OpenVPN or Wireguard tutorial?

Could someone point me to a tutorial for getting OpenVPN working on a Vero 4K+? If possible I’d like to be able to turn it on and off from inside the Kodi UI.

EDIT: We seem to have ended up talking about Wireguard quite a lot in this thread, too, so I’ve amended the subject line.

What do you want OpenVPN for?

IMHO, wireguard is way easier to set up. Kind of like SSH for network connections.
And there are several nice UIs (web-based) you can use to manage the users/accesses on it.


Feel free to point me towards a Wireguard tutorial as well. 🙂

For the Wireguard installation: How To Set Up WireGuard on Ubuntu 20.04 | DigitalOcean (My firewall runs ubuntu, so that’s why I have that one).

For the UI: GitHub - ngoduykhanh/wireguard-ui: Wireguard web interface

Since I discovered it, I leave the openvpn stuff on but only because legacy!

That’s about ten times more complex than I can possibly handle: for starters, I don’t have anything else I could run a Wireguard server on. I just need a way to run a VPN client on the Vero 4K+ itself that can connect to a commercial VPN service (I’m trying Surfshark at the moment).

For a client, yes. Even though wireguard for a client is about copying a wg.conf file into /etc/wireguard and starting the wireguard service (if they - commercial VPN - have it).

@angry.sardine this should handle all your needs!

Matrix version:

Hey Tom
I just wrote a tutorial and posted it a few minutes ago.
Everything works except I can’t get it to autostart at boot time and pick up Surfshark’s DNS servers. Give it a try.

Would this work on a Vero 4K as well?

Hi angry.sardine,

Both should work fine. For wireguard if you are running the latest osmc update, don’t install the backport repositories as they are not needed and are for buster.

Regards Tom.

just in case somebody stumbles over this topic trying to configure wireguard (as I did) and hitting a dead end as the pastes in the linked thread are down by now (as expected), I share with you my pseudo-tutorial (what eventually worked for me) to set up a Vero as a WireGuard “client”:

ssh to your Vero
first we install wireguard and openresolv, which you need if you want to provide a DNS in your conf

sudo apt install wireguard-tools
sudo apt install openresolv

now we configure the client (you can name wg0 however you want, just change it accordingly in the following):

sudo nano /etc/wireguard/wg0.conf

paste the config, save and exit nano
you can now establish and test the connection with

sudo wg-quick up wg0
sudo wg

if you want the connection to be established automatically, you can enable a systemd service. we will first manually disconnect, then configure the service and test it:

sudo wg-quick down wg0
sudo systemctl enable wg-quick@wg0.service

I think it is prudent to wait for network in this case, so we edit the service and add connman-wait-for-network.service to the Wants and After lines in Unit, so it looks like this in the beginning:

sudo nano /lib/systemd/system/wg-quick@.service

[Unit]
Description=WireGuard via wg-quick(8) for %I
After=network-online.target nss-lookup.target
Wants=network-online.target nss-lookup.target connman-wait-for-network.service
After=connman-wait-for-network.service
PartOf=wg-quick.target

now we can start the service and test it:

sudo systemctl start wg-quick@wg0.service
sudo systemctl status wg-quick@wg0.service
sudo wg

now it should work. hooray.

feel free to point out problems with my approach, I’m pretty much learning as I go. What tripped me up was the resolve error when having a DNS = line in the conf. it got sorted by installing openresolv.

cheers


This looks good – for now, I’d just suggest systemctl daemon-reload after editing the wg-quick unit.

I’ll see if we can adapt ConnMan to satisfy the network-online target directly. It’s been a while since we introduced this service and I know ConnMan does have a waiting method, so things may have changed somewhat.

Hi @dasdreHmomenT

Thank you again for the tutorial, all is working fine, except that I have to manually launch with:

sudo wg-quick up wg0

Every time I reboot, I get the following errors:

Dec 27 21:19:45 osmc wg-quick[2715]: Name or service not known: `my.service:xxxxx' [EDITED]
Dec 27 21:19:45 osmc wg-quick[2715]: Configuration parsing error
Dec 27 21:19:45 osmc wg-quick[2624]: [#] ip link delete dev wg0
Dec 27 21:19:46 osmc systemd[1]: wg-quick@wg0.service: Main process exited, code=exited, status=1/FAILURE
░░ Subject: Unit process exited
░░ Defined-By: systemd
░░ Support: https://www.debian.org/support
░░ 
░░ An ExecStart= process belonging to unit wg-quick@wg0.service has exited.
░░ 
░░ The process' exit code is 'exited' and its exit status is 1.
Dec 27 21:19:46 osmc systemd[1]: wg-quick@wg0.service: Failed with result 'exit-code'.
░░ Subject: Unit failed
░░ Defined-By: systemd
░░ Support: https://www.debian.org/support
░░ 
░░ The unit wg-quick@wg0.service has entered the 'failed' state with result 'exit-code'.
Dec 27 21:19:46 osmc systemd[1]: Failed to start WireGuard via wg-quick(8) for wg0.
░░ Subject: A start job for unit wg-quick@wg0.service has failed
░░ Defined-By: systemd
░░ Support: https://www.debian.org/support
░░ 
░░ A start job for unit wg-quick@wg0.service has finished with a failure.
░░ 
░░ The job identifier is 98 and the job result is failed.

It would seem that osmc does not immediately find my wireguard server, possibly because of wlan0 not being enabled? If that is the case, how could I delay wg0 being loaded up upon startup?

Any other ideas what could be causing this?

Many thanks for your input.

I’m using Wireguard here on a Vero V and it’s connecting reliably every time.
Using an Ethernet connection.

I just did systemctl enable on the service to make it persistent.
Your issue looks like a configuration problem potentially.

Thanks, I’ll run through the different commands again, hopefully something I have missed.

Apart from that WireGuard seems very good indeed.

Give it another go and let me know how you get on.

OK, basically this is the verdict:

  • reboot = OK. WireGuard boots up fine, all works great.
  • power off (remove plug) = the next day WireGuard seems to be failing. This is what I get:
osmc@osmc:~$ systemctl status wg-quick@wg0.service
● wg-quick@wg0.service - WireGuard via wg-quick(8) for wg0
     Loaded: loaded (/lib/systemd/system/wg-quick@.service; enabled; vendor preset: enabled)
     Active: active (exited) since Wed 2023-12-27 21:41:14 CET; 4min 23s ago
       Docs: man:wg-quick(8)
             man:wg(8)
             https://www.wireguard.com/
             https://www.wireguard.com/quickstart/
             https://git.zx2c4.com/wireguard-tools/about/src/man/wg-quick.8
             https://git.zx2c4.com/wireguard-tools/about/src/man/wg.8
    Process: 2631 ExecStart=/usr/bin/wg-quick up wg0 (code=exited, status=0/SUCCESS)
   Main PID: 2631 (code=exited, status=0/SUCCESS)

Dec 27 21:41:14 osmc wg-quick[2631]: [#] ip -4 address add x.x.x.x/32 dev wg0 [IP removed)
Dec 27 21:41:14 osmc wg-quick[2631]: [#] ip link set mtu 1420 up dev wg0
Dec 27 21:41:14 osmc wg-quick[2976]: [#] resolvconf -a wg0 -m 0 -x
Dec 27 21:41:14 osmc wg-quick[2631]: [#] wg set wg0 fwmark xxxxx [port removed]
Dec 27 21:41:14 osmc wg-quick[2631]: [#] ip -4 route add 0.0.0.0/0 dev wg0 table xxxxx [port removed]
Dec 27 21:41:14 osmc wg-quick[2631]: [#] ip -4 rule add not fwmark xxxxx[port removed] table xxxxx[port removed]
Dec 27 21:41:14 osmc wg-quick[2631]: [#] ip -4 rule add table main suppress_prefixlength 0
Dec 27 21:41:14 osmc wg-quick[2631]: [#] sysctl -q net.ipv4.conf.all.src_valid_mark=1
Dec 27 21:41:14 osmc wg-quick[3049]: [#] iptables-restore -n
Dec 27 21:41:14 osmc systemd[1]: Finished WireGuard via wg-quick(8) for wg0.

Interestingly, the service is “active (exited)”.
Now, I did notice the time is all wrong! osmc also shows up in the interface as “21h41” (and counting), so unplugging has killed the time. Could this be related? Isn’t there an RTC module with battery to keep time?

Otherwise, what could explain this? Last time I think I took the WG down, and then up, before it worked again.

Thanks for the advice.

No, time is set at boot time via a local file and then synced via the internet.

Wireguard depends on exact time, otherwise the tunnel cannot be established.

Check your DNS and IP configuration; ensure the Vero can communicate with the internet before you try to establish the tunnel.
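
Added example, not part of any post in this thread: the boot failure quoted above ("Name or service not known" followed by "Configuration parsing error") is wg-quick failing to resolve the Endpoint hostname, so this preflight script waits until every Endpoint in the config resolves before the tunnel is brought up. The function names, the RESOLVER/TRIES/DELAY variables and the sample hostnames are this example's own; it assumes a POSIX shell and getent.

```sh
#!/bin/sh
# Added example: wait for WireGuard endpoints to resolve before wg-quick runs.

# Constructed sample config; keys and hostnames are placeholders.
sample_conf() {
    cat <<'EOF'
[Interface]
PrivateKey = PLACEHOLDER
[Peer]
PublicKey = PLACEHOLDER
Endpoint = vpn.example.net:51820  # hostname endpoint
[Peer]
PublicKey = PLACEHOLDER
Endpoint = [2001:db8::1]:51820
EOF
}

# Read a wg-quick config on stdin, print the host of each Endpoint line.
endpoint_hosts() {
    sed -n 's/^[[:space:]]*Endpoint[[:space:]]*=[[:space:]]*\([^[:space:]#]*\).*/\1/p' |
    while IFS= read -r eh_ep; do
        eh_host=${eh_ep%:*}                           # drop ":port"
        eh_host=${eh_host#\[}; eh_host=${eh_host%\]}  # unwrap [IPv6]
        [ -z "$eh_host" ] || printf '%s\n' "$eh_host"
    done
}

# Retry the resolver until it succeeds or the attempts run out.
# RESOLVER defaults to "getent hosts"; set it to substitute another command.
wait_resolvable() {   # $1 host, $2 attempts, $3 seconds between attempts
    wr_n=0
    until ${RESOLVER:-getent hosts} "$1" >/dev/null 2>&1; do
        wr_n=$((wr_n + 1))
        [ "$wr_n" -ge "${2:-30}" ] && return 1
        sleep "${3:-2}"
    done
}

# Return 0 once every endpoint in config file $1 resolves, 1 on timeout.
preflight() {
    pf_hosts=$(endpoint_hosts < "$1")
    [ -n "$pf_hosts" ] || { echo "no Endpoint in $1" >&2; return 2; }
    for pf_h in $pf_hosts; do
        wait_resolvable "$pf_h" "${TRIES:-30}" "${DELAY:-2}" ||
            { echo "cannot resolve $pf_h" >&2; return 1; }
    done
}

if [ "$#" -gt 0 ]; then preflight "$1"; exit $?; fi
```

Saved under a path of your choosing (for instance /usr/local/bin/wg-preflight, a hypothetical name), it can run as ExecStartPre=/usr/local/bin/wg-preflight /etc/wireguard/%i.conf in a drop-in created with systemctl edit wg-quick@wg0.service. A drop-in also survives package upgrades, unlike edits to the unit under /lib/systemd/system.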