
Thread: Issues with configuring wireguard VPN server

  1. #1

    Issues with configuring wireguard VPN server

    I'm trying to configure wireguard vpn on Leap 15.1 and here I have a couple of questions:

    First of all, is there any up-to-date guide on doing it on OpenSuse? If yes, please provide a link and I'll follow the instructions.

    If no, then should I use network-manager or wicked? Most likely I'm doing something incorrectly but currently *for the same wireguard configuration*, in nm mode: Client can ping VPN server and vice versa, but VPN server loses the ability to access its LAN and stops being accessible over ssh. In wicked mode Client can't ping VPN server and VPN server can't ping client but VPN server can access other machines on LAN and is accessible over ssh.

    I feel like there should be some difference in how nm handles firewall/ip-forwarding/whatever in comparison with wicked. I enabled ip forwarding / arp proxy via editing sysctl.conf but does it really have any influence on system behaviour for nm / wicked? Also for simplicity I disabled the firewall via yast.

    I would appreciate any hints on what I'm doing wrong/how to do it properly.
    Last edited by elderorb; 26-Aug-2019 at 10:01. Reason: typo: fireguard => wireguard

  2. #2

    Re: Issues with configuring wireguard VPN server

    I took a look at wireguard vpn, assuming that you're referring to
    https://www.wireguard.com/

    Taking a few minutes to skim the Install, Quick Setup and links for openSUSE, without actually doing the install, I think I understand the whole thing.

    The wireguard vpn is a different way to approach a VPN, instead of using a conventional VPN protocol, the endpoints set up public and private keys similar to how public encryption is commonly done (but wireguard provides this capability on its own for convenience) and uses that to encrypt data between the endpoints.
    It should not make any difference whether you use NM or Wicked to manage your networking, but you should not try to manage your wireguard vpn using NM.

    The wireguard vpn is not managed using NM or any other common management tool,
    You install and set up a special network interface device (The documentation suggests wg0) which looks like a common bridge device commonly used by nearly all virtualization networking, but with the properties associated with the wireguard vpn.

    The result is an "always on" VPN, you simply direct traffic to the NetworkID or address of the other vpn endpoint, and the VPN "just works."

    So,
    This looks like it's pretty easy to set up, particularly if you have had any experience with a networking bridge device like br0 or virbr0.
    But even without that background, if you can follow the steps exactly as described, you can setup... And, if something is not clear then yes, I think that I or others can clear up any problems you might run into.

    The things you should follow or know for openSUSE...

    The Wireguard Install page, execute the commands to add the repo and install the wireguard tools package
    https://www.wireguard.com/install/

    The Wireguard Quick Setup
    In the top video, two peers are displayed side by side setting up each end.
    The second video is setting up only one endpoint.
    Below that, there is some text describing step by step instructions.
    You have your choice of any of the above that describes how to create your public and private keys, create the wg0 interface and configure its properties with the encryption keys, local IP address, routing and remote vpn endpoint.
    https://www.wireguard.com/quickstart/

    You will likely also find the following short Ubuntu guide helpful... it covers specifying the specific UDP port to use and that you need to open a FR port (We have a different procedure on openSUSE). Of course, don't try to use apt to install on openSUSE, but otherwise everything else looks generic to Linux.
    https://www.linode.com/docs/networki...vpn-on-ubuntu/

    Post if you have any questions, there are details involved in setting up but nothing looks mysterious.

    TSU

  3. #3

    Re: Issues with configuring wireguard VPN server

    Right, at first look it seems like an easy task, but for some reason it doesn't work for me. Maybe this is not an issue with opensuse at all, but rather with my network topology (or lack of knowledge in this area) - this is something I plan to verify sooner or later using a separate VM with Ubuntu....

    But... What seems weird to me is why I see a difference in behaviour in 'nm' mode and 'wicked' mode. Just to clarify, I'm not using any wireguard plugins for 'nm' or something. I'm using 'wg-quick up wg0'. What I mean by 'nm' mode is just selecting 'nm' in yast.

    Again, as I said previously:

    nm mode:

    Client can ping VPN server and vice versa, but VPN server loses the ability to access its LAN and stops being accessible over ssh.

    wicked mode:

    In wicked mode Client can't ping VPN server and VPN server can't ping client but VPN server can access other machines on LAN and is accessible over ssh



    Could you please comment on this? Where does this difference come from? I suspect that *maybe* ip forwarding is not applied at all (or needs to be configured in a different way) for nm or wicked. Or maybe one of these services doesn't respect the disabled firewall or even has its own firewall on top which I'm not aware of so can't even disable. I mean there should be some reason for the difference.


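The thread describes a server that loses access to its LAN once `wg-quick up wg0` runs; because wg-quick adds a route through wg0 for each peer's AllowedIPs prefix, one thing that can be checked offline is whether any prefix in the config competes with the LAN route. The following Python script is an added example, not part of the original thread: it parses a wg-quick config and flags Address/AllowedIPs prefixes that overlap a given LAN subnet. The sample config, the 192.168.1.0/24 LAN and the function names are constructed assumptions.

```python
import ipaddress

# Constructed sample wg-quick config for the server; keys are placeholders.
SAMPLE_CONF = """\
[Interface]
Address = 10.0.0.1/24
ListenPort = 51820
PrivateKey = <server-private-key>

[Peer]
PublicKey = <client-public-key>
AllowedIPs = 10.0.0.2/32, 192.168.1.0/24
"""

def parse_prefixes(conf_text):
    """Return (key, network) pairs for every Address / AllowedIPs entry."""
    found = []
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments
        if "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        if key.lower() not in ("address", "allowedips"):
            continue
        for item in value.split(","):
            if item.strip():
                # strict=False: "10.0.0.1/24" is a host inside 10.0.0.0/24
                found.append((key, ipaddress.ip_network(item.strip(), strict=False)))
    return found

def lan_conflicts(conf_text, lan_cidr):
    """List prefixes whose wg0 route would compete with the LAN route."""
    lan = ipaddress.ip_network(lan_cidr, strict=False)
    report = []
    for key, net in parse_prefixes(conf_text):
        if net.version != lan.version:
            continue
        if net.prefixlen == 0:
            # wg-quick treats a /0 AllowedIPs as a default route and uses
            # policy routing for it instead of a plain route.
            report.append((key, str(net), "default-route"))
        elif net.overlaps(lan):
            report.append((key, str(net), "overlaps-lan"))
    return report

if __name__ == "__main__":
    for key, net, kind in lan_conflicts(SAMPLE_CONF, "192.168.1.0/24"):
        print(f"{key} {net}: {kind}")
```

An empty result only rules out this one cause; the live state can then be compared in both modes with `ip route show`, `ip rule show` and `sysctl net.ipv4.ip_forward`.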
