Issues with configuring wireguard VPN server

I’m trying to configure wireguard vpn on Leap 15.1 and here I have a couple of questions:

First of all, is there any up-to-date guide on doing it on OpenSuse? If yes, please provide a link and I’ll follow the instructions.

If no, then should I use network-manager or wicked? Most likely I’m doing something incorrectly, but currently for the same wireguard configuration, in nm mode: Client can ping VPN server and vice versa, but VPN server loses ability to access its LAN and stops being accessible over ssh. In wicked mode Client can’t ping VPN server and VPN server can’t ping client, but VPN server can access other machines on LAN and is accessible over ssh.

I feel like there should be some difference in how nm handles firewall/ip-forwarding/whatever in comparison with wicked. I enabled ip forwarding / arp proxy via editing sysctl.conf, but does it really have any influence on system behaviour for nm / wicked? Also for simplicity I disabled the firewall via yast.

I would appreciate any hints on what I’m doing wrong/how to do it properly.

I took a look at wireguard vpn, assuming that you’re referring to
https://www.wireguard.com/

Taking a few minutes to skim the Install, Quick Setup and links for openSUSE, without actually doing the install, I think I understand the whole thing.

The wireguard vpn is a different way to approach a VPN, instead of using a conventional VPN protocol, the endpoints set up public and private keys similar to how public encryption is commonly done (but wireguard provides this capability on its own for convenience) and uses that to encrypt data between the endpoints.
It should not make any difference whether you use NM or Wicked to manage your networking, but you should not try to manage your wireguard vpn using NM.

The wireguard vpn is not managed using NM or any other common management tool.
You install and set up a special network interface device (the documentation suggests wg0) which looks like a common bridge device, as used by nearly all virtualization networking, but with the properties associated with the wireguard vpn.

The result is an “always on” VPN, you simply direct traffic to the NetworkID or address of the other vpn endpoint, and the VPN “just works.”

So,
This looks like it’s pretty easy to set up, particularly if you have had any experience with a networking bridge device like br0 or virbr0.
But even without that background, if you can follow the steps exactly as described, you can set it up… And, if something is not clear then yes, I think that I or others can clear up any problems you might run into.

The things you should follow or know for openSUSE…

The Wireguard Install page: execute the commands to add the repo and install the wireguard tools package.
https://www.wireguard.com/install/

The Wireguard Quick Setup
In the top video, two peers are displayed side by side setting up each end.
The second video is setting up only one endpoint.
Below that, there is some text describing step by step instructions.
You have your choice of any of the above that describes how to create your public and private keys, create the wg0 interface and configure its properties with the encryption keys, local IP address, routing and remote vpn endpoint.
https://www.wireguard.com/quickstart/

You will likely also find the following short Ubuntu guide helpful… it covers specifying the specific UDP port to use and that you need to open a FW port (we have a different procedure on openSUSE). Of course, don’t try to use apt to install on openSUSE, but otherwise everything else looks generic to Linux.
https://www.linode.com/docs/networking/vpn/set-up-wireguard-vpn-on-ubuntu/

Post if you have any questions, there are details involved in setting up but nothing looks mysterious.

TSU

Right, at first look it seems like an easy task, but for some reason it doesn’t work for me. Maybe this is not an issue with opensuse at all, but rather with my network topology (or lack of knowledge in this area) - this is something I plan to verify sooner or later using a separate VM with Ubuntu…

But… What seems weird to me is why I see a difference in behaviour in ‘nm’ mode and ‘wicked’ mode. Just to clarify, I’m not using any wireguard plugins for ‘nm’ or anything like that. I’m using ‘wg-quick up wg0’. What I mean by ‘nm’ mode is just selecting ‘nm’ in yast.

Again, as I said previously:

nm mode:

Client can ping VPN server and vice versa, but VPN server loses ability to access its LAN and stops being accessible over ssh.

wicked mode:

Client can’t ping VPN server and VPN server can’t ping client, but VPN server can access other machines on LAN and is accessible over ssh.

Could you please comment on this? Where does this difference come from? I suspect that maybe ip forwarding is not applied at all (or needs to be configured in a different way) for nm or wicked. Or maybe one of these services doesn’t respect the disabled firewall, or even has its own firewall on top which I’m not aware of, so I can’t even disable it. I mean, there should be some reason for the difference.
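An added example, not code from this thread and not part of WireGuard or wg-quick, that relates to the wg0 configuration step in TSU’s post (keys, local address, routing, remote endpoint) and to the “server loses its LAN” symptom above. In WireGuard, a peer’s AllowedIPs is both the access list for that peer and the routing table for the tunnel, and wg-quick installs a kernel route for every AllowedIPs entry when you run ‘wg-quick up wg0’. The script parses a wg-quick style wg0.conf, lists the routes wg-quick will derive from it, and compares them against the LAN prefix the server has to keep reaching. The sample config, the keys and the LAN prefix are constructed placeholders; the thread does not say which AllowedIPs were used, so this is a check to run, not a diagnosis.

```python
"""Parse a wg-quick style wg0.conf and compare the routes that wg-quick
derives from AllowedIPs with the LAN prefix the host must keep reaching.
Added example; sample config, keys and LAN prefix are constructed."""

import ipaddress
from typing import Dict, List, Tuple

# Constructed server-side sample. Keys are placeholders, not real keys.
SAMPLE_CONF = """\
[Interface]
PrivateKey = SERVER_PRIVATE_KEY_PLACEHOLDER
Address = 10.8.0.1/24
ListenPort = 51820

[Peer]
# a road-warrior client: only its own tunnel address is routed to it
PublicKey = CLIENT_PUBLIC_KEY_PLACEHOLDER
AllowedIPs = 10.8.0.2/32

[Peer]
# a site-to-site peer whose AllowedIPs also claims part of our own LAN
PublicKey = SITE_PUBLIC_KEY_PLACEHOLDER
AllowedIPs = 10.8.0.3/32, 192.168.1.128/25
"""

Section = Tuple[str, Dict[str, str]]


def parse_wg_conf(text: str) -> List[Section]:
    """Return (section_name, {key: value}) pairs in file order.
    A small hand-rolled parser is used because configparser rejects the
    repeated [Peer] sections that wg-quick files contain."""
    sections: List[Section] = []
    current = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and whitespace
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            current = (line[1:-1], {})
            sections.append(current)
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)  # base64 keys may end in '='
            current[1][key.strip()] = value.strip()
    return sections


def peer_routes(sections: List[Section]):
    """Every prefix wg-quick will route into the tunnel, tagged with the
    peer it belongs to: one route per comma-separated AllowedIPs entry."""
    routes = []
    for name, kv in sections:
        if name != "Peer":
            continue
        for cidr in kv.get("AllowedIPs", "").split(","):
            cidr = cidr.strip()
            if cidr:
                routes.append((kv.get("PublicKey", "?"),
                               ipaddress.ip_network(cidr, strict=False)))
    return routes


def lan_overlaps(sections: List[Section], lan_cidr: str) -> List[Tuple[str, str, str]]:
    """Compare each tunnel route with the LAN prefix and return
    (peer_pubkey, prefix, relation) for every overlap, where relation is:
      more_specific: the tunnel route wins longest-prefix match, so that
                     slice of the LAN is sent into the tunnel
      same:          the same prefix as the connected LAN route (collides)
      broader:       the connected LAN route still wins longest-prefix match
                     (0.0.0.0/0 and ::/0 are handled by wg-quick through a
                     policy-routing table rather than a plain default route)"""
    lan = ipaddress.ip_network(lan_cidr, strict=False)
    findings = []
    for pubkey, prefix in peer_routes(sections):
        if prefix.version != lan.version or not prefix.overlaps(lan):
            continue
        if prefix.prefixlen > lan.prefixlen:
            relation = "more_specific"
        elif prefix.prefixlen == lan.prefixlen:
            relation = "same"
        else:
            relation = "broader"
        findings.append((pubkey, str(prefix), relation))
    return findings


if __name__ == "__main__":
    sections = parse_wg_conf(SAMPLE_CONF)
    for pubkey, prefix in peer_routes(sections):
        print(f"wg-quick will add: {prefix} dev wg0  (peer {pubkey})")
    for pubkey, prefix, relation in lan_overlaps(sections, "192.168.1.0/24"):
        print(f"overlap with LAN: {prefix} from peer {pubkey} is {relation}")
```

To use it on a real box, read /etc/wireguard/wg0.conf instead of SAMPLE_CONF and pass the server’s actual LAN prefix. After ‘wg-quick up wg0’, ‘wg show’ and ‘ip route’ (plus ‘ip rule’ when a peer has 0.0.0.0/0) show what was actually installed, which is what to compare between the nm and wicked runs.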