Koozali.org: home of the SME Server

Contribs.org Forums => Koozali SME Server 10.x Contribs => Topic started by: robf355 on April 27, 2023, 06:52:45 PM

Title: wireguard network access
Post by: robf355 on April 27, 2023, 06:52:45 PM

Hi
I use the wireguard contrib to access my internal network 192.168.0. from android devices which works really well. I also have separate subnet for the cctv (zoneminder) which uses the 192.168.1.x subnet. all are physically connected i.e on the same hubs/switches.
My firewall (router/smoothwall box) has rules setup allowing the 192.168.0.x subnet to access the 192.168.1.0 subnet but not the other way round (to stop Chinese cameras calling 'home') i.e. all 192.168.1.x subnet outgoing connections are blocked.
However I can't access the 192.168.1.0 subnet from the wireguard clients, I can load the zoneminder console from any 192.168.0.x computers
Is there a way to allow this to work, I have added 192.168.1.0 in the local networks page of the server manager screen.
Regards
Rob

Title: Re: wireguard network access
Post by: Jean-Philippe Pialasse on April 28, 2023, 05:22:28 AM

your wireguard has its own network and subnet.  you need to authorize this subnet to access your camera network. 
if the router were SME all would have been done for you, but as you maintain your own firewall it is implicite that you know what you are doing and that you need to route every network you want.

there would be an alternative to fake your client ip and maie it seen as your server, but this could do more arm than help.

Title: Re: wireguard network access
Post by: robf355 on April 28, 2023, 05:28:51 PM

Thanks for the reply, I need to read the firewall docs to see if this can be done
Regards
Rob

Title: Re: wireguard network access
Post by: robf355 on May 04, 2023, 05:09:27 PM

Hi
In need of help here, I couldn't make may progress with getting wireguard to connect so I put zoneminder on the same subnet, which should have worked.
Today wireguard refused to connect even to the server from an android tablet.
The Android app log said handshake timeout, I checked the server logs and they are saying:

May  4 15:50:23 server wg-quick: wg-quick: `/etc/wireguard/wg0.conf' does not exist
May  4 15:50:23 server esmith::event[3555]: Job for wg-quick@wg0.service failed because the control process exited with error code. See "systemctl status wg-quick@wg0.service" and "journalctl -xe" for details.
May  4 15:50:23 server esmith::event[3555]: serviceControl: Couldn't system( /usr/bin/systemctl restart wg-quick@wg0.service): No such file or directory
May  4 15:50:23 server esmith::event[3555]: adjust-services=action|Event|wireguard-conf-modify|Action|adjust-services|Start|1683211823 165860|End|1683211823 754635|Elapsed|0.588775

I did an uninstall/reboot and then reinstall but it's still happening. I've checked /etc/wireguard.conf, and it doesn't exist.
/home/e-smith/db/wireguard does exist:
172.30.0.2/32=wg0|allowedips||info|SERVER|private|<private key>public <public key>|status|enabled|user|admin

Can anyone suggest what has happened, the install didn't display any errors, wireguard has been working fine for months, haven't made any changes
Regards
Rob

Title: Re: wireguard network access
Post by: Jean-Philippe Pialasse on May 04, 2023, 07:48:23 PM

Quote

May  4 15:50:23 server esmith::event[3555]: serviceControl: Couldn't system( /usr/bin/systemctl restart wg-quick@wg0.service): No such file or directory

check output of

whereis systemctl

rpm -q e-smith-base

and

systemctl status wg-quick@wg0.service

Title: Re: wireguard network access
Post by: robf355 on May 04, 2023, 07:55:41 PM

[root@server ~]# whereis systemctl
systemctl: /usr/bin/systemctl /usr/sbin/e-smith/systemctl /usr/share/man/man1/systemctl.1.gz

[root@server ~]# rpm -q e-smith-base
e-smith-base-5.8.1-23.el7.sme.x86_64

[root@server ~]# systemctl status wg-quick@wg0.service
â— wg-quick@wg0.service - WireGuard via wg-quick(8) for wg0
   Loaded: loaded (/usr/lib/systemd/system/wg-quick@.service; enabled; vendor preset: enabled)
  Drop-In: /usr/lib/systemd/system/wg-quick@wg0.service.d
           |-51koozali.conf
   Active: failed (Result: exit-code) since Thu 2023-05-04 16:29:52 BST; 2h 22min ago
     Docs: man:wg-quick(8)
           man:wg(8)
           https://www.wireguard.com/
           https://www.wireguard.com/quickstart/
           https://git.zx2c4.com/wireguard-tools/about/src/man/wg-quick.8
           https://git.zx2c4.com/wireguard-tools/about/src/man/wg.8
  Process: 7897 ExecStart=/usr/bin/wg-quick up %i (code=exited, status=1/FAILURE)
 Main PID: 7897 (code=exited, status=1/FAILURE)

May 04 16:29:52 server.kjctechnik.com systemd[1]: Starting WireGuard via wg-quick(8) for wg0...
May 04 16:29:52 server.kjctechnik.com wg-quick[7897]: wg-quick: `/etc/wireguard/wg0.conf' does not exist
May 04 16:29:52 server.kjctechnik.com systemd[1]: wg-quick@wg0.service: main process exited, code=exited, status=1/FAILURE
May 04 16:29:52 server.kjctechnik.com systemd[1]: Failed to start WireGuard via wg-quick(8) for wg0.
May 04 16:29:52 server.kjctechnik.com systemd[1]: Unit wg-quick@wg0.service entered failed state.
May 04 16:29:52 server.kjctechnik.com systemd[1]: wg-quick@wg0.service failed.

Title: Re: wireguard network access
Post by: Jean-Philippe Pialasse on May 05, 2023, 12:58:15 AM

you have your answer the config file is missing.

why? that is another question. 

Title: Re: wireguard network access
Post by: robf355 on May 05, 2023, 09:27:40 AM

Edit:
I just tried on a virtualbox install, directories are created correctly, so it isn't a bug!

I fixed the problem by creating the/etc/wireguard directory and then using touch to create the two 0 byte files:
server_public.key
wg0.conf
Then went into the web console clicked edit configuration and save, this created the correct configuration files.
I then added a client config which updated the wg0.conf file and created the server_private.key file.
When i did the original uninstall I deleted the wireguard directory to make sure I was doing a clean install.
It appears that the installer doesn't create the folders, and the edit configuration in the wireguard browser page doesn't create the folder/file if it's missing - at least on my machine.
Thanks for the help, is this a bug?
Regards
Rob

Title: Re: wireguard network access
Post by: Jean-Philippe Pialasse on May 07, 2023, 06:03:47 AM

i guess you uninstalled smeserver-wireguard but not the wireguard-tool rpm which own the /etc/wireguard directory. 

hint before manually deleting something rpm -qf this path

Title: Re: wireguard network access
Post by: robf355 on May 09, 2023, 12:20:36 PM

Quote

i guess you uninstalled smeserver-wireguard but not the wireguard-tool rpm which own the /etc/wireguard directory.

hint before manually deleting something rpm -qf this path

Yes you are correct, can I suggest a change to the wireguard howto under uninstall,
Change "yum remove smeserver-wireguard  wireguard"
to
yum remove smeserver-wireguard  wireguard wireguard-tools kmod-wireguard
if a user wishes to do a complete uninstall
Regards
Rob

Title: Re: wireguard network access
Post by: Jean-Philippe Pialasse on May 09, 2023, 01:20:11 PM

Quote from: robf355 on May 09, 2023, 12:20:36 PM

Yes you are correct, can I suggest a change to the wireguard howto under uninstall,
Change "yum remove smeserver-wireguard  wireguard"
to
yum remove smeserver-wireguard  wireguard wireguard-tools kmod-wireguard
if a user wishes to do a complete uninstall
Regards
Rob

done

Title: Re: wireguard network access
Post by: robf355 on May 09, 2023, 01:32:11 PM

Thanks, and thanks for the help!