anything. Also, they are useless in that context and not required in a normal system.

    @bibble said: Will IPv6 be routed when using that simple script?

    No.

  • mikho (Administrator, Hosting Provider, OG)

    @kuroneko23 @Nyr

    True that both AU nodes are OVZ6.
    I’ve run into some problems with how Virtualizor decided to change from serial console (like in OVZ6) to VNC on Virtuozzo OVZ7.

    It has caused me to rethink the whole node deployment for OVZ7.

    Currently trying to figure out the best way, moving forward.

    @Nyr if you ever need a container to test with, let me know.
    I have a soft spot for projects like these. ;)

  • @mikho said: @Nyr if you ever need a container to test with, let me know.

    I have a soft spot for projects like these.

    Appreciate it, but already got one OVZ from you to test the whole thing, because I don't use OVZ elsewhere.

  • One thing that's not clear to me about Wireguard is that if one wants to use it in a Lowendspirit context, shouldn't one have redundancy and randomly select which VPN server to connect to using potentially different configs like port numbers, endpoint address, and private keys? How do you set it up on the client side to randomly select one VPN server to connect to to reroute traffic and reconnect to a random server if the current one is down?

    The way the configuration is documented makes it sound like you route particular traffic to one server, so there shouldn't be an overlap (though this isn't explicitly stated). So if you direct all web traffic to one server in the config file, you could route particular subnets to different servers, but you would be connected to all at once. How do you get around that, or is there something I completely misunderstood?

    Also, from a road warrior context, how have you found Wireguard VPN supported in travel context? Do you get blocked by the firewalls more when you're connected than when in OpenVPN mode where you at least get the TCP option as a fallback?

  • @curmudgeon

    • WireGuard does not support round robin connections, or rotating if one is down. You'd need to script that, or use OpenVPN.
    • WireGuard has the same permeability which OpenVPN has: if your network allows arbitrary traffic over a UDP port it'll work. If not, you'll need to route it over something else. Both WireGuard and OpenVPN can be easily identified if your network wants to.
    Thanked by (1)curmudgeon
  • Thank you NYR - I'll stick with openvpn, also because of the TCP fallback which sometimes seems to get allowed in places UDP is blocked (especially if using common ports). Obviously won't work against anyone who really means to block VPNs as opposed to just opening up wifi for web browsing type of applications.

  • Wireguard is really nice if you have a reliable PET vps that you can afford forever. I've been running it as my daily driver on a vultr vps in SGP since the script released.

    The connection roaming is pretty seamless when switching between wifi and 4g. Voice chat in my Android games is not disturbed.

  • Due to a bug in BoringTun, adding users after the first one would result in WireGuard breaking for those using the script in OpenVZ.

    I have addressed that on my side with the latest commit. Affected users can download and use the latest version, no need to reinstall.

    Non-container installations are not affected.

    Thanked by (3)Iroshan464 vimalware flips
  • edited May 2020

    Sorry, solved. (Not sure why I needed to disable and enable TUN/TAP a few times to make it work.)

    MY/SG & Worldwide Latency Test V3 : http://www.mywebping.com (27 February 2021 Updated)
    MY-Unifi Home SmokePing: http://smokeping.mywebping.com/smokeping/
    (Might be inaccessible for few mins when router reboot or setting)

  • @Nyr is this script usable in Xen VPS?
