Ask / Submit
36

[wish] Wireguard

asked 2018-03-31 17:43:15 +0300

cy8aer gravatar image

updated 2018-05-31 08:20:53 +0300

molan gravatar image

It would be nice to have Wireguard (https://www.wireguard.com) implemented for all Sailfishos devices. Wireguard is a very modern vpn system running in kernel mostliy and because of chacha20 for payload this is very fast without hardware acceleration.

Because there are endpoint implementations for e.g. openwrt and edgerouters this would be a cool alternative to openvpn.

Wireguard needs kernel modules and a user space program.

[Update] additional information at easterhegg 18 (in german...):

https://pretalx.eh18.easterhegg.eu/eh18/talk/BFFC3X/

https://media.ccc.de/v/BFFC3X

[Update] And when you do it, implement it for v6 too.

edit retag flag offensive close delete

Comments

1

@Edz: too early for writing right english today ;-)

cy8aer ( 2018-03-31 17:53:04 +0300 )edit

i dont know it. but another open source alternative to openvpn- id vote for that.

kaktux ( 2018-04-01 12:24:43 +0300 )edit

4 Answers

Sort by » oldest newest most voted
12

answered 2019-02-06 12:55:18 +0300

mcencora gravatar image

updated 2019-06-04 15:10:44 +0300

I managed to get wireguard running on Sailfish X. I used userspace go-based implementation of wireguard available here https://git.zx2c4.com/wireguard-go/about/.

Instructions

Inside Sailfish SDK docker:

  • download golang i386 compiler https://dl.google.com/go/go1.11.5.linux-386.tar.gz
  • unpack to /usr/local/, add PATH to /usr/local/go/bin
  • download and extract wireguard-go sources
  • cross compile to ARMHFv7: GOOS=linux GOARCH=arm make
  • single statically-linked executable is generated 'wireguard-go'
  • extract wg utility from Ubuntu wireguard-ppa and libmnl0 from main repo

Push 'wireguard-go', 'wg' and 'libmnl0.so' on your phone, and enjoy wireguard vpn.

Update

Here is prepared 'package' with all needed binaries, scripts and systemd files: wireguard.tar.gz

If you create proper configuration file for given wireguard interface (e.g. /etc/default/wg0.conf) then you can enable automatic startup with:

systemd enable wg-quick@wg0.service
systemd start wg-quick@wg0.service

If given endpoint has dynamic IP, you can force automatic refresh of endpoint DNS (currently refreshes every 6 hours):

systemd enable wireguard_reresolve-dns.timer
systemd start wireguard_reresolve-dns.timer

or trigger it manually:

systemd start wireguard_reresolve-dns.service

If you are configuring wireguard manually don't forget to set WG_I_PREFER_BUGGY_USERSPACE_TO_POLISHED_KMOD=1 env var before running 'wireguard-go', or 'wg-quick'.

edit flag offensive delete publish link more

Comments

Unfortunately the link expired. Any chance you might be able to upload it somewhere more permanent, or just re-upload it on filebin (and I'll try to find a more permanent place for it (if you don't mind)?)

mynameisnotimportant ( 2019-04-20 05:08:19 +0300 )edit
3

answered 2018-05-28 13:38:49 +0300

ghling gravatar image

I totally agree, it would be great to have support for Wireguard. Building the user space program shouldn't be a big issue since the source is available, but since Wiregurad needs kernel modules, there really are only two options here:

  • The modules are built into the official SFOS kernel: Definitely the better way to go, since it means Wireguard is available for all users. However, I'd imagine it is not easy to get Jolla into adding the modules to the kernel. I'd recommend adding the topic to the next Community Meeting and discussing it there.
  • Custom-build kernels: Probably the easier option, as it can be done by anyone. But it also means that it probably will reach few users (who are willing to replace their official kernel) and requires trust towards the person compiling the kernel or bigger efforts building your own one.

Nevertheless, I also want to state the information from the official Wireguard website:

WireGuard is not yet complete. You should not rely on this code. It has not undergone proper degrees of security auditing and the protocol is still subject to change.

So while it's certainly a good idea asking Jolla for implementation (as stated above: add it as topic for the next community meeting), it may be a good idea to wait until Wireguard reaches a stable (and reviewed) state.

edit flag offensive delete publish link more

Comments

I now tried it out: Edgerouter, linux road warrior notebook. The main problem today is the support in - say - desktop environments. you need to set it up by your own. But when it is running it is building up very fast, your cpus are happy and it simply works. You need to know what you are configuring (allowed ips are a bit confusing - or not??) and if this would be hidden in the network manager, connman, whatever ui - maybe with qrcode key exchange - than it would be fine for every day usability.

The android app (I did not get it working...) says that there is also a fuser space version available?

cy8aer ( 2018-05-28 13:52:21 +0300 )edit
1

This does not change the fact that Wireguard is still in development. Speed and usability is an important factor, I agree with you there. But the most important issue is security which you can one assume after the security and code audits were completed. I'm sure the Wireguard team is doing a great job, but everyone can make mistakes, that's why audits exist. But in the end, what good is a VPN which is fast and easy to use when it's security is broken (e.g. due to a faulty implementation) and the traffic can be decrypted by an attacker?

ghling ( 2018-05-28 15:42:40 +0300 )edit

sic! Security is needed...

cy8aer ( 2018-05-28 16:21:57 +0300 )edit
1

The thing is, however, that the userspace interfaces aren’t very likely to change since the overall design and configuration is simple. So whether or not the official kernels will ship with a WireGuard module anytime soon, implementing support for it in the GUI should not be hard. NetworkManager added support for it recently while it still can’t deal with OpenVPN properly after all these years. Quite telling :)

And as far as security is concerned, I trust the WireGuard developers more than I trust anybody who believes that having x.509 as part of a design is a good idea. It’s very hard to screw up WireGuard’s configuration, and that also goes for its inner workings: It only uses one set of crypto primitives in one specific configuration, and changing these means changing the protocol version. It avoids complexity, which makes it much easier to use, review and audit.

WireGuard is also much better suited for use with unstable mobile connections than any other VPN protocol I know of, and it doesn’t eat your battery.

lachs0r ( 2018-09-10 14:51:37 +0300 )edit
1

answered 2019-03-28 22:52:36 +0300

bomo gravatar image

updated 2019-07-07 18:55:46 +0300

1.) download and run https://static.rust-lang.org/rustup/dist/armv7-unknown-linux-gnueabihf/rustup-init

2.) run cargo install boringtun. It case it fails, it may be due to this bug. In this case, edit ~/.cargo/registry/src/github.com-<some random stuff>/boring-tun-0.2.0/src/device/tun_linux.rs as said the linked issue and run cargo install boringtun again.

3.) enjoy boringtun

edit flag offensive delete publish link more

Comments

Is there any working Rust compiler for Sailfish?

bionade24 ( 2019-05-18 11:25:04 +0300 )edit

@bionade24 you are asking the real question. Maybe you want to give this a try: http://repo.merproject.org/obs//home:/sfietkonstantin:/sailfish:/rust/

Just noticed that its empty?! Maybe check https://build.merproject.org/project/show/home:sfietkonstantin and its sub-repos (e.g. devel)

bomo ( 2019-05-18 15:54:11 +0300 )edit

Is this tested? As I curently develop the user itnerface option for wireguard, it would maybe nice to can choose between both implementations.

bionade24 ( 2019-07-07 18:40:09 +0300 )edit
0

answered 2019-05-27 11:35:25 +0300

bionade24 gravatar image

The Kernels for the Xperias are made by Sony, so this option won't be working in the future. We have to use userspace.

edit flag offensive delete publish link more

Comments

Well, we dont “need to”. The Xperia kernel source is available. But we do “need” to kindly ask Jolla to enable loadable Module support in the kernel. Then, we can compile and use modules as-needed.

Nieldk ( 2019-05-28 20:10:49 +0300 )edit

I don't believe DKMS is a good idea. And we have to do this for every sailfish device, even unofficial ports. What's so bad about using userspace? Is there any andavantage of the kernel module which can be used in a smartphone?

bionade24 ( 2019-05-28 20:57:59 +0300 )edit
Login/Signup to Answer

Question tools

Follow
13 followers

Stats

Asked: 2018-03-31 17:43:15 +0300

Seen: 1,858 times

Last updated: Jul 07