
Feature request: Support for Wireguard

Open qdm12 opened this issue 5 years ago • 157 comments

VPN providers support

Natively

  • [x] AirVPN
  • [x] Mullvad
  • [x] Windscribe
  • [x] IVPN
  • [x] Surfshark since 5989f29035da1770d1d8ba290a0b3ed942b24ad8
  • [x] NordVPN since 07459ee854f9609c1e9aa7d7161f9af04a59199b
  • [x] FastestVPN since 13ffffb157a6c43b0ab3fee7266f87315b4d5f1b
  • [x] ProtonVPN since ac9446e296d8bce2bb43da5e42a9cc0b5e5c1a0d

Using provider custom

Supported since 8645d978ba84b68a012356a0e5d40a770d487803 using VPN_SERVICE_PROVIDER=custom

Requires API

This is not done, and requires API communication to get the Wireguard keys etc.

  • [ ] PIA - need to make PIA API package since it also depends on the token etc.
  • [ ] PureVPN

Wireguard not supported

Extraction needed

This requires extracting the Wireguard config from their proprietary app. Let's face it, this is a lot of work for little result, and I might never get to it. But here is the list still:

  • [x] NordVPN, see this comment
  • [ ] Cyberghost, see this comment
  • [ ] VyprVPN; according to their supported devices list, Wireguard requires VyprVPN version 4.0 and higher and is not available to configure with manual setup

Extra todos

  • [x] Adapt logger prefix to openvpn or wireguard depending on VPN chosen instead of vpn
  • [x] ~Read keys from files/secrets~ see #614
  • [x] Read custom Wireguard configuration file => see #610
  • [ ] Rotate private keys
    • [ ] For Mullvad see https://github.com/qdm12/gluetun/issues/134#issuecomment-918039180

qdm12 avatar Apr 12 '20 13:04 qdm12

Excited to see this under consideration. With wireguard being merged into the 5.6 kernel, it would be awesome to see kernel space support in addition to user space support via the wireguard-go.

Assuming the host's kernel is 5.6+ (or has been backported like in Ubuntu or Debian), I believe you could install wireguard in the container with apk add -U wireguard-tools. Then when you run the container, add --cap-add sys_module to give access to the wireguard kernel module.

It looks like there are a couple of examples (cmulk/wireguard-docker and activeeos/wireguard-docker) that attempt to even install the OOT kernel module in the host. Instead of doing that, maybe it would make the most sense to enable kernel support for hosts running 5.6+ / backported wireguard and wireguard-go for hosts running earlier kernels? 😄

Wireguard's official container framework is probably the most performant, but doesn't look particularly docker-friendly since it requires a lot of host-level config. I'd guess sharing the kernel module would still be more performant than wireguard-go, but I haven't done any testing. For what it's worth, it looks like wireguard-go has come a long way in the last few months.

burkasaurusrex avatar Apr 15 '20 07:04 burkasaurusrex

Hi there, thanks for the good read 👍

So wireguard-go is probably fast enough for pretty much any personal need. It might not be suitable if you have huge loads and multiple clients. But Go is very quick at networking things, it is a system language originally.

There is also a Rust version of Wireguard the team is developing, which is again faster, as fast or faster than C, so it should be very close to the kernel space implementation although it could run in a container in user space.

We could indeed add instructions on how to use the kernel space Wireguard if you have it setup on your host, that would be a nice addition.

qdm12 avatar Apr 20 '20 01:04 qdm12

Cool, sounds good to me. Also I just noticed that LinuxServer.io added a Wireguard container last month here: linuxserver/docker-wireguard. In case it's helpful.

burkasaurusrex avatar May 01 '20 05:05 burkasaurusrex

@burkasaurusrex Thanks, unfortunately it's the same problem I want to avoid:

This image is designed for Ubuntu and Debian based systems only. During container start, it will download the necessary kernel headers and build the kernel module (until kernel 5.6, which has the module built-in, goes mainstream).

For now it seems only kernel based docker images exist out there which seem pointless to me, you might as well just run it without Docker in that case. Luckily a Go version exists (and a Rust one too) which can work across platforms, cpu arch and kernels :wink:

qdm12 avatar May 01 '20 12:05 qdm12

There is also a NordVPN docker container that uses Wireguard... https://github.com/bubuntux/nordvpn they call it "NordLynx" if that helps any. Doesn't seem to do any voodoo on the host...

lavaguy1 avatar Aug 22 '20 12:08 lavaguy1

NordLynx - NordVpn wireguard implementation (3x-5x times faster). NOTE: Requires --cap-add=SYS_MODULE and --sysctl net.ipv4.conf.all.rp_filter=2

It installs Wireguard on your host kernel --cap-add=SYS_MODULE, not really a big fan of giving access to the Kernel to a container (even mine 😄). Gluetun already has net admin capability and runs the entrypoint as root (no way around it) but I would ideally like to avoid it for security reasons. Especially since it does tunneling to vpn servers which are not the safest places either (i.e. other malicious VPN clients). But I'll plug in the Go implementation of Wireguard (Windows GUI uses it too), it should give fast enough performance and won't require modifying the kernel. I did Shadowsocks in Go last weekend (#220) to replace the C Alpine one, this weekend will be about being able to persist and update ip addresses of vpn servers (for now it's hardcoded). I can try doing Wireguard next or next next weekend 😉

qdm12 avatar Aug 22 '20 13:08 qdm12

https://www.youtube.com/watch?v=wv_phi5Z288

lavaguy1 avatar Aug 22 '20 21:08 lavaguy1

Sorry everyone for the big delay. I'm working hard on getting Wireguard ready for Mullvad and PIA.

I have some pre-pre-alpha program based on the official Go wireguard code. It's quite nice since it tries to use the Kernel wireguard module if it's there and otherwise falls back to a Go implementation (which is also decently fast). So performance should be quite nice.

Anyway, I'll report back with image tags and instructions especially to test it for other providers than Mullvad. Cheers!

qdm12 avatar Jul 26 '21 02:07 qdm12

It's quite nice since it tries to use the Kernel wireguard module if it's there and otherwise falls back to a Go implementation (which is also decently fast).

That's probably the best way to do it, awesome! Looking forward to it.

birdhimself avatar Jul 26 '21 06:07 birdhimself

Do you plan to add Wireguard for CyberGhost VPN too? I checked both OVPN and Wireguard protocols with their app and the Wireguard one is 3 or more times faster: with OVPN I reach 100 Mbit, with Wireguard I reach 300 ...

VMax2 avatar Jul 31 '21 09:07 VMax2

Will NordLynx (the protocol used by NordVPN, which seems to be based on Wireguard) be supported? 😄

ghost avatar Jul 31 '21 11:07 ghost

@VP-EN See @lavaguy1's comment; it should be possible although I haven't looked at it yet.

@VP-EN @VMax2 I have added an order of support for Wireguard in the issue description above.

qdm12 avatar Jul 31 '21 14:07 qdm12

Thank you so much

VMax2 avatar Jul 31 '21 20:07 VMax2

I have a question that you can answer for your VPN provider. So far for Mullvad:

  • The interface Address is user specific only
  • The peer PublicKey is server specific only
  • The interface PrivateKey is user specific only
  • The peer Endpoint is server specific only
  • The peer AllowedIPs is the same for all (tunnel everything) and we don't care about DNS since we use DNS over TLS in gluetun

so I would like to have environment variables WIREGUARD_PRIVATE_KEY and WIREGUARD_ADDRESS only. The rest (publicKey and Endpoint) is server specific and I can automate it without needing user input, I hope.

How is it for PIA, Cyberghost and NordVPN? (download multiple config files and check what's common or not really). Thanks!

Anyway, I made some good progress today, almost there. I have it working for a single Mullvad server and it tunnels everything correctly. What's nice is it really doesn't cry about sysctl or kernel modules unlike wg-quick. Although I still need to wire it up with the rest and find a way to get the server public keys automagically too 😄

qdm12 avatar Aug 12 '21 20:08 qdm12

Related to the ones testing NordVPN.. The WireGuard configs are not available in their server config download tool. You need to use their Linux version of their NordVPN app to get the WireGuard configs.

A small reddit guide here

Not sure if I have the time in the near future, as I don't have a Linux device available atm to test this method.

ghost avatar Aug 14 '21 12:08 ghost

@VP-EN OK I think I should design something to easily extract that information. I guess some debian based image with nordlynx and wireguard installed and some shell scripting would do (e.g. qmcgaw/gluetun:nordvpn-extract). Problem is that would most likely require you to have wireguard in your Kernel, which can be troublesome for some odd systems like NAS OSes. But I guess that's how nordlynx works (using the kernel) so no way around it. I'll let you know when I have something so you can test it out.

qdm12 avatar Aug 14 '21 20:08 qdm12

Related to PIA, the WireGuard configs are also not available for download. However, I did find this repo with information/scripts on how to create the WireGuard connections.

marciocm avatar Aug 17 '21 03:08 marciocm

I see this script for PIA, requiring

  • Server hostname
  • Server IP
  • PIA token

Hostname and IP can be found at https://serverlist.piaservers.net/vpninfo/servers/v5, PIA token is user specific.

The rest is generated on the fly and obtained from their API, so I can code all this in gluetun 😉

So I think the only part needed would be WIREGUARD_PIA_TOKEN as an env variable for it to work with gluetun.

qdm12 avatar Aug 17 '21 11:08 qdm12

So I think the only part needed would be WIREGUARD_PIA_TOKEN as an env variable for it to work with gluetun.

In this script the token is generated with a call to https://privateinternetaccess.com/gtoken/generateToken using the PIA_USERNAME and PIA_PASSWORD.

marciocm avatar Aug 17 '21 12:08 marciocm

what about Windscribe WireGuard? They have a config file for WireGuard.

and it is structured like this

[Interface]
PrivateKey = 
Address = 
DNS = 10.255.255.4

[Peer]
PublicKey = uFOg97vQhHVCUfZy/HwmGH+dR6/9lpeWZ5tV3PysHRE=
AllowedIPs = 0.0.0.0/0
Endpoint = zrh-112-wg.whiskergalaxy.com:65142
PresharedKey =

bozzfozz avatar Aug 17 '21 13:08 bozzfozz

PIA

@marciocm thanks, yeah I use that to get the PIA port forwarded, it shouldn't be too hard changing it.

Windscribe

@blckwhtx thanks for the help! From their API they also provide the wg_pubkey so that's good. However, a few important questions:

  1. How is the address 100.92.150.12/32 assigned? Do you have the same for all servers or is it by server?
  2. How is the PresharedKey given, is it by server or common to all servers?
  3. How to register your private key with Windscribe? Do you do it through their web ui?
  4. Is the port 65142 common to all servers? Or is it by server?

Update

I'm still working on integrating Wireguard with Mullvad, this obviously takes the longest since it requires more code changes than the integration of subsequent providers.

I am also re-ordering the list of VPN providers to integrate with Wireguard from easiest to hardest (see above). I might do Windscribe before PIA depending on the answers of @blckwhtx

qdm12 avatar Aug 17 '21 14:08 qdm12

  1. Address 100.92.150.12/32 is the same everywhere, have now looked through several config files
  2. PresharedKey is also the same everywhere
  3. I automatically have the privatekey in the config file, it is assigned by windscribe
  4. available ports are 443, 80, 53, 123, 1194, 65142
  5. PublicKey changes everywhere

bozzfozz avatar Aug 17 '21 14:08 bozzfozz

@blckwhtx that's perfect. I'll do Windscribe after Mullvad then since it's the simplest in the list. So for Windscribe, you'll have to set:

  • WIREGUARD_PRESHARED_KEY
  • WIREGUARD_PRIVATE_KEY
  • WIREGUARD_ADDRESS (100.92.150.12/32 in your case)

With optional:

  • WIREGUARD_PORT (defaults to 65142 I guess?)

And use the existing variables to filter servers to use.

Maybe later on add a parsing feature to extract those values automagically from a Wireguard file bind mounted; although these variables should not change once set really, so it's not a big need either.

qdm12 avatar Aug 17 '21 15:08 qdm12

port 80, 443, 53 are mostly in use, that's why I took 65142

bozzfozz avatar Aug 17 '21 15:08 bozzfozz

For whoever uses Mullvad, you can (finally duh!) run it in beta. It looks quite stable to me so far, but I haven't done much testing yet.

docker run -it --rm --name gluetun --cap-add=NET_ADMIN -e VPNSP=mullvad -e VPN_TYPE=wireguard \
-e WIREGUARD_PRIVATE_KEY="yourbase64key" -e WIREGUARD_ADDRESS="1.2.3.4/32" \
qmcgaw/gluetun:wireguard

💁 note that that image tag :wireguard is not permanent, and only lives whilst the Wireguard PR is in development. I'll merge it in qmcgaw/gluetun once it supports as many providers as possible from the already supported providers.

qdm12 avatar Aug 19 '21 23:08 qdm12

@blckwhtx Windscribe should now work. Try with -e VPNSP=windscribe and the same command as above, substituting your private key and address there. You can also use WIREGUARD_PRESHARED_KEY if you have one set (also valid for Mullvad).

Now I'm trying to squash and merge Wireguard for the repo's 1000th commit (we're at 996!), a few more providers to go! I may skip ones that are troublesome for this initial PR though (maybe nordvpn for example).

qdm12 avatar Aug 20 '21 01:08 qdm12

I get an error message 2021/08/20 14:46:41 ERROR vpn: failed creating Wireguard: public key is missing

public key is missing -e WIREGUARD_PUBLIC_KEY

  - VPNSP=Windscribe
  - VPN_TYPE=wireguard
  - WIREGUARD_PRIVATE_KEY=
  - WIREGUARD_ADDRESS=
  - WIREGUARD_PRESHARED_KEY=
 
  - WIREGUARD_PUBLIC_KEY=we still need to test it

bozzfozz avatar Aug 20 '21 12:08 bozzfozz

That was a bug, sorry. I fixed it now, you can try by repulling the image. Note that the public key is specific to each server and is saved in https://github.com/qdm12/gluetun/blob/wireguard/internal/constants/servers.json (built in the program and also mirrored in /gluetun/servers.json)

qdm12 avatar Aug 20 '21 13:08 qdm12

Managed to get Linux machine up and running.. @qdm12 - Here's a sample of a few NordVPN (NordLynx) WireGuard configs: https://0bin.net/paste/2hyZ2DuE#WneS0jdmJimiNsHPMR8Fa5wr-xidSJ8bkCBfxZO+P6I

I hope it's useful. If you need other information, just ping me :+1:

ghost avatar Aug 20 '21 14:08 ghost

VPN is running, that's perfect: other containers have internet access via the VPN,

but you can't access the UI via the shared ports.

thanks for your work

bozzfozz avatar Aug 20 '21 14:08 bozzfozz

@blckwhtx indeed, there is some routing issue I think.

For OpenVPN I get

$ ip route
0.0.0.0/1 via 10.8.0.1 dev tun0 
default via 172.17.0.1 dev eth0 
10.8.0.0/16 dev tun0 proto kernel scope link src 10.8.0.18 
89.36.78.18 via 172.17.0.1 dev eth0 
128.0.0.0/1 via 10.8.0.1 dev tun0 
172.17.0.0/16 dev eth0 proto kernel scope link src 172.17.0.2 

$ ip rule
0:      from all lookup local
100:    from 172.17.0.2 lookup 200
32766:  from all lookup main
32767:  from all lookup default

Where 89.36.78.50 is the VPN server IP, 10.8.0.0/16 is the tun0 addresses assigned, and 172.17.0.2 is my Docker network IP address.

For Wireguard I get

$ ip route
default via 172.17.0.1 dev eth0 
172.17.0.0/16 dev eth0 proto kernel scope link src 172.17.0.2

$ ip rule
0:      from all lookup local
99:     not from all fwmark 0xca6c lookup 51820
100:    from 172.17.0.2 lookup 200
32766:  from all lookup main
32767:  from all lookup default

Now I just need to play around with it... If you want to play around too to find what we need, you can with docker exec gluetun ip route (or ip rule). It might just be because of the ip rule, Wireguard seems to use that fwmark rule which comes before our rule 100 (access from outside ports)

EDIT: I think I figured it out...

qdm12 avatar Aug 20 '21 20:08 qdm12
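To see why the exposed ports stopped answering, here is an added example (not gluetun's own code) that evaluates the `ip rule` dump quoted above the way the kernel does: rules in ascending priority, `not` inverting the whole selector, and a table with no matching route handing over to the next rule. The `notLocal` route model and the packet chosen for the walk are assumptions made for the illustration.

```go
package main

import (
	"fmt"
	"net"
	"strconv"
	"strings"
)

// rule covers the `ip rule` syntax seen in the thread:
// "<prio>: [not] from <all|addr[/len]> [fwmark <hex>] lookup <table>".
type rule struct {
	prio   int
	negate bool       // "not": the whole selector is inverted
	src    *net.IPNet // nil means "from all"
	fwmark int64      // -1 when the rule has no fwmark selector
	table  string
}

// parseRules parses `ip rule` output, keeping the ascending priority order it is printed in.
func parseRules(output string) ([]rule, error) {
	var rules []rule
	for _, line := range strings.Split(strings.TrimSpace(output), "\n") {
		f := strings.Fields(line)
		if len(f) < 4 {
			return nil, fmt.Errorf("malformed rule: %q", line)
		}
		prio, err := strconv.Atoi(strings.TrimSuffix(f[0], ":"))
		if err != nil {
			return nil, fmt.Errorf("bad priority in %q", line)
		}
		r, words := rule{prio: prio, fwmark: -1}, f[1:]
		if words[0] == "not" {
			r.negate, words = true, words[1:]
		}
		for i := 0; i+1 < len(words); i += 2 {
			kw, arg := words[i], words[i+1]
			switch kw {
			case "from":
				if arg == "all" {
					continue
				}
				if !strings.Contains(arg, "/") {
					arg += "/32" // ip prints a host address without a prefix length
				}
				if _, r.src, err = net.ParseCIDR(arg); err != nil {
					return nil, err
				}
			case "fwmark":
				if r.fwmark, err = strconv.ParseInt(strings.TrimPrefix(arg, "0x"), 16, 64); err != nil {
					return nil, err
				}
			case "lookup":
				r.table = arg
			default:
				return nil, fmt.Errorf("unsupported keyword %q in %q", kw, line)
			}
		}
		rules = append(rules, r)
	}
	return rules, nil
}

// selectTable walks the rules in order for a packet with the given source and
// fwmark and returns the first table that matches and has a route. hasRoute
// models a failed lookup, after which the kernel tries the next rule; that is
// why "0: from all lookup local" never captures Internet-bound traffic.
func selectTable(rules []rule, src net.IP, mark int64, hasRoute func(string) bool) (string, int) {
	for _, r := range rules {
		match := (r.src == nil || r.src.Contains(src)) && (r.fwmark < 0 || r.fwmark == mark)
		if r.negate {
			match = !match
		}
		if match && hasRoute(r.table) {
			return r.table, r.prio
		}
	}
	return "", -1
}

// notLocal is a constructed model of the thread's setup: every table except
// local (main, 200 and WireGuard's 51820) holds a route to the Internet.
func notLocal(table string) bool { return table != "local" }

// The `ip rule` output quoted in the thread for the WireGuard case.
const wireguardRules = `0:      from all lookup local
99:     not from all fwmark 0xca6c lookup 51820
100:    from 172.17.0.2 lookup 200
32766:  from all lookup main
32767:  from all lookup default`

func main() {
	rules, _ := parseRules(wireguardRules)
	// A reply to a connection that arrived on eth0 (an exposed UI port) carries no
	// fwmark, so rule 99 matches first and sends it into the tunnel instead of table 200.
	table, prio := selectTable(rules, net.ParseIP("172.17.0.2"), 0, notLocal)
	fmt.Printf("unmarked reply from 172.17.0.2 -> table %s (rule %d)\n", table, prio)
}
```

In this model the unmarked reply lands in table 51820 via rule 99 before rule 100 is ever consulted; the same walk over a dump where the source rule has a priority number below 99 returns table 200.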

It's fixed now 🎉 It was indeed an ip rule priority issue

On to the next provider!

qdm12 avatar Aug 20 '21 23:08 qdm12

Tested this with 7 Windscribe locations, worked great. Could you make it possible to add the private and preshared keys via a secret, like is currently possible for openvpn usernames and passwords?

jathek avatar Aug 21 '21 05:08 jathek

Hi,

Thanks for this project ! I'm new to WireGuard. I'm assuming WIREGUARD_ADDRESS env var should be set to the Address referenced in the [Interface] section of the config file downloaded from Mullvad ?

I'm not sure as well how i can target which server/endpoint i would like to connect to ? In your docker command example it seems you only supply the address and private key, but not the endpoint target address (or public key, if that's necessary) ?

Thanks !

romainguinot avatar Aug 22 '21 09:08 romainguinot

Hi @romainguinot

I'm assuming WIREGUARD_ADDRESS env var should be set to the Address referenced in the [Interface] section of the config file downloaded from Mullvad

Yes. It's also the same by user/private key combination, so you should only have to set it once.

I'm not sure as well how i can target which server/endpoint i would like to connect to ?

Use existing filter environment variables, for example with -e CITY=Stockholm,Brussels (it will pick one of the two at random)

I'm updating the Github Wiki now with Wireguard information

qdm12 avatar Aug 22 '21 12:08 qdm12

@nearcatch I'll create an issue for files/secrets once #565 is merged.

@VP-EN Cool thanks! The problem is the public key, can you try re-connecting to the same server with a few hours of interval, do you get the same public key? Also if you try wg showconf wg0 do you get the interface address? That's something missing from your logs I think.

Anyway, I'll merge that first pull request #565 soon and add more providers then, since there are dependencies on other PRs. I also updated the order of support above (from easiest to hardest to implement). I also updated other TODOs to do after merging it, in the issue body above.

qdm12 avatar Aug 22 '21 14:08 qdm12

@qdm12 The public keys seem to vary from city to city. If only a single city is available in a country, the whole country seems to share the same public key. E.g. public key differs from Berlin / Frankfurt - but in a country with only one city, the public key is the same.

Log from 20/08/21: https://0bin.net/paste/2hyZ2DuE#WneS0jdmJimiNsHPMR8Fa5wr-xidSJ8bkCBfxZO+P6I

Log from today (22/08/21) edit: added more city logs https://0bin.net/paste/wM-LmbpM#de0lRa5ATFraDLbwyrQexbNdBM7zzoikjdkvu1CS9Kg

Edit: Obviously removed the private key from the logs. They have changed from last time I connected, but I guess that's expected behavior

Using wg showconf wg0 and/or sudo wg showconf wg0 reports:

lnx@lnxlptp:~$ sudo wg showconf wg0
Unable to access interface: No such device

Not sure what to do about that tbh :confused:

vp-en avatar Aug 22 '21 15:08 vp-en

@qdm12 Thanks for your quick reply !

I was able to test it earlier and all seems to be working great, with really great speeds even when selecting another country. And I'm running it on a Synology NAS which has a 4.4 kernel, so I sort of expected the performance to not be great without the in-kernel stuff that appeared as of 5.6 iirc. I was planning to compare with OpenVPN but given these results there is no need. I will just repull the container when the wireguard support has been merged into latest.

I chose to route the necessary containers' network through gluetun's container network rather than using a proxy, presumably with less overhead but I haven't compared both scenarios. At the moment I don't have a need to have other LAN devices routed through gluetun.

I also expected the performance to drop significantly when not picking the closest city, but even when picking a city from a neighbouring country the performance is more than ample enough.

I was wondering if it was able to select a wireguard server solely by providing a CITY/COUNTRY but I guess this is what the VPN_TYPE is there for, since Mullvad has different types of servers within the same location.

Thanks again for the hard work !

romainguinot avatar Aug 22 '21 15:08 romainguinot

@VP-EN nice thanks. Don't worry too much yet, I'll get back to you when I have fiddled with nordvpn more. We do need some way to easily extract values using their nordlynx application anyway. Public keys are expected to be unique by server, I doubt they would change them over time. If the private key and interface address are the same for all servers, it would be ideal such that the extraction only needs to run once. Otherwise, I think there is little point adding native support in gluetun and having a way to extract the Wireguard config and plug it as a file in gluetun would be best (as it would be the same difficulty user-wise).

qdm12 avatar Aug 22 '21 20:08 qdm12

@romainguinot thanks for the feedback!

And i'm running it on a Synology NAS which has a 4.4 kernel, so i sort of expected the performance to not be great without the in-kernel stuff that appeared as of 5.6 iirc.

Nice! Good to know performance is great using the user space code as well. Also note wireguard uses all CPU cores so it gets faster with more cores (in case you need it).

this is what the VPN_TYPE is there for, since Mullvad has different types of servers within the same location.

Yep, although usually a single Mullvad server supports both openvpn and wireguard. It's more required so gluetun knows what to use. I decided to have it like that rather than act as a filter (meaning it would pick openvpn or wireguard at random).

qdm12 avatar Aug 22 '21 20:08 qdm12

Thanks @qdm12 ! I was looking at mullvad's server list and noticed the wireguard servers had a -wireguard in the hostname so that's why I was wondering if anything had to be specified for these or not, but it does pick a wireguard server without specifying a hostname so no issue there.

Do you know if there is anything to consider regarding the private key rotation or it's not considered necessary ? Assuming mullvad has an API for that, it could probably be scripted to change the container's environment variable / restart it with some reasonable frequency, or even done inside of gluetun itself, but it's maybe overkill (not familiar enough with wireguard to know if that's useful or not).

romainguinot avatar Aug 23 '21 08:08 romainguinot

Hi @qdm12, Thank you again for the wonderful docker container. I will be very happy to test the "Read custom Wireguard configuration file" when it is available. Having a single lightweight docker container which can handle any OpenVPN and WireGuard tunnels with HTTP proxies, SOCKS and all would be really awesome. Best, OP

Astroamadeus avatar Aug 23 '21 10:08 Astroamadeus

The Vpnunlimited wireguard config is just a conf file download so supporting the custom config would cover it

ksurl avatar Aug 23 '21 15:08 ksurl

@romainguinot

Do you know if there is anything to consider regarding the private key rotation or it's not considered necessary

No idea. Does Mullvad rotate private keys, or are you trying to rotate private keys yourself? It could be an interesting feature, such as having WIREGUARD_PRIVATE_KEY accept a comma separated list of keys and restarting wireguard periodically to rotate them, although probably not a priority for now. I added it to the Extra todos section up there.

qdm12 avatar Aug 23 '21 17:08 qdm12

@Astroamadeus

Thanks!

I will be very happy to test the "Read custom Wireguard configuration file" when it is available.

What VPN provider are you using? Note the custom configuration will be restricted to client tunneling only, and not run as a Wireguard server. Although I also have thoughts about running another Wireguard as a server inside gluetun so you could connect LAN devices to it through Wireguard as well... but that's for another day 😄

qdm12 avatar Aug 23 '21 17:08 qdm12

Wireguard support for ivpn is up on :latest

qdm12 avatar Aug 23 '21 17:08 qdm12

@ksurl

The Vpnunlimited wireguard config is just a conf file download so supporting the custom config would cover it

Actually whilst we're at it!...

Can you generate a few Wireguard configs for different servers and find out the following:

  1. Is the Interface's Address the same for all configurations? If yes, continue:
  2. Is the Interface's PrivateKey the same for all configurations? If yes, continue:
  3. If you do have a PresharedKey given, is it the same for all configurations? If yes, continue:
  4. Is the Endpoint port the same for all configurations?

If any is different, then it will have to be a custom configuration file as a bind mount. Otherwise we could find our way with env variables that you set once for your account (better I think).

qdm12 avatar Aug 23 '21 17:08 qdm12

What VPN provider are you using? Note the custom configuration will be restricted to client tunneling only, and not run as a Wireguard server. Although I have also thoughts about running another Wireguard as a server inside gluetun so you could connect LAN devices to it through Wireguard as well... but that for another day 😄

I am using TorGuard personally. Their configuration files for WireGuard clients look like this, in case it can help:

# TorGuard WireGuard Config
[Interface]
PrivateKey = XXXXXXXXX
ListenPort = 51820
DNS = 1.1.1.1
Address = 10.13.X.X/24

[Peer]
PublicKey = XXXXXXXXX
AllowedIPs = 0.0.0.0/0
Endpoint = 93.177.X.X:1443
PersistentKeepalive = 25

Between several configuration files:

  • Interface's Addresses do change;
  • Interface's PrivateKeys do change as well;
  • PresharedKeys also change;
  • Endpoint ports appear to remain the same however.

Best, OP

Astroamadeus avatar Aug 23 '21 17:08 Astroamadeus

@Astroamadeus thanks, we'll use a custom configuration file for it then.

If anyone is using Surfshark (maybe @frepke right?), can you try the image qmcgaw/gluetun:surfshark-wireguard with

docker run -it --rm --name gluetun --cap-add=NET_ADMIN -e VPNSP=surfshark -e VPN_TYPE=wireguard \
-e WIREGUARD_PRIVATE_KEY="yourbase64key" -e WIREGUARD_ADDRESS="1.2.3.4/32" \
qmcgaw/gluetun:surfshark-wireguard

Also a few extra questions for Surfshark

  1. Do you know what endpoint port they use? I have set it to 51820 (default Wireguard) but I'm not sure.
  2. Is your Wireguard private key common to all server configurations? (I was hoping so)
  3. Is your Wireguard interface address common to all server configurations? (I was hoping so as well)

Thanks!

qdm12 avatar Aug 23 '21 18:08 qdm12

Didn't know Surfshark has Wireguard support for a manual setup, so I don't know (yet) where to find the Wireguard config file from Surfshark. If I've got the info, I can test the image.

frepke avatar Aug 23 '21 21:08 frepke

@frepke Ah indeed, they might not support manual setup. I have all the code and their Wireguard servers and public keys ready in #587 but it might come to the same workaround as for NordVPN, which is to somehow use their proprietary app to extract the configuration 😢 I'll let you know when I come to it, thanks!

qdm12 avatar Aug 23 '21 21:08 qdm12

No problem, I can help when you're ready 😊

frepke avatar Aug 23 '21 21:08 frepke

I checked 10+ servers. They're all different: private key, address, preshared key, public key, and endpoint. The only way to check if the public key, preshared key and endpoint are the same is if different accounts can compare.

here's an example for Toronto, CA

[Interface]
PrivateKey = X
ListenPort = 51820
Address = 10.100.X.Y/32
DNS = 10.100.0.1

[Peer]
PublicKey = Ep24***VMCs=
PresharedKey = BE1w***Q1QM=
AllowedIPs = 0.0.0.0/0
Endpoint = 104.254.90.34:51820
PersistentKeepalive = 25

I left a few starting and end characters for the public key and preshared key if anyone wants to compare to theirs.

ksurl avatar Aug 24 '21 01:08 ksurl

Checked with mine:

[Peer]
PublicKey = Ep24***VMCs=
PresharedKey = RscT***N5qU=
AllowedIPs = 0.0.0.0/0
Endpoint = 104.254.90.34:51820
PersistentKeepalive = 25

The PublicKey and Endpoint are the same but the PresharedKey is different. But when I generated a second conf for the same city again:

[Peer]
PublicKey = +riT***9LB0=
PresharedKey = 2qG3***3SUI=
AllowedIPs = 0.0.0.0/0
Endpoint = 104.254.90.58:51820
PersistentKeepalive = 25

Different values for everything, including Endpoint. Must be multiple servers and each has its own values.

jathek avatar Aug 24 '21 05:08 jathek

@romainguinot

Do you know if there is anything to consider regarding the private key rotation, or is it not considered necessary?

No idea. Does Mullvad rotate private keys, or are you trying to rotate private keys yourself? It could be an interesting feature such as i.e. have WIREGUARD_PRIVATE_KEY accept a comma separated list of keys and restart wireguard periodically to rotate them, although probably not a priority for now. I added it to the Extra todos section up there.

@qdm12 I have noticed that sometimes Mullvad rotates the key by registering a new key and retiring the previous one themselves through their mobile app or desktop client.

I was therefore wondering if there was a "best practice" to recycle keys after some duration, or if that isn't necessary / justified by the protocol. I didn't find any documentation regarding their API though.

In any case if that's necessary, one can generate a new key, update the env var manually every 6 months or so for example.

romainguinot avatar Aug 24 '21 15:08 romainguinot

Thanks @nearcatch and @ksurl for your help. Alright, it will have to be through a custom configuration file then. Maybe one day I can hack together something to imitate what their website API does (log in, then generate a config using parameters etc.), but that could also break at anytime they change it, so not that ideal either.

I've updated the order to Torguard+VPN Unlimited first (custom config file), then PIA (as it's quite the API gymnastics), then Surfshark+NordVPN (use proprietary app to extract config)

@romainguinot interesting. I'll check what API endpoint they use on their website to register a Wireguard public key, and we could use that to generate keys within gluetun and register them. I added that to the list of extra todos.

For Windscribe and IVPN users, is it possible that you register your own Wireguard public key somewhere, even on their website? Although again, that's also risky as it might break whenever they decide to change the API / website. EDIT: so we should keep it optional 😉

qdm12 avatar Aug 24 '21 15:08 qdm12

Looking forward to use WireGuard out of the box with nordVPN.

pratikbin avatar Aug 25 '21 02:08 pratikbin

@romainguinot interesting. I'll check what API endpoint they use on their website to register a Wireguard public key, and we could use that to generate keys within gluetun and register them. I added that to the list of extra todos.

Thanks! I found this script which could be helpful: https://github.com/DanielG/dxld-mullvad/blob/master/mullvad-wg-netns.sh Would be real nice if it could rotate the key with a cron expression or similar supplied as an env var.

I don't know if the other containers that are routed through gluetun's container network would need to be also restarted if the key is rotated. For now I've noticed that dependent containers need to be restarted if gluetun's container is restarted or if the connection is manually taken down for a test, but everything has been working fine since I put it in place.

romainguinot avatar Aug 27 '21 17:08 romainguinot

@qdm12 Thanks so much for your work on Wireguard! I'm using it with Mullvad and it's working great. I just had a question: is IPv6 tunnelling supported? Can I add the IPv6 subnet from my Mullvad config file to the WIREGUARD_ADDRESS variable in docker-compose?

stoli412 avatar Aug 27 '21 18:08 stoli412

@romainguinot Nice, I'll have a look later, thanks for the research!

would need to be also restarted if the key is rotated

No, I can just restart Wireguard from within gluetun without a container restart to rotate keys. You can already try restarting wireguard with the http control server (well it's the /v1/openvpn route but oh well, we need a v4.x.x some time)...

@stoli412 Thanks! For now, it has ::/0 in the Wireguard allowed IPs but it only sets a route for IPv4. For now AFAIK, the firewall blocks ipv6 so it doesn't leak. As a consequence, I'm not sure if it tunnels IPv6 through Wireguard or just blocks it. If your host supports IPv6 (mine doesn't, shame on me!), let me know if it does or doesn't tunnel it (with some online tests I guess?). If it doesn't / is blocked by the firewall, please create another issue and I'll address it. And for WIREGUARD_ADDRESS, well have a Go and see 😄 I haven't tried myself!

qdm12 avatar Aug 27 '21 19:08 qdm12

The home page says

ANNOUNCEMENT: Wireguard is now supported for all providers supporting it!

Does this mean that I can now use the .conf file provided by TorGuard to create a WireGuard VPN tunnel?

Right now I am getting the following error: 2021/08/28 19:33:52 ERROR cannot read VPN settings: cannot read provider settings: environment variable VPNSP: value is not within the accepted values: torguard: it can only be one of: mullvad, windscribe, ivpn

Astroamadeus avatar Aug 28 '21 17:08 Astroamadeus

The home page says

ANNOUNCEMENT: Wireguard is now supported for all providers supporting it!

Does this mean that I can now use the .conf file provided by TorGuard to create a WireGuard VPN tunnel?

Right now I am getting the following error: 2021/08/28 19:33:52 ERROR cannot read VPN settings: cannot read provider settings: environment variable VPNSP: value is not within the accepted values: torguard: it can only be one of: mullvad, windscribe, ivpn

Where are you seeing that? The readme says "Supports Wireguard for Mullvad, Ivpn and Windscribe (more in progress, see #134)"

Edit: I see it now near the top. Good point, that should be removed or updated to reflect the current status. Maybe link to the progress at the top of this thread.

ksurl avatar Aug 28 '21 17:08 ksurl

Hey @qdm12 thanks for the great work on this!!

I've just tested with Mullvad and it seems that a commit between the :wireguard branch last week and the :latest (possibly the one earlier today) seems to have broken the WIREGUARD_ADDRESS parameter parsing, in my case anyway.

When using :wireguard I'm up and running fine, but when flipping to :latest (docker cache flushed) I'm receiving the following error:

ERROR vpn: failed creating Wireguard: interface address is missing

I've tried using some CSV based on the description of the latest commit (i.e. multiple values of the same wireguard CIDR address, just in case that worked) but doesn't seem to change things. Tested from both Docker command line and docker-compose with same results.

Most previous tests used the following commands:

docker run -it --rm --name gluetun-test --cap-add=NET_ADMIN -e VPNSP=mullvad -e VPN_TYPE=wireguard -e WIREGUARD_PRIVATE_KEY="my priv key from Mullvad config file" -e WIREGUARD_ADDRESS="10.64.x.y/32" qmcgaw/gluetun:latest

docker run -it --rm --name gluetun-test --cap-add=NET_ADMIN -e VPNSP=mullvad -e VPN_TYPE=wireguard -e WIREGUARD_PRIVATE_KEY="my priv key from Mullvad config file" -e WIREGUARD_ADDRESS="10.64.x.y/32,10.64.x.y/32,10.64.x.y/32" qmcgaw/gluetun:latest

But when running the above using :wireguard it works just fine.

harrytheeskimo avatar Aug 28 '21 20:08 harrytheeskimo

@harrytheeskimo thanks for reporting the issue! It's fixed now (still building) with https://github.com/qdm12/gluetun/commit/61afdce788c8eb8896bb15a3276808ac819055f5

qdm12 avatar Aug 28 '21 21:08 qdm12

@harrytheeskimo thanks for reporting the issue! It's fixed now (still building) with 61afdce

That did it - all working now, thanks!

harrytheeskimo avatar Aug 29 '21 00:08 harrytheeskimo

I rebased to the "latest" branch a few days ago and all still works fine with wireguard support. Thanks again for the work !

romainguinot avatar Sep 03 '21 19:09 romainguinot

I think support needs to be added to the http api for wireguard? I tried toggling the vpn using the api and it appeared to toggle off fine but got {"outcome":"crashed"} when I tried turning it back on.

jathek avatar Sep 04 '21 06:09 jathek

@qdm12 Hi, what's the Wireguard support situation for CyberGhost VPN?

VMax2 avatar Sep 04 '21 12:09 VMax2

I tried toggling the vpn using the api and it appeared to toggle off fine

That's a bug, I'll check. EDIT: definitely a bug, the tun device doesn't seem to be created on the 2nd run.

Also yes the api should be changed somehow since openvpn and wireguard run in the same 'loop', so that http route should be renamed to vpn instead of openvpn

@VMax2 can you ask cyberghost support if they support manual wireguard or if you can download wireguard configs? If you can, can you attach some wireguard config files as a zip here please? Don't forget to remove the Private Key and Preshared key.

qdm12 avatar Sep 04 '21 13:09 qdm12

@nearcatch It should be fixed by 82ac568ee349992ae4c592ee5d24908a3780be75 in the :latest image. It was the Wireguard link wg0 not being shutdown & removed properly, so it would prevent a second one from taking its place. Thanks for letting me know.

EDIT: Everyone if you find a Wireguard issue in the future, please create an issue instead of commenting here as this one is getting quite long already 😄

qdm12 avatar Sep 04 '21 22:09 qdm12

@qdm12 Of course I will, but I wouldn't be so confident that they supply a manual method. I searched their site and so far I have only found that the sole way of using the Wireguard protocol (it's the same for Linux and Windows) is by using their app... I will update you here as soon as they reply to me.

VMax2 avatar Sep 05 '21 00:09 VMax2

@qdm12 As I was supposing... nothing to do for now. They told me that they are planning to provide a manual method in the near future, but at the moment the only way to use the Wireguard protocol is through their app... :(

VMax2 avatar Sep 07 '21 08:09 VMax2

@qdm12 any news on Torguard support? It says use custom config but I can't find any information on how to use a custom config. Thank you for all your work on this. I'm really looking forward to being able to use wireguard in the future. If you need beta testing I'm more than happy to do so.

Akirainblack avatar Sep 10 '21 08:09 Akirainblack

@Akirainblack Custom config is not yet supported. I understood same as you when I first read this. You need a Torguard custom config and gluetun needs to support it. I ended up using the linuxserver.io wireguard docker image and route traffic from other containers to it. Works very well and easy setup.

Jonathan34 avatar Sep 10 '21 13:09 Jonathan34

@Jonathan34 Thank you. Yes, sadly that doesn't work on my Synology as a client (I have it running as a server so I can connect back in when I'm away from home) and they refuse to support a Synology device using Wireguard. I've been led to believe this container does work.

Akirainblack avatar Sep 10 '21 14:09 Akirainblack

I'm adding support for wireguard config files now, it should work on older kernels without wireguard too. I'll comment back with an image tag to try.

qdm12 avatar Sep 10 '21 15:09 qdm12

@qdm12 wonderful.. I would love to say I'll wait patiently.. BUT I'd be lying. ;)

Akirainblack avatar Sep 10 '21 15:09 Akirainblack

@Akirainblack 😅

Torguard and VPN Unlimited

EDIT: See https://github.com/qdm12/gluetun/issues/134#issuecomment-918521952

qmcgaw/gluetun:wireguard-test adds environment variables for Torguard and VPN Unlimited only WIREGUARD_ENDPOINT_IP and WIREGUARD_PUBLIC_KEY which should allow you to copy paste values from your config file as env variables, together with existing variables.

docker pull qmcgaw/gluetun:wireguard-test
docker run -it --rm --cap-add=NET_ADMIN -e VPNSP=torguard -e VPN_TYPE=wireguard -e WIREGUARD_ENDPOINT_IP=1.2.3.4 -e WIREGUARD_PORT=51820 -e WIREGUARD_PUBLIC_KEY=blabla -e WIREGUARD_ADDRESS="5.6.7.8/32" -e WIREGUARD_PRIVATE_KEY=blabla -e WIREGUARD_PRESHARED_KEY=blabla qmcgaw/gluetun

Substitute torguard with vpn unlimited if you need to, as well as the other env variables values.

⚠️ This will not make it to the master branch. Instead I'm solving #611 which will allow the exact same usage but using VPNSP=custom so it is VPN provider independent. Feel free to subscribe to it to know when it's in the master branch (latest image).

Cyberghost, NordVPN, Surfshark and WeVPN

EDIT: See https://github.com/qdm12/gluetun/issues/134#issuecomment-918521952

  • Subscribe and comment on #611 to reduce noise here.
  • I'll add a VPNSP=custom value for both OpenVPN and Wireguard to use custom configurations (from env first, from files later with #610)
  • I'll leave the responsibility to extract the Wireguard configuration files from their app to the users for now

Config files

Subscribe to #610 for support of Wireguard configuration files, with a bunch of side features.

PIA

Subscribe to and comment on #612 which sums up everything everyone said about it for now. PIA is next on my list so that should be resolved soon.

qdm12 avatar Sep 10 '21 19:09 qdm12

Sadly doesn't appear to be working for me at the moment:

2021/09/12 10:10:36 INFO vpn: Wireguard is up,
2021/09/12 10:10:45 ERROR ip getter: Get "https://ipinfo.io/ip": dial tcp: lookup ipinfo.io on 1.1.1.1:53: read udp <externalIP>:54798->1.1.1.1:53: i/o timeout,
2021/09/12 10:10:25 INFO vpn: Wireguard is up,
2021/09/12 10:10:36 INFO vpn: starting,
2021/09/12 10:10:25 INFO dns over tls: downloading DNS over TLS cryptographic files,
2021/09/12 10:10:35 WARN dns over tls: cannot update files,
2021/09/12 10:10:35 INFO dns over tls: attempting restart in 10s,
2021/09/12 10:10:36 INFO healthcheck: program has been unhealthy for 6s: restarting OpenVPN,
2021/09/12 10:10:36 INFO vpn: stopping,
2021/09/12 10:10:36 ERROR vpn: cannot get version information: Get "https://api.github.com/repos/qdm12/gluetun/releases": context canceled,
2021/09/12 10:10:36 INFO firewall: setting VPN connection through firewall...,
2021/09/12 10:10:45 INFO dns over tls: downloading DNS over TLS cryptographic files,
2021/09/12 10:10:45 INFO ip getter: retrying in 5s,
2021/09/12 10:10:47 INFO healthcheck: program has been unhealthy for 11s: restarting OpenVPN,
2021/09/12 10:10:47 INFO vpn: stopping,
2021/09/12 10:10:47 ERROR vpn: Failed to read packet from TUN device: read /dev/net/tun: not pollable,
2021/09/12 10:10:47 INFO vpn: starting

Akirainblack avatar Sep 12 '21 09:09 Akirainblack

@Akirainblack can you pull the :wireguard-test image and try again?

Referring to https://github.com/golang/go/issues/38618, I added 19bf62c21f460fa9dec8f4949c80e51036fd2435 which might solve your TUN device issue.

qdm12 avatar Sep 12 '21 13:09 qdm12

(Edit by qdm12) See #617

TheNexter avatar Sep 12 '21 21:09 TheNexter

@TheNexter that's a different issue, I created https://github.com/qdm12/gluetun/issues/617 for you with an additional question, please continue the discussion here, thanks! I'll remove your comment above.

qdm12 avatar Sep 12 '21 21:09 qdm12

Wireguard comes up but still fails to download updates, version info or check IP.

Akirainblack avatar Sep 13 '21 06:09 Akirainblack

@qdm12 I noticed in the main post on the issue you were looking for a Mullvad API, unsure if you're still looking but there's something mentioned in their docs about this:

Getting an IP to use with Mullvad

While connected to the router using ssh:

First install curl: opkg update && opkg install curl

curl https://api.mullvad.net/wg/ -d account=YOURMULLVADACCOUNTNUMBER --data-urlencode pubkey=YOURPUBLICKEY

The IP address to use with Mullvad will be returned.

The endpoint https://api.mullvad.net/wg/ then returns a comma-separated list of IP ranges that are applicable to the provided public key. On my end, it returned an IPv4 range (/32) and an IPv6 range (/128).

There's also an API endpoint for pushing wireguard keys I found in the source code of the Mullvad application foundation code base here: https://github.com/mullvad/mullvadvpn-app/blob/584a4f31cb64a4b02f81a2bade1fa99eeb4d98ca/mullvad-rpc/src/lib.rs#L394 (there's also some in the iOS swift code as well that implement this same API)

It looks like it hits an endpoint at: https://api.mullvad.net/v1/wireguard-keys (or at least I believe) with a POST request with a format that might be:

{
    "pubkey": "public_key_content"
}

There's also a replace, get and remove endpoint, if we're looking to rotate a key, maybe the https://api.mullvad.net/v1/replace-wireguard-key might be a good one to use.

It looks like it takes in a request body similar to this:

{
    "old": "public_key_to_remove",
    "new": "public_key_to_add"
}

Pretty much all of this seems to be encapsulated under the mullvad-rpc crate they have in the main application repository, but it doesn't seem to contain any documentation I can find on how to use this API. It looks like an auth token is set on the Authorization header as "Authorization: Token xxxxx", but I can't seem to get any of the endpoints to respond correctly; it looks like it might require public key pinning to access without it 404ing.

Alternatively, there's the website API which is accessible under: https://api.mullvad.net/www

You can create a session using: GET https://api.mullvad.net/www/accounts/{account_number}

In this the response returns an auth_token variable that you set on your Authorization header when performing other actions, it all looks to return information about your configured wireguard keys and their associated IP addresses.

It also looks like there's a "https://api.mullvad.net/www/wg-pubkeys/add/" POST endpoint you can send a request like the following:

{
    "pubkey": "public_key"
}

And it should return a response with the ipv4 and ipv6 range associated with that public key.

Then there's "https://api.mullvad.net/www/wg-pubkeys/revoke/" POST endpoint which can remove a public key, it has the same body as the above.

All of these seem to work fine when querying them using cURL, so they should work fine programmatically, albeit could be unstable since they're undocumented and not open-sourced.

It might also be worth reaching out to Mullvad and seeing if they can't provide some documentation for their REST API they use in their app.

Sn0wCrack avatar Sep 13 '21 10:09 Sn0wCrack

@Akirainblack can you please create another issue with logs when running with -e LOG_LEVEL=debug -e HEALTH_VPN_DURATION_INITIAL=100s please?

@Sn0wCrack that's awesome work 💯! I linked it in the main issue body. I will set it up in Gluetun using their www api such that it's optional to generate keys and communicate with their API to rotate keys. That way if it's unstable / they break the API on their end, it's still fine and you can use a private key you set manually as we do now.

qdm12 avatar Sep 13 '21 17:09 qdm12

Pulled latest wireguard-test and added those 2 env variables:

2021/09/13 19:47:45 DEBUG wireguard: peer(XYkH…krGs) - UAPI: Adding allowedip,
2021/09/13 19:47:45 DEBUG wireguard: peer(XYkH…krGs) - Routine: sequential receiver - started,
2021/09/13 19:47:45 DEBUG wireguard: peer(XYkH…krGs) - Routine: sequential sender - started,
2021/09/13 19:47:45 DEBUG wireguard: Interface up requested,
2021/09/13 19:47:45 INFO wireguard: Wireguard is up,
2021/09/13 19:47:45 INFO dns over tls: downloading DNS over TLS cryptographic files,
2021/09/13 19:47:50 DEBUG wireguard: peer(XYkH…krGs) - Sending handshake initiation,
2021/09/13 19:47:45 DEBUG wireguard: peer(XYkH…krGs) - Sending handshake initiation,
2021/09/13 19:47:55 INFO dns over tls: attempting restart in 10s,
2021/09/13 19:47:55 WARN dns over tls: cannot update files,
2021/09/13 19:47:55 DEBUG wireguard: peer(XYkH…krGs) - Sending handshake initiation,
2021/09/13 19:48:05 INFO dns over tls: downloading DNS over TLS cryptographic files,
2021/09/13 19:48:00 DEBUG wireguard: peer(XYkH…krGs) - Sending handshake initiation,
2021/09/13 19:48:05 ERROR vpn: cannot get version information: Get "https://api.github.com/repos/qdm12/gluetun/releases": dial tcp: lookup api.github.com on 1.1.1.1:53: read udp 10.13.64.61:50124->1.1.1.1:53: i/o timeout,
2021/09/13 19:48:05 ERROR ip getter: Get "https://ipinfo.io/ip": dial tcp: lookup ipinfo.io on 1.1.1.1:53: read udp 10.13.64.61:46584->1.1.1.1:53: i/o timeout,
2021/09/13 19:48:05 INFO ip getter: retrying in 5s,
2021/09/13 19:48:06 DEBUG wireguard: peer(XYkH…krGs) - Handshake did not complete after 5 seconds, retrying (try 2),
2021/09/13 19:48:06 DEBUG wireguard: peer(XYkH…krGs) - Sending handshake initiation

Akirainblack avatar Sep 13 '21 18:09 Akirainblack

@Akirainblack please create another issue as I mentioned above to avoid spamming here (your comment is hidden as off topic).

Torguard, VPN Unlimited and WeVPN users, https://github.com/qdm12/gluetun/commit/8645d978ba84b68a012356a0e5d40a770d487803 adds support to run with:

docker run -it --rm --cap-add=NET_ADMIN -e VPNSP=custom -e VPN_TYPE=wireguard \
-e WIREGUARD_ENDPOINT_IP=86.106.143.67 -e WIREGUARD_PORT=51820 \
-e WIREGUARD_PUBLIC_KEY="5FXy0/tMXj/TYKVj9PHJ42lCpbWP4qLAOpLZa6FnsRw="  \
-e WIREGUARD_ADDRESS="11.48.216.37/32" \
-e WIREGUARD_PRIVATE_KEY="OFf8G73HKurisHXAUmrXxU5C0VD50EMn3N9KAbut/1k=" \
qmcgaw/gluetun

I tested it with Mullvad and it works. If yours doesn't work, it's another problem so please create another issue NOT HERE.

NordVPN, Cyberghost and Surfshark for now you'll have to extract the Wireguard config yourself using their application, if you want to plug it in Gluetun, and it should work (assuming the protocol is still the actual Wireguard protocol). I'll eventually develop some Docker images to extract it more easily later down the line.

qdm12 avatar Sep 13 '21 19:09 qdm12
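The two tasks in this thread that keep coming up are (a) the four-point comparison of several configs from one account (Address, PrivateKey, PresharedKey, endpoint port) to decide whether env variables can carry the values or a per-server config file is needed, and (b) copying a config file's values into the VPNSP=custom variables from the docker run above. The following is an added example, not gluetun's own code and not posted by anyone here: a small WireGuard .conf parser with both tasks on top of it. The sample configs are constructed; only the two Toronto endpoint IPs come from this thread, every key and client address is a fake placeholder. It assumes WIREGUARD_ENDPOINT_IP accepts only an IP literal (as in the example above), so a hostname endpoint is rejected rather than silently passed through.

```python
"""Parse WireGuard .conf files, apply the four-point comparison from this thread
across several of them, and map one file onto the VPNSP=custom environment
variables shown above.  Added example, not gluetun code."""
import ipaddress
from typing import Dict, List, Set, Tuple

WgConf = Dict[str, Dict[str, str]]

# Constructed samples: the two endpoint IPs are the Toronto addresses quoted in
# this thread; every key and client address is a fake placeholder.
SAMPLE_A = """
[Interface]
PrivateKey = FAKE_CLIENT_PRIVATE_KEY_A_000000000000000000=
Address = 10.100.1.2/32
DNS = 10.100.0.1

[Peer]
PublicKey = FAKE_SERVER_PUBLIC_KEY_000000000000000000000=
PresharedKey = FAKE_PRESHARED_KEY_A_000000000000000000000=
AllowedIPs = 0.0.0.0/0
Endpoint = 104.254.90.34:51820
PersistentKeepalive = 25
"""
SAMPLE_B = (SAMPLE_A.replace("KEY_A", "KEY_B")
            .replace("10.100.1.2", "10.100.3.4")
            .replace("104.254.90.34", "104.254.90.58"))
SAMPLE_HOSTNAME = SAMPLE_A.replace("104.254.90.34:51820", "vpn.example.invalid:51820")


def parse_wg_conf(text: str) -> WgConf:
    """Minimal INI-style parser for a single-peer config; values are split on
    the first '=' only, so base64 padding at the end of keys survives."""
    conf: WgConf = {}
    section = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip()
            conf.setdefault(section, {})
        elif "=" in line and section is not None:
            key, value = line.split("=", 1)
            conf[section][key.strip()] = value.strip()
        else:
            raise ValueError(f"unexpected line in WireGuard config: {raw!r}")
    return conf


def redact(value: str, head: int = 4, tail: int = 5) -> str:
    """Keep a short prefix and suffix of a key so people can compare without
    disclosing it, the way keys were shared in this thread."""
    return value[:head] + "***" + value[-tail:] if len(value) > head + tail else "***"


def differing_fields(confs: List[WgConf]) -> Set[Tuple[str, str]]:
    """(section, key) pairs whose value is not identical across all configs;
    a key missing from one config counts as a difference."""
    keys = {(s, k) for c in confs for s, sec in c.items() for k in sec}
    return {(s, k) for s, k in keys if len({c.get(s, {}).get(k) for c in confs}) > 1}


def endpoint_split(conf: WgConf) -> Tuple[str, str]:
    host, _, port = conf["Peer"]["Endpoint"].rpartition(":")
    return host.strip("[]"), port       # brackets only appear around an IPv6 literal


def endpoint_is_ip(conf: WgConf) -> bool:
    try:
        ipaddress.ip_address(endpoint_split(conf)[0])
        return True
    except ValueError:
        return False


def needs_custom_config(confs: List[WgConf]) -> bool:
    """The checklist from this thread: if Address, PrivateKey or PresharedKey
    differ between one account's configs, or the endpoint port does, the values
    are per server and only a per-server config file can carry them."""
    diffs = differing_fields(confs)
    per_account = [("Interface", "Address"), ("Interface", "PrivateKey"), ("Peer", "PresharedKey")]
    if any(f in diffs for f in per_account):
        return True
    return len({endpoint_split(c)[1] for c in confs}) > 1


def to_gluetun_env(conf: WgConf) -> Dict[str, str]:
    """Map one config onto the VPNSP=custom variables from this thread.
    Assumption: WIREGUARD_ENDPOINT_IP takes an IP literal only."""
    if not endpoint_is_ip(conf):
        raise ValueError("endpoint is a hostname; resolve it to an IP first")
    host, port = endpoint_split(conf)
    iface, peer = conf["Interface"], conf["Peer"]
    env = {"VPNSP": "custom", "VPN_TYPE": "wireguard",
           "WIREGUARD_ENDPOINT_IP": host, "WIREGUARD_PORT": port,
           "WIREGUARD_PUBLIC_KEY": peer["PublicKey"],
           "WIREGUARD_ADDRESS": iface["Address"],
           "WIREGUARD_PRIVATE_KEY": iface["PrivateKey"]}
    if "PresharedKey" in peer:              # optional in a WireGuard config
        env["WIREGUARD_PRESHARED_KEY"] = peer["PresharedKey"]
    return env


if __name__ == "__main__":
    confs = [parse_wg_conf(SAMPLE_A), parse_wg_conf(SAMPLE_B)]
    for section, key in sorted(differing_fields(confs)):
        print(f"differs: [{section}] {key}")
    print("custom config file needed:", needs_custom_config(confs))
    for k, v in to_gluetun_env(confs[0]).items():   # never print key material in full
        print(f"-e {k}={redact(v) if 'KEY' in k else v}")
```

Endpoint *address* differences are expected between servers and are deliberately left out of `needs_custom_config`; only the port is compared, matching item 4 of the checklist. The redaction helper keeps the same four-leading / five-trailing characters people used above so outputs stay comparable across accounts.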

@qdm12 I hope the ip, private key and public key above have been deleted or are fake, otherwise, I suggest you generate a new ones.

Jonathan34 avatar Sep 13 '21 20:09 Jonathan34

They are not fake, but generated just for the comment 🤓 Except the public key because it's public hehe

qdm12 avatar Sep 13 '21 20:09 qdm12

@blckwhtx and @nearcatch can you please comment on #617 if Windscribe+wireguard still works for you with the latest image please? Thanks!!

qdm12 avatar Sep 13 '21 23:09 qdm12

Ran some speedtests (finally duh) to compare Wireguard and OpenVPN: https://github.com/qdm12/gluetun/wiki/Wireguard#performance

TLDR; Wireguard doesn't really increase bandwidth performance 😢

Does anyone use a Raspberry Pi (or other Linux low power device) and could do a speedtest with that command mentioned in the Wiki to a nearby server? I need Docker on my phone, now that I'm thinking about it 😄

qdm12 avatar Sep 14 '21 13:09 qdm12

@blckwhtx and @nearcatch can you please comment on #617 if Windscribe+wireguard still works for you with the latest image please? Thanks!!

It's been working all the time

bozzfozz avatar Sep 14 '21 14:09 bozzfozz

@blckwhtx and @nearcatch can you please comment on #617 if Windscribe+wireguard still works for you with the latest image please? Thanks!!

It's been working all the time

It works for me on both systems (synology / ubuntu)

bozzfozz avatar Sep 14 '21 15:09 bozzfozz

I tested on vpnunlimited and this is what I needed to use in docker-compose file to get it to start, but it keeps failing to get public ip so it bootloops

environment:
  - VPNSP=vpn unlimited
  - VPN_TYPE=wireguard
  - WIREGUARD_ENDPOINT_IP=$ENDPOINT_IP
  - WIREGUARD_PORT=51820
  - "WIREGUARD_PUBLIC_KEY=$PUBLIC_KEY"
  - WIREGUARD_ADDRESS=$IP
  - "WIREGUARD_PRESHARED_KEY=$PRESHARED_KEY"
  - "WIREGUARD_PRIVATE_KEY=$PRIVATE_KEY"
log
  2021/09/22 19:22:28 INFO routing: default route found: interface eth0, gateway 172.17.0.1,
  2021/09/22 19:22:28 INFO routing: local ethernet link found: eth0,
  2021/09/22 19:22:28 INFO routing: local ipnet found: 172.17.0.0/16,
  2021/09/22 19:22:28 INFO routing: default route found: interface eth0, gateway 172.17.0.1,
  2021/09/22 19:22:28 INFO routing: adding route for 0.0.0.0/0,
  2021/09/22 19:22:28 INFO firewall: firewall disabled, only updating allowed subnets internal list,
  2021/09/22 19:22:28 INFO routing: default route found: interface eth0, gateway 172.17.0.1,
  2021/09/22 19:22:28 INFO firewall: enabling...,
  2021/09/22 19:22:28 INFO firewall: enabled successfully,
  2021/09/22 19:22:28 INFO dns over tls: using plaintext DNS at address 1.1.1.1,
  2021/09/22 19:22:28 INFO firewall: setting VPN connection through firewall...,
  2021/09/22 19:22:28 INFO http server: listening on :8000,
  2021/09/22 19:22:28 INFO healthcheck: listening on 127.0.0.1:9999,
  2021/09/22 19:22:28 INFO wireguard: Wireguard is up,
  2021/09/22 19:22:28 INFO dns over tls: downloading DNS over TLS cryptographic files,
  2021/09/22 19:22:43 WARN dns over tls: cannot update files,
  2021/09/22 19:22:43 INFO dns over tls: attempting restart in 10s,
  2021/09/22 19:22:49 INFO healthcheck: program has been unhealthy for 6s: restarting VPN,
  2021/09/22 19:22:49 INFO vpn: stopping,
  2021/09/22 19:22:49 ERROR vpn: cannot get version information: Get "https://api.github.com/repos/qdm12/gluetun/releases": context canceled,
  2021/09/22 19:22:49 INFO vpn: starting,
  2021/09/22 19:22:49 INFO firewall: setting VPN connection through firewall...,
  2021/09/22 19:22:49 INFO wireguard: Wireguard is up,
  2021/09/22 19:22:53 INFO dns over tls: downloading DNS over TLS cryptographic files,
  2021/09/22 19:22:58 ERROR ip getter: Get "https://api.ipify.org": context deadline exceeded (Client.Timeout exceeded while awaiting headers),
  2021/09/22 19:22:58 INFO ip getter: retrying in 5s,
  2021/09/22 19:23:08 WARN dns over tls: cannot update files,
  2021/09/22 19:23:08 INFO dns over tls: attempting restart in 20s,
  2021/09/22 19:23:09 INFO healthcheck: program has been unhealthy for 11s: restarting VPN,
  2021/09/22 19:23:09 INFO vpn: stopping,
  2021/09/22 19:23:09 INFO vpn: starting,
  ...

ksurl avatar Sep 23 '21 02:09 ksurl
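Both log excerpts in this thread (the debug one with the repeated "Sending handshake initiation" lines, and this one with the healthcheck restart loop) show the same pattern: "Wireguard is up" is logged, yet nothing reaches the internet. The following is an added example, not gluetun code and not posted by anyone here: a triage script that sorts a pasted excerpt by timestamp (the pastes above are not in chronological order), counts the signals that matter and names the failure mode. The sample lines are copied from the two excerpts above, with the peer key already redacted there; the diagnosis codes and hints are my own.

```python
"""Sort a pasted gluetun log excerpt by timestamp, count the WireGuard-relevant
signals and name the failure mode.  Added example, not gluetun code; the sample
lines are copied from the two excerpts in this thread."""
import re
from datetime import datetime
from typing import Dict, List, Optional, Tuple

LINE_RE = re.compile(
    r"^\s*(\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) (DEBUG|INFO|WARN|ERROR) (.*?),?\s*$")

SIGNALS = {  # message fragments that carry diagnostic weight
    "tunnel_up": re.compile(r"Wireguard is up"),
    "handshake_retry": re.compile(r"Handshake did not complete"),
    "tun_read_failure": re.compile(r"read /dev/net/tun"),
    "upstream_failure": re.compile(r"i/o timeout|context deadline exceeded|cannot update files"),
    "healthcheck_restart": re.compile(r"healthcheck: program has been unhealthy"),
}

HINTS = {
    "TUN_READ_FAILURE": "the userspace tunnel could not read /dev/net/tun: a device problem, not a key problem",
    "TUNNEL_NEVER_UP": "Wireguard never came up; read the ERROR lines before the first restart",
    "HANDSHAKE_NEVER_COMPLETED": "interface configured but the peer never answered: check endpoint IP/port, "
                                 "server public key, preshared key and that UDP to the endpoint leaves the host",
    "UP_BUT_NO_TRAFFIC": "'Wireguard is up' only means the interface exists; WireGuard stays silent on a key it "
                         "rejects, so apply the same checks, plus the host firewall",
    "OK": "no failure signals in this excerpt",
}

Event = Tuple[datetime, str, str]

# Copied from the debug excerpt above (note the first line is out of order).
DEBUG_EXCERPT = [
    "2021/09/13 19:47:50 DEBUG wireguard: peer(XYkH…krGs) - Sending handshake initiation,",
    "2021/09/13 19:47:45 INFO wireguard: Wireguard is up,",
    "2021/09/13 19:47:55 WARN dns over tls: cannot update files,",
    '2021/09/13 19:48:05 ERROR ip getter: Get "https://ipinfo.io/ip": dial tcp: lookup ipinfo.io on 1.1.1.1:53: read udp 10.13.64.61:46584->1.1.1.1:53: i/o timeout,',
    "2021/09/13 19:48:06 DEBUG wireguard: peer(XYkH…krGs) - Handshake did not complete after 5 seconds, retrying (try 2),",
]
# Copied from the restart-loop excerpt above.
RESTART_EXCERPT = [
    "  2021/09/22 19:22:28 INFO wireguard: Wireguard is up,",
    "  2021/09/22 19:22:43 WARN dns over tls: cannot update files,",
    "  2021/09/22 19:22:49 INFO healthcheck: program has been unhealthy for 6s: restarting VPN,",
    "  2021/09/22 19:22:49 INFO vpn: stopping,",
    "  2021/09/22 19:22:49 INFO wireguard: Wireguard is up,",
    '  2021/09/22 19:22:58 ERROR ip getter: Get "https://api.ipify.org": context deadline exceeded (Client.Timeout exceeded while awaiting headers),',
    "  2021/09/22 19:23:09 INFO healthcheck: program has been unhealthy for 11s: restarting VPN,",
    "  ...",
]


def parse_log(lines: List[str]) -> List[Event]:
    """Keep only timestamped gluetun lines, then sort them chronologically."""
    events = []
    for line in lines:
        m = LINE_RE.match(line)
        if m:
            events.append((datetime.strptime(m.group(1), "%Y/%m/%d %H:%M:%S"),
                           m.group(2), m.group(3)))
    return sorted(events, key=lambda e: e[0])


def triage(lines: List[str]) -> Dict[str, object]:
    events = parse_log(lines)
    counts = {n: sum(1 for _, _, msg in events if rx.search(msg)) for n, rx in SIGNALS.items()}
    first: Dict[str, Optional[datetime]] = {
        n: next((ts for ts, _, msg in events if rx.search(msg)), None) for n, rx in SIGNALS.items()}
    if counts["tun_read_failure"]:
        code = "TUN_READ_FAILURE"
    elif not counts["tunnel_up"]:
        code = "TUNNEL_NEVER_UP"
    elif counts["handshake_retry"]:           # only visible at LOG_LEVEL=debug
        code = "HANDSHAKE_NEVER_COMPLETED"
    elif counts["upstream_failure"] or counts["healthcheck_restart"]:
        code = "UP_BUT_NO_TRAFFIC"
    else:
        code = "OK"
    seconds = None
    if first["tunnel_up"] and first["healthcheck_restart"]:
        seconds = (first["healthcheck_restart"] - first["tunnel_up"]).total_seconds()
    return {"diagnosis": code, "hint": HINTS[code], "counts": counts,
            "restart_loop": counts["healthcheck_restart"] >= 2,
            "seconds_to_first_restart": seconds}


if __name__ == "__main__":
    for name, excerpt in (("debug", DEBUG_EXCERPT), ("restart loop", RESTART_EXCERPT)):
        r = triage(excerpt)
        print(f"{name}: {r['diagnosis']} (restart loop: {r['restart_loop']}) - {r['hint']}")
```

The ordering of the checks matters: the handshake retry line is only present at LOG_LEVEL=debug, which is why an INFO-level paste can only be classified as "up but no traffic"; that is also the reason the request above for debug logs is the right first step for this kind of report.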

Hi, I'm using Surfshark. They don't provide a manual config, but after sniffing their app I can get it working manually.

  1. Login to Surfshark API

    • url: https://api.surfshark.com/v1/auth/login
    • method: POST
    • body: {username: "[email protected]", password: "yourPassword"}
    • response: {token: "eyJ0e...", renewToken: "eyJ..."}
  2. Send your public key to the Surfshark API

    • url: https://api.surfshark.com/v1/account/users/public-keys
    • method: POST
    • body: {pubKey: "your public key" }
    • headers: {Authorization: "Bearer RESPONSE TOKEN OF LOGIN"}
  3. Use config file

    [Interface]
    Address=10.14.0.2/8
    PrivateKey=GAJb1kd/y6vPJsM11yKBI/NPvsUzKaST4+G2xHUWaFh=
    ListenPort=51820
    
    [Peer]
    PublicKey=IFTVXxhLEqVgZI/JGOPRtmrNUQW1DNljeBe8Ys7v90A=
    Endpoint=br-sao.prod.surfshark.com:51820
    AllowedIPs=0.0.0.0/0
    PersistentKeepAlive=25
    

You can get your server public key from their API, each server has a different public key

{
    "country": "Brazil",
    "countryCode": "BR",
    "region": "The Americas",
    "regionCode": "AM",
    "load": 27,
    "id": "e1ff80e5-11b8-41ec-9fc8-82205776114c",
    "coordinates": { "longitude": -46.616667, "latitude": -23.533333 },
    "info": [
      {
        "id": "cfe8477c-36af-4049-a148-2e0f2a7874bf",
        "entry": { "value": "U2FsdGVkX19pQ594n1+SQVF66uDvJFnU7y/4+4t3x0k=" }
      }
    ],
    "type": "generic",
    "location": "Sao Paulo",
    "connectionName": "br-sao.prod.surfshark.com",
    "pubKey": "IFTVXxhLEqVgZI/JGOPRtmrNUQW1DNljeBe8Ys7v90A=",
    "tags": ["physical"],
    "transitCluster": null,
    "flagUrl": "https://cdn.ss-cdn.com/assets/flags/BR.png"
},

EDIT by qdm12: Formatting

cardimajs avatar Sep 23 '21 03:09 cardimajs

Hello @cardimajs,

Can you point me in the right direction for 2.? I already retrieved 1.'s token.

EDIT by qdm12: Formatting

frepke avatar Sep 23 '21 11:09 frepke

@ksurl Please create a discussion for this, I'll hide your comment for now (and unhide if it's actually a bug). It might be a configuration problem.

@cardimajs that's awesome 🎉 I'll get back to it (on #587)! So I guess it's also fine to generate a Wireguard keypair on each connection right? Or would you see a point in persisting the token and refresh token to keep the same keypair across container restarts (harder to implement for me)?

You can get your server public key from their API

@frepke indeed, their API has their public key. You can check on my Surfshark wireguard branch the servers.json (and ctrl+f to find surfshark).

qdm12 avatar Sep 23 '21 12:09 qdm12

And where to find the private key?

frepke avatar Sep 23 '21 12:09 frepke

@pundoo You do need to generate a Wireguard keypair to register the public key of that keypair you generated through their API right? That's how I understood it 🤔 And what does expire in 7 days? The token or the registration of your public key?

qdm12 avatar Sep 23 '21 13:09 qdm12

I have a few questions on top for @pundoo and/or @cardimajs

  1. Where do you get your [Interface]'s Address value (10.14.0.2/8 in this case)?
  2. Where do you get your [Interface]'s PrivateKey value (GAJb1kd/y6vPJsM11yKBI/NPvsUzKaST4+G2xHUWaFh= in this case)? This is clearly not the same as the server public key IFTVXxhLEqVgZI/JGOPRtmrNUQW1DNljeBe8Ys7v90A= 🤔 And if they actually do use the public key of their server as the client private key, this is a major security problem.

Maybe commenting with an example response (only keeping the first 2-3 and last 2-3 chars of keys if possible) from https://api.surfshark.com/v1/account/users/public-keys would help.

qdm12 avatar Sep 23 '21 13:09 qdm12