wireguard conf

hi,
Would anyone share or show me how to configure WireGuard using configuration files from VPN providers? In my case, it's Proton VPN.
I have tried a few configurations, but they seemed unsuccessful.
Thanks in advance.
 
Download wireguard-tools package, download config files from proton, then use:

wg-quick up /full/path/to/config/file
wg-quick down /full/path/to/config/file

Where /full/path/to/config/file is downloaded from:


Select file for Linux.
 
Thanks for the reply.
I'm connected to wireguard, I think so. Still I'm unable to connect to the net using those commands.
I'm using the gateway of my wlan0: 10.96.247.28, but my resolvconf is the gateway of the wg0
Code:
wg show
interface: pjs-CH-SG-2
  public key: 5kqPLgPavs/GmFUnTupuV4hW5ERSzX7AptaB7nMwhUQ=
  listening port: 30920
peer: XXXXXXX=
  endpoint: xx.xx.xx.xx:51820
  allowed ips: ::/0, 0.0.0.0/0
  latest handshake: 19 seconds ago
  transfer: 2.64 KiB received, 1.05 KiB sent
route -q -n add -inet xx.xx.xx.xx -gateway 10.96.247.28
cat /etc/resolv.conf
# Generated by resolvconf
nameserver 10.2.0.1
 
When I was testing wg-quick on FreeBSD it did not work for me. One of the steps needed was not finished properly. You could see it.
Now I use this way. https://forums.freebsd.org/threads/my-notes-about-setting-wireguard-the-freebsd-way.100032/

With that example you have to do the routing manually so wg-quick may be more comfortable.

If you want to get help you should send the result of the "wg-quick up" command. You only need to keep secret your private key and possibly your public IP. And possibly the routing before and after the command.
 
 

Attachment: wg-q.jpg
FYI, I have already tried all those steps before asking for assistance.
As can be seen in the thumbnail, the gateway is the gateway of wlan0. The gateway of the VPN is different.
 
After seeing a few threads here re wireguard I decided to write up my notes on my own experience:

Using kernel Wireguard on FreeBSD (with credit to monwarez)

It's mostly about running my own VPN "server" in my home lab for remote laptop access. I did some playing with a FreeBSD "client" configuration for accessing it - that also works. But I haven't tried connecting to a commercial or any other VPN service from that, so I'm not sure how helpful it might be.
 

Thanks for the response. Unfortunately, it still did not work. I found that I could not stop the wg0 service.

Below is the setup I use in my rc.conf:

cloned_interfaces="wg0"
ifconfig_wg0="inet 10.2.0.2/32 netmask 0xffffffff"
static_routes="wg0"
route_wg0="-net 45.83.126.1 10.2.0.1"

I took it from the forum and online. Thanks to the guys who gave the tips. With the above setup, it still did not work. What puzzles me is that the "route" command did not change the gateway.
doas route -q -n add -inet 10.2.0.1/32 -interface wg0
It does not change the gateway. It is still using the gateway from wlan0.

My other setup, done manually:
doas ifconfig wg create name wg0
doas ifconfig wg0 mtu 1420
doas wg setconf wg0 /etc/wireguard/wg0.conf
doas ifconfig wg0 inet 10.2.0.2/32 alias
doas ifconfig wg0 up
doas route -q -n add -inet 0.0.0.0/1 -interface wg0
doas route -q -n add -inet 128.0.0.0/1 -interface wg0
doas route -q -n add -inet xx.xx.xx.xx 127.0.0.1 -blackhole
doas route -q -n add -inet 10.2.0.1/32 -interface wg0

That did not work either.
I used to have another VPN provider. The setup was working. No issues. No DNS leaks.
Proton VPN came with a setup that includes the private key and public key, so I did not use my private or public key.
Does anyone have a working setup for ProtonVPN?
 
WireGuard is easy to block. I found it is blocked in Egypt and it may be blocked in Pakistan after a while.
Is it possible it is blocked in your country?

In this case the only solution is to use a VPN which is hard to recognize and so difficult to block.
 
I'm using ProtonVPN. I prefer WireGuard over OpenVPN, which ProtonVPN offers.
 
The WireGuard protocol is easy to block by doing packet inspection. It could be a reason why it does not work for you. You can try the same settings with a mobile phone or a Windows or Linux computer to see if it works.
ProtonVPN is a good service but if WireGuard is detected and blocked it does not work.
 
It works on my Android phone. Maybe ProtonVPN does not support BSD variants yet, only certain Unix-like OSes.
 
I downloaded the config from the ProtonVPN site. Each OS uses its own config. I downloaded the app from the ProtonVPN GitHub; I try not to use the Play Store. I have no issue on Android, only on FreeBSD!
 
As far as I know there is only one WireGuard config which works for all platforms. Maybe they think it is cooler if they let you choose the OS, but you should download the same one. Your ProtonVPN app does not use WireGuard, but is using some different protocol, which is hard to detect and block.
You can download real wireguard client for android here. https://download.wireguard.com/android-client/
 
As far as I know there is only one wireguard config which works for all platforms
Try subscribing to the ProtonVPN paid version, especially the Plus version. Then you will understand what I'm talking about.
You can download real wireguard client for android here. https://download.wireguard.com/android-client/
What's the difference between that and the one at the ProtonVPN GitHub?
Thanks anyway.
 
ProtonVPN on GitHub probably does not use WireGuard. It is not a WireGuard client, but a ProtonVPN client. WireGuard is very easy to detect and block, which makes a difference.
 
I just went through setting this up myself, and I wanted to use FreeBSD's existing network scripts and not have to install any packages or download any 3rd party scripts as they mostly don't have any support for multiple fibs and the existing netif scripts do.

Add net.fibs=2 to /boot/loader.conf

In /etc/rc.conf add lines like below, using IPs provided by your VPN provider
Code:
cloned_interfaces="wg0"
ifconfig_wg0="inet 10.1.2.3/32"
ifconfig_wg0_ipv6="inet6 fd00:10:10::1234/128"
static_routes="vpn:wg0"
route_vpn="-inet default -interface wg0 -fib 1"

Create /usr/local/etc/wireguard/wg0.conf with your wireguard settings according to wg(8)
Code:
[Interface]
PrivateKey = private_key

[Peer]
PublicKey = public_key
PresharedKey = preshared_key
AllowedIPs = 0.0.0.0/1, 128.0.0.0/1, ::/1, 8000::/1
Endpoint = vpn.server:port
PersistentKeepalive = 25

Create the file /etc/start_if.wg0 with the contents:
Code:
/usr/bin/wg setconf $1 /usr/local/etc/wireguard/$1.conf

If your primary interface is configured using DHCP then edit the config in /etc/rc.conf to change it to SYNCDHCP so that the interface is up before the wireguard config is applied.
Code:
ifconfig_genet0="SYNCDHCP inet6 accept_rtadv"

And now reboot and test the results with:
Code:
root@rpi4:~ # setfib 0 drill -4 -Q whoami.cloudflare @1.1.1.1 TXT CH                                                           
"<real public ip>"                                          
root@rpi4:~ # setfib 1 drill -4 -Q whoami.cloudflare @1.1.1.1 TXT CH                                                           
"<vpn public ip>"

Now you can attach jails or run daemons or programs under FIB 1 and their traffic will go through the VPN. You can also assign FIB 1 to an interface and any traffic coming in on that interface will be forwarded using the FIB 1 routing table.
/etc/rc.conf
Code:
ifconfig_ue0="192.168.194.1 netmask 255.255.255.0 fib 1"
/etc/pf.conf
Code:
nat on wg0 from 192.168.194.0/24 to any -> ( wg0 )
match in from 192.168.194.0/24 to any rtable 1
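
Added example, not part of the post above and not the poster's or the provider's code: a provider file in wg-quick(8) format carries keys such as Address and DNS that "wg setconf" (the start_if.wg0 step) does not accept, so this sh sketch splits such a file into a wg(8)-only config plus rc.conf and resolv.conf lines. The function names, the sample file, its placeholder keys and the 192.0.2.10 endpoint are all constructed for illustration.

```shell
# Added example (not from the thread): wg-quick(8) file -> wg(8) conf + rc.conf.
# Keys wg-quick(8) adds on top of wg(8); "wg setconf" rejects them.
QUICK_KEYS='address|dns|mtu|table|preup|postup|predown|postdown|saveconfig'

# strip_quick FILE: print FILE without the wg-quick-only keys.
strip_quick() {
    awk -F= -v keys="^($QUICK_KEYS)\$" '
        { k = tolower($1); gsub(/[ \t]/, "", k) }
        k !~ keys { print }' "$1"
}

# quick_value KEY FILE: print the value of one key, e.g. Address or DNS.
quick_value() {
    awk -F= -v want="$(printf %s "$1" | tr 'A-Z' 'a-z')" '
        { k = tolower($1); gsub(/[ \t]/, "", k) }
        k == want { sub(/^[^=]*=[ \t]*/, ""); sub(/[ \t]+$/, ""); print }' "$2"
}

# rc_lines FILE IFACE: print rc.conf lines for the tunnel address(es).
rc_lines() {
    echo "cloned_interfaces=\"$2\""
    quick_value Address "$1" | tr ',' '\n' | while read -r a; do
        case $a in
            *:*) echo "ifconfig_${2}_ipv6=\"inet6 $a\"" ;;
            ?*)  echo "ifconfig_${2}=\"inet $a\"" ;;
        esac
    done
}

# sample_conf: constructed provider file (placeholder keys, TEST-NET endpoint).
sample_conf() {
    cat <<'EOF'
[Interface]
PrivateKey = AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
Address = 10.2.0.2/32
DNS = 10.2.0.1

[Peer]
PublicKey = BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB=
AllowedIPs = 0.0.0.0/0, ::/0
Endpoint = 192.0.2.10:51820
EOF
}

f=$(mktemp) && sample_conf > "$f"
strip_quick "$f"      # contents for /usr/local/etc/wireguard/wg0.conf
rc_lines "$f" wg0     # lines for /etc/rc.conf
quick_value DNS "$f" | tr ',' '\n' | sed 's/^ */nameserver /'   # resolver lines
rm -f "$f"
```

The resolver lines only matter for processes whose lookups should go through the tunnel; a resolver left pointing at the LAN gateway is what shows up as a DNS leak.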
 
Thanks. I tried your methods with another VPN provider, but it leaks DNS.
I have solved the issue for the time being with the new provider. The former provider has issues with BSD variants, I think! This was the 2nd time I tried, and I still have issues.
I only installed wireguard-tools-lite as I do not need wg-quick.
I just put
wireguard_enable="yes"
wireguard_interfaces="wg0"
in my rc.conf and WireGuard works without any DNS leak.
 