Jiff Slater
03 Dec 2020
Configuring Wireguard on the Pinebook Pro in Manjaro Linux
1 February 2020

I recently (Twitter) ordered and received a Pinebook Pro and wanted to share how I got Wireguard working. Wireguard is a VPN that uses modern cryptography while still being easy to configure for various environments.  Unfortunately, even though the kernel module has been merged upstream, Manjaro Linux still requires a custom module to be built.  Because the kernel sources aren’t included with the distribution as of now, installing the wireguard-dkms package will fail.  This post shows how I got the userspace wireguard-go program to work in lieu of the kernel module.

Before I continue, if you’re using the default Debian install that came with the device, you should be able to follow this tutorial, which uses Cloudflare’s boringtun Rust implementation.  I couldn’t get this tutorial to work so here is an alternative that uses the official Wireguard Go language reference implementation.

Installing the compiler

The Go compiler should be available in all distributions so install it before continuing.  On Manjaro Linux you can do so by typing `sudo pamac install go`.

Cloning the repository

You’ll need to clone the source code from the Wireguard repo: `git clone https://git.zx2c4.com/wireguard-go`.

Building the tool

Once cloning has completed, enter the directory and issue `make`.  After it completes, you should have a ./wireguard-go executable in the same directory.

Launching the tool

Open two terminal windows.  In the first, issue `sudo LOG_LEVEL=debug ./wireguard-go -f wg0`.  This will launch the userspace implementation and create an interface called wg0, which you can see by typing `ip a`.

Configuring and bringing up the Wireguard interface

Bringing up the interface is almost as simple as presented in the docs, but because we’re running Manjaro Linux we’ll need to make sure it works well with NetworkManager.  The first step is to mark the interface, along with any similarly named interfaces, as unmanaged.  Create the following file and restart NetworkManager.

/etc/NetworkManager/conf.d/wireguard-unmanaged.conf

[keyfile]
unmanaged-devices=interface-name:wg*

# systemctl restart NetworkManager

In a new terminal window, issue the following commands, taking into account your configuration.  Before continuing you’ll also need to have a valid /etc/wireguard/wg0.conf that uses `wg` syntax, not wg-quick syntax.  Check the manpage for wg to confirm.  Note that CLIENT_IP_ADDRESS and PEER_IP_ADDRESS_OR_RANGE refer to addresses within the Wireguard interface’s address space, not the endpoint’s public address.

# ip address add dev wg0 CLIENT_IP_ADDRESS peer PEER_IP_ADDRESS_OR_RANGE
# wg setconf wg0 /etc/wireguard/wg0.conf
# ip link set mtu 1420 up dev wg0
# ip route add PEER_IP_ADDRESS_OR_RANGE dev wg0

Finally, as per Thaller’s post on the GNOME blogs, if you didn’t issue the last command you’ll need to let NetworkManager know about the new route.  List your current connections with `nmcli conn show` and copy the UUID for your current connection into the command below.  Replace GATEWAY and WIREGUARD_ENDPOINT with the actual IP addresses.

nmcli connection modify UUID +ipv4.routes "WIREGUARD_ENDPOINT/32 GATEWAY"

This should be sufficient to set up the VPN.  You’ll see the handshake initiated and completed in the other terminal window.

Let me know if this worked for you.  DNS resolution is still problematic because NetworkManager doesn’t adjust resolvconf to accommodate the new route.  If you manage to get that working correctly, please let me know on Twitter.

VLAN Primer
21 February 2019

I recently picked up a simple TP-Link switch that supports 802.1Q, also known as Virtual LANs.

Here’s a quick primer I wrote to guide myself when configuring my network. All diagrams were created with Graphviz.

Consider the simplest home network possible. You have a combination router/modem that connects your LAN to the WAN. We’ll hide the modem in this diagram as it acts on a lower layer than the router.

graph network {
node [shape=box, style=filled];

a [label="WAN"]
b [label="Router"]
c [label="LAN"]

a -- b -- c

}

Let’s add some more details. The router gets a mostly static IP address from the ISP and also provides DHCP services to the clients in the LAN.

graph network {
node [shape=box, style=filled];
a [label="WAN"]
b [shape=record, label="{ Firewall | { Router } | Switch }"]
c [label="LAN"]

a -- b [headlabel="42.52.11.44"]
b -- c [taillabel="192.168.1.1/24"]

}

Now, we’ll flesh out the LAN to show some clients. Dotted lines show wireless clients. TODO FIX GRAPH

graph network {
node [shape=box, style=filled];

a [label="WAN"]
b [shape=record, label="{ 42.52.11.44\nFirewall | { Router } | Switch \n 192.168.1.1/24 }"]
c [label="192.168.1.2\nPlaystation"]
d [label="192.168.1.3\nKindle Fire"]
e [label="192.168.1.4\niPhone"]
f [label="192.168.1.5\nNintendo Switch"]
g [label="192.168.1.6\nPC"]

a -- b
b -- {d, e, f} [style=dotted]
b -- {c, g}
}

This is a typical home network. Now let’s introduce a VLAN into the network. It operates at layer 2 and makes the hosts in the VLAN appear to be on a single, separate network, regardless of which physical switch port they are plugged into. Because most home modem/routers don’t support VLANs, we introduce another device that sits between the modem and LAN and serves as the router.

In this network, we want wireless traffic to be segmented from wired traffic. Usually this could be easily configured by issuing separate subnets for the wired and wireless clients, but we want total isolation between the two. Each VLAN has its own broadcast domain.

Here, we introduce a separate wireless switch and tag traffic coming from the switches. In this configuration the router acts as the default gateway for both subnets and can see all VLAN traffic.

graph network {
node [shape=box, style=filled];

a [label="WAN"]
h [label="Modem"]
b [shape=record, label="{ 42.52.11.44\nFirewall | { Router } }"]
c [label="192.168.1.2\nPlaystation"]
d [label="192.168.2.2\nKindle Fire"]
e [label="192.168.2.3\niPhone"]
f [label="192.168.2.4\nNintendo Switch"]
g [label="192.168.1.3\nPC"]
i [label="Switch (wired)"]
j [label="Switch (wireless)"]


a -- h
h -- b
b -- i [label="192.168.1.1/24\nVLAN 10"]
b -- j [label="192.168.2.1/24\nVLAN 20"]
i -- {c, g}
j -- {d, e, f} [style=dotted]

}
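What the switches in the last diagram actually insert when they “tag traffic”, as an added example that is not part of the original post: the 4-byte 802.1Q tag (TPID 0x8100 followed by a 16-bit TCI holding a 3-bit priority, a drop-eligible bit and the 12-bit VLAN ID) sits between the source MAC and the original EtherType. Frames are handled as hex strings; the MAC addresses and payload bytes are constructed placeholders, and the function names are my own.

```shell
# Added example, not from the original post: build and decode the 802.1Q tag
# used for VLAN 10 / VLAN 20 in the diagram above. Frames are hex strings.
set -eu

# Constructed untagged frame: dst 02:00:00:00:00:01, src 02:00:00:00:00:02,
# EtherType 0800 (IPv4), then a few placeholder payload bytes.
SAMPLE_UNTAGGED='0200000000010200000000020800450000'

# The tag as 8 hex chars: TPID 0x8100, then TCI = PCP(3) | DEI(1) | VID(12).
# VID 0 and 4095 are reserved, so only 1-4094 are valid VLAN numbers.
vlan_tag_hex() {
    vid=$1; pcp=${2:-0}
    [ "$vid" -ge 1 ] && [ "$vid" -le 4094 ] || { echo "VID must be 1-4094" >&2; return 1; }
    [ "$pcp" -ge 0 ] && [ "$pcp" -le 7 ] || { echo "PCP must be 0-7" >&2; return 1; }
    printf '8100%04x' $(( (pcp << 13) | vid ))
}

# Insert a tag into an untagged frame: it goes after the two MACs
# (hex chars 1-24) and before the original EtherType.
tag_frame() {
    tag=$(vlan_tag_hex "$2" "${3:-0}") || return 1
    printf '%s%s%s' "$(printf '%s\n' "$1" | cut -c 1-24)" "$tag" \
        "$(printf '%s\n' "$1" | cut -c 25-)"
}

# Classify a frame: "untagged", "priority-tagged pcp N" (VID 0 carries
# a priority but no VLAN membership) or "vlan N pcp N".
frame_vlan() {
    [ "$(printf '%s\n' "$1" | cut -c 25-28)" = 8100 ] || { echo untagged; return 0; }
    tci=$(( 0x$(printf '%s\n' "$1" | cut -c 29-32) ))
    vid=$(( tci & 0x0fff )); pcp=$(( tci >> 13 ))
    if [ "$vid" -eq 0 ]; then echo "priority-tagged pcp $pcp"; else echo "vlan $vid pcp $pcp"; fi
}
```

A frame that arrives on an access port without a tag is placed in that port’s VLAN by the switch; only trunk links between the switches and the router carry the tag shown here.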

All images were generated with https://dreampuf.github.io/GraphvizOnline, with thanks.

Demoscene
1 April 2018

I’ve been wanting to play around with some graphics work for a while now and while I’ve used Blender for a few renders, I’ve never sat down and set up a programming environment on my computer. What follows is a short tutorial on how to get started in OpenGL on Windows — but still using the Linux conventions that I’m familiar with.

The demoscene is something that’s fascinated me for years. If you haven’t heard of it, it’s the art of making a computer program (usually size constrained) that produces outstanding visual effects synced with music. There’s a wide variety of target platforms including Windows, Linux, MS-DOS, and even the old Amiga!

I’m surprised to see that there are still regular competitions being held around the world.

Here are some of my favourites:

  • fr-041: debris (YouTube): Very impressive city scape
  • luma – mercury (YouTube): Stunning light effects
  • H – Immersion – Ctrl-Alt-Test (YouTube): Very believable underwater adventure
© 2008 to 2020 Antony Jepson