Geekzone: technology news, blogs, forums


Paul1977
#285950 27-May-2021 15:21

So I'm trying out Wireguard (via PiVPN). I like the speed, but I'm not keen that there's no option to require a password at the time of connection. This means if someone were able to obtain your config file they can access the VPN.

 

What are people's thoughts on this, and is there any way to make it more secure?


marpada
#2713910 27-May-2021 15:53

That's right, unless you can enable security controls at the IP level (firewall rules or wireguard allowed peers) having the key allows you to connect to the server. You might prefer other alternatives like OpenVPN that support multiple authentication mechanisms.




Paul1977
#2713997 27-May-2021 16:46

marpada:
That's right, unless you can enable security controls at the IP level (firewall rules or wireguard allowed peers) having the key allows you to connect to the server. You might prefer other alternatives like OpenVPN that support multiple authentication mechanisms.

I used OpenVPN in the past. It's just a shame its performance is a lot slower than Wireguard.


michaelmurfy (Moderator)
#2714004 27-May-2021 16:57

I, too, use Wireguard. The speed is great etc. How I see it is what is the likelihood of somebody obtaining one of your keys? Do you invalidate keys or roll keys on a monthly basis? Do you have security measures on your devices to prevent others from grabbing your keys?

 

More often than not on these devices there are more juicy things than a Wireguard VPN. There may be a banking app that may share the same pin number as your device, your emails which gives the ability to password reset or your password manager which is logged in, and accepting the same pin number as your device.

 

These are the things you need to really focus on securing. You're over-thinking it by thinking a VPN product is insecure because there is a remote risk of somebody getting your key.





Michael Murphy | https://murfy.nz
Referral Links: Quic Broadband (use R122101E7CV7Q for free setup)

Are you happy with what you get from Geekzone? Please consider supporting us by subscribing.
Opinions are my own and not the views of my employer.




Paul1977
#2714015 27-May-2021 17:11

michaelmurfy:
I, too, use Wireguard. The speed is great etc. How I see it is what is the likelihood of somebody obtaining one of your keys? Do you invalidate keys or roll keys on a monthly basis? Do you have security measures on your devices to prevent others from grabbing your keys?

More often than not on these devices there are more juicy things than a Wireguard VPN. There may be a banking app that may share the same pin number as your device, your emails which gives the ability to password reset or your password manager which is logged in, and accepting the same pin number as your device.

These are the things you need to really focus on securing. You're over-thinking it by thinking a VPN product is insecure because there is a remote risk of somebody getting your key.

I'm reasonably happy to use Wireguard from devices that only I can access - iPhone, iPad, personal laptop etc. But there's one PC that I use as an RDP client that (in theory) is accessible by others.

 

Since I only use RDP on that PC, would it generally be considered secure if I used an old fashioned RDP port forward, but have it locked down on the firewall to only accept connections from the static public address of the PC I use as the RDP client? And by firewall I mean a proper hardware firewall, not a software one on the target PC.

 

 


michaelmurfy (Moderator)
#2714021 27-May-2021 17:20

Wireguard = fully encrypted. I personally wouldn't port forward RDP in any way, only access this over a VPN.

 

You don't have to keep your private key on that one PC. You could keep your private key in a password manager, apply it to that PC, use it and delete it from the client afterwards.

 

But yes, ideally you'd only use Wireguard on a trusted device. Wireguard itself, being open source, could have an alternative client with the features you're after you could use perhaps? I have not looked into this.







Paul1977
#2716005 31-May-2021 10:02

The Wireguard iOS app's "On Demand" feature is driving me mad.

 

It only seems to trigger an "On Demand" if that VPN was also the last one connected. @michaelmurfy, do you use Wireguard with iOS, and do you experience this issue?


michaelmurfy (Moderator)
#2716006 31-May-2021 10:05

Yep, I use Wireguard on iOS, however not too often. I just trigger it when I need it. Have not tried the On Demand feature.

 

As I don't use any other VPNs I don't suspect I'll have this issue.







 
 
 

Paul1977
#2716030 31-May-2021 10:47

michaelmurfy:
Yep, I use Wireguard on iOS, however not too often. I just trigger it when I need it. Have not tried the On Demand feature.

As I don't use any other VPNs I don't suspect I'll have this issue.

I wanted it to auto connect either a split or full tunnel depending on cellular connection or which wifi SSID, so that no matter the circumstances I'm always using my pi-hole for DNS to get ad blocking (trusted SSIDs and cellular: split tunnel, untrusted SSIDs: full VPN). In theory it would have been perfect, all the settings are there, but it just doesn't work :(

 

From a couple of things I've read (but I can't find a lot) it sounds like it might have worked up until iOS 14.4 and then broke, but I can't find anything official.

 

 


Paul1977
#2716235 31-May-2021 15:50

@michaelmurfy you're much better with Linux than me, so I'm hoping you can help me out a little more with Wireguard on the Raspberry Pi. Googling isn't coming up with answers.

 

Note that I installed Wireguard via PiVPN since that's easier than installing manually.

 

The problem I have is I can't figure out a way to prevent it from using NAT. The Pi has an address of 192.168.1.200, and Wireguard hands out client addresses in the 10.6.0.0/24 range. So my laptop might get an address of 10.6.0.5, but because Wireguard is using NAT the traffic presents as coming from 192.168.1.200 (the Pi) instead of 10.6.0.5 (the client). I want to be able to apply different rules for different clients, but this prevents me from being able to.

 

From what I can tell, in a manual Wireguard install this happens because of a masquerade rule that gets put in /etc/wireguard/wg0.conf. But with my PiVPN install the wg0.conf file doesn't have any rules like this.

 

Do you have any ideas?

 

Thanks


Paul1977
#2717055 2-Jun-2021 09:57

Found the biggest part of the solution here. Missed it initially as the post describing the solution started with "I managed to fix it by actually installing OpenVPN after this issue...", so didn't read the rest thinking his solution was to use OpenVPN instead. But it turns out it actually was a solution for Wireguard.

 

sudo iptables -t nat -L -n -v reveals the following rule:

 

MASQUERADE all -- * eth0 10.6.0.0/24 0.0.0.0/0 /* wireguard-nat-rule */

 

(where 10.6.0.0/24 is the subnet that VPN clients are assigned their IPs from).

 

This rule can be manually removed using:

 

sudo iptables -t nat -D POSTROUTING -s 10.6.0.0/24 -o eth0 -m comment --comment wireguard-nat-rule -j MASQUERADE

 

However the rule is recreated after a reboot if you use this method, and the post didn't specify how to make the change persist after a reboot.

 

I couldn't figure out how to get rid of it using iptables-restore, and couldn't get my head around using rc.local to run a script with the required privilege level. In the end I found the easiest solution was to create a basic script to remove the rule, and schedule it as a cron job on startup.

 

Script contents:

 

iptables -t nat -D POSTROUTING -s 10.6.0.0/24 -o eth0 -m comment --comment wireguard-nat-rule -j MASQUERADE

 

Add as a cron job by running sudo crontab -e and adding the line:

 

@reboot sudo bash /full_path_to_script/script_name

 

In addition you obviously also need to create a route to the VPN client subnet with the IP address of the Raspberry Pi as the gateway.

 

Now all the VPN clients present their assigned VPN IP instead of the IP of the Raspberry Pi, so I can set different rules for different clients in my router/firewall. And it persists after a reboot!

 

Being a Linux n00b it took me a while to get my head around this, but perhaps it will help anyone else wishing to achieve the same thing. And if anyone has comments or advice on a better way to do it would be great.

 

 


fe31nz
#2717501 3-Jun-2021 01:24

How is Wireguard started?  If it is done in a systemd .service file, then the proper way to remove the NAT rule would be to modify the .service file to get it to run the iptables command after Wireguard is started.  To see if there is a wireguard.service file, and show its contents:

 

sudo systemctl cat wireguard

 

Presuming that there is a wireguard.service file, you should be able to do this:

 

sudo systemctl edit wireguard

 

Then in the override file being created by that command, put these two lines:

 

[Service]
ExecStartPost=/usr/sbin/iptables -t nat -D POSTROUTING -s 10.6.0.0/24 -o eth0 -m comment --comment wireguard-nat-rule -j MASQUERADE

Save the file, then run:

 

sudo systemctl daemon-reload

 

And restart Wireguard to see if it works:

 

sudo systemctl restart wireguard

 
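As an added example (not code from either post above), here is a rerunnable version of the rule-removal script that both the cron approach and the ExecStartPost= approach rely on: a bare iptables -D exits non-zero whenever the rule is not present (for instance if the job runs before the rule has been added), which makes a cron job noisy and, as an ExecStartPost= command not prefixed with "-", counts as a start failure for the unit, so this script tests for the rule with iptables -C first. It assumes the 10.6.0.0/24 subnet, eth0 and the wireguard-nat-rule comment from the thread; the script file name in the usage note is hypothetical.

```shell
#!/bin/sh
# Added example, not code from the thread: a rerunnable version of the
# "remove PiVPN's MASQUERADE rule" script. A bare `iptables -D` exits non-zero
# when the rule is absent, so the rule is checked with `iptables -C` first.
# Subnet, interface and comment are the values from the thread.
VPN_SUBNET="10.6.0.0/24"
WAN_IF="eth0"
RULE_COMMENT="wireguard-nat-rule"

# Count copies of the rule in `iptables -t nat -S POSTROUTING` output read from
# stdin. -S prints the comment bare or in double quotes, so allow both.
count_nat_rules() {
    grep -c -E -- "-s $VPN_SUBNET -o $WAN_IF -m comment --comment \"?$RULE_COMMENT\"? -j MASQUERADE" || true
}

# Delete every copy of the rule; -C only tests for it, so nothing happens
# when it is already gone (e.g. the cron job ran before the rule was added).
remove_nat_rule() {
    while iptables -t nat -C POSTROUTING -s "$VPN_SUBNET" -o "$WAN_IF" \
            -m comment --comment "$RULE_COMMENT" -j MASQUERADE 2>/dev/null; do
        iptables -t nat -D POSTROUTING -s "$VPN_SUBNET" -o "$WAN_IF" \
            -m comment --comment "$RULE_COMMENT" -j MASQUERADE
    done
}

if [ "${1:-}" = "--apply" ]; then
    # Real run (needs root): remove the rule, then report what is left.
    remove_nat_rule
    echo "remaining wireguard-nat-rule entries: $(iptables -t nat -S POSTROUTING | count_nat_rules)"
else
    # Dry run over constructed -S output matching the rule shown in the thread.
    SAMPLE_S='-P POSTROUTING ACCEPT
-A POSTROUTING -s 10.6.0.0/24 -o eth0 -m comment --comment wireguard-nat-rule -j MASQUERADE'
    echo "sample rule count: $(printf '%s\n' "$SAMPLE_S" | count_nat_rules)"
fi
```

Save it as, say, /usr/local/sbin/wg-nonat.sh (hypothetical name), then use "@reboot /usr/local/sbin/wg-nonat.sh --apply" in root's crontab or "ExecStartPost=/usr/local/sbin/wg-nonat.sh --apply" in the override for whichever unit actually brings up the tunnel (with a /etc/wireguard/wg0.conf, wg-quick's template unit is named wg-quick@wg0, which is worth checking with systemctl list-units before editing).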

 


Paul1977
#2717704 3-Jun-2021 14:55

fe31nz:
How is Wireguard started? If it is done in a systemd .service file, then the proper way to remove the NAT rule would be to modify the .service file to get it to run the iptables command after Wireguard is started. To see if there is a wireguard.service file, and show its contents:

sudo systemctl cat wireguard

Presuming that there is a wireguard.service file, you should be able to do this:

sudo systemctl edit wireguard

Then in the override file being created by that command, put these two lines:

[Service]
ExecStartPost=/usr/sbin/iptables -t nat -D POSTROUTING -s 10.6.0.0/24 -o eth0 -m comment --comment wireguard-nat-rule -j MASQUERADE

Save the file, then run:

sudo systemctl daemon-reload

And restart Wireguard to see if it works:

sudo systemctl restart wireguard

@fe31nz I'm not sure how it starts since it's done via PiVPN; after installation it just automatically starts on reboot. Neither sudo systemctl cat wireguard nor sudo systemctl cat pivpn returns any results.

