WireGuard on Debian OpenVZ6, OpenVZ7 NAT VPS

hkhan03 Member
edited December 2019 in Tutorials

Big thanks to Daniel, who wrote the guide "WireGuard on OpenVZ/LXC" (https://d.sb/2019/07/wireguard-on-openvz-lxc). I have tried and tested Daniel's guide and it is even working on Debian OpenVZ6 & 7 NAT VPS.

OpenVZ6
Debian 8.11 x64 - 128MB NAT VPS - Kernel: 2.6.32-042stab130.1
Debian 8.11 x64 - 256MB NAT VPS - Kernel: 2.6.32-042stab140.1

Only one client is working; I tried to add multiple clients but still only one client worked
IPv6 doesn't work
Speed is faster than OpenVPN
Low memory usage

OpenVZ7
Debian 9.11 x64 - 512MB NAT VPS - Kernel: 4.9.0

Multiple clients working
IPv6 working
Speed is good
Low memory usage

KVM
Used the Angristan installer https://github.com/angristan/wireguard-install

Automated installer for setup & client profile file.
Multiple profiles not supported; you can add them manually
IPv6 working
Speed is very good
Low memory usage

Big thanks to Daniel (https://d.sb/2019/07/wireguard-on-openvz-lxc). If anyone wants to try it, here are the details and commands. I have used Daniel's guide; please follow all its steps. I added a few commands where I got errors, i.e. apt install make, wg-quick up wg0 and wg-quick down wg0.

echo "deb http://deb.debian.org/debian/ unstable main" > /etc/apt/sources.list.d/unstable.list && printf 'Package: *\nPin: release a=unstable\nPin-Priority: 90\n' > /etc/apt/preferences.d/limit-unstable && apt update

apt install wireguard-tools --no-install-recommends

cd /tmp && wget https://dl.google.com/go/go1.13.4.linux-amd64.tar.gz && tar zvxf go1.13.4.linux-amd64.tar.gz && sudo mv go /opt/go1.13.4 && sudo ln -s /opt/go1.13.4/bin/go /usr/local/bin/go

go version

(have to install make, it wasn't installed on my VPS)
apt install make

cd /usr/local/src && wget https://git.zx2c4.com/wireguard-go/snapshot/wireguard-go-0.0.20191012.tar.xz && tar xvf wireguard-go-0.0.20191012.tar.xz && cd wireguard-go-0.0.20191012

(set these variables if you are using a VPS with less than 256MB)

`nano device/queueconstants_default.go`

MaxSegmentSize = 1700
PreallocatedBuffersPerPool = 1024

(Run make command)
make

sudo cp wireguard-go /usr/local/bin

wireguard-go --version

(Create public & private keys for the server; umask 077 keeps the private key file readable only by root)
umask 077; wg genkey | tee privatekey | wg pubkey > publickey

`nano /lib/systemd/system/wg-quick@.service`

add this line in the [Service] section:
Environment=WG_I_PREFER_BUGGY_USERSPACE_TO_POLISHED_KMOD=1

(Perform these commands or wg-quick will give an error and the wg0 interface won't come up)
wg-quick up wg0

wg-quick down wg0

Add the following two lines to the server's [Interface] section in /etc/wireguard/wg0.conf if you are using only IPv4

PostUp = iptables -t nat -A POSTROUTING -o venet0 -j MASQUERADE
PostDown = iptables -t nat -D POSTROUTING -o venet0 -j MASQUERADE

If you also use IPv6, add these instead in /etc/wireguard/wg0.conf

PostUp = iptables -t nat -A POSTROUTING -o venet0 -j MASQUERADE; ip6tables -t nat -A POSTROUTING -o venet0 -j MASQUERADE
PostDown = iptables -t nat -D POSTROUTING -o venet0 -j MASQUERADE; ip6tables -t nat -D POSTROUTING -o venet0 -j MASQUERADE

    systemctl enable wg-quick@wg0
    systemctl start wg-quick@wg0

wg
(check wg is running)

Install the WireGuard client. I have used the Android and Windows 10 clients. Generate public and private keys in the client software/app, set the client's public key in wg0.conf on the SERVER, and set the server's public key in the CLIENT.

That's it.

===============
Following are my configs

OpenVZ6 VPS

Server Config /etc/wireguard/wg0.conf

[Interface]
Address = 10.66.66.1/24
PrivateKey = PRIVATE KEY OF SERVER
ListenPort = PORT
PostUp = iptables -t nat -A POSTROUTING -o venet0 -j MASQUERADE
PostDown = iptables -t nat -D POSTROUTING -o venet0 -j MASQUERADE
SaveConfig = false
[Peer]
PublicKey = PUBLIC KEY OF CLIENT
# one host per peer; a /24 here would route the whole tunnel subnet to this single peer
AllowedIPs = 10.66.66.3/32

Client Config

[Interface]
PrivateKey = PRIVATE KEY OF CLIENT
Address = 10.66.66.3/24
DNS = 8.8.8.8, 8.8.4.4

[Peer]
PublicKey = PUBLIC KEY OF SERVER
AllowedIPs = 0.0.0.0/0, ::/0
Endpoint = SERVER IP:PORT
PersistentKeepalive = 25

Frequently used commands

nano /etc/wireguard/wg0.conf

systemctl enable wg-quick@wg0

systemctl status wg-quick@wg0

systemctl start wg-quick@wg0

systemctl stop wg-quick@wg0

wg-quick up wg0

wg-quick down wg0

===============

OpenVZ7

Server Config /etc/wireguard/wg0.conf

[Interface]
Address = 10.123.0.1/24,fd42:42:42::1/80
PrivateKey = PRIVATE KEY OF SERVER
ListenPort = PORT
PostUp = iptables -t nat -A POSTROUTING -o venet0 -j MASQUERADE; ip6tables -t nat -A POSTROUTING -o venet0 -j MASQUERADE
PostDown = iptables -t nat -D POSTROUTING -o venet0 -j MASQUERADE; ip6tables -t nat -D POSTROUTING -o venet0 -j MASQUERADE
SaveConfig = false

[Peer]
PublicKey = PUBLIC KEY OF CLIENT1
AllowedIPs = 10.123.0.3/32,fd42:42:42::3/128

[Peer]
PublicKey = PUBLIC KEY OF CLIENT2
AllowedIPs = 10.123.0.4/32,fd42:42:42::4/128

Client1 Config

[Interface]
PrivateKey = PRIVATE KEY OF CLIENT1
Address = 10.123.0.3/24, fd42:42:42::3/80
DNS = 8.8.8.8, 8.8.4.4, 2001:4860:4860::8888

[Peer]
PublicKey = PUBLIC KEY OF SERVER
AllowedIPs = 0.0.0.0/0, ::/0
Endpoint = SERVER IP:PORT
PersistentKeepalive = 25

Client2 Config

[Interface]
PrivateKey = PRIVATE KEY OF CLIENT2
Address = 10.123.0.4/24, fd42:42:42::4/80
DNS = 8.8.8.8, 8.8.4.4, 2001:4860:4860::8888

[Peer]
PublicKey = PUBLIC KEY OF SERVER
AllowedIPs = 0.0.0.0/0, ::/0
Endpoint = SERVER IP:PORT
PersistentKeepalive = 25

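As an added example (not code from this thread or from the WireGuard project), a small Python checker for server-side configs like the ones above. WireGuard's cryptokey routing makes each peer's AllowedIPs both an ACL on source addresses and the route table for destinations, and when two peers claim overlapping ranges the most recently added one keeps the route. A /24 on a single client peer therefore sends the whole tunnel subnet, the server's own address included, to that one peer. The embedded sample configs are the two server configs from this post with constructed placeholder keys and a constructed port; the function names are this example's own.

```python
"""Static checks for a WireGuard server-side wg0.conf.
Added example; not from the thread or the WireGuard project."""
import base64
import ipaddress

HOST_PREFIX = {4: 32, 6: 128}


def parse_wg_conf(text):
    """Return (interface, peers). wg0.conf is INI-like but [Peer] repeats, so
    configparser does not fit; '#' starts a comment, key names are case-insensitive."""
    interface, peers, current = {}, [], None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            if section == "interface":
                current = interface
            elif section == "peer":
                current = {}
                peers.append(current)
            else:
                raise ValueError(f"unknown section {line}")
            continue
        if current is None or "=" not in line:
            raise ValueError(f"unexpected line: {raw!r}")
        key, _, value = line.partition("=")      # partition: base64 keys end in '='
        current[key.strip().lower()] = value.strip()
    return interface, peers


def _valid_key(b64):
    """wg keys are 32 raw bytes in base64 (44 characters)."""
    try:
        return len(base64.b64decode(b64, validate=True)) == 32
    except ValueError:                           # binascii.Error is a ValueError
        return False


def _networks(csv):
    # strict=False mirrors wg(8), which masks host bits: 10.66.66.3/24 -> 10.66.66.0/24
    return [ipaddress.ip_network(s.strip(), strict=False) for s in csv.split(",") if s.strip()]


def check_server_conf(text):
    """Return a list of findings; an empty list means the checks pass."""
    iface, peers = parse_wg_conf(text)
    findings = []
    if not _valid_key(iface.get("privatekey", "")):
        findings.append("[Interface] PrivateKey is not a base64-encoded 32-byte key")
    own = [ipaddress.ip_interface(a.strip()).ip
           for a in iface.get("address", "").split(",") if a.strip()]
    claimed = []                                 # (peer number, network) seen so far
    for n, peer in enumerate(peers, 1):
        if not _valid_key(peer.get("publickey", "")):
            findings.append(f"peer {n}: PublicKey is not a base64-encoded 32-byte key")
        for net in _networks(peer.get("allowedips", "")):
            if net.prefixlen != HOST_PREFIX[net.version]:
                findings.append(f"peer {n}: AllowedIPs {net} is not a host route; "
                                "the whole subnet is routed to this one peer")
            for ip in own:
                if ip in net:
                    findings.append(f"peer {n}: AllowedIPs {net} covers the server's own address {ip}")
            for m, other in claimed:
                if net.version == other.version and (net.subnet_of(other) or other.subnet_of(net)):
                    findings.append(f"peer {n}: AllowedIPs {net} overlaps peer {m}'s {other}; "
                                    "only the last-added peer keeps the route")
            claimed.append((n, net))
    return findings


# Constructed placeholder keys (bytes 0..31, 32..63, 64..95): valid in shape only.
KEYS = [base64.b64encode(bytes(range(i, i + 32))).decode() for i in (0, 32, 64)]

# The OpenVZ6 server config from this post, with its single peer on a /24.
OVZ6_CONF = f"""
[Interface]
Address = 10.66.66.1/24
PrivateKey = {KEYS[0]}
ListenPort = 51820
PostUp = iptables -t nat -A POSTROUTING -o venet0 -j MASQUERADE
PostDown = iptables -t nat -D POSTROUTING -o venet0 -j MASQUERADE
SaveConfig = false
[Peer]
PublicKey = {KEYS[1]}
AllowedIPs = 10.66.66.3/24
"""

# The OpenVZ7 server config from this post: one /32 and one /128 per peer.
OVZ7_CONF = f"""
[Interface]
Address = 10.123.0.1/24,fd42:42:42::1/80
PrivateKey = {KEYS[0]}
ListenPort = 51820
[Peer]
PublicKey = {KEYS[1]}
AllowedIPs = 10.123.0.3/32,fd42:42:42::3/128
[Peer]
PublicKey = {KEYS[2]}
AllowedIPs = 10.123.0.4/32,fd42:42:42::4/128
"""

if __name__ == "__main__":
    for name, conf in (("OpenVZ6", OVZ6_CONF), ("OpenVZ7", OVZ7_CONF)):
        print(name, check_server_conf(conf) or ["ok"])
```

Run it on a live file with `check_server_conf(open("/etc/wireguard/wg0.conf").read())` as root. A peer that really is a gateway for a LAN behind it legitimately claims a wider prefix; the host-route finding is a warning to read, not a hard error.
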
Comments

  • Thanks. I never knew it could work on 2.6 kernel.

    FYI, there's a code button to help format config file and commands when posting on LET. Just makes it easier to read and distinguish instructions from commands and config.

  • hkhan03 Member
    edited December 2019

    @TimboJones oops, forgot, done it now. Thank you

  • TimboJones said: Thanks. I never knew it could work on 2.6 kernel.

    In case you didn't see, his 2.6 clients are OVZ, so he's running the Go userland daemon, not the kernel modules.

  • Hey, that's my guide you linked to. I'm glad you found it useful :)

    I didn't need the PostUp and PostDown lines in my config.

  • Hi Daniel, thanks for the great guide. Yes, initially I tried it on my NAT VPS without PostUp & PostDown; the peer connected successfully but there was no data transfer or browsing. Then I added PostUp & PostDown and it worked.

  • I would like a Docker image version, with good docs.

  • Daniel15 Veteran
    edited December 2019

    @dragon1993 said:
    I would like a Docker image version, with good docs.

    I don't think OpenVZ supports Docker. If you have a KVM VPS, you can install the regular WireGuard kernel module, then create WireGuard interfaces to pass to the Docker containers. The WireGuard site actually calls this out as a use case:

    Ready for Containers

    WireGuard sends and receives encrypted packets using the network namespace in which the WireGuard interface was originally created. This means that you can create the WireGuard interface in your main network namespace, which has access to the Internet, and then move it into a network namespace belonging to a Docker container as that container's only interface. This ensures that the only possible way that container is able to access the network is through a secure encrypted WireGuard tunnel.

    From https://www.wireguard.com/

    There's some very rough instructions at https://www.wireguard.com/netns/, but it's not a full tutorial.

  • How do you upgrade packages installed by the "make" command?

  • Do we need to inform the administrator/support? I'm using a tutorial from a post on Reddit, but it still needs support from the administrator to activate some features

  • Nice tutorial

  • From memory... I think you might be missing an IPv4 forwarding tweak

    Not sure about OVZ, but on KVM the masquerading rules probably need to be changed to eth0

    @dragon1993 said:
    I would like a Docker image version, with good docs.

    Tried this first. Didn't find anything nice & clean. Ended up deciding a straight install is better than a half-baked Docker. Native WireGuard is coming to the kernel soon though

  • @dtoker said:
    How do you upgrade packages installed by the "make" command?

    Upgrade the source code, run make again.

  • m4nu Member, Patron Provider

    Did the same with a cheap VPS I picked up here in the forum. Used the same guide, but couldn't compile the Go binary with 128MB RAM 🥺, so here is a pre-compiled binary for amd64, if anyone still needs it. Comes with a free bitcoin miner included 🥳 (Just kidding, would prefer if the developers would do a few binary releases).

    Link and blog post: https://blog.snapdragon.cc/2019/12/23/wireguard-go-binary-for-use-on-low-end-openvz-linux-vps/

  • Not working with Google cloud which assigns an internal IP.

  • m4nu Member, Patron Provider

    @Luke007 said:
    Not working with Google cloud which assigns an internal IP.

    May need some different iptables rules. Works fine on my NATed VPS that only has 10 ports open. Try these PostUp/Down:

    PostUp   = iptables -A FORWARD -i %i -j ACCEPT; iptables -A FORWARD -o %i -j ACCEPT; iptables -t nat -A POSTROUTING -o venet0 -j MASQUERADE
    PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -D FORWARD -o %i -j ACCEPT; iptables -t nat -D POSTROUTING -o venet0 -j MASQUERADE
    

    (adjust venet0 to use the actual main interface)

  • I got an iptables error that prevented wireguard-go from starting. (OpenVZ 7 NAT VPS, Debian 10)
    iptables v1.8.2 (nf_tables): Chain 'MASQUERADE' does not exist

    It was resolved by changing iptables to legacy mode
    update-alternatives --config iptables
    update-alternatives --config ip6tables

  • wrastler Member
    edited January 2020

    Based on the firewall rules & config guide above and elsewhere, all my clients' public IPv6 address is the same as venet0's. I want the clients to have their own IPv6 addresses instead of being routed through the VPS IPv6 (of course that's okay for IPv4).
    Any suggestions? I think it may have to do with the firewall rules and IP forwarding. Thanks

  • wrastler said: I want the clients to have their own IPv6 addresses instead of being routed through the VPS IPv6

    If you add new IPv6 addresses in the OpenVZ control panel and remove the new addresses in Debian it should work. Since venet0 is a pointopoint interface you don't need to use NDP proxy which would have been needed otherwise.

    One problem is that OpenVZ likes to rewrite the configuration when booting. Which I have fixed using the following /etc/network/interfaces.head

    source /etc/network/interfaces.d/*
    

    Then you can write the real network interface configuration files in /etc/network/interfaces.d/. They will take precedence over OpenVZ's configuration in /etc/network/interfaces since the above source line will be at the top.

  • @Prajwal said:
    Hello,
    Try this installer.
    https://github.com/complexorganizations/wireguard-manager

    @Prajwal

    Don't try it. Dude is a total asshole

  • Has anyone tried to install WireGuard successfully in the euserv free IPv6 container?

    I want to do this because euserv only supports IPv6. I want to connect to Cloudflare's 1.1.1.1 WireGuard server through its IPv6, so that euserv can access IPv4 websites through the Cloudflare channel established by WireGuard.

    I can install WireGuard on euserv and use the configuration from 1.1.1.1, but once I start wg, my euserv connection is lost.

    I don't know what the problem is.

  • @wrastler said:
    Based on the firewall rules & config guide above and elsewhere, all my clients' public IPv6 address is the same as venet0's. I want the clients to have their own IPv6 addresses instead of being routed through the VPS IPv6 (of course that's okay for IPv4).
    Any suggestions? I think it may have to do with the firewall rules and IP forwarding. Thanks

    You need to log in to your provider's control panel for that, specifically the menu where it says you have been allocated IPv6_Address/ .

    Create several IPv6 addresses using that control panel and log in to your VPS. The output of ifconfig/ip a should show the IPv6 addresses that you just created.

    Using WireGuard's PreUp lines, tear down those IPv6 addresses from the venet0 interface and assign them to WireGuard's interface/clients

    Example:

    PreUp = ip -6 a del 2402:xxxx:xxxx:xxxx:102/64 dev venet0 || true
    PreUp = ip -6 a del 2402:xxxx:xxxx:xxxx:103/64 dev venet0 || true

    Then, as usual, you might need proxy NDP adjusted in your sysctl.conf and to add ip -6 neigh dev venet0 . You might want to check other areas such as ip6tables for the traffic from/to the client to flow.

    Regards

  • DewlanceVPS Member, Patron Provider
    edited February 2021

    I am using WireGuard on CentOS 8 for the last few months.

    Speed is good. In the beginning it was not working, but I fixed it by matching the keys on server and client.

    Going to test your tutorial on NAT VPS.

  • @DewlanceVPS said:
    I am using WireGuard on CentOS 8 for the last few months.

    Speed is good. In the beginning it was not working, but I fixed it by matching the keys on server and client.

    Going to test your tutorial on NAT VPS.

    It works on OpenVZ, but it's a lot slower than on KVM since you need to use the userspace implementation (wireguard-go) rather than the kernel implementation.
