Koozali.org: home of the SME Server

smeserver-wireguard released

Jean-Philippe Pialasse (aka Unnilennium, http://smeserver.pialasse.com)
smeserver-wireguard released
« on: November 04, 2021, 03:11:50 AM »
I am pleased to announce the release of the smeserver-wireguard contrib.

This is one more option for those in need of a VPN, alongside OpenVPN, Libreswan and SoftEther.

Currently the contrib sets up a dedicated network for the VPN which is interconnected with the LAN of the SME. The easy configuration is made primarily with road warriors in mind (a phone, a laptop, etc.).

All you have to do is configure some peers as clients in the server-manager. A dedicated peer configuration is provided as copy/paste text or as a QR code to easily configure your clients.

The manager does not currently support the use of server-type peers (i.e. peers the SME initiates the connection to), but this could be done in the near future if needed, for example for site-to-site VPN.

See https://wiki.koozali.org/Wireguard for more information.



ReetP
Re: smeserver-wireguard released
« Reply #1 on: November 23, 2021, 11:57:12 PM »
Please note this bug:

https://bugs.koozali.org/show_bug.cgi?id=11771

It will work OK as long as you leave the network as set (172.29.0.0/255.255.252.0), or only add a private address range, e.g. 192.168.1.0/255.255.255.0.

Do NOT add a public address range, or an address with a subnet mask that can create a public range.

If you have additional local networks that you have created you can remove them via the local network panel.

We will try and fix this as soon as possible.

Thanks.

...
1. Read the Manual
2. Read the Wiki
3. Don't ask for support on Unsupported versions of software
4. I have a job, wife, and kids and do this in my spare time. If you want something fixed, please help.

Bugs are easier than you think: http://wiki.contribs.org/Bugzilla_Help

If you love SME and don't want to lose it, join in: http://wiki.contribs.org/Koozali_Foundation

markleman (http://www.leman.net)
Re: smeserver-wireguard released
« Reply #2 on: October 12, 2022, 04:08:03 PM »
Quote
Please note this bug:
https://bugs.koozali.org/show_bug.cgi?id=11771

That bug is marked as 'closed fixed', so is it safe to use this contrib now? Can the warning on the page https://wiki.koozali.org/Wireguard be removed now? (I could go edit the page if it is)

Regards,
Mark Leman

ReetP
Re: smeserver-wireguard released
« Reply #3 on: October 12, 2022, 04:29:37 PM »
As far as I am aware it has been fixed & released and no further issues have been noticed.

However, you are still your own sysadmin and should be watching for any issues :-)

I've removed the warning thanks!

Please let us know if you have any issues.


markleman (http://www.leman.net)
Re: smeserver-wireguard released
« Reply #4 on: October 12, 2022, 04:40:05 PM »
Quote
As far as I am aware it has been fixed & released and no further issues have been noticed.

However, you are still your own sysadmin and should be watching for any issues :-)

I've removed the warning thanks!

Please let us know if you have any issues.

Thanks, I'll get installing and report back any issues :-)
Regards,
Mark Leman

ReetP
Re: smeserver-wireguard released
« Reply #5 on: October 12, 2022, 05:00:01 PM »
Quote
Thanks, I'll get installing and report back any issues :-)

Cool. Please do.

B. Rgds
John

toothandnail
Re: smeserver-wireguard released
« Reply #6 on: November 15, 2022, 04:34:51 PM »
Thanks for the WireGuard contrib. I've been having some trouble with getting Phpki set up correctly, and given the improved performance claims made for WireGuard decided I'd try it.

Install was quick and simple. I do have one question though. When I look at the client configuration generated by Server-manager, in both test cases I've tried, the "endpoint" that is listed is the private IP at the internet side of the SME server, rather than the public IP or DNS listed name of the system. Is this a bug, or am I missing something else?

Jean-Philippe Pialasse (aka Unnilennium, http://smeserver.pialasse.com)
Re: smeserver-wireguard released
« Reply #7 on: November 15, 2022, 05:06:31 PM »
Yes, WireGuard does not use certificates, so PHPki is irrelevant, and this eases global deployment.

Re endpoint:
What is your SME install type? Server-only or gateway?
Is it directly connected to the internet or behind another firewall or routing device?

toothandnail
Re: smeserver-wireguard released
« Reply #8 on: November 15, 2022, 05:37:01 PM »
Quote
Yes, WireGuard does not use certificates, so PHPki is irrelevant, and this eases global deployment.

Public/private key-pairs are certainly simpler, which was one of my reasons for wanting to try wireguard.

Quote
re End point:
what is your SME install type ? server only or gateway?
is it directly connected to the internet or behind another firewall or routing device ?

I've got a couple of trial installations. Both are server/gateway systems, both running through cable routers. No firewall in the router, but the IPs are NATed from DNS-listed public IPs to private IPs. In both configurations the client configuration endpoint listings are for the static IP set on the interface that connects to the router.

I can easily enough edit the copied configuration, though I guess that would make it a bit more complicated to configure a phone.


Jean-Philippe Pialasse (aka Unnilennium, http://smeserver.pialasse.com)
Re: smeserver-wireguard released
« Reply #9 on: November 16, 2022, 01:38:02 AM »
Quote
No firewall in the router, but the IPs are NATed from DNS-listed public IPs to private IPs. In both configurations the client configuration endpoint listings are for the static IP set on the interface that connects to the router.

The router NAT IP, this is why: you have a double NAT. SME expects to have a public IP on its external interface.

In server-only mode there is a script that tries to get the public IP, but if you filter DNS through the router it might also fail.

There are ways to force the IP in the config if you have a static public IP.

toothandnail
Re: smeserver-wireguard released
« Reply #10 on: November 16, 2022, 09:23:26 PM »
Quote
The router NAT IP, this is why: you have a double NAT. SME expects to have a public IP on its external interface.

In server-only mode there is a script that tries to get the public IP, but if you filter DNS through the router it might also fail.

For the moment, I've edited the config file to put the correct static IP in place. Testing with that I've got Wireguard working on both Linux and under Windows 10. Very nice....

Quote
there are way to force the ip in the config if you have a static public IP.

That would help. Both the systems I'm testing at the moment have static public IPs. While hand editing the client config fixes the problem for use with a computer, it wouldn't help with the phone configuration (though I'm not sure any of the users will have need of that one). What would I need to do to force the IP in the config?

Alternatively, if the ability to change the endpoint IP was available in the Server-Manager panel when modifying a client profile, that would allow a manual override of the NAT-created problem.

I would have thought that many systems would have a similar problem. Most of the small business people I deal with have ISPs who supply a router which will use NAT for local network. I don't think I've ever encountered a router that I could disable the NAT function on.

I was a bit disappointed to find that I could only use an IP in the Wireguard config. Means that I can't use it for my own system, since my current ISP is unable to provide static IPs and I'm not in a position to change ISPs at the moment. I've been using a dynamic DNS provider for home, but that wouldn't work with Wireguard.

Jean-Philippe Pialasse (aka Unnilennium, http://smeserver.pialasse.com)
Re: smeserver-wireguard released
« Reply #11 on: November 17, 2022, 02:17:45 AM »
Quote
That would help. Both the systems I'm testing at the moment have static public IPs. While hand editing the client config fixes the problem for use with a computer, it wouldn't help with the phone configuration (though I'm not sure any of the users will have need of that one). What would I need to do to force the IP in the config?
Alternatively, if the ability to change the endpoint IP was available in the Server-Manager panel when modifying a client profile, that would allow a manual override of the NAT-created problem.

All the code is there behind the scenes. It would mostly need a drop-down box (auto / force detection / force IP) and a text input to enter an IP in the panel config page, store it in the db, then just modify the code of the panel in sub print_qr:

Code:
#here we guess wan IP
# are we server-gateway mode ? so external lan, should do
# else we should guess from an external service
my $ExternalIP = $cdb->get('ExternalInterface')->prop('IPAddress');
$ExternalIP = get_internet_ip_address() unless defined $ExternalIP;

Quote
I would have thought that many systems would have a similar problem. Most of the small business people I deal with have ISPs who supply a router which will use NAT for local network. I don't think I've ever encountered a router that I could disable the NAT function on.

Most are able to be changed to modem-only and act as a transparent gateway. The only limit I have encountered in some situations is that you lose the phone line over IP or the TV on home boxes.

TerryF (grumpy old man)
Re: smeserver-wireguard released
« Reply #12 on: November 17, 2022, 06:14:55 AM »
Quote
Most are able to be changed to modem-only and act as a transparent gateway. The only limit I have encountered in some situations is that you lose the phone line over IP or the TV on home boxes.

Commonly referred to as "set modem to bridge mode", this then sets the server to do all the validation work; the modem just looks after the electrons. Yes, it usually means you lose your phone line, at least here in Oz, and it is not possible on all NBN connections either :-) just to muddy the waters a little more
--
qui scribit bis legit

mmccarn
Re: smeserver-wireguard released
« Reply #13 on: November 17, 2022, 02:27:18 PM »
Quote
I was a bit disappointed to find that I could only use an IP in the Wireguard config. Means that I can't use it for my own system, since my current ISP is unable to provide static IPs and I'm not in a position to change ISPs at the moment. I've been using a dynamic DNS provider for home, but that wouldn't work with Wireguard.

I have a dynamic DNS, and run SME in server-only mode behind a Sophos firewall.

Wireguard on the SME is using the standard settings (current public IP, port 51820).

My firewall is forwarding UDP traffic on port 5182 to port 51820 on the SME server.

When configuring each client, I manually change the server IP and port to use my dynamic DNS name and the configured firewall port.

I set up my iPhone using the QR code, then edited the client (wireguard -> tap the client -> click 'edit') to set the Endpoint to use DNS and my configured firewall port.

I set up my macbook Air (macOS Ventura) by copying the displayed wireguard client config from server-manager and editing the 'Endpoint' (and optionally the "AllowedIPs"):

Quote from: redacted wireguard config from server-manager
#configuration for 192.168.201.10/32 --placeholder--
[Interface]
PrivateKey = 2GdyJNoWayI'mGivingYouARealPrivateKeycxdKGo=
Address = 192.168.201.10/32
DNS = 192.168.100.2

[Peer]
PublicKey = Zy3b3gQqFakePublicKeyoGL9bE0EtDC/eyP2M4EqkvV4=
AllowedIPs = 0.0.0.0/0
Endpoint = 71.178.192.52:51820

Quote from: Edited Config I used in my macbook
#configuration for 192.168.201.10/32 --placeholder--
[Interface]
PrivateKey = 2GdyJNoWayI'mGivingYouARealPrivateKeycxdKGo=
Address = 192.168.201.10/32
DNS = 192.168.100.2

[Peer]
PublicKey = Zy3b3gQqFakePublicKeyoGL9bE0EtDC/eyP2M4EqkvV4=
AllowedIPs = 192.168.100.0/24, a.b.c.d/32, w.x.y.z/32
Endpoint = mysmeserver.tld:5182

I have also configured my wireguard clients:
1) with my home Wifi network listed in "Except these SSIDs"
2) with "AllowedIPs" set to my home LAN and selected internet IPs***
3) with "On-Demand" enabled

*** I was recently stuck in a building with no cell service, and whose guest wifi blocked SSL VPN traffic on port 8443. Wireguard worked, so I added my office VPN IPs to "AllowedIPs" and was able to access my home LAN, connect to my office VPN, and still connect to Teams and Zoom (& Netflix...) directly to avoid any latency induced by passing the traffic through my home office.

[edit: remove blank line added to the 'edited config' block]
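The endpoint guess from Reply #11 and the manual Endpoint/AllowedIPs edit from Reply #13 in one runnable form, as an added example that is not code from the contrib: a check for a NATed external address, the auto/force selection a panel change would need, and a rewrite of the generated client config. The function names, the dummy keys and the 192.168.0.2 external address are assumptions; 71.178.192.52 is the sample endpoint quoted above.

```python
import ipaddress
import re

# Ranges that cannot be reached from the internet: RFC 1918 private space plus
# the RFC 6598 carrier-grade NAT range some ISPs hand out to the router itself.
_UNREACHABLE = [ipaddress.ip_network(n) for n in
                ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "100.64.0.0/10")]

def is_nat_address(ip):
    """True when this external-interface address means SME sits behind NAT."""
    addr = ipaddress.ip_address(ip)
    return addr.is_private or any(addr in net for net in _UNREACHABLE)

def choose_endpoint(external_ip, mode="auto", forced_host=None, forced_port=None,
                    discovered_public_ip=None, port=51820):
    """'auto': use the external interface address unless it is a NAT address, then
    fall back to a public IP discovered by an external service (passed in here).
    'force': use the operator-supplied host (public IP or DNS name) and port."""
    if mode == "force":
        if not forced_host:
            raise ValueError("force mode needs a public IP or DNS name")
        return f"{forced_host}:{forced_port or port}"
    if external_ip and not is_nat_address(external_ip):
        return f"{external_ip}:{port}"
    if discovered_public_ip and not is_nat_address(discovered_public_ip):
        return f"{discovered_public_ip}:{port}"
    raise ValueError("double NAT and no forced endpoint: clients would get a private IP")

def rewrite_client_config(config, endpoint, allowed_ips=None):
    """Replace the Endpoint (and optionally AllowedIPs) in a generated client config."""
    config = re.sub(r"(?m)^Endpoint\s*=.*$", f"Endpoint = {endpoint}", config)
    if allowed_ips:
        config = re.sub(r"(?m)^AllowedIPs\s*=.*$", f"AllowedIPs = {allowed_ips}", config)
    return config

# Constructed sample in the shape of the server-manager output (dummy keys);
# the Endpoint shows the double-NAT symptom: a router-side private address.
SAMPLE_CONFIG = """[Interface]
PrivateKey = DUMMY-PRIVATE-KEY=
Address = 192.168.201.10/32
DNS = 192.168.100.2

[Peer]
PublicKey = DUMMY-PUBLIC-KEY=
AllowedIPs = 0.0.0.0/0
Endpoint = 192.168.0.2:51820
"""
```

Running `rewrite_client_config(SAMPLE_CONFIG, choose_endpoint("192.168.0.2", mode="force", forced_host="mysmeserver.tld", forced_port=5182), "192.168.100.0/24")` yields the kind of hand-edited config shown in Reply #13.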

Jean-Philippe Pialasse (aka Unnilennium, http://smeserver.pialasse.com)
Re: smeserver-wireguard released
« Reply #14 on: November 17, 2022, 04:05:58 PM »
mmccarn

I hope those are not the real keys that would allow us to connect to your network. If so, delete them and renew them.

I see indeed another issue: with a dynamic IP the config will change.

Also, one needs to force the port if it is different from the one open on the firewall. Why not the same? You know you could also alter it on SME if you do not want the standard one.

mmccarn
Re: smeserver-wireguard released
« Reply #15 on: November 17, 2022, 09:51:55 PM »
Quote
I hope those are not the real keys that would allow us to connect to your network. If so, delete them and renew them.

Not the real keys...

Quote
Also, one needs to force the port if it is different from the one open on the firewall. Why not the same? You know you could also alter it on SME if you do not want the standard one.
I had three reasons for doing this:
1) (outdated, I know...) I like to run my servers on non-standard ports
2) I wanted to find out if the Sophos UDP port forwarding would support this configuration
3) I wanted to be able to hunt around for UDP ports not being blocked by the guest wifi that was giving me headaches.

Since I was commuting to this benighted location 12 hrs/day for a week, I created 3 client configurations on my macbook while I was at home, each using different UDP ports. I then created 3 UDP port forward rules on my Sophos, all going to the SME on port 51820. This let me try the default 51820 (which worked, as it turned out), or 443 (in case the guest wifi operator was blocking 51820 but not 443...), or 53 (in case 51820 and 443 were both blocked, but 53 was open...)