WireGuard on Debian OpenVZ6, OpenVZ7 NAT VPS

hkhan03 Member
edited December 2019 in Tutorials

Big thanks to Daniel who wrote the guide "WireGuard on OpenVZ/LXC" https://d.sb/2019/07/wireguard-on-openvz-lxc . I have tried & tested Daniel's guide and it even works on Debian OpenVZ6 & 7 NAT VPS.

OpenVZ6
Debian 8.11 x64 - 128MB NAT VPS - Kernel: 2.6.32-042stab130.1
Debian 8.11 x64 - 256MB NAT VPS - Kernel: 2.6.32-042stab140.1

Only one client is working; I tried to add multiple clients but still only one client worked
IPv6 doesn't work
Speed is faster than OpenVPN
Low memory usage

OpenVZ7
Debian 9.11 x64 - 512MB NAT VPS - Kernel: 4.9.0

Multiple clients working
IPv6 working
Speed is good
Low memory usage

KVM
Used the Angristan installer https://github.com/angristan/wireguard-install

Automated installer for setup & client profile file.
Multiple profiles not supported; you can add them manually
IPv6 working
Speed is very good
Low memory usage

Big thanks to Daniel (https://d.sb/2019/07/wireguard-on-openvz-lxc). If anyone wants to try it, here are the details and commands. I have used Daniel's guide, please follow all of its steps; I added a few commands where I got errors, i.e. apt install make, wg-quick up wg0 and wg-quick down wg0.

    echo "deb http://deb.debian.org/debian/ unstable main" > /etc/apt/sources.list.d/unstable.list && printf 'Package: *\nPin: release a=unstable\nPin-Priority: 90\n' > /etc/apt/preferences.d/limit-unstable && apt update

    apt install wireguard-tools --no-install-recommends

    cd /tmp && wget https://dl.google.com/go/go1.13.4.linux-amd64.tar.gz && tar zvxf go1.13.4.linux-amd64.tar.gz && sudo mv go /opt/go1.13.4 && sudo ln -s /opt/go1.13.4/bin/go /usr/local/bin/go

    go version

(You have to install make; it wasn't installed on my VPS)

    apt install make

    cd /usr/local/src && wget https://git.zx2c4.com/wireguard-go/snapshot/wireguard-go-0.0.20191012.tar.xz && tar xvf wireguard-go-0.0.20191012.tar.xz && cd wireguard-go-0.0.20191012

(Set these variables if you are using a VPS with less than 256MB)

    nano device/queueconstants_default.go

    MaxSegmentSize = 1700
    PreallocatedBuffersPerPool = 1024

(Run the make command)

    make

    sudo cp wireguard-go /usr/local/bin

    wireguard-go --version

(Create public & private keys for the server; the private key file name must be one word, otherwise tee writes two files)

    wg genkey | tee privatekey | wg pubkey > publickey

    nano /lib/systemd/system/wg-quick@.service

Add this line in the [Service] section:

    Environment=WG_I_PREFER_BUGGY_USERSPACE_TO_POLISHED_KMOD=1

(Perform these commands or wg-quick will give an error and the wg0 interface won't come UP)

    wg-quick up wg0

    wg-quick down wg0

Add the following two lines to the server [Interface] section in /etc/wireguard/wg0.conf only if you are using IPv4 only:

    PostUp = iptables -t nat -A POSTROUTING -o venet0 -j MASQUERADE
    PostDown = iptables -t nat -D POSTROUTING -o venet0 -j MASQUERADE

For IPv6, add these in /etc/wireguard/wg0.conf instead:

    PostUp = iptables -t nat -A POSTROUTING -o venet0 -j MASQUERADE; ip6tables -t nat -A POSTROUTING -o venet0 -j MASQUERADE
    PostDown = iptables -t nat -D POSTROUTING -o venet0 -j MASQUERADE; ip6tables -t nat -D POSTROUTING -o venet0 -j MASQUERADE

    systemctl enable wg-quick@wg0
    systemctl start wg-quick@wg0

(Check that wg is running)

    wg

Install the WireGuard client. I have used the Android and Windows 10 clients. Generate public and private keys in the client software/app, set the client "public key" in wg0.conf on the SERVER and set the server "public key" in the CLIENT.

That's it.

===============
Following are my configs

OpenVZ6 VPS

Server Config /etc/wireguard/wg0.conf

[Interface]
Address = 10.66.66.1/24
PrivateKey = PRIVATE KEY OF SERVER
ListenPort = PORT
PostUp = iptables -t nat -A POSTROUTING -o venet0 -j MASQUERADE
PostDown = iptables -t nat -D POSTROUTING -o venet0 -j MASQUERADE
SaveConfig = false
[Peer]
PublicKey = PUBLIC KEY OF CLIENT
AllowedIPs = 10.66.66.3/32   # one host route per peer; a /24 here would route the whole subnet to this single peer

Client Config

[Interface]
PrivateKey = PRIVATE KEY OF CLIENT
Address = 10.66.66.3/24
DNS = 8.8.8.8, 8.8.4.4

[Peer]
PublicKey = PUBLIC KEY OF SERVER
AllowedIPs = 0.0.0.0/0, ::/0
Endpoint = SERVER IP:PORT
PersistentKeepalive = 25

Frequently used commands

    nano /etc/wireguard/wg0.conf

    systemctl enable wg-quick@wg0
    systemctl status wg-quick@wg0
    systemctl start wg-quick@wg0
    systemctl stop wg-quick@wg0

    wg-quick up wg0
    wg-quick down wg0

===============

OpenVZ7

Server Config /etc/wireguard/wg0.conf

[Interface]
Address = 10.123.0.1/24,fd42:42:42::1/80
PrivateKey = PRIVATE KEY OF SERVER
ListenPort = PORT
PostUp = iptables -t nat -A POSTROUTING -o venet0 -j MASQUERADE; ip6tables -t nat -A POSTROUTING -o venet0 -j MASQUERADE
PostDown = iptables -t nat -D POSTROUTING -o venet0 -j MASQUERADE; ip6tables -t nat -D POSTROUTING -o venet0 -j MASQUERADE
SaveConfig = false

[Peer]
PublicKey = PUBLIC KEY OF CLIENT1
AllowedIPs = 10.123.0.3/32,fd42:42:42::3/128

[Peer]
PublicKey = PUBLIC KEY OF CLIENT2
AllowedIPs = 10.123.0.4/32,fd42:42:42::4/128

Client1 Config

[Interface]
PrivateKey = PRIVATE KEY OF CLIENT1
Address = 10.123.0.3/24, fd42:42:42::3/80
DNS = 8.8.8.8, 8.8.4.4, 2001:4860:4860::8888

[Peer]
PublicKey = PUBLIC KEY OF SERVER
AllowedIPs = 0.0.0.0/0, ::/0
Endpoint = SERVER IP:PORT
PersistentKeepalive = 25

Client2 Config

[Interface]
PrivateKey = PRIVATE KEY OF CLIENT2
Address = 10.123.0.4/24, fd42:42:42::4/80
DNS = 8.8.8.8, 8.8.4.4, 2001:4860:4860::8888

[Peer]
PublicKey = PUBLIC KEY OF SERVER
AllowedIPs = 0.0.0.0/0, ::/0
Endpoint = SERVER IP:PORT
PersistentKeepalive = 25
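As an added example (not from the post or from Daniel's guide), a small Python checker for a server-side wg0.conf: it parses the [Interface] and [Peer] sections, flags peer AllowedIPs that overlap or are wider than a host route (the /24 per peer in the OpenVZ6 config above, which matches the one-client-only symptom, since WireGuard routes each prefix to exactly one peer and the last peer to claim it wins), and reports PostUp "-A" rules that have no matching PostDown "-D" rule. The sample config is constructed and its keys are placeholders.

```python
import ipaddress

# Constructed sample (not from the post): the OpenVZ6 server config above with the
# second peer the post tried to add (both still /24) and a stray ")" on PostDown.
SAMPLE_CONF = """\
[Interface]
Address = 10.66.66.1/24
ListenPort = 51820
PostUp = iptables -t nat -A POSTROUTING -o venet0 -j MASQUERADE
PostDown = iptables -t nat -D POSTROUTING -o venet0 -j MASQUERADE)
[Peer]
PublicKey = CLIENT1_PUBKEY_PLACEHOLDER
AllowedIPs = 10.66.66.3/24
[Peer]
PublicKey = CLIENT2_PUBKEY_PLACEHOLDER
AllowedIPs = 10.66.66.4/24
"""

def parse_wg_conf(text):
    """Split a wg-quick config into an [Interface] dict and a list of [Peer] dicts."""
    interface, peers, current = {}, [], None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()            # wg-quick accepts '#' comments
        if line == "[Interface]":
            current = interface
        elif line == "[Peer]":
            current = {}
            peers.append(current)
        elif "=" in line and current is not None:
            key, value = (part.strip() for part in line.split("=", 1))
            current.setdefault(key, []).append(value)   # PostUp etc. may repeat
    return interface, peers

def check_allowed_ips(peers):
    """Flag prefixes shared by peers: WireGuard routes a prefix to one peer only, so the later /24 wins."""
    findings, seen = [], []
    for idx, peer in enumerate(peers):
        for cidr in [c.strip() for c in ",".join(peer.get("AllowedIPs", [])).split(",") if c.strip()]:
            net = ipaddress.ip_network(cidr, strict=False)
            if net.prefixlen != net.max_prefixlen:
                findings.append(f"peer {idx}: {cidr} is a subnet, not a per-client host route")
            findings += [f"peer {idx}: {net} overlaps peer {o} ({n})" for n, o in seen if net.overlaps(n)]
            seen.append((net, idx))
    return findings

def check_post_hooks(interface):
    """Return PostUp '-A' rules with no matching PostDown '-D' rule (each tunnel bounce leaves a stale rule)."""
    ups = {c.strip().replace(" -A ", " -D ") for l in interface.get("PostUp", []) for c in l.split(";")}
    downs = {c.strip() for l in interface.get("PostDown", []) for c in l.split(";")}
    return sorted(ups - downs)
```

Run both checks over the real /etc/wireguard/wg0.conf before adding a second peer; an empty result from each is what you want.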

Comments

  • Thanks. I never knew it could work on 2.6 kernel.

    FYI, there's a code button to help format config file and commands when posting on LET. Just makes it easier to read and distinguish instructions from commands and config.

  • hkhan03 Member
    edited December 2019

    @TimboJones oops, forgot, done it now. Thank you

  • TimboJones said: Thanks. I never knew it could work on 2.6 kernel.

    In case you didn't see, his 2.6 clients are OVZ so he's running the Go userland daemon not the kernel modules.

  • Hey, that's my guide you linked to. I'm glad you found it useful :)

    I didn't need the PostUp and PostDown lines in my config.

  • Hi Daniel, thanks for the great guide. Yes, initially I tried on my NAT VPS without PostUp & PostDown; the peer connected successfully but there was no data transfer or browsing. Then I added PostUp & PostDown and it worked.

  • I would like a Docker image version, with good docs.

  • Daniel15 Member
    edited December 2019

    @dragon1993 said:
    I would like a Docker image version, with good docs.

    I don't think OpenVZ supports Docker. If you have a KVM VPS, you can install the regular Wireguard kernel module, then create Wireguard interfaces to pass to the Docker containers. The Wireguard site actually calls this out as a use case for Wireguard on their site:

    Ready for Containers

    WireGuard sends and receives encrypted packets using the network namespace in which the WireGuard interface was originally created. This means that you can create the WireGuard interface in your main network namespace, which has access to the Internet, and then move it into a network namespace belonging to a Docker container as that container's only interface. This ensures that the only possible way that container is able to access the network is through a secure encrypted WireGuard tunnel.

    From https://www.wireguard.com/

    There's some very rough instructions at https://www.wireguard.com/netns/, but it's not a full tutorial.

  • dtoker Member

    How do you upgrade packages installed by "make" command?

  • Do we need to inform the administrator/support? I'm using the tutorial from a post on reddit, but it still needs support from the administrator to activate some features

  • Etnous Member

    Nice tutorial

  • havocx Member

    From memory... I think you might be missing an IPv4 forwarding tweak

    Not sure about ovz but on kvm the masquerading rules need to be changed to eth0 probably

    @dragon1993 said:
    I would like a Docker image version, with good docs.

    Tried this first. Didn't find anything nice & clean. Ended up deciding a straight install is better than a half baked docker. Native wireguard is coming to kernel soon though

  • @dtoker said:
    How do you upgrade packages installed by "make" command?

    Upgrade source code, run make again.

  • m4nu Member, Provider

    Did the same with a cheap VPS I picked up here in the forum. Used the same guide, but couldn't compile the Go binary with 128MB RAM 🥺, so here a pre-compiled binary for amd64, if anyone still needs it. Comes with a free bitcoin miner included 🥳 (Just kidding, would prefer if the developers would do a few binary releases).

    Link and blog post: https://blog.snapdragon.cc/2019/12/23/wireguard-go-binary-for-use-on-low-end-openvz-linux-vps/

    Simple and secure Borg Backup hosting from $2/month: BorgBase.com

  • Not working with Google cloud which assigns an internal IP.

  • m4nu Member, Provider

    @Luke007 said:
    Not working with Google cloud which assigns an internal IP.

    May need some different iptables rules. Works fine on my NATed VPS that only has 10 ports open. Try those PostUp/Down:

    PostUp   = iptables -A FORWARD -i %i -j ACCEPT; iptables -A FORWARD -o %i -j ACCEPT; iptables -t nat -A POSTROUTING -o venet0 -j MASQUERADE
    PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -D FORWARD -o %i -j ACCEPT; iptables -t nat -D POSTROUTING -o venet0 -j MASQUERADE
    

    (adjust venet0 to use the actual main interface)

    Simple and secure Borg Backup hosting from $2/month: BorgBase.com

  • I got an ipconfig error that prevented wireguard-go from starting. (Openvz 7 NAT VPS, Debian 10)
    iptables v1.8.2 (nf_tables): Chain 'MASQUERADE' does not exist

    It was resolved by changing iptables to legacy mode
    update-alternatives --config iptables
    update-alternatives --config ip6tables

  • wrastler Member
    edited January 26

    Based on the firewall rules & config guide above and elsewhere, all my clients' public IPv6 address is the same as the venet0 one. I want the clients to have their own IPv6 address instead of being routed through the VPS IPv6 (of course that's okay for IPv4).
    Any suggestions? I think it may have to do with the firewall rules and IP forwarding. Thanks

  • wrastler said: I want the clients to have their own IPv6 address instead of being routed through the VPS IPv6

    If you add new IPv6 addresses in the OpenVZ control panel and remove the new addresses in Debian it should work. Since venet0 is a pointopoint interface you don't need to use NDP proxy which would have been needed otherwise.

    One problem is that OpenVZ likes to rewrite the configuration when booting. Which I have fixed using the following /etc/network/interfaces.head

    source /etc/network/interfaces.d/*
    

    Then you can write the real network interface configuration files in /etc/network/interfaces.d/. They will take precedence over OpenVZ's configuration in /etc/network/interfaces since the above source line will be at the top.
