03-09-2022, 07:01 AM
(This post was last modified: 03-23-2022, 04:39 AM by robocone. Edit Reason: Update with resolution)
On my android smartphone I had an 'always on' VPN. Has anyone configured their pinephone in the same way?
I would like it to start a wireguard VPN before bringing up the wifi or mobile interfaces, as well as a kill-switch if the VPN disconnects somehow.
Edit: This is what I ended up doing:
I used wg-quick and the iptables rules @tophneal suggested (I didn't use the ip6tables commands).
Code:
PostUp = iptables -I OUTPUT ! -o %i -m mark ! --mark $(wg show %i fwmark) -m addrtype ! --dst-type LOCAL -j REJECT && ip6tables -I OUTPUT ! -o %i -m mark ! --mark $(wg show %i fwmark) -m addrtype ! --dst-type LOCAL -j REJECT
PreDown = iptables -D OUTPUT ! -o %i -m mark ! --mark $(wg show %i fwmark) -m addrtype ! --dst-type LOCAL -j REJECT && ip6tables -D OUTPUT ! -o %i -m mark ! --mark $(wg show %i fwmark) -m addrtype ! --dst-type LOCAL -j REJECT
1. Create an appropriate config /etc/wireguard/wg0.conf and create the private/public keys
2. I turned off ipv6 because I'm not using it
/etc/sysctl.d/disable-ipv6.conf
Code:
net.ipv6.conf.all.disable_ipv6=1
net.ipv6.conf.default.disable_ipv6=1
net.ipv6.conf.lo.disable_ipv6=1
For the wg-quick script utility, and so that wg-quick is able to set the DNS (https://wiki.archlinux.org/title/WireGua...resolution):
Code:
pacman -S wireguard-tools systemd-resolvconf
# use systemd-resolved for dns
systemctl enable systemd-resolved
3. Start the service and enable it at boot
Code:
# Try starting and stopping the service to ensure the configuration is working
wg-quick up wg0
# test the config
wg-quick down wg0
# enable the service
systemctl enable wg-quick@wg0
Caveats:
The VPN is not started until the network is already up, so there is a short time during boot where packets could leak. Since it should still stay online when it's disconnected and when we are changing interfaces, this was an acceptable compromise for me.
We could further improve it by copying and modifying the wg-quick systemd service so that it adds the firewall rule before we connect to the vpn and have it start earlier in the boot.
(see https://www.wireguard.com/netns/ for other ideas and explanation of how the wg-quick routing works)
Edit 2:
Now that I've tested it with the mobile modem as well, it turns out that the connection is not maintained when the interface changes. Based on the wg-quick rules I thought that it would continue to work, so further changes are needed.
Edit 3:
To work around this issue in the meantime I am persisting the killswitch firewall rule when restarting the VPN, using '-C <rule> || -I <rule>' so that the rule is only added once.
Code:
# Check (-C) first and only insert (-I) when the rule is missing, so restarting the VPN does not stack duplicate rules; drop the ip6tables half if IPv6 is disabled as in step 2
PostUp = iptables -C OUTPUT ! -o %i -m mark ! --mark $(wg show %i fwmark) -m addrtype ! --dst-type LOCAL -j REJECT || iptables -I OUTPUT ! -o %i -m mark ! --mark $(wg show %i fwmark) -m addrtype ! --dst-type LOCAL -j REJECT; ip6tables -C OUTPUT ! -o %i -m mark ! --mark $(wg show %i fwmark) -m addrtype ! --dst-type LOCAL -j REJECT || ip6tables -I OUTPUT ! -o %i -m mark ! --mark $(wg show %i fwmark) -m addrtype ! --dst-type LOCAL -j REJECT
# PreDown = iptables -D OUTPUT ! -o %i -m mark ! --mark $(wg show %i fwmark) -m addrtype ! --dst-type LOCAL -j REJECT && ip6tables -D OUTPUT ! -o %i -m mark ! --mark $(wg show %i fwmark) -m addrtype ! --dst-type LOCAL -j REJECT
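As an added example (not from the post above or from wg-quick itself), here is the same check-then-insert kill switch as a standalone POSIX shell script, so it can be called from PostUp or from a custom systemd unit, and so it refuses to run when `wg show` reports the fwmark as `off` (which happens when wg-quick has not installed its default-route fwmark and would make iptables reject the rule). The script path, the IPT/WG override variables and the function names are assumptions.

```shell
#!/bin/sh
# Added example, not code from the forum post: an idempotent WireGuard
# kill-switch hook. It builds the same OUTPUT rule as the post, inserts it
# only once (-C || -I), and refuses to run when wg-quick did not set an fwmark
# ("wg show wg0 fwmark" prints "off" then, and iptables rejects "--mark off").
# IPT and WG are overridable so the logic can be exercised with stubs (assumed names).
IPT="${IPT:-iptables}"
WG="${WG:-wg}"

# Rule arguments for interface $1 and fwmark $2, as one space separated line.
killswitch_rule() {
    printf '%s' "OUTPUT ! -o $1 -m mark ! --mark $2 -m addrtype ! --dst-type LOCAL -j REJECT"
}

# fwmark that wg-quick assigned to interface $1; fails when it is "off" or empty.
wg_fwmark() {
    mark=$("$WG" show "$1" fwmark 2>/dev/null) || return 1
    case "$mark" in
        0x[0-9a-fA-F]*|[0-9]*) printf '%s' "$mark" ;;
        *) echo "no fwmark on $1 (wg-quick sets one only for a 0.0.0.0/0 route)" >&2
           return 1 ;;
    esac
}

# Insert the rule unless it is already present. Returns 0 when the rule is in
# place afterwards, 1 on failure. $rule is deliberately left unquoted so the
# shell splits it into separate iptables arguments.
ensure_killswitch() {
    mark=$(wg_fwmark "$1") || return 1
    rule=$(killswitch_rule "$1" "$mark")
    if "$IPT" -C $rule 2>/dev/null; then
        return 0
    fi
    "$IPT" -I $rule
}

# Remove the rule if present, for an explicit "drop the kill switch" step.
remove_killswitch() {
    mark=$(wg_fwmark "$1") || return 1
    rule=$(killswitch_rule "$1" "$mark")
    "$IPT" -D $rule 2>/dev/null || true
}

# As a wg-quick hook: PostUp = /usr/local/bin/wg-killswitch.sh %i
# (the path is an assumption; with no argument the script only defines the functions)
case "${1:-}" in
    "") ;;
    *) ensure_killswitch "$1" ;;
esac
```

Calling ensure_killswitch twice leaves exactly one rule in place, so it is safe to run on every VPN restart without the duplicate-rule problem described in Edit 3.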