While this OMV plugin makes the wireguard package easy to integrate into openmediavault, the wireguard package itself was created by a third party. See the project / author's → Wireguard web page for more detailed information and support.
WireGuard® is an extremely simple yet fast and modern VPN that utilizes state-of-the-art cryptography. It aims to be faster, simpler, leaner, and more useful than IPsec, while avoiding the massive headache. It intends to be considerably more performant than OpenVPN. WireGuard is designed as a general purpose VPN for running on embedded interfaces and super computers alike, fit for many different circumstances. Initially released for the Linux kernel, it is now cross-platform (Windows, macOS, BSD, iOS, Android) and widely deployable. It is currently under heavy development, but already it might be regarded as the most secure, easiest to use, and simplest VPN solution in the industry.
In OMV7's GUI:
Under System > Plugins, find and highlight openmediavault-wireguard 7.X, and click the install button.
Note | |
If your system is based on an Armbian image, installing this plugin may break the existing Kernel. To solve it you must reinstall the Armbian Kernel once the plugin is installed and everything will work normally. |
PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -A FORWARD -o %i -j ACCEPT; iptables -t nat -A POSTROUTING -o [NETWORK INTERFACE] -j MASQUERADE
PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -D FORWARD -o %i -j ACCEPT; iptables -t nat -D POSTROUTING -o [NETWORK INTERFACE] -j MASQUERADE
Note | |
The plugin enables IP forwarding on the host by default. So it is not necessary to add any sysctl -w net.ipv4.ip_forward=1 type instruction in the interface.
|
192.168.1.0/24
MTU=1420
. Set a value if you need to modify this parameter. wg-quick does not support values below 1280. If you don't know your network parameters, the value 1380 should work fine in most cases. The upper limit is 9999.MTU=1420
, since the length of the header used by wireguard is subtracted (the longest is 80 bytes for IPv6).
Note | |
It is completely necessary and mandatory that our operator provide us with a public IP address, if we have CG-NAT in our connection we will not be able to access from outside. This is something completely normal, and it is the first thing you should make sure of for it. Of course, if we are opening a port on the router, we have to make 100% sure that our server's firewall is not interfering with the communication. |
0.0.0.0/0
and all traffic will be routed through the tunnel. If you need to split the tunnel traffic on this client you can press the button to access the different options. Using either of these options will remove the value 0.0.0.0/0
from the AllowedIPs variable. The different options add values regardless of whether the other options are active or not.0.0.0.0/0
network range from the AllowedIPs settings and add the network range that the plugin has set for this tunnel's VPN.0.0.0.0/0
from the AllowedIPs settings and add the network range manually set in the tunnel settings to the Local IP field.
Note | |
Any changes made must be implemented again on the client using the QR code or configuration file for the changes to be applied. |
This tab allows you to create a tunnel with the custom settings you need. It allows to open an editing window where you can paste the configuration from a text file, therefore, you can choose the parameters you need for the tunnel. Use this tab if you need to connect the server to an external (commercial) Wireguard VPN service.
If you need to configure a tunnel to connect the point-to-point server with another server, or any other network topology, you must do so in this tab, since it allows you to manually define keys, networks and other necessary parameters.
wgnet_NAME
where NAME
is the name chosen for the tunnel.10.192.x.x
network range. Therefore, choosing networks in this range may cause conflicts. In that case the service will not start and the plugin will throw an error./etc/wireguard
folder the generated configuration file that the service is using.
Tip: Use templates to automatically generate keys. | |
If you are creating a custom tunnel from scratch and want to avoid creating the keys manually, you can create a tunnel and a client (or several) and use them as templates: Create a tunnel in the Tunnels tab and activate it and create a client in the Clients tab and activate it. In the Tunnels tab, select the tunnel you have created and click the Tunnel Config button. Copy the text to the clipboard and go to the Custom Config tab. Create a new tunnel and paste the text in the dialog box. Save the changes without activating the tunnel. Go to the Clients tab and select the client you have created. Click the Client Config button and copy the text to a text file. This will be the starting point with the keys for your peer. Delete the generated client and tunnel that you used as templates. You are now ready to edit your custom tunnel and activate it. Modifies the range of networks to move away from the networks generated by the plugin. Modify the rest of the parameters according to your needs. |
Note | |
In the procedures section of this document there is a procedure to create a point-to-point tunnel. |
Note | |
The plugin enables IP forwarding on the host by default. So it is not necessary to add any sysctl -w net.ipv4.ip_forward=1 type instruction in the interface.
|
Note | |
Depending on your router settings, the connection may not work if you are connected by Wi-Fi on the same network as the server. You can disable the Wi-Fi connection of the smartphone in this case and connect with data on the smartphone. This way you can test your connection. |
Note | |
Depending on your router settings, the connection may not work if the PC is connected to the same network as the server. If the PC has Wi-Fi, you can share a data connection via Wi-Fi from the smartphone and connect to it from the PC. This way you can test your connection. |
Useful if you connect to a remote network but at the same time want to access your local network. This can be achieved if the network ranges are different on these two networks.
0.0.0.0/0
means all IP addresses, that is, all traffic.0.0.0.0/0
to something else will restrict tunnel traffic to the specified IP range. For example, if you only want to forward traffic to access your 192.168.1.x network you can specify 192.168.1.0/24
(This includes all IPs between 192.168.1.1 and 192.168.1.254)Wireguard's point-to-point configuration creates a remote connection between two peers so that they can only communicate with each other, without sharing any other points on the local network of each peer.
It's a simple setup, each peer can only see the IP of the other peer. The rest of the IPs of the local network are restricted in this connection. Logically, each peer can access all the ports of the other peer, therefore it is able to access all its services on that IP.
One of the two peers is the one that opens the connection with the other peer and keeps it open so that the other peer can also link. We will see it later.
The point-to-point configuration is useful, for example, in situations where you need to create remote backup jobs from one server to another. For example, a peer can access an rsync module created by the other peer if given the credentials to do so.
The procedure is the next:
[Interface]
PrivateKey = Uses the previously generated TUNNEL PRIVATE KEY
ListenPort = 51500
Address = 10.15.15.1/32
[Peer]
PublicKey = Uses the previously generated CLIENT PUBLIC KEY
AllowedIPs = 10.15.15.2/32
/32
for Netmask. This will ensure that the peer will only access the IP of the server.
[Interface]
PrivateKey = Uses the previously generated CLIENT PRIVATE KEY
ListenPort = 51500
Address = 10.15.15.2/32
[Peer]
PublicKey = Use the previously generated TUNNEL PUBLIC KEY
AllowedIPs = 10.15.15.1/32
Endpoint = mydomain.com:51500
PersistentKeepalive = 25
You just need to make sure that the port set is open on both routers and that the domain point set on the peer 2 points to the public IP of the peer 1.
If you are sure of the above, the point-to-point tunnel is established. You can check this in the CLI from the first peer by running ping 10.15.15.2
and from the second peer by running ping 10.15.15.1
or whatever subnet you have set. The response should be something similar to this:
ping 10.15.15.1 (10.15.15.1) 56 (84) bytes of data.
64 bytes from 10.15.15.1: icmp_seq = 1 ttl = 64 time = 30.6 ms
64 bytes from 10.15.15.1: icmp_seq = 2 ttl = 64 time = 30.7 ms
64 bytes from 10.15.15.1: icmp_seq = 3 ttl = 64 time = 29.6 ms
64 bytes from 10.15.15.1: icmp_seq = 4 ttl = 64 time = 28.9 ms
^ C
--- 10.15.15.1 ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 8ms
rtt min / avg / max / mdev = 28.877 / 29.934 / 30.677 / 0.775 ms
If it doesn't work check your domain and check that the ports are open on both routers.
Wireguard is characterized by being a silent connection. In the above case, only one of the two peers can initiate the connection since the other peer does not have an endpoint. Therefore, to allow the initiation of the connection from both peers, one of them must keep the connection open by sending a packet every so often (PersistentKeepalive).
We can achieve that the tunnel behaves silently when there is no communication and that both peers can initiate the connection, for this we must establish an Endpoint in each of the two peers. Of course to achieve this we must have a domain pointing to each server. We will call them in this case peer1.mydomain.com and peer2.mydomain.com
The previous configuration would look like this:
Peer 1.
[Interface]
PrivateKey = xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
ListenPort = 51500
Address = 10.15.15.1/32
[Peer]
PublicKey = xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
AllowedIPs = 10.15.15.2/32
Endpoint = peer2.mydomain.com:51500
Peer 2.
[Interface]
PrivateKey = xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
ListenPort = 51500
Address = 10.15.15.2/32
[Peer]
PublicKey = xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
AllowedIPs = 10.15.15.1/32
Endpoint = peer1.mydomain.com:51500
The above configuration allows the peers to talk to each other on any port. If you need it, you can restrict these communications to one or more ports using iptables as a firewall. This will cause each of the peers to reject any communication outside of what we need to establish.
Suppose we are setting up this tunnel to perform rsync synchronization from a module that supports connections on port 873 (you can customize it). In this case, it would be desirable for each server to only allow connections to that port, denying connections to any other service.
Suppose we have called the interface of each peer pp_peer1 in the plugin GUI. The plugin will end up calling that interface wgnet_pp_peer1. Similarly, in peer 2 the interface will be called wgnet_pp_peer2.
The configuration of the previous section would look like this after applying the iptables rules:
Peer 1.
[Interface]
PrivateKey = xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
ListenPort = 51500
Address = 10.15.15.1/32
# Firewall
PreUp = iptables -A INPUT -i wgnet_pp_peer1 -m state --state ESTABLISHED,RELATED -j ACCEPT
PreUp = iptables -A INPUT -i wgnet_pp_peer1 -m state --state NEW -p tcp --dport 873 -j ACCEPT
PreUp = iptables -A INPUT -i wgnet_pp_peer1 -j REJECT
PostDown = iptables -D INPUT -i wgnet_pp_peer1 -m state --state ESTABLISHED,RELATED -j ACCEPT
PostDown = iptables -D INPUT -i wgnet_pp_peer1 -m state --state NEW -p tcp --dport 873 -j ACCEPT
PostDown = iptables -D INPUT -i wgnet_pp_peer1 -j REJECT
[Peer]
PublicKey = xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
AllowedIPs = 10.15.15.2/32
Endpoint = peer2.mydomain.com:51500
Peer 2.
[Interface]
PrivateKey = xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
ListenPort = 51500
Address = 10.15.15.2/32
# Firewall
PreUp = iptables -A INPUT -i wgnet_pp_peer2 -m state --state ESTABLISHED,RELATED -j ACCEPT
PreUp = iptables -A INPUT -i wgnet_pp_peer2 -m state --state NEW -p tcp --dport 873 -j ACCEPT
PreUp = iptables -A INPUT -i wgnet_pp_peer2 -j REJECT
PostDown = iptables -D INPUT -i wgnet_pp_peer2 -m state --state ESTABLISHED,RELATED -j ACCEPT
PostDown = iptables -D INPUT -i wgnet_pp_peer2 -m state --state NEW -p tcp --dport 873 -j ACCEPT
PostDown = iptables -D INPUT -i wgnet_pp_peer2 -j REJECT
[Peer]
PublicKey = xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
AllowedIPs = 10.15.15.1/32
Endpoint = peer1.mydomain.com:51500
Be sure to bring the interface down before making iptables changes and then bring it back up to avoid orphan rules being left active.
If you need to add more than one port to the tunnel, for example ports 80 and 443 on peer1, you can replace the second and fifth lines of iptables with these:
PreUp = iptables -A INPUT -i wgnet_pp_peer1 -m state --state NEW -p tcp -m multiport --dports 80,443 -j ACCEPT
PostDown = iptables -D INPUT -i wgnet_pp_peer1 -m state --state NEW -p tcp -m multiport --dports 80,443 -j ACCEPT
If you need a domain there are many ways to get it. One of them is provided by duckdns.org for free.
If your IP is dynamic, the most usual, it can change at any time. If this happens you will lose the connection because the domain will be forwarded to an IP that is no longer your server's. To solve this duckdns also provides a simple dynamic public IP update system.
The original instructions can be seen here. www.duckdns.org/install.jsp. The procedure installs a small file that must be executed from time to time. In each execution it sends the current IP and compares it with the one configured in the domain, if it is different it updates it.
Instead we will use the scheduled task execution in the OMV GUI to execute the instruction directly.
To configure it do the following:
curl
installed on your system. If you do not have it installed you can do it from here. If you already have it installed, skip the following substeps.curl
:apt install curl
command.curl
package on the system. Now select the task again and press the Edit button. Delete the apt install curl
command you wrote earlier.
echo url="https://www.duckdns.org/update?domains=MY_DOMAIN&token=MY_TOKEN&ip=" | curl -k -o /var/log/duck.log -K -
MY_DOMAIN
with the subdomain you chose in “MY_DOMAIN
.duckdns.org”.MY_TOKEN
with the token that has been assigned to your duckdns account.Duckdns_DDNS
.
Note | |
This task will create a log file at /var/log/duck.log. |
Set the value AllowedIPs = 0.0.0.0/0
and check if you have access. If so, you can now proceed to customize the network range. If after customizing the network range you lose access, you haven't done it right.
If you need two accesses from two or more clients, you must configure a different connection for each client. If you establish the same configuration on different clients, only one of them will work, they will never work simultaneously.
Sometimes domain name resolution may not work. If this is the case, try accessing through your server's IP instead of the domain name.
If you can access your local network from the client but cannot access the internet, try splitting the tunnel traffic. Connections directed to your local network would go through the Wireguard tunnel, the rest of the connections would go through your smartphone's standard network interface accessed by the laptop. To do that you must do it like this:
AllowedIPs = 0.0.0.0/0
with this AllowedIPs = 192.168.1.0/24
(assuming that the scope of your local network is that, adapt it to your case)
We, who support the openmediavault project, hope you’ve found this guide to be useful and that you’ll find your openmediavault server to be efficient, easy to use, and enjoyable.
If you found this plugin guide to be helpful, please consider a modest donation to support the hosting costs of this server.
OMV-Extras.org