Table of Contents


Wireguard Plugin For OMV7

Wireguard Plugin For OMV7

Wireguard Plugin For OMV7



Under Services > Wireguard

Wireguard

Summary


Third Party Software Note

www.wireguard.com While this OMV plugin makes the wireguard package easy to integrate into openmediavault, the wireguard package itself was created by a third party. See the project / author's → Wireguard web page for more detailed information and support.

WireGuard® is an extremely simple yet fast and modern VPN that utilizes state-of-the-art cryptography. It aims to be faster, simpler, leaner, and more useful than IPsec, while avoiding the massive headache. It intends to be considerably more performant than OpenVPN. WireGuard is designed as a general purpose VPN for running on embedded interfaces and super computers alike, fit for many different circumstances. Initially released for the Linux kernel, it is now cross-platform (Windows, macOS, BSD, iOS, Android) and widely deployable. It is currently under heavy development, but already it might be regarded as the most secure, easiest to use, and simplest VPN solution in the industry.


Prerequisites


Installation

In OMV7's GUI:
Under System > Plugins, find and highlight openmediavault-wireguard 7.X, and click the install button.

  Note
If your system is based on an Armbian image, installing this plugin may break the existing Kernel.
To solve it you must reinstall the Armbian Kernel once the plugin is installed and everything will work normally.


Management of a Tunnel

Under Services > Wireguard > Tunnels

Wireguard Tunnels


Configuring a tunnel

Wireguard Tunnels Create


  Note
It is completely necessary and mandatory that our operator provide us with a public IP address, if we have CG-NAT in our connection we will not be able to access from outside. This is something completely normal, and it is the first thing you should make sure of for it.
Of course, if we are opening a port on the router, we have to make 100% sure that our server's firewall is not interfering with the communication.


Editing a tunnel


Delete a tunnel


See the Tunnel Config


Management of a Client

Under Services > Wireguard > Clients

Wireguard Clients


Configuring a Client

Wireguard Clients Create


Editing a Client

  Note
Any changes made must be implemented again on the client using the QR code or configuration file for the changes to be applied.


Delete a Client


See the Client Config


Management of a Custom Config

Under Services > Wireguard > Custom Config

Wireguard Custom Config


This tab allows you to create a tunnel with the custom settings you need. It allows to open an editing window where you can paste the configuration from a text file, therefore, you can choose the parameters you need for the tunnel. Use this tab if you need to connect the server to an external (commercial) Wireguard VPN service.

If you need to configure a tunnel to connect the point-to-point server with another server, or any other network topology, you must do so in this tab, since it allows you to manually define keys, networks and other necessary parameters.


Create a Custom Config

Wireguard Custom Config Create

  Tip: Use templates to automatically generate keys.
If you are creating a custom tunnel from scratch and want to avoid creating the keys manually, you can create a tunnel and a client (or several) and use them as templates:
Create a tunnel in the Tunnels tab and activate it and create a client in the Clients tab and activate it.
In the Tunnels tab, select the tunnel you have created and click the Tunnel Config button. Copy the text to the clipboard and go to the Custom Config tab. Create a new tunnel and paste the text in the dialog box. Save the changes without activating the tunnel.
Go to the Clients tab and select the client you have created. Click the Client Config button and copy the text to a text file. This will be the starting point with the keys for your peer.
Delete the generated client and tunnel that you used as templates. You are now ready to edit your custom tunnel and activate it. Modifies the range of networks to move away from the networks generated by the plugin. Modify the rest of the parameters according to your needs.

  Note
In the procedures section of this document there is a procedure to create a point-to-point tunnel.

  Note
The plugin enables IP forwarding on the host by default. So it is not necessary to add any sysctl -w net.ipv4.ip_forward=1 type instruction in the interface.


Edit a Custom Config


Delete a custom tunnel


How to configure a smartphone or pc

If the client is a smartphone (android or iOS)


  Note
Depending on your router settings, the connection may not work if you are connected by Wi-Fi on the same network as the server.
You can disable the Wi-Fi connection of the smartphone in this case and connect with data on the smartphone. This way you can test your connection.


If the client is a PC (Linux, MacOS or Windows)

Wireguard > Clients > Client config


  Note
Depending on your router settings, the connection may not work if the PC is connected to the same network as the server.
If the PC has Wi-Fi, you can share a data connection via Wi-Fi from the smartphone and connect to it from the PC. This way you can test your connection.


How to split the tunnel traffic

Useful if you connect to a remote network but at the same time want to access your local network. This can be achieved if the network ranges are different on these two networks.


How to Point-to-point tunnel configuration

Point to point. Standard tunnel.

Wireguard's point-to-point configuration creates a remote connection between two peers so that they can only communicate with each other, without sharing any other points on the local network of each peer.

It's a simple setup, each peer can only see the IP of the other peer. The rest of the IPs of the local network are restricted in this connection. Logically, each peer can access all the ports of the other peer, therefore it is able to access all its services on that IP.

One of the two peers is the one that opens the connection with the other peer and keeps it open so that the other peer can also link. We will see it later.

The point-to-point configuration is useful, for example, in situations where you need to create remote backup jobs from one server to another. For example, a peer can access an rsync module created by the other peer if given the credentials to do so.

The procedure is the next:

Configuration of the first server (peer 1)

[Interface]
PrivateKey = Uses the previously generated TUNNEL PRIVATE KEY
ListenPort = 51500
Address = 10.15.15.1/32

[Peer]
PublicKey = Uses the previously generated CLIENT PUBLIC KEY
AllowedIPs = 10.15.15.2/32


Configuration of the second server (peer 2)

[Interface]
PrivateKey = Uses the previously generated CLIENT PRIVATE KEY
ListenPort = 51500
Address = 10.15.15.2/32

[Peer]
PublicKey = Use the previously generated TUNNEL PUBLIC KEY
AllowedIPs = 10.15.15.1/32
Endpoint = mydomain.com:51500
PersistentKeepalive = 25

You just need to make sure that the port set is open on both routers and that the domain point set on the peer 2 points to the public IP of the peer 1.

If you are sure of the above, the point-to-point tunnel is established. You can check this in the CLI from the first peer by running ping 10.15.15.2 and from the second peer by running ping 10.15.15.1 or whatever subnet you have set. The response should be something similar to this:

ping 10.15.15.1 (10.15.15.1) 56 (84) bytes of data.
64 bytes from 10.15.15.1: icmp_seq = 1 ttl = 64 time = 30.6 ms
64 bytes from 10.15.15.1: icmp_seq = 2 ttl = 64 time = 30.7 ms
64 bytes from 10.15.15.1: icmp_seq = 3 ttl = 64 time = 29.6 ms
64 bytes from 10.15.15.1: icmp_seq = 4 ttl = 64 time = 28.9 ms
^ C
--- 10.15.15.1 ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 8ms
rtt min / avg / max / mdev = 28.877 / 29.934 / 30.677 / 0.775 ms

If it doesn't work check your domain and check that the ports are open on both routers.


Point to point. Variant with two Endpoints, silence in the connection.

Wireguard is characterized by being a silent connection. In the above case, only one of the two peers can initiate the connection since the other peer does not have an endpoint. Therefore, to allow the initiation of the connection from both peers, one of them must keep the connection open by sending a packet every so often (PersistentKeepalive).

We can achieve that the tunnel behaves silently when there is no communication and that both peers can initiate the connection, for this we must establish an Endpoint in each of the two peers. Of course to achieve this we must have a domain pointing to each server. We will call them in this case peer1.mydomain.com and peer2.mydomain.com

The previous configuration would look like this:

Peer 1.

[Interface]
PrivateKey = xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
ListenPort = 51500
Address = 10.15.15.1/32

[Peer]
PublicKey = xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
AllowedIPs = 10.15.15.2/32
Endpoint = peer2.mydomain.com:51500

Peer 2.

[Interface]
PrivateKey = xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
ListenPort = 51500
Address = 10.15.15.2/32

[Peer]
PublicKey = xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
AllowedIPs = 10.15.15.1/32
Endpoint = peer1.mydomain.com:51500


Point by point. Firewall configuration using iptables.

The above configuration allows the peers to talk to each other on any port. If you need it, you can restrict these communications to one or more ports using iptables as a firewall. This will cause each of the peers to reject any communication outside of what we need to establish.

Suppose we are setting up this tunnel to perform rsync synchronization from a module that supports connections on port 873 (you can customize it). In this case, it would be desirable for each server to only allow connections to that port, denying connections to any other service.

Suppose we have called the interface of each peer pp_peer1 in the plugin GUI. The plugin will end up calling that interface wgnet_pp_peer1. Similarly, in peer 2 the interface will be called wgnet_pp_peer2.

The configuration of the previous section would look like this after applying the iptables rules:

Peer 1.

[Interface]
PrivateKey = xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
ListenPort = 51500
Address = 10.15.15.1/32

# Firewall
PreUp = iptables -A INPUT -i wgnet_pp_peer1 -m state --state ESTABLISHED,RELATED -j ACCEPT
PreUp = iptables -A INPUT -i wgnet_pp_peer1 -m state --state NEW -p tcp --dport 873 -j ACCEPT
PreUp = iptables -A INPUT -i wgnet_pp_peer1 -j REJECT
PostDown = iptables -D INPUT -i wgnet_pp_peer1 -m state --state ESTABLISHED,RELATED -j ACCEPT
PostDown = iptables -D INPUT -i wgnet_pp_peer1 -m state --state NEW -p tcp --dport 873 -j ACCEPT
PostDown = iptables -D INPUT -i wgnet_pp_peer1 -j REJECT

[Peer]
PublicKey = xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
AllowedIPs = 10.15.15.2/32
Endpoint = peer2.mydomain.com:51500

Peer 2.

[Interface]
PrivateKey = xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
ListenPort = 51500
Address = 10.15.15.2/32

# Firewall
PreUp = iptables -A INPUT -i wgnet_pp_peer2 -m state --state ESTABLISHED,RELATED -j ACCEPT
PreUp = iptables -A INPUT -i wgnet_pp_peer2 -m state --state NEW -p tcp --dport 873 -j ACCEPT
PreUp = iptables -A INPUT -i wgnet_pp_peer2 -j REJECT
PostDown = iptables -D INPUT -i wgnet_pp_peer2 -m state --state ESTABLISHED,RELATED -j ACCEPT
PostDown = iptables -D INPUT -i wgnet_pp_peer2 -m state --state NEW -p tcp --dport 873 -j ACCEPT
PostDown = iptables -D INPUT -i wgnet_pp_peer2 -j REJECT

[Peer]
PublicKey = xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
AllowedIPs = 10.15.15.1/32
Endpoint = peer1.mydomain.com:51500

Be sure to bring the interface down before making iptables changes and then bring it back up to avoid orphan rules being left active.

If you need to add more than one port to the tunnel, for example ports 80 and 443 on peer1, you can replace the second and fifth lines of iptables with these:

PreUp = iptables -A INPUT -i wgnet_pp_peer1 -m state --state NEW -p tcp -m multiport --dports 80,443 -j ACCEPT
PostDown = iptables -D INPUT -i wgnet_pp_peer1 -m state --state NEW -p tcp -m multiport --dports 80,443 -j ACCEPT


How to Set up a free domain with duckdns. Fix dynamic IP

www.duckdns.org If you need a domain there are many ways to get it. One of them is provided by duckdns.org for free.

If your IP is dynamic, the most usual, it can change at any time. If this happens you will lose the connection because the domain will be forwarded to an IP that is no longer your server's. To solve this duckdns also provides a simple dynamic public IP update system.

Get a domain in duckdns

Dynamic IP update with duckdns on OMV

The original instructions can be seen here. www.duckdns.org/install.jsp. The procedure installs a small file that must be executed from time to time. In each execution it sends the current IP and compares it with the one configured in the domain, if it is different it updates it.

Instead we will use the scheduled task execution in the OMV GUI to execute the instruction directly.

To configure it do the following:

echo url="https://www.duckdns.org/update?domains=MY_DOMAIN&token=MY_TOKEN&ip=" | curl -k -o /var/log/duck.log -K -

  Note
This task will create a log file at /var/log/duck.log.


Common Problems

I can't connect to the network from outside


The connection works, I receive data, but I cannot access the network

Set the value AllowedIPs = 0.0.0.0/0 and check if you have access. If so, you can now proceed to customize the network range. If after customizing the network range you lose access, you haven't done it right.


I have set the same settings on the smartphone and the laptop and it only works on one

If you need two accesses from two or more clients, you must configure a different connection for each client. If you establish the same configuration on different clients, only one of them will work, they will never work simultaneously.


I can't access my shared folders

Sometimes domain name resolution may not work. If this is the case, try accessing through your server's IP instead of the domain name.


I can't access the internet from my client

If you can access your local network from the client but cannot access the internet, try splitting the tunnel traffic. Connections directed to your local network would go through the Wireguard tunnel, the rest of the connections would go through your smartphone's standard network interface accessed by the laptop. To do that you must do it like this:


Source Code

openmediavault-wireguard


A Closing Note

We, who support the openmediavault project, hope you’ve found this guide to be useful and that you’ll find your openmediavault server to be efficient, easy to use, and enjoyable.

If you found this plugin guide to be helpful, please consider a modest donation to support the hosting costs of this server.

OMV-Extras.org



Venmo: ryecoaaron