Topic: wireguard as **client** on server and gateway Koozali server

[gieres]

Hi,
Because I have a new Internet provider with carrier-grade NAT IPv4, I take a VPN service to can have DNS recordings and rDNS.
After installed wireguard-tools and kmod-wireguard, it's easy to configure a wg device.
But I have difficult with route...

Code: [Select]

ip -4 route show default
default via 192.168.1.1 dev enp4s0but if I want modify default route by :

Code: [Select]

default_route=$(ip route list default | cut -d' ' -f2-)
ip -4 route del default
ip -4 route add default dev wg0
ip -4 route add 193.33.56.19/32 $default_routeLast command doesn't run :
RTNETLINK answers: No such device
wg0 was created and configure before.
Thanks in advance.

[Jean-Philippe Pialasse]

there is not such thing as client and server with wireguard. it is more peers. 

this is a routed protocol and all is indeed in the way you route things.
using ip route command in SME will fail at a moment or another.   

why not using the contrib?

[gieres]

why not using the contrib?

Because I believe it is to install a wireguard server on Koozali server.
In this case, for me, wireguard server is on VPN provider.
OK, I try.

[Jean-Philippe Pialasse]

again wireguard is not client or server, it is all about of peers and nodes.
one node can peer to and being peered to. so both client and server.

allyou need is configure the public and server key according to what they ask you (if they do not let your provide yours)
and set the ip block they ask you . see https://wiki.koozali.org/Wireguard#advanced_manual_configuration

then you might indeed need to make a custom fragment

Code: [Select]

mkdir -p /etc/e-smith/templates-custom/etc/wireguard/wg0.conf
vim /etc/e-smith/templates-custom/etc/wireguard/wg0.conf/51RemotePeers
and then edit RemotePeers for something like this

Code: [Select]

[Peer]
# mon ISP
PublicKey = MYPUBLICKEY
EndPoint = REMOTEIP:PORT
AllowedIPs = IPBLOCK/MASK\n";


edit: remove typo

[gieres]

Thank you for help.
I have began the opposite ! I have configured wg0 with db commands and have trying to find good key to configure the peer.

Effectively, when editing wg0.conf, it's clearly written « Don't modify this file ». I'have just forgotten...

[gieres]

i'have made this configuration :

Code: [Select]

[ ~]# vi /etc/e-smith/templates-custom/etc/wireguard/wg0.conf/51remotePeers
~]# expand-template /etc/wireguard/wg0.conf
 ~]# signal-event remoteaccess-update

 ~]# config show wg-quick@wg0
wg-quick@wg0=service
    UDPPort=51820
    access=public
    ip=193.33.56.123
    mask=32
    private=AAAAAAAAAAAAAAAAAAAAAAAAAAA=
    public=BBBBBBBBBBBBBBBBBBBBBBBBBB=
    status=enabled

 ~]# cat /etc/e-smith/templates-custom/etc/wireguard/wg0.conf/51remotePeers
[Peer]
# rezine_vpn
PublicKey = CCCCCCCCCCCCCCCCCCCCCC=    #key of VPN provider
EndPoints = 193.33.56.19:51820                             #address of VPN provider server
AllowedIPs = 0.0.0.0/0\n";

~]# systemctl start wg-quick@wg0.service
Job for wg-quick@wg0.service failed because the control process exited with error code. See "systemctl status wg-quick@wg0.service" and "journalctl -xe" for details.

~]# systemctl status wg-quick@wg0.service
● wg-quick@wg0.service - WireGuard via wg-quick(8) for wg0
   Loaded: loaded (/usr/lib/systemd/system/wg-quick@.service; enabled; vendor preset: enabled)
  Drop-In: /usr/lib/systemd/system/wg-quick@wg0.service.d
           └─51k.conf
   Active: failed (Result: exit-code) since ven. 2025-03-28 17:34:51 CET; 1min 6s ago
     Docs: man:wg-quick(8)
           man:wg(8)
           https://www.wireguard.com/
           https://www.wireguard.com/quickstart/
           https://git.zx2c4.com/wireguard-tools/about/src/man/wg-quick.8
           https://git.zx2c4.com/wireguard-tools/about/src/man/wg.8
  Process: 26800 ExecStop=/usr/bin/wg-quick down %i (code=exited, status=0/SUCCESS)
  Process: 13995 ExecStart=/usr/bin/wg-quick up %i (code=exited, status=1/FAILURE)
 Main PID: 13995 (code=exited, status=1/FAILURE)

mars 28 17:34:51 k.albe.ovh systemd[1]: Starting WireGuard via wg-q....        # albe.ovh is my domain name
mars 28 17:34:51 k.albe.ovh wg-quick[13995]: [#] ip link add wg0 typ...
mars 28 17:34:51 k.albe.ovh wg-quick[13995]: [#] wg setconf wg0 /dev...
mars 28 17:34:51 k.albe.ovh wg-quick[13995]: Line unrecognized: `End...
mars 28 17:34:51 k.albe.ovh wg-quick[13995]: Configuration parsing e...
mars 28 17:34:51 k.albe.ovh wg-quick[13995]: [#] ip link delete dev wg0
mars 28 17:34:51 k.albe.ovh systemd[1]: wg-quick@wg0.service: main ...E
mars 28 17:34:51 k.albe.ovh systemd[1]: Failed to start WireGuard v....
mars 28 17:34:51 k.albe.ovh systemd[1]: Unit wg-quick@wg0.service e....
mars 28 17:34:51 k.albe.ovh systemd[1]: wg-quick@wg0.service failed.
Hint: Some lines were ellipsized, use -l to show in full.


That don't runs. I believe that script don't accept that IP is not in B class.

[Jean-Philippe Pialasse]

as stated in the log:

use -l to show in full.

only 2 elements are needed to debug and pinpoint the error and they are missing.

Code: [Select]

systemctl status -l wg-quick@wg0.service
and

Code: [Select]

cat /etc/wireguard/wg0.conf

but from the cut out line i can guess the error is  a syntax error Endpoints should be

Endpoint

Line unrecognized: `End...
Configuration parsing e...

[Jean-Philippe Pialasse]

after you confirm this work without the typo, i see only one issue, the contrib was thought to have a trusted not internet routable network on the wg0 interface.   
so indeed in your use case, you can not use the routing already offered by the contrib, or you might see people using your server as mail relay from same provider.

would need to use a dedicated interface wg0 and write the routing apart.
a nice project for sme11

[gieres]

Yes, wg-quick@wg0.service works without the typo, thanks.

But, effectively, domain name isn't reachable from Internet, probably routing issue, effectively.

a nice project for sme11

With or without the contrib ?