Feature request: Support for Wireguard

[qdm12]

VPN providers support

Natively

• AirVPN
• Mullvad
• Windscribe
• IVPN
• Surfshark since 5989f29
• NordVPN since 07459ee
• FastestVPN since 13ffffb
• ProtonVPN since ac9446e

Using provider custom

Supported since 8645d97 using VPN_SERVICE_PROVIDER=custom

• VPNUnlimited
• Torguard
• PureVPN
• Cyberghost
• VyprVPN
• WeVPN
• PIA
• ProtonVPN
• PrivateVPN

Requires API

This is not done, and requires API communication to get the Wireguard keys etc.

• PIA - need to make PIA API package since it also depends on the token etc.
• PureVPN

Wireguard not supported

• HideMyAss
• SlickVPN
• VPNSecure.me
• IPVanish not supported
• Perfect privacy not supported
• Privado not supported
• ExpressVPN not supported

Extraction needed

This requires to extract the wireguard config from their proprietary app. Let's face it, this is a lot of work for little result, and I might never get to it. But here is the list still:

• NordVPN, see this comment
• Cyberghost, see this comment
• VyprVPN, following supported devices using VyprVPN version 4.0 and higher and Wireguard is not available to configure with Manual setup

Extra todos

• Adapt logger prefix to openvpn or wireguard depending on VPN chosen instead of vpn
• Read keys from files/secrets see Feature request: Allow WIREGUARD_PRIVATE_KEY to be specified via a secret file #614
• Read custom Wireguard configuration file => see Feature request: Wireguard configuration files reading for VPNSP=custom #610
• Rotate private keys
  • For Mullvad see Feature request: Support for Wireguard #134 (comment)

[burkasaurusrex]

Excited to see this under consideration. With wireguard being merged into the 5.6 kernel, it would be awesome to see kernel space support in addition to user space support via the wireguard-go.

Assuming the host's kernel is 5.6+ (or has been backported like in Ubuntu or Debain), I believe you could install wireguard in the container with apk add -U wireguard-tools. Then when you run the container, add --cap-add sys_module to give access to the wireguard kernel module.

It looks like there are a couple of examples (cmulk/wireguard-docker and activeeos/wireguard-docker) that attempt to even install the OOT kernel module in the host. Instead of doing that, maybe it would make the most sense to enable kernel support for hosts running 5.6+ / backported wireguard and wireguard-go for hosts running earlier kernels? 😄

Wireguard's official container framework is probably the most performant, but doesn't look particularly docker-friendly since it requires a lot of host-level config. I'd guess sharing the kernel module would still be more performant than wireguard-go, but I haven't done any testing. For what it's worth, it looks like wireguard-go has come a long way in the last few months.

[qdm12]

Hi there, thanks for the good read 👍

So wireguard-go is probably fast enough for pretty much any personal need. It might not be suitable if you have huge loads and multiple clients. But Go is very quick at networking things, it is a system language originally.

There is also a Rust version of Wireguard the team is developing, which is again faster, as fast or faster than C, so it should be very close to the kernel space implementation although it could run in a container in user space.

We could indeed add instructions on how to use the kernel space Wireguard if you have it setup on your host, that would be a nice addition.

[burkasaurusrex]

Cool, sounds good to me. Also I just noticed that LinuxServer.io added a Wireguard container last month here: linuxserver/docker-wireguard. In case it's helpful.

[qdm12]

@burkasaurusrex Thanks, unfortunately it's the same problem I want to avoid:

This image is designed for Ubuntu and Debian based systems only. During container start, it will download the necessary kernel headers and build the kernel module (until kernel 5.6, which has the module built-in, goes mainstream).

For now it seems only kernel based docker images exist out there which seem pointless to me, you might as well just run it without Docker in that case. Luckily a Go version exists (and a Rust one too) which can work across platforms, cpu arch and kernels 😉

[lavaguy1]

There is also a NordVPN docker container that uses Wireguard... https://github.com/bubuntux/nordvpn they call it "NordLynx" if that helps any. Doesn't seem to do any voodoo on the host...

[qdm12]

NordLynx - NordVpn wireguard implementation (3x-5x times faster). NOTE: Requires --cap-add=SYS_MODULE and --sysctl net.ipv4.conf.all.rp_filter=2

It installs Wireguard on your host kernel --cap-add=SYS_MODULE, not really a big fan of giving access to the Kernel to a container (even mine 😄). Gluetun already has net admin capability and runs the entrypoint as root (no way around it) but I would ideally like to avoid it for security reasons. Especially since it does tunneling to vpn servers which are not the safest places either (i. e. other VPN malicious clients). But I'll plug in the Go implementation of Wireguard (Windows GUI uses it too), it should give fast enough performance and won't require to modify the kernel. I did Shadowsocks in Go last weekend (#220) to replace the C Alpine one, this weekend will be about being able to persist and update ip addresses of vpn servers (for now it's hardcoded). I can try doing Wireguard next or next next weekend 😉

[lavaguy1]

https://www.youtube.com/watch?v=wv_phi5Z288

…

On Sat, Aug 22, 2020 at 3:18 PM Quentin McGaw ***@***.***> wrote: NordLynx - NordVpn wireguard implementation (3x-5x times faster). NOTE: Requires --cap-add=SYS_MODULE and --sysctl net.ipv4.conf.all.rp_filter=2 It installs Wireguard on your host kernel --cap-add=SYS_MODULE, not really a big fan of giving access to the Kernel to a container (even mine 😄). Gluetun already has net admin capability and runs the entrypoint as root (no way around it) but I would ideally like to avoid it for security reasons. Especially since it does tunneling to vpn servers which are not the safest places either (i. e. other VPN malicious clients). But I'll plug in the Go implementation of Wireguard (Windows GUI uses it too), it should give fast enough performance and won't require to modify the kernel. I did Shadowsocks in Go last weekend (#220 <#220>) to replace the C Alpine one, this weekend will be about being able to persist and update ip addresses of vpn servers (for now it's hardcoded). I can try doing Wireguard next or next next weekend 😉 — You are receiving this because you commented. Reply to this email directly, view it on GitHub <#134 (comment)>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/AFHXQC66AJCVCN36BYCPXU3SB7ASPANCNFSM4MGNIPWA> .

[qdm12]

Sorry everyone for the big delay. I'm working hard on getting Wireguard ready for Mullvad and PIA.

I have some pre-pre-alpha program based on the official Go wireguard Code. It's quite nice since it tries to use the Kernel wireguard module if it's there and otherwise falls back to a Go implementation (which is also decently fast). So performance should be quite nice.

Anyway, I'll report back with image tags and instructions especially to test it for other providers than Mullvad. Cheers!

[C0Nd3Mnd]

It's quite nice since it tries to use the Kernel wireguard module if it's there and otherwise falls back to a Go implementation (which is also decently fast).

That's probably the best way to do it, awesome! Looking forward to it.

[VMax2]

Do you plan to add Wireguard for GyberGhost VPN too? I checked both OVPN and Wireguard protocols with their app and Wireguard one is 3 or more times faster, when with OVPN i reach 100 Mbit with Wireguard i reach 300 ...

[ghost]

Will NordLynx (the protocol used by NordVPN, which seems to be based on Wireguard) be supported? 😄

[qdm12]

@VP-EN See @lavaguy1's comment it should be possible although I haven't looked at it yet.

@VP-EN @VMax2 I have added an order of support for Wireguard in the issue description above.

[VMax2]

Thank you so much

[qdm12]

I have a question that you can answer for your VPN provider. So far for Mullvad:

• The interface Address is user specific only
• The peer PublicKey is server specific only
• The interface PrivateKey is user specific only
• The peer Endpoint is server specific only
• The peer AllowedIPs is the same for all (tunnel everything) and we don't care about DNS since we use DNS over TLS in gluetun

so I would like to have environment variables WIREGUARD_PRIVATE_KEY and WIREGUARD_ADDRESS only. The rest (publicKey and Endpoint) is server specific and I can automate it without needing user input, I hope.

How is it for PIA, Cyberghost and NordVPN? (download multiple config files and check what's common or not really). Thanks!

Anyway, I made some good progress today, almost there. I have it working for a single Mullvad server and it tunnels everything correctly. What's nice is it really doesn't cry about sysctl or kernel modules unlike wg-quick. Although I still need to wire it up with the rest and find a way to get the server public keys automagically too 😄

[ghost]

Related to the ones testing NordVPN.. The WireGuard configs are not available in their server config download tool. You need to use their Linux version of their NordVPN app to get the WireGuard configs.

A small reddit guide here

Not sure if I have the time in the near future, as I don't have a Linux device available atm to test this method.

[qdm12]

@VP-EN OK I think I should design something to easily extract that information. I guess some debian based image with nordlynx and wireguard installed and some shell scripting would do (e. g. qmcgaw/gluetun:nordvpn-extract). Problem is that would most likely require you to have wireguard in your Kernel, which can be troublesome for some odd systems like NAS OSes. But I guess that's how nordlynx works (using the kernel) so no way around it. I'll let you know when I have something so you can test it out.

[qdm12]

Note you can now use /gluetun/wireguard/wg0.conf to set fields (with all VPN providers), see this wiki section

[parthmodi]

@macdis Would you be able to share how you were able to do this? I'm also wondering if you are able to issue commands to change regions on the fly with this configuration?

[macdis]

I just butchered the pia-foss/manual-connections scripts in order to do things exactly how I wanted them done, putting everything into one script. It basically depends on your setup and needs. Everything you need is in the scripts except for how you use the output in gluetun.

Regarding gluetun integration, I just use sed to update the environment variables for my gluetun service in my docker-compose.yml file. (Don't forget to recreate the container and restart dependent services, if required.) I change these:

- FIREWALL_VPN_INPUT_PORTS=xxxxx
- VPN_ENDPOINT_IP=xx.xx.xx.xx
- VPN_ENDPOINT_PORT=1337 # For PIA you don't need to change this at the moment as it's always the same port
- WIREGUARD_PRIVATE_KEY=xxxxx
- WIREGUARD_PUBLIC_KEY=xxxxx
- WIREGUARD_ADDRESSES=xx.xx.xx.xx/32

HOWEVER, now that wg0.conf files are supported by gluetun (see here and here), you can presumably use the pia-foss scripts to generate a wg0.conf file and just use that (set PIA_CONNECT=false and PIA_CONF_PATH=/your/path/wg0.conf in the pia-foss scripts). If you need port forwarding, though, you may need to fiddle with your docker-compose.yml environment variables anyway (FIREWALL_VPN_INPUT_PORTS). But I haven't got round to trying wg0.conf files yet.

As for region switching, look at the PREFERRED_REGION environment variable in the pia-foss scripts.

[dougNetD]

Will ProtonVPN wiregaurd be natively supported in the future?

Indeed Protonvpn now supports Wireguard so you can use it with gluetun through the custom provider (not natively supported since private key + peer address changes for each server, so there is no point). I have updated the list above.

I know this is old to reply to, but ProtonVPN does allow the same private key across multiple wireguard sever IPs & public-keys like Nord, so I assume ProtonVPN could be native too. Proton even has an article stating their client doesn't generate new private keys until it's completely logged out. I tested a few server IP+public-keys in gluetun using the same private key and it works fine.
https://protonvpn.com/support/wireguard-key-rotation/

The reason I was looking into this was because my one custom provider entry kept failing (protonVPN server was offline) resulting unhealthy status and I couldn't figure out how to have multiple proton sever IP & pubkey sets with the custom provider option. I started trying to run my own script to update wg0.conf from the proton server list here: https://api.protonmail.ch/vpn/logicals ...but I'm not having any luck.

[qdm12]

• Perfect privacy added since 7bc2972 (lastest and > v3.38 releases)
• FastestVPN added since 13ffffb (lastest and > v3.38 releases) @Jadonr @ZaxLofful

@macdis

If you need port forwarding, though, you may need to fiddle with your docker-compose.yml environment variables anyway (FIREWALL_VPN_INPUT_PORTS)

See #2320 this is work in progress 😉

@goluftwaffe

Can this be use to configure PrivadoVPN wireguard in Gluetun?

Not for now (same problem as PIA), since it needs network access before the tunnel is up, which is - for now - a no-go for Gluetun. I moved Privado to the Requires API section.

@dougNetD

Will ProtonVPN wiregaurd be natively supported in the future?

I'm looking into this now! 😉

[Slevin7]

For your information, the provider Privadodo can be connected via "custom". Maybe you can adjust this in the description above.
Thanks for the cool container, by the way