module:wireguard


WireGuard (VPN)

The UI used for WireGuard, WG Manager, seems to be discontinued and isn't working properly. I hope to implement another UI soon.

This package provides WireGuard on NethServer.

Install the mrmarkuz repo.

Install nethserver-wireguard:

yum -y --enablerepo=mrmarkuz install nethserver-wireguard

A dedicated virtual host is needed for WG Manager.

config setprop wg-manager VirtualHost subdomain.domain.tld
signal-event nethserver-wireguard-update

Go to https://subdomain.domain.tld and log in with the username wg-manager and the wg-manager secret found in

/var/lib/nethserver/secrets/wg-manager

WireGuard uses interfaces (wg0, wg1, etc.) and peers (machines connecting to the WireGuard VPN).

Expand “Interface Creation” at the top of the page. You need to enable IPv6 due to a bug in the UI. The Allowed IPs are the routes that are created; an Allowed IP of 0.0.0.0/0 sets the default route, so all traffic is directed through the VPN.

Create interface

Add a new peer.

Add new peer

Modify the peer settings, such as the name. You may add a pre-shared key for the peers, but it's optional.

Peer settings

Start the VPN interface.

Start the interface

You may use the QR codes or export functions to deploy your clients.

At the top right, there's the user menu:

To add a user go to “Edit user”.

Modify full name, username, email and password as needed. There's a bug regarding the mail address: it's limited to 20 characters. When finished, click “Edit user”. Nothing visibly happens, but the user is created. You may log out and log in with the new user.

In the interface settings there are PostUp and PostDown scripts:

{{:module:screenshot7.png?400|}}

iptables -A FORWARD -i %i -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE; ip6tables -A FORWARD -i %i -j ACCEPT; ip6tables -t nat -A POSTROUTING -o eth0 -j MASQUERADE;

Change eth0 to the interface on which you want to allow VPN traffic, usually the LAN interface.
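The following is an added example, not code from nethserver-wireguard or WG Manager. It builds the PostUp string shown above for a chosen egress interface, derives the matching PostDown string (the same rules with -D instead of -A, so the firewall rules are removed again when the tunnel stops), checks whether an Allowed IPs value will become the default route as described in the interface section, and renders a wg-quick style configuration. The function names, the 10.8.0.0/24 addresses, port 51820 and the key strings are placeholders chosen for the example.

```shell
#!/bin/sh
# Added example (not from the nethserver-wireguard package or WG Manager).
# Assumptions: the egress (LAN) interface and tunnel address are passed in as
# arguments; %i is wg-quick's placeholder for the tunnel interface name and is
# left for wg-quick to expand at PostUp/PostDown time.

# PostUp: accept forwarded traffic arriving on the tunnel and masquerade it
# out of the given egress interface (IPv4 and IPv6), as on the page.
wg_postup() {
  egress="$1"
  printf 'iptables -A FORWARD -i %%i -j ACCEPT; iptables -t nat -A POSTROUTING -o %s -j MASQUERADE; ip6tables -A FORWARD -i %%i -j ACCEPT; ip6tables -t nat -A POSTROUTING -o %s -j MASQUERADE' "$egress" "$egress"
}

# PostDown: every rule appended (-A) in PostUp is deleted (-D) again, so no
# stale FORWARD/MASQUERADE rules stay behind after the interface is stopped.
wg_postdown() {
  wg_postup "$1" | sed 's/ -A / -D /g'
}

# Return 0 (true) when an AllowedIPs value contains a catch-all route, i.e.
# the peer becomes the default route for that address family.
allowed_ips_is_default_route() {
  case ",$(printf '%s' "$1" | tr -d ' ')," in
    *",0.0.0.0/0,"*|*",::/0,"*) return 0 ;;
    *) return 1 ;;
  esac
}

# Render a wg-quick configuration for one interface and one peer.
# Arguments: egress interface, tunnel address, peer public key, peer AllowedIPs.
render_wg_conf() {
  egress="$1"; address="$2"; peer_key="$3"; allowed="$4"
  printf '[Interface]\n'
  printf 'Address = %s\n' "$address"
  printf 'ListenPort = 51820\n'
  printf 'PrivateKey = <server-private-key-placeholder>\n'
  printf 'PostUp = %s\n' "$(wg_postup "$egress")"
  printf 'PostDown = %s\n' "$(wg_postdown "$egress")"
  printf '\n[Peer]\n'
  printf 'PublicKey = %s\n' "$peer_key"
  printf 'AllowedIPs = %s\n' "$allowed"
}

# Usage with placeholder values: masquerade out of eth0, one peer reachable
# at 10.8.0.2 only (no default route is installed for it).
render_wg_conf eth0 10.8.0.1/24 '<peer-public-key-placeholder>' 10.8.0.2/32
```

Run it with `sh` to see the rendered configuration; replace eth0 with your LAN interface as the page instructs. Keeping PostDown as the exact mirror of PostUp is what makes the generated pair safe to use repeatedly: each stop removes precisely the rules the last start added.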

The UI is under development and has a few issues; some of them are already covered by PRs.

  • No autostart of WireGuard
  • No LDAP
  • IPv6 needs to be enabled
  • Don't change the password of the user or the service won't start anymore (it's a bug). As a workaround, delete the database file /opt/wg-manager/database.db and restart the wg-manager service.

Please raise issues on NethServer Community