Are there step-by-step instructions for Wireguard and using a mobile device to connect to the Freedombox/Pioneer?
Mainly, getting the information that the app is asking for to create a tunnel.
How do I generate the file that WireGuard app is asking to import.
OR
How do I generate a QR code? All the freedombox has is some syntax to enter in the terminal, but there aren’t any instructions on how. Is it in Cockpit? Should I ssh into the Pioneer? Will I need to install something on my windows laptop for it to work?
If those are not feasible options, where can I find the information that is needed to enter it manually into the WireGuard app?
Have you tried the FreedomBox manual? I’m not sure whether that is complete and current, but start there and let us know if that is sufficient.
Go to the Apps link, click the Wireguard tile, and there is a link which says, “learn more” or something similar. It will be above the gear menu on the right.
I think the FreedomBox manual needs additional detail on this, @Jaw. You will want to be set up with FreedomBox Dynamic DNS and Let’s Encrypt before you begin unless you have a static IP address from your ISP.
This was frustrating for me and I hope I have everything you need here to breeze through it. I’d expect a bit of a struggle before you get it, and then it will work beautifully all at once. Don’t share any of your keys if you need to come back for assistance.
The trick is getting the keys exchanged between your mobile device and FreedomBox. You need to go to FreedomBox from your mobile so you can copy and paste phone public key to FreedomBox and the FreedomBox public key to your phone. You’ll have to switch between your browser and the Wireguard app on your phone to do this. I’m using WG Tunnel on Android for my client.
Log into FreedomBox from your phone browser.
Go to Apps and then Wireguard.
Open the Wireguard client on your phone and create a new tunnel…
Name the tunnel
Generate the private key
Copy the public key to the clipboard
Switch to the browser on the Wireguard page and click configure
Paste the WG client public key into the public key field and add client
Then the FreedomBox page gives you the other information to put into your client:
IP address for client goes into the address field
Skip the listen port
DNS server will be FreedomBox internal IP (192.168.1.1 or something)
Don’t change MTU
Copy the server public key from FreedomBox and paste into peer public key
skip pre-shared key
you can skip keep-alive for now. Get it working and then try 20 which may save some battery.
endpoint will be your FreedomBox DNS name (or static IP) with port 51820 (myfreedombox.freedombox.rocks:51820)
Allowed IPs - this depends, but start with 0.0.0.0/0, ::/0 to tunnel everything.
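As an added worked example (my code, not the FreedomBox project's or any poster's), this assembles the tunnel file the WireGuard app asks to import from exactly the values the steps above tell you to collect, and sanity-checks each value first. The keys are constructed placeholders; the endpoint name, client address and DNS address are the sample values quoted in this thread.

```python
import ipaddress
import re

# Placeholder keys (constructed): a real WireGuard key is 32 bytes base64, 44 chars ending "=".
SAMPLE = {
    "client_private_key": "A" * 43 + "=",
    "server_public_key": "B" * 43 + "=",
    "address": "10.84.0.2/24",           # client IP from the FreedomBox page, with its /24
    "dns": "10.84.0.1",                  # FreedomBox internal address (or 9.9.9.9)
    "endpoint": "myfreedombox.freedombox.rocks:51820",
    "allowed_ips": "0.0.0.0/0, ::/0",    # tunnel everything
    "keepalive": "20",                   # delete the line from the file to skip it
}

def _invalid(parse, value):
    try:
        parse(value)
        return False
    except ValueError:
        return True

def check_client_values(v):
    """Return the problems found; an empty list means the values look usable."""
    problems = []
    for name in ("client_private_key", "server_public_key"):
        if not re.fullmatch(r"[A-Za-z0-9+/]{43}=", v.get(name, "")):
            problems.append(f"{name}: not a 44-character base64 WireGuard key")
    if _invalid(ipaddress.ip_interface, v["address"]):
        problems.append(f"address: {v['address']!r} is not a valid IP address")
    elif "/" not in v["address"]:
        problems.append("address: no prefix, so the app treats it as one host; try /24")
    if _invalid(ipaddress.ip_address, v["dns"]):
        problems.append(f"dns: {v['dns']!r} is not a valid IP address")
    for cidr in (c.strip() for c in v["allowed_ips"].split(",")):
        if _invalid(lambda c: ipaddress.ip_network(c, strict=False), cidr):
            problems.append(f"allowed_ips: {cidr!r} is not a valid network")
        elif "/" not in cidr:
            problems.append(f"allowed_ips: {cidr!r} has no prefix, so it routes one host only")
    host, _, port = v["endpoint"].rpartition(":")
    if not host or not port.isdigit() or not 1 <= int(port) <= 65535:
        problems.append("endpoint: expected host:port, e.g. myfreedombox.freedombox.rocks:51820")
    return problems

def render_client_conf(v):
    """Produce the tunnel file the WireGuard app imports (or that you turn into a QR code)."""
    return (f"[Interface]\nPrivateKey = {v['client_private_key']}\n"
            f"Address = {v['address']}\nDNS = {v['dns']}\n\n"
            f"[Peer]\nPublicKey = {v['server_public_key']}\n"
            f"AllowedIPs = {v['allowed_ips']}\nEndpoint = {v['endpoint']}\n"
            f"PersistentKeepalive = {v['keepalive']}\n")
```

Run `check_client_values` on your own values and only import the rendered file when it returns an empty list.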
Excellent step-by-step. Some basic explanations are missing in the FreedomBox manual. I would like to contribute to its Spanish version. But I am not yet able to translate correctly from English nor do I have enough knowledge about each application.
I have configured my Android making a more specific tunnel so that it doesn’t waste energy and because I want to tunnel only the connection to FreedomBox.
Regarding Allowed IPs: in the ‘peer’ section of WireGuard client, instead of 0.0.0.0/0, ::/0, I put something like this: 10.0.0.0/24. While in the ‘client’ section this: 10.0.0.0/32. It is counter-intuitive that ‘/24’ sets a range of addresses and ‘/32’ sets a unique address of 10.0.0.0.
Regarding Persistent Keepalive: the WireGuard server from Plinth registers the connection only when I set it to 30 seconds (approx.) in the client. The WireGuard client does not recommend activating this (I think because it is only necessary in some cases where the connection can be closed).
Regarding DNS servers: I chose Quad9 (9.9.9.9) just because apparently it is more secure and does not store personal data. And because I want to bypass anything related to Google DNS (8.8.8.8) or Cloudflare DNS (1.1.1.1). I don’t know what the relationship is here between DNS and VPN.
I don’t know if my statements here are correct and if I have established a correct link between both devices. WireGuard seems very easy to configure once some concepts are understood. Much more affordable and perhaps more versatile than OpenVPN.
Allowed IP: indicates the networks or addresses approved, in CIDR form. The values ::0 and 0.0.0.0/0 indicate that all networks and addresses may pass through the VPN route.
I need to work on my subjunctivo. You may read about CIDR notation for an explanation of the /24 /32 question. /32 specifies the entire address, /24 indicates a class C network.
FreedomBox may be your DNS server if you specify the internal address. 10.84.0.1 does not work for me. If you specify Quad 9 for FreedomBox and use FreedomBox internal as DNS then you get the Q9 DNS answer from FreedomBox. If you put 9.9.9.9 in the DNS field, you lose the ability to resolve an internal hostname if you have a DNS zone in your local network, but it will work for external host names.
Here is a site, although somewhat outdated, that adds interesting documentation to the official one available (to understand parameters and notions of WireGuard on any device): Some Unofficial WireGuard Documentation - HedgeDoc
Here is a screenshot of the peers with the apps labeled. On my phone, they both show connected and the logs didn’t have any errors, but webpages will not load.
The client DNS server is the internal address of the Pioneer/freedombox. (Is this correct?)
For the allowed IPs
0.0.0.0, ::/0
Except for the keys, I entered the same information in the fields for both apps.
On the WireGuard Tunnel app, when it is on, it shows the IP address of my endpoint as the public IP address of the Pioneer/Freedombox.
DNS sounds right, but I don’t think you can get to it yet.
Try this, and leave out IPv6 for now…
Change your Address to 10.84.0.2/24
That /24 indicates a network instead of a single host. I think this is the issue. You can read up on netmasks and CIDR notation if you want to understand all this.
Here is mine, and it sounds like yours is similar.
Let’s recap where you are. Tell me if all this is correct:
You can connect your VPN and you see a successful handshake and some number of bytes are sent and received over the link.
Your DNS Servers address is the FreedomBox internal IP address
You have Allowed IPs of
10.84.0.0/24
192.168.xxx.0/24
0.0.0.0/0
If that’s correct let’s confirm next that your FreedomBox has internet. From your FreedomBox do traceroute 8.8.8.8. There should be quite a few lines of output from this ending with something like this… 11 dns.google (8.8.8.8) 30.896 ms 30.974 ms 31.338 ms
If that is good, try it again from your VPN client. You should be able to find a traceroute utility from your favorite app store.
If that also looks good then do traceroute dns.google.com
That will tell us if the problem is routing or DNS.
This is excellent. Traceroute tells you that you have internet using your VPN. So I think the only part we are missing is a functional DNS lookup from your VPN client on 10.84.0.2.
Let’s have a closer look at your FreedomBox next. If you go to the Setup / Network page down at the bottom…
what is your FreedomBox Internet Connectivity setting?
what is your Internet Connection Type setting?
Then go into your primary network interface and look at the Privacy setting. Which option are you using there?
I’m not sure if FreedomBox will serve DNS in your configuration. Rather than try to troubleshoot this, what if you set your VPN client DNS address to an external DNS provider such as 9.9.9.9? That may get you over the hump of not being able to load a web page.