distribution/documentation/SETUP_VPN_WIREGUARD.md
2023-07-15 10:06:30 +00:00

123 lines
5.8 KiB
Markdown

&nbsp;&nbsp;<img src="https://raw.githubusercontent.com/JustEnoughLinuxOS/distribution/dev/distributions/JELOS/logos/jelos-logo.png" width=192>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;[![Latest Version](https://img.shields.io/github/release/JustEnoughLinuxOS/distribution.svg?color=5998FF&label=latest%20version&style=flat-square)](https://github.com/JustEnoughLinuxOS/distribution/releases/latest) [![Activity](https://img.shields.io/github/commit-activity/m/JustEnoughLinuxOS/distribution?color=5998FF&style=flat-square)](https://github.com/JustEnoughLinuxOS/distribution/commits) [![Pull Requests](https://img.shields.io/github/issues-pr-closed/JustEnoughLinuxOS/distribution?color=5998FF&style=flat-square)](https://github.com/JustEnoughLinuxOS/distribution/pulls) [![Discord Server](https://img.shields.io/discord/948029830325235753?color=5998FF&label=chat&style=flat-square)](https://discord.gg/seTxckZjJy)
#
# Using WireGuard VPN
JELOS now supports WireGuard VPN, which connects securely to your local network from any place in the world. As game streaming becomes more popular, it enables AAA games, streamed over the internet from your home computer, to be played on your console while traveling.
## Configuring WireGuard VPN in JELOS
Typically the configuration involves copying your WireGuard VPN config file over to your JELOS device and then enabling WireGuard VPN in Emulation Station Network Settings menu.
### WireGuard Config
JELOS uses standard WireGuard config file format. The file is typically provided by your VPN provider. If you want to host your own VPN Server on your local network, there are plenty of tutorials available online.
Currently only the single connection is supported. The WireGuard config file must be placed in the following location - `/storage/.config/wireguard/wg0.conf`. Please use SSH or Samba to create the file there.
Don't forget to restart Emulation Station to pick up the changes.
Sample `wg0.conf` file
```
[Interface]
PrivateKey = <your private key>
Address = 10.111.10.2/24
[Peer]
PublicKey = <server public key>
AllowedIPs = 0.0.0.0/0
Endpoint = <server>:<port>
```
> Note: "DNS" option is not yet supported in the config. Please remove line starting with "DNS" from your config file.
### Enabling WireGuard connection
Emulation Station now has a new menu item toggle to enable or disable WireGuard VPN connection. Use it turn the connection on or off.
> Note: make sure that WireGuard config file is present on the device, see the [Configuring WireGuard VPN in JELOS](https://github.com/JustEnoughLinuxOS/distribution/documentation/SETUP_VPN_WIREGUARD.md#Configuring-WireGuard-VPN-in-JELOS) section above. The menu option is only available when the config file is present.
Connect to configured VPN server
* Press "start" button to go into Emulation Station Main Menu
* Select Network Settings submenu
* Select "Wireguard VPN" and turn it on
* Select "Back" button to exit setting dialog
* WireGuard VPN should be connected
Disconnect from configured VPN server
* Press "start" button to go into Emulation Station Main Menu
* Select Network Settings submenu
* Select "Wireguard VPN" and turn it off
* Select "Back" button to exit setting dialog
* WireGuard VPN should be disconnected
### Server Configuration (for advanced users)
The local PC can be setup to be a WireGuard server. This allows accessing that PC (and a local network if SNAT is enabled) from the remote location using the device.
The configuration is the following:
* Generate pair of configuration files
* Install WireGuard on your local PC and import server config
* Setup Port Forwarding for WireGuard port from your local router to your local PC
* Enable WireGuard on your device
#### Config Pair generation
The device have a helper script which can generate a pair of configuration files for the device and for the local PC with WireGuard server.
The script should be executed from SSH terminal.
```
# Generate config file
wg-genconfig
```
The script will generate `wg0.conf` and `wg0.conf.server` files.
##### `wg0.conf.server` server config
```
[Interface]
PrivateKey = <server private key>
# PublicKey = <server public key>
Address = 10.111.10.1/24
ListenPort = 51820
# If you want to access other devices on the same network,
# you need to enable SNAT, the lines below.
# Make sure that eth0 matches your main network interface.
#PostUp = echo 1 > /proc/sys/net/ipv4/ip_forward
#PostUp = iptables -A FORWARD -i %i -j ACCEPT
#PostUp = iptables -A FORWARD -o %i -j ACCEPT
#PostUp = iptables -t nat -A POSTROUTING -s 10.111.10.0/24 -o eth0 -j MASQUERADE
#PostDown = iptables -D FORWARD -i %i -j ACCEPT
#PostDown = iptables -D FORWARD -o %i -j ACCEPT
#PostDown = iptables -t nat -D POSTROUTING -s 10.111.10.0/24 -o eth0 -j MASQUERADE
[Peer]
PublicKey = <device public key>
AllowedIPs = 10.111.10.2/32
```
If you want you device to access your local network, you need to enable SNAT, allow your local PC forward network packets to other devices on your local network. That is done by uncommenting PostUp/PostDown commands in the config.
#### Install WireGuard on your local PC
* Download the client for your OS from [here](https://www.wireguard.com/install/).
* Import wg0.conf.server and enable the tunnel.
## Troubleshooting
### Diagnostics
Sometimes the tunnel doesn't establish successfully. The following commands can useful to diagnose issues.
The commands below should be executed on the device using SSH shell access.
```
# Check the status of active tunnels.
# You should see the connection statistics.
wg show
```
```
# Check my public ip address
curl ifconfig.co -4
```
```
# Bring tunnel up
wg-quick up /storage/.config/wireguard/wg0.conf
```
```
# Bring tunnel down
wg-quick down /storage/.config/wireguard/wg0.conf
```
### Links
* WireGuard homepage [link](https://www.wireguard.com/)
* WireGuard is also supported in ConnMan VPN plugin using ssh command line [link](https://wiki.libreelec.tv/configuration/wireguard)