Wireguard in SailfishOS 5.0

kan_ibal · 25 February 2025 16:02

Since there is no official documentation so far, there is a short how to make wireguard working.

pkcon remove wireguard-go
pkcon remove wireguard-tools
pkcon install jolla-settings-networking-plugin-vpn-wireguard

reboot or systemctl restart connman

and, especially for those that have been using wireguard already, you have to forget wireguard configs and set it from scratch or import again.

247 · 25 February 2025 17:50

Thanks, anyway was trying wireguard today and it does not work (didn’t have the old plugin installed)

Wonder if it’s possible that is not compatible (for now) with my vpn (windscribe)

kan_ibal · 25 February 2025 18:21

I do not think so. Most likely there is something wrong with your wireguard configs. Do you configure it manually or do you import config files generated from Windscribe?

247 · 25 February 2025 20:18

Tried both, manual won’t connect at all, auto will connect but then it’s not working

Ofc no problems with openvpn

kan_ibal · 25 February 2025 21:18

I would start with this one. That means that config file is good but credentials has expired or there is something other wrong with config file. I would try to generate the new config file and import. Should it connect it will work.

WT.Sane · 25 February 2025 22:20

Just upgraded my system, installed Wireguard, imported the config file from my Fritz!Box: Works

TcCoy · 25 February 2025 22:21

@kan_ibal Thanks for the hint. A reboot was needed for me to get wireguard in the VPN menu.

@247 My connection also did not work at first, and I needed to set the public IP of my server in the “server address” field instead of its name (that previously worked with the openrepos package), if it is of any help.

247 · 26 February 2025 10:05

Tried and it does not work

Windscribe says i have 5 keys to choose from and i can’t generate more but says those 5 keys should work everywhere

247 · 26 February 2025 10:06

Thank you, but didn’t help…

WT.Sane · 26 February 2025 13:56

But…does not route the traffic through the expected endpoint. I will check the generated config and see what happens then.

joonne · 26 February 2025 20:20

Hey, I also was not able to connect via the dns name but via ip address it works nicely. I have a pivpn setup and I’m using dy.fi as the dns provider. Does someone have an idea why the dns name would not work?

adekker · 26 February 2025 20:54

I encountered the same issue right after installing SFOS5 and wireguard a while ago. Created a bug report Wireguard cannot handle dns server names

kan_ibal · 26 February 2025 21:21

I use DNS alternative as DNS system instead of default SFOS DNS and it works.
What does
cat /etc/resolv.conf
shows while connected via wireguard?

adekker · 26 February 2025 22:22

The nameserver is a fixed 127.0.0.1 by default, as “connmand” always handles the DNS requests, VPN or not.

kan_ibal · 27 February 2025 06:26

I don’t know how it IIS done in 5.0 but it used to be a link to conman’s resolv.conv.
Then what does show /var/run/connman/resolv.conf?

rob_kouw · 14 March 2025 14:02

I get the same answer in both cases: nameserver::1 nameserver 127.0.0.1

kan_ibal · 14 March 2025 15:52

Localhost in the /var/run/connman/resolv.conf is very wrong. There should be a local router DNS address or VPN provider DNS. I have local router DNS addresses. No change after wireguard connection.
Could you check if you have DNS address in your wireguard VPN provider config file and what is the address?

adekker · 14 March 2025 16:17

/etc/resolv.conf is a symlink to /run/connman-resolv.conf so the content will be the same. As I mentioned in Wireguard in SailfishOS 5.0 - #14 by adekker, I can see nothing wrong with 127.0.0.1. You might see other values by using your DNS alternative.

kan_ibal · 14 March 2025 16:31

DNS Alternative has nothing in common with /run/connman/resolv.conf. This file is managed by connmand and provides DNS addresses for system.
Localhost address in /etc/resolv.conf is inherently wrong, because in default setup, it redirects all DNS requests to connmand DNS proxy that is running at localhost that uses DNS’es from /var/run/connman/resolv.conf and you are in the dead loop.
DNS Alternative disables connmand DNS proxy and provides its own(dnsmasq+dnsxcrypt-proxy).

rob_kouw · 14 March 2025 17:17

My WireGuard config file said something like the following.

#
# Use this configuration with WireGuard client
#
[Interface]
Address = 77.14.0.2/16
PrivateKey = ...
DNS = 88.252.172.57, 66.154.159.92
[Peer]
PublicKey = ...
AllowedIPs = 0.0.0.0/0
Endpoint = nl-ams.prod.surfshark.com:51820

(Some of the numbers were changed)

When I look at the settings file in .local/share/system/privileged/connman-vpn/provider…/ then maybe the DNS isn’t there?

provider-…/settings:

Name=Wireguard Surfshark NL-AMS
Type=wireguard
Host=nl-ams.prod.surfshark.com
VPN.Domain=sailfishos.org.3
WireGuard.Address=77.14.0.2/16
WireGuard.PrivateKey=...
WireGuard.PublicKey=...
WireGuard.AllowedIPs=0.0.0.0/0
WireGuard.EndpointPort=51820

and vpn-…/settings:

Name=Wireguard Surfshark NL-AMS
SplitRouting=false
AutoConnect=false
Modified=2025-03-14T15:06:38Z
IPv4.method=fixed
IPv4.netmask_prefixlen=16
IPv4.local_address=77.14.0.2
IPv4.gateway=nl-ams.prod.surfshark.com
IPv6.method=off
IPv6.privacy=disabled