
[wish] Wireguard

asked 2018-03-31 17:43:15 +0200 by cy8aer

updated 2018-05-31 08:20:53 +0200 by molan

It would be nice to have WireGuard (https://www.wireguard.com) implemented for all Sailfish OS devices. WireGuard is a very modern VPN system running mostly in the kernel, and because it uses ChaCha20 for the payload it is very fast without hardware acceleration.

Because there are endpoint implementations for e.g. OpenWrt and EdgeRouters, this would be a cool alternative to OpenVPN.

WireGuard needs kernel modules and a user space program.

[Update] additional information at Easterhegg 18 (in German...):

https://pretalx.eh18.easterhegg.eu/eh18/talk/BFFC3X/

https://media.ccc.de/v/BFFC3X

[Update] And when you do it, implement it for v6 too.


Comments


@Edz: too early for writing right english today ;-)

cy8aer ( 2018-03-31 17:53:04 +0200 )

I don't know it, but another open-source alternative to OpenVPN? I'd vote for that.

kaktux ( 2018-04-01 12:24:43 +0200 )

WireGuard requires at least Linux kernel version 3.10; it will be mainlined in Linux 5.6 in a few weeks.

If Jolla won't allow kernel modules loading, then we will have to resort to userland versions.

Alfonso ( 2019-12-27 10:00:06 +0200 )

Connman 1.38 now supports WireGuard (source) but it doesn't help that much because the kernel bits are missing... :(

Direc ( 2020-02-19 11:21:51 +0200 )

5 Answers


answered 2019-02-06 12:55:18 +0200 by mcencora

updated 2019-06-04 15:10:44 +0200

I managed to get WireGuard running on Sailfish X. I used the userspace Go-based implementation of WireGuard available here: https://git.zx2c4.com/wireguard-go/about/.

Instructions

Inside the Sailfish SDK docker:

  • download the golang i386 compiler https://dl.google.com/go/go1.11.5.linux-386.tar.gz
  • unpack to /usr/local/, add /usr/local/go/bin to PATH
  • download and extract the wireguard-go sources
  • cross-compile for ARMv7 hard-float: GOOS=linux GOARCH=arm make
  • a single statically linked executable 'wireguard-go' is generated
  • extract the wg utility from the Ubuntu wireguard PPA and libmnl0 from the main repo

Push 'wireguard-go', 'wg' and 'libmnl0.so' onto your phone, and enjoy WireGuard VPN.

Update

Here is prepared 'package' with all needed binaries, scripts and systemd files: wireguard.tar.gz

If you create a proper configuration file for the given WireGuard interface (e.g. /etc/default/wg0.conf), then you can enable automatic startup with:

systemctl enable wg-quick@wg0.service
systemctl start wg-quick@wg0.service

If the given endpoint has a dynamic IP, you can force automatic re-resolution of the endpoint DNS name (currently refreshes every 6 hours):

systemctl enable wireguard_reresolve-dns.timer
systemctl start wireguard_reresolve-dns.timer

or trigger it manually:

systemctl start wireguard_reresolve-dns.service

If you are configuring WireGuard manually, don't forget to set the WG_I_PREFER_BUGGY_USERSPACE_TO_POLISHED_KMOD=1 env var before running 'wireguard-go' or 'wg-quick'.


Comments

Unfortunately the link expired. Any chance you might be able to upload it somewhere more permanent, or just re-upload it on filebin (and I'll try to find a more permanent place for it, if you don't mind)?

mynameisnotimportant ( 2019-04-20 05:08:19 +0200 )

Thank you for your work. I just tried to install your prepared package and it looks promising. Unfortunately it aborts when I try to start wg-quick@wg0.service, with an error:

/usr/bin/wg-quick: line 31: resolvconf: command not found

With pkcon I can't find resolvconf to install. So what did I miss? How can I resolve this dependency?

nasi ( 2020-02-05 17:29:23 +0200 )

Hi.

Thank you very much for this guide. I made it work together with my OpenWrt-powered router and everything works as expected.

But there is one thing I didn't manage to fix. I cannot access the device via ssh when WireGuard is enabled. This also happened when I enabled a VPN connection, and there I was able to enable remote VPN access by editing the file:

/etc/connman/firewall.d/00-devmode-firewall.conf

My problem is that connman is not aware of any available WireGuard connection:

Does anyone know a way to allow incoming ssh connections via WireGuard interfaces?

Regards.

Pasko ( 2020-03-15 21:37:02 +0200 )
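The wg-quick setup in mcencora's answer stands or falls with the contents of wg0.conf, and the thread later notes that AllowedIPs is the confusing part. What follows is an added example, not code from the answer, from wireguard-go, wg-quick or Sailfish: it parses a constructed wg-quick style config (placeholder keys, example hostnames and addresses, all made up here) and models the cryptokey routing WireGuard derives from AllowedIPs, outbound as longest-prefix routing and inbound as a source-address check. It also runs two checks worth doing before `wg-quick up wg0`: a prefix listed under two peers, and a DNS= line, which is exactly what makes wg-quick call the resolvconf that nasi's comment above shows is missing on Sailfish.

```python
"""Added example (not code from this thread, wireguard-go, wg-quick or
Sailfish): WireGuard's cryptokey routing modelled from a wg-quick style
wg0.conf, plus sanity checks to run before 'wg-quick up wg0'. Hostnames,
addresses and keys are constructed; keys are 32 fixed bytes, not real."""
import base64
import ipaddress

PHONE_PRIV = base64.b64encode(bytes([0]) * 32).decode()  # placeholder key
ROUTER_PUB = base64.b64encode(bytes([1]) * 32).decode()  # placeholder key
EXIT_PUB = base64.b64encode(bytes([2]) * 32).decode()    # placeholder key

# Constructed wg0.conf: phone as road warrior. The router peer carries only
# its LAN prefixes; the exit peer holds the catch-all 0.0.0.0/0 and ::/0.
SAMPLE_CONF = f"""
[Interface]
PrivateKey = {PHONE_PRIV}
Address = 10.0.0.2/24, fd00:1::2/64

[Peer]
# home router (OpenWrt)
PublicKey = {ROUTER_PUB}
Endpoint = router.example.net:51820
AllowedIPs = 10.0.0.0/24, 192.168.1.0/24, fd00:1::/64
PersistentKeepalive = 25

[Peer]
# exit node: default route for v4 and v6
PublicKey = {EXIT_PUB}
Endpoint = exit.example.net:51820
AllowedIPs = 0.0.0.0/0, ::/0
"""

def parse_conf(text):
    """INI-like wg-quick format -> (interface dict, [peer dicts]); keys are
    lower-cased and '#' starts a comment, as in wg-quick itself."""
    interface, peers, section = {}, [], None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            if line.lower() not in ("[interface]", "[peer]"):
                raise ValueError(f"unknown section {line}")
            section = interface if line.lower() == "[interface]" else {}
            if section is not interface:
                peers.append(section)
            continue
        key, sep, value = line.partition("=")
        if section is None or not sep:
            raise ValueError(f"unexpected line: {raw!r}")
        section[key.strip().lower()] = value.strip()
    return interface, peers

def decode_key(b64):
    """WireGuard keys are exactly 32 raw bytes, base64-encoded (44 chars)."""
    raw = base64.b64decode(b64, validate=True)
    if len(raw) != 32:
        raise ValueError(f"key is {len(raw)} bytes, expected 32")
    return raw

class CryptokeyRouter:
    """AllowedIPs is a routing table and an ACL at once: an outbound packet
    goes to the peer with the longest matching prefix, and a decrypted packet
    is accepted only if its inner source maps back to the peer it came from."""

    def __init__(self, peers):
        self.table = []  # (network, peer public key); the kernel uses a trie
        for peer in peers:
            decode_key(peer["publickey"])
            for cidr in peer["allowedips"].split(","):
                net = ipaddress.ip_network(cidr.strip(), strict=False)
                self.table.append((net, peer["publickey"]))

    def peer_for(self, ip):
        addr, best = ipaddress.ip_address(ip), None
        for net, pub in self.table:
            if net.version == addr.version and addr in net:
                if best is None or net.prefixlen > best[0].prefixlen:
                    best = (net, pub)
        return best[1] if best else None

    def accept_inbound(self, from_pub, inner_src):
        return self.peer_for(inner_src) == from_pub

def check_conf(text):
    """Problems worth flagging before bringing wg0 up."""
    interface, peers = parse_conf(text)
    problems, claimed = [], set()
    for peer in peers:
        for cidr in peer.get("allowedips", "").split(","):
            net = ipaddress.ip_network(cidr.strip(), strict=False)
            if net in claimed:
                problems.append(f"{net} listed under two peers; wg keeps the last")
            claimed.add(net)
    if "dns" in interface:  # wg-quick only invokes resolvconf when DNS= is set
        problems.append("DNS= makes wg-quick call resolvconf, absent on Sailfish")
    return problems
```

With only the router peer configured (a split tunnel), anything outside the LAN prefixes has no peer and never enters the tunnel; with the 0.0.0.0/0 and ::/0 peer present, wg-quick additionally installs the fwmark-based default route. The inbound check is the security-relevant half: a peer cannot inject packets claiming a source address outside its own AllowedIPs, which is also why the full-tunnel exit peer must not be handed the LAN prefix as well. For Pasko's ssh question, wg-quick's PostUp/PostDown keys can run an iptables rule for wg0 when the interface comes up, but whether connman's firewall leaves such a rule in place is not something this thread answers.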

answered 2018-05-28 13:38:49 +0200 by ghling

I totally agree, it would be great to have support for WireGuard. Building the user space program shouldn't be a big issue since the source is available, but since WireGuard needs kernel modules, there really are only two options here:

  • The modules are built into the official SFOS kernel: Definitely the better way to go, since it means WireGuard is available for all users. However, I'd imagine it is not easy to get Jolla to add the modules to the kernel. I'd recommend adding the topic to the next Community Meeting and discussing it there.
  • Custom-built kernels: Probably the easier option, as it can be done by anyone. But it also means that it will probably reach few users (who are willing to replace their official kernel) and requires trust towards the person compiling the kernel, or bigger efforts building your own.

Nevertheless, I also want to state the information from the official WireGuard website:

WireGuard is not yet complete. You should not rely on this code. It has not undergone proper degrees of security auditing and the protocol is still subject to change.

So while it's certainly a good idea to ask Jolla for implementation (as stated above: add it as a topic for the next community meeting), it may be a good idea to wait until WireGuard reaches a stable (and reviewed) state.


Comments

I now tried it out: EdgeRouter, Linux road-warrior notebook. The main problem today is the support in, say, desktop environments: you need to set it up on your own. But when it is running it comes up very fast, your CPUs are happy and it simply works. You need to know what you are configuring (allowed IPs are a bit confusing, or not?), and if this were hidden in the NetworkManager, connman, whatever UI, maybe with QR-code key exchange, then it would be fine for everyday usability.

The Android app (I did not get it working...) says that there is also a user-space version available?

cy8aer ( 2018-05-28 13:52:21 +0200 )

This does not change the fact that WireGuard is still in development. Speed and usability are important factors, I agree with you there. But the most important issue is security, which you can only assume after the security and code audits have been completed. I'm sure the WireGuard team is doing a great job, but everyone can make mistakes; that's why audits exist. But in the end, what good is a VPN which is fast and easy to use when its security is broken (e.g. due to a faulty implementation) and the traffic can be decrypted by an attacker?

ghling ( 2018-05-28 15:42:40 +0200 )

sic! Security is needed...

cy8aer ( 2018-05-28 16:21:57 +0200 )

The thing is, however, that the userspace interfaces aren’t very likely to change since the overall design and configuration is simple. So whether or not the official kernels will ship with a WireGuard module anytime soon, implementing support for it in the GUI should not be hard. NetworkManager added support for it recently while it still can’t deal with OpenVPN properly after all these years. Quite telling :)

And as far as security is concerned, I trust the WireGuard developers more than I trust anybody who believes that having X.509 as part of a design is a good idea. It's very hard to screw up WireGuard's configuration, and that also goes for its inner workings: it only uses one set of crypto primitives in one specific configuration, and changing these means changing the protocol version. It avoids complexity, which makes it much easier to use, review and audit.

WireGuard is also much better suited for use with unstable mobile connections than any other VPN protocol I know of, and it doesn't eat your battery.

mia ( 2018-09-10 14:51:37 +0200 )

answered 2020-04-26 14:13:11 +0200 by TBK

updated 2020-04-26 15:36:31 +0200 by Maus

The latest Sailfish OS release, Rokua (v3.3.0.16), for the XA2 uses kernel version 4.4.194, and ConnMan v1.38 got WireGuard (the correct way to spell it) support built in.

So building the kernel module (https://git.zx2c4.com/wireguard-linux-compat/) and updating ConnMan will resolve the required lower-level OS parts.

For the abstractions, contributions could be made to the following to push this request along:

And at last, for the Sailfish UI, Jolla would have to add that. It should be a comparatively small effort once all the other pieces are in place.


Comments

That's good news, as at least AOSP 8/9-based phones could eventually make use of this technology.

Maus ( 2020-04-26 15:37:29 +0200 )

answered 2019-03-28 22:52:36 +0200 by bomo

updated 2019-07-07 18:55:46 +0200

1.) download and run https://static.rust-lang.org/rustup/dist/armv7-unknown-linux-gnueabihf/rustup-init

2.) run cargo install boringtun. In case it fails, it may be due to this bug. In that case, edit ~/.cargo/registry/src/github.com-<some random stuff>/boring-tun-0.2.0/src/device/tun_linux.rs as described in the linked issue and run cargo install boringtun again.

3.) enjoy boringtun


Comments

Is there any working Rust compiler for Sailfish?

bionade24 ( 2019-05-18 11:25:04 +0200 )

@bionade24 you are asking the real question. Maybe you want to give this a try: http://repo.merproject.org/obs//home:/sfietkonstantin:/sailfish:/rust/

Just noticed that it's empty?! Maybe check https://build.merproject.org/project/show/home:sfietkonstantin and its sub-repos (e.g. devel).

bomo ( 2019-05-18 15:54:11 +0200 )

Is this tested? As I'm currently developing the user interface option for WireGuard, it would maybe be nice to be able to choose between both implementations.

bionade24 ( 2019-07-07 18:40:09 +0200 )

A while ago I successfully cross-compiled Rust programs for both aarch64+musl (no Wayland support because the Sailfish X libraries are 32-bit only) and armv7+glibc. You don't actually need a native Rust compiler on your cellphone. You will have to fiddle with Qt support anyway.

Alfonso ( 2019-12-27 09:48:50 +0200 )

answered 2019-05-27 11:35:25 +0200 by bionade24

The kernels for the Xperias are made by Sony, so this option won't be working in the future. We have to use userspace.


Comments

Well, we don't "need to". The Xperia kernel source is available. But we do "need" to kindly ask Jolla to enable loadable module support in the kernel. Then we can compile and use modules as needed.

Nieldk ( 2019-05-28 20:10:49 +0200 )

I don't believe DKMS is a good idea. And we have to do this for every Sailfish device, even unofficial ports. What's so bad about using userspace? Is there any advantage of the kernel module which can be used in a smartphone?

bionade24 ( 2019-05-28 20:57:59 +0200 )

Sailfish X features a Linux 3.10 kernel; that's exactly the bare minimum to compile the native WireGuard kernel module.

WireGuard will eventually be added to the mainline Linux kernel in 5.6.

Alfonso ( 2019-12-27 09:51:32 +0200 )

Stats

Asked: 2018-03-31 17:43:15 +0200

Seen: 3,802 times

Last updated: Apr 26 '20