WireGuard on Sailfish

So, I currently have WireGuard working on my Xperia 10 Plus by using mcencora’s reply to this TJC thread and making some modifications. I built a newer wireguard-go from trunk, and also grabbed newer versions of wg and wg-quick from within this package. I also chose to place binaries (wg and wg-quick) under /usr/local/bin so as to not litter up /usr/bin. Note that the newest wireguard-tools package, wireguard-tools_1.0.20200820-1ubuntu1_armhf.deb, will not work due to a bug which should be fixed the next time that wireguard-tools is packaged. For more information about that, see here.

One benefit of a newer wg binary is that there is no longer a requirement for libmnl, which is nice, as the newer wg binary is not linked against libmnl.

I did hit problems, though, in this entire process. The biggest problem is that you cannot specify 0.0.0.0/0 for AllowedIPs due to an outdated iproute2 package. This required me to have a fairly long AllowedIPs line with a ton of IP ranges, since, unfortunately, you can’t just get around this problem by specifying the AllowedIPs as 0.0.0.0/1,128.0.0.0/1, as then, with the way the routing is set up, connections to the public IP for the VPN peer (server in my case) are routed through the private IP of the VPN peer, which won’t work since the tunnel hasn’t been established yet. I did start going down the rabbit hole of providing an updated iproute2 (the ip command, specifically), and that required one to supply libmnl and libbsd. I did that, but then I was hitting another error. It isn’t clear to me if the problem was with iptables or the kernel, but I decided to stop trying anything further since I had a working solution already.

Anyway…

Has anybody else explored WireGuard on Sailfish recently? While it would be nice to have native support under the VPN settings eventually, I am looking for a simpler/better way to have this implemented. Obviously if/when Jolla provides a UI under the VPN settings, and updates ConnMan, iproute2, and optionally provides kernel-level support for WireGuard, that will be the way to go, but I am just wondering if there is a better way to go about this currently than I have been doing.

Thanks.

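A long AllowedIPs line of the kind the post describes can be generated instead of typed by hand. The following is an added example, not code from the original post: it computes 0.0.0.0/0 minus the peer's public address, so no default route is requested and traffic to the endpoint stays outside the tunnel while everything else goes through it. The endpoint 203.0.113.7 is a constructed placeholder and the function names are hypothetical.

```python
import ipaddress


def allowed_ips_excluding(excluded, base="0.0.0.0/0"):
    """Return CIDR blocks covering `base` minus every network in `excluded`."""
    remaining = [ipaddress.ip_network(base)]
    for item in excluded:
        hole = ipaddress.ip_network(item, strict=False)  # bare IP becomes a /32
        kept = []
        for net in remaining:
            if hole.version != net.version or not hole.overlaps(net):
                kept.append(net)  # untouched by this exclusion
            elif hole.supernet_of(net):
                continue  # block lies entirely inside the excluded range
            else:
                kept.extend(net.address_exclude(hole))  # split around the hole
        remaining = kept
    return sorted(ipaddress.collapse_addresses(remaining))


def allowed_ips_line(excluded, base="0.0.0.0/0"):
    """Format the result as an AllowedIPs line for a wg-quick config."""
    nets = allowed_ips_excluding(excluded, base)
    return "AllowedIPs = " + ", ".join(str(n) for n in nets)


def bypasses_tunnel(nets, probe):
    """True if `probe` is not covered by any tunnel route in `nets`."""
    addr = ipaddress.ip_address(probe)
    return not any(addr in n for n in nets)


if __name__ == "__main__":
    ENDPOINT = "203.0.113.7"  # constructed placeholder for the peer's public IP
    nets = allowed_ips_excluding([ENDPOINT])
    print(allowed_ips_line([ENDPOINT]))
    # Sanity checks before deploying the config: the endpoint must bypass the
    # tunnel, and an arbitrary other address must not.
    print("endpoint bypasses tunnel:", bypasses_tunnel(nets, ENDPOINT))
    print("198.51.100.1 bypasses tunnel:", bypasses_tunnel(nets, "198.51.100.1"))
```

Passing further ranges in the list (for example a home LAN prefix) keeps those outside the tunnel as well; anything not listed as excluded is routed through the VPN.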