#1 2019-03-31 05:49:01

greybeard
Trusted Member
Registered: 2015-01-09
Posts: 19

LES NAT VPS with wireguard, basic notes on how to

I've been experimenting with getting wireguard running on a NAT VPS.
Main problem is that you can only run the userspace version of wireguard (wireguard-go), not the std kernel version. Couple of reasons for this: one, the older kernel in OpenVZ; two, it would require loading a kernel module on the host (not going to happen).

So, some notes on what to do.
Focusing on variations to the std wireguard install from various places on the web.

My setup 64k LES NAT VPS running debian 8.
1/ You need a compiled binary of wireguard-go. I followed the instructions from here (https://github.com/WireGuard/wireguard-go) on a linux VM I had also running debian 8.
2/ Log on to the NAT VPS as root (or su once logged on). Much simpler to do this as root, YMMV.
3/ copy the wireguard-go binary from the VM to the NAT VPS server.
4/ on NAT VPS
apt install wireguard-tools --no-install-recommends (otherwise it tries to install all sorts of unneeded packages for the kernel wireguard)
copy wireguard-go to /usr/bin
chmod 755 /usr/bin/wireguard-go
5/ pick an unused port within your allocated port range to use for the wireguard connection.
6/ create the config file as per the std wireguard docs on the web.
7/ make sure you have tun enabled on your NAT VPS.
8/ start the wg interface with
wg-quick up wg0
This will probably throw an error with lots of text and a warning about how you should use the kernel module for wireguard and how it isn't fit for production.
To fix this and ignore the warning
export WG_I_PREFER_BUGGY_USERSPACE_TO_POLISHED_KMOD="1"
and run
wg-quick up wg0
Should now start up and have a wireguard interface.
running
wg show
or ifconfig
should have a wg0 interface.
Set up a peer and off you go.
9/ to auto start the wireguard interface I added the following to /etc/rc.local
export WG_I_PREFER_BUGGY_USERSPACE_TO_POLISHED_KMOD="1"
wg-quick up wg0

Gotchas:
Double check the config files for correct keys, ports and addresses.
Works from Windows with the TunSafe client (don't tell the wireguard author as he's got issues with it).
Works from my Android phone (on WiFi; see below for the mobile data issue in Australia) with both the wireguard and TunSafe apps.

(And for anyone using prepaid Telstra 4G/LTE (Australia): they have a system that doesn't work for pretty much any VPN; corporate or post-paid accounts can get around this, google for solutions.)

I currently have this running from my adsl account to my NAT VPS.
FWIW I was running openvpn on my NAT VPS, wireguard is using less cpu and memory. However I didn't keep records to give a definitive number.
Rod

Last edited by greybeard (2019-03-31 05:52:39)

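As an added example (not greybeard's own script, and not part of the original post), here is one way to wrap steps 3, 5, 7 and 8 above in a small POSIX sh helper that checks the things that usually go wrong on a NAT VPS before calling wg-quick: the binary is present, /dev/net/tun exists, and the ListenPort in the config falls inside the provider's allocated port range. The port range, the config path and the sample config it can write are assumptions or constructed placeholders, not values from the post.

```shell
#!/bin/sh
# Added example helper for wireguard-go on a NAT VPS (not greybeard's script).
# Assumptions: wireguard-go is installed at /usr/bin/wireguard-go, the config is
# /etc/wireguard/wg0.conf, and the provider allocated ports PORT_LOW..PORT_HIGH
# (the defaults below are placeholders; override them via the environment).

WG_IFACE="${WG_IFACE:-wg0}"
WG_CONF="${WG_CONF:-/etc/wireguard/${WG_IFACE}.conf}"
PORT_LOW="${PORT_LOW:-20000}"    # placeholder: first port of your allocated range
PORT_HIGH="${PORT_HIGH:-20019}"  # placeholder: last port of your allocated range

# Return 0 when $1 is a decimal integer between $2 and $3 inclusive.
port_in_range() {
    case "$1" in ''|*[!0-9]*) return 1 ;; esac
    [ "$1" -ge "$2" ] && [ "$1" -le "$3" ]
}

# Print the ListenPort value found in config file $1 (first match; empty if none).
listen_port_of() {
    sed -n 's/^[[:space:]]*ListenPort[[:space:]]*=[[:space:]]*\([0-9]*\).*/\1/p' "$1" | head -n 1
}

# Write a constructed sample config to $1 (placeholder keys, not real ones) so the
# checks can be exercised offline; a real config comes from the standard wg docs.
write_sample_conf() {
    printf '[Interface]\nPrivateKey = PLACEHOLDER_PRIVATE_KEY\nAddress = 10.8.0.1/24\nListenPort = 20005\n\n[Peer]\nPublicKey = PLACEHOLDER_PEER_PUBLIC_KEY\nAllowedIPs = 10.8.0.2/32\n' > "$1"
}

# Checks matching steps 3 (binary), 7 (tun) and 5 (port in allocated range).
preflight() {
    [ -x /usr/bin/wireguard-go ] || { echo "wireguard-go missing or not executable" >&2; return 1; }
    [ -c /dev/net/tun ] || { echo "/dev/net/tun missing: TUN is not enabled on this VPS" >&2; return 1; }
    port="$(listen_port_of "$WG_CONF")"
    port_in_range "$port" "$PORT_LOW" "$PORT_HIGH" ||
        { echo "ListenPort '$port' is outside $PORT_LOW-$PORT_HIGH" >&2; return 1; }
}

# Step 8: wg-quick refuses the userspace implementation unless this variable is set.
bring_up() {
    preflight || return 1
    WG_I_PREFER_BUGGY_USERSPACE_TO_POLISHED_KMOD=1
    export WG_I_PREFER_BUGGY_USERSPACE_TO_POLISHED_KMOD
    wg-quick up "$WG_IFACE" && wg show "$WG_IFACE"
}

# Only act when invoked as `script up`, so the functions can also be sourced.
case "${1:-}" in
    up) bring_up ;;
esac
```

Calling it from /etc/rc.local or a systemd unit as `/usr/local/sbin/wg-userspace.sh up` gives a clear failure message instead of the wall of text wg-quick prints when TUN or the port is wrong.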

#2 2019-04-19 10:04:28

mikho
Low End Mod
From: Hell and gore == Sweden
Registered: 2013-03-02
Posts: 1,807

Re: LES NAT VPS with wireguard, basic notes on how to

Thanks!

Interesting read and i'm sure other users will find it helpful.


#3 2019-04-22 18:54:09

skorous
Trusted Member
Registered: 2019-03-21
Posts: 34

Re: LES NAT VPS with wireguard, basic notes on how to

Very much so. Well done greybeard.


#4 2019-05-03 01:15:52

skorous
Trusted Member
Registered: 2019-03-21
Posts: 34

Re: LES NAT VPS with wireguard, basic notes on how to

It's slightly more annoying on yum distros because you have to download the wireguard-tools rpm and install it with rpm, or else it'll install all the junk to compile the modules, but it works fine.


#5 2019-05-03 01:20:32

skorous
Trusted Member
Registered: 2019-03-21
Posts: 34

Re: LES NAT VPS with wireguard, basic notes on how to

Rats, I forgot to mention it works over IPv6 so you don't have to pick weird ports if you don't want. You can use the 51820 semi-standard.


#6 2019-07-04 07:12:27

Daniel
Member
From: Palo Alto, CA
Registered: 2019-07-04
Posts: 2

Re: LES NAT VPS with wireguard, basic notes on how to

I actually just wrote a blog post about this, before seeing your post: https://d.sb/2019/07/wireguard-on-openvz-lxc. Mostly the same as yours, but I used the systemd unit rather than modifying /etc/rc.local.

One issue I initially had was that under heavy load, wireguard-go tries to allocate a lot of memory, and subsequently gets killed by the OOM killer. I chatted to the developer of WireGuard over IRC, and he suggested modifying device/queueconstants_default.go to use the same values as device/queueconstants_ios.go. Those settings are designed for the iOS app, which has strict memory requirements, but they also work great for VPSes with limited RAM. In device/queueconstants_default.go, replace this:

	MaxSegmentSize             = (1 << 16) - 1 // largest possible UDP datagram
	PreallocatedBuffersPerPool = 0 // Disable and allow for infinite memory growth

With this:

	MaxSegmentSize             = 1700
	PreallocatedBuffersPerPool = 1024

And recompile (run "make"). This makes it use a fixed amount of RAM (~20 MB) rather than allowing memory usage to grow infinitely.

Last edited by Daniel (2019-07-04 07:17:45)


#7 2019-07-05 05:17:18

greybeard
Trusted Member
Registered: 2015-01-09
Posts: 19

Re: LES NAT VPS with wireguard, basic notes on how to

That's a more elegant way of starting/stopping the wg-go process than editing rc.local (also rc.local has been deprecated and required some additions to make it work: http://www.pc-freak.net/blog/rc-local-m … f-its-not/ ).


#8 2019-07-22 21:48:53

Kryptocomicon
Trusted Member
Registered: 2019-07-19
Posts: 6

Re: LES NAT VPS with wireguard, basic notes on how to

Thanks all - this is very helpful, and one of the things I wish to do with my shiny new VPS ..

Edit: Here's an alternate way to build the wireguard-go binary for linux that uses docker instead of installing go.

This was done on my local system running Linux Mint, but will work on other OSes as go can cross-compile.
Some details will be OS dependent though.

Install docker if you don't have it.
Then do:

docker run -e GOOS=linux -e GOARCH=amd64 -v $HOME/go:/go \
golang go get github.com/WireGuard/wireguard-go/...

This will create a local directory go under your home directory and mount it to /go in the golang container, fetch the wireguard code and compile it for linux amd64.
The first time, you'll see an error

# github.com/WireGuard/wireguard-go
src/github.com/WireGuard/wireguard-go/donotuseon_linux.go:10:36: undefined: UseTheKernelModuleInstead

as there's a deliberate undefined variable that prevents compiling on linux, as we're supposed to use the kernel module instead of the userspace version.

Now, create an executable script with the contents:

#!/bin/sh
# Run as root. Bounds the queue memory (as posted above) and removes the deliberate
# linux build guard, in both copies of the source that `go get` fetched.
for src in github.com/WireGuard/wireguard-go golang.zx2c4.com/wireguard; do
    qc="$HOME/go/src/$src/device/queueconstants_default.go"
    sed -i 's/MaxSegmentSize             = (1 << 16) - 1/MaxSegmentSize             = 1700/g' "$qc"
    # Tolerate however many alignment spaces gofmt put before the trailing comment.
    sed -i 's/PreallocatedBuffersPerPool = 0[[:space:]]*\/\//PreallocatedBuffersPerPool = 1024 \/\//g' "$qc"
    sed -i 's/UseTheKernelModuleInstead/0/g' "$HOME/go/src/$src/donotuseon_linux.go"
done

And run it as root. This will make the code compilable as linux and also tweak the memory usage as posted above.

Now just do

docker run -e GOOS=linux -e GOARCH=amd64 -v $HOME/go:/go \
golang go get github.com/WireGuard/wireguard-go/...

again, and the local modified code will be used. The binary will be built and appear in $HOME/go/bin.

Last edited by Kryptocomicon (2019-07-23 23:30:15)

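The two source tweaks in this thread (Daniel's bounded queue constants in post #6 and Kryptocomicon's sed script in post #8) share a failure mode: `sed -i` exits 0 even when its pattern matched nothing, so a whitespace mismatch against the gofmt-aligned source leaves you with a binary that still grows memory without bound, and you only find out when the OOM killer fires. As an added example (not the project's code and not either poster's script), here is a POSIX sh version that rewrites each constant independently of alignment spacing and then verifies the new value is actually in the file. The directory layout follows the `go get` paths from post #8; the `write_sample_tree` function writes constructed stand-ins for the two source files so the logic can be exercised offline, and is not a copy of the real wireguard-go sources.

```shell
#!/bin/sh
# Added example (not wireguard-go's code, not a script from this thread).
# Applies the queueconstants_default.go and donotuseon_linux.go tweaks from the
# thread and verifies each edit, instead of trusting a silent `sed -i`.
# SRC_ROOT assumes the `go get` layout from post #8 ($HOME/go/src/<import path>).

SRC_ROOT="${SRC_ROOT:-$HOME/go/src}"

# Set `NAME = VALUE` in Go const file $1, keeping any trailing comment and
# tolerating gofmt's alignment whitespace. $2 = constant name, $3 = new value.
set_const() {
    file="$1"; name="$2"; value="$3"
    grep -q "^[[:space:]]*${name}[[:space:]]*=" "$file" ||
        { echo "no constant $name in $file" >&2; return 1; }
    sed -i "s|^\([[:space:]]*${name}[[:space:]]*=\)[[:space:]]*[^/]*|\1 ${value} |" "$file"
    # Verify the rewrite took; this is the check the plain sed in the post lacks.
    grep -Eq "^[[:space:]]*${name}[[:space:]]*=[[:space:]]*${value}([[:space:]]|$)" "$file" ||
        { echo "failed to set $name=$value in $file" >&2; return 1; }
}

# Neutralise the deliberate build error (UseTheKernelModuleInstead) in file $1.
# Already-patched files are left alone and count as success.
allow_linux_build() {
    file="$1"
    if ! grep -q 'UseTheKernelModuleInstead' "$file"; then
        echo "guard already removed from $file" >&2
        return 0
    fi
    sed -i 's/UseTheKernelModuleInstead/0/g' "$file"
    ! grep -q 'UseTheKernelModuleInstead' "$file"
}

# Patch one checked-out import path ($1) under SRC_ROOT.
patch_tree() {
    pkg="$1"
    qc="$SRC_ROOT/$pkg/device/queueconstants_default.go"
    set_const "$qc" MaxSegmentSize 1700 &&
    set_const "$qc" PreallocatedBuffersPerPool 1024 &&
    allow_linux_build "$SRC_ROOT/$pkg/donotuseon_linux.go"
}

# Constructed stand-ins (NOT the real sources) under root $1 for import path $2,
# laid out with gofmt-style comment alignment so the whitespace tolerance matters.
write_sample_tree() {
    root="$1"; pkg="$2"
    mkdir -p "$root/$pkg/device"
    printf 'package device\n\nconst (\n\tMaxSegmentSize             = (1 << 16) - 1 // largest possible UDP datagram\n\tPreallocatedBuffersPerPool = 0              // Disable and allow for infinite memory growth\n)\n' \
        > "$root/$pkg/device/queueconstants_default.go"
    printf 'package main\n\n// constructed stand-in for the build guard\nconst donotuseon = UseTheKernelModuleInstead\n' \
        > "$root/$pkg/donotuseon_linux.go"
}

# `script patch` applies both tweaks to the two copies `go get` fetched.
case "${1:-}" in
    patch)
        for pkg in github.com/WireGuard/wireguard-go golang.zx2c4.com/wireguard; do
            patch_tree "$pkg" || exit 1
        done
        ;;
esac
```

Running `sh patch-wg-go.sh patch` before the second `docker run ... go get` from post #8 gives a non-zero exit (and a message naming the file) if either constant could not be set, which is what you want to see before spending time on the build.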
