Troubleshooting Wireguard

Started by gDanix, November 25, 2020, 12:58:14 am

Previous topic - Next topic

gDanix

I've faced recently the problem of installing Wireguard in my A64 board (apparently, I'm the first one that has tried to install it, because I've been completely unable to find any information), and wanted to share the experience with you all, in case there's anyone stuck with the process.

TL;DR: The package "wireguard" can't be properly installed, because of a dependencies issue. Install ONLY the package "wireguard-tools" (shouldn't depend on "wireguard", at least in Buster) from the repositories, then compile Wireguard-go [1], and copy the executable to a $PATH location. "wg-quick" will automatically detect and use it.


The problem:
I used to install some servers in this board (like Octoprint), and always had to workaround my NAT router with TOR hidden services, or other cumbersome solutions. So this time, now that I have a working Wireguard VPN infrastructure (it's very easy to set up, really), I wanted so hard to make my A64 board join the VPN.

But there's a problem with the official Debian & Ubuntu's "wireguard" package, and is that, by default, they will try to install an old version of the kernel headers, in order to compile the kernel module, while simultaneously will prevent you to build it manually with appropriate headers version, since the module was merged into the kernel in the version 5.6 (and the appropriate headers version is > 5.6) but, for some reason, "wg" was unable to set up a wireguard interface.



The solution:
In order to make Wireguard work the easy way, you probably use a Wireguard implementation and "wg-quick", to set up the networking. "wg-quick" is included in package "wireguard-tools", which can be simply installed from the Backports repository, in case of Buster, and from the main repository in case of Focal (Beware that in Focal, unlike Buster, if I recall correctly, "wireguard-tools" depends on "wireguard" package, without apparently reason. You may need extra steps to leave APT clean).

As for the implementation, a kernel module is not the only one of the Wireguard protocol, there also exist an userspace one, Wireguard-go [1], which is actually used in the official Wireguard client for Android. Luckily, it's easy to compile it and having it running in a A64 board. (This solution should work for other boards as well, but I don't own these, so please, if you find this information useful, and worked for you in other board, let us know in the comments. Thank you!).

It's one of the easiest build you'll find out there. Only 3 packages are required to install: "git", "make", and "golang" >= 1.13. The default version in Buster main repository is 1.11, but you'll find the 1.14 version in the Backports repository (that you also need to install "wireguard tools"). Then it's just a matter of cloning the repository, cd into it, and run "make". The build will produce the executable "wireguard-go", that should be copied into a $PATH directory (/usr/bin will do the trick), and then you can use "wg-quick" to set up the interface as usual. The A64 should have enough memory (didn't measured the process) to build it after a clean image boot.


Bonus:
You can freely reuse your "wireguard-go" executable in other A64 (possibly others, didn't try) board, just by copying it (So you only need to install "wireguard-tools" from the repos. The executable is absolutely standalone, and you can even save it in your PC, write a clean OS image in the SD, and copy the executable back to the SD, so you save extra ~100Mb that are required by the build process.


Link:
[1] https://github.com/WireGuard/wireguard-go



I hope you can find this useful, it's one of my first contributions to this forum, and knowing this beforehand would have saved me a couple of days pulling my hair... Looking forward to read your comments!
Stay safe, and happy hacking!
Dani.