2022-08-03
Installing WireGuard on openmediavault 6.0.24 (August 2022)
<-Installing WireGuard on openmediavault 5.6.1 (March 2021)
<-Installing and Configuring WireGuard on a Raspberry Pi

After upgrading the hardware for the network-attached storage (NAS) on my home network, it made sense to move to version 6.0 of openmediavault. As before in version 5.6 of omv, I wanted to install WireGuard, the virtual private network implementation by Jason A. Donenfeld (zx2c4).

To make a short story very short, the installation procedure for omv 5.6 as described in the previous post works just as well in omv 6.0. There is no point in going over the same ground, refer to that post for details about the procedure to install and configure WireGuard in the current version of omv.

What follows are just notes and observations for the curious.

While omv 5.6.1 was based on Debian 10.8 with a 5.10.0 Linux kernel, omv 6.0.24 is based on Debian 11 (bullseye) with a 5.16.0 Linux kernel.

```
root@vault:~# cat /etc/*release
PRETTY_NAME="Debian GNU/Linux 11 (bullseye)"
NAME="Debian GNU/Linux"
VERSION_ID="11"
VERSION="11 (bullseye)"
VERSION_CODENAME=bullseye
ID=debian
HOME_URL="https://www.debian.org/"
SUPPORT_URL="https://www.debian.org/support"
BUG_REPORT_URL="https://bugs.debian.org/"
root@vault:~# uname -a
Linux voute 5.16.0-0.bpo.4-amd64 #1 SMP PREEMPT Debian 5.16.12-1~bpo11+1 (2022-03-08) x86_64 GNU/Linux
```

Contrary to recent Armbian distributions (built on Debian 11 with a slightly older Linux kernel), WireGuard is not included in the distribution provided by omv.

```
root@vault:~# which wg
root@vault:~#
```

As before, a WireGuard plugin could not be found in the list of official omv plugins and in the third party list at omv-extras.org. However, the wireguard package is available in the system repository.

```
root@vault:~# apt-cache policy wireguard
wireguard:
  Installed: (none)
  Candidate: 1.0.20210223-1
  Version table:
     1.0.20210223-1 500
        500 http://deb.debian.org/debian bullseye/main amd64 Packages
```

As expected, a simple `# apt install wireguard` quickly takes care of installing the needed packages. Complications arise when configuring the virtual tunnel. Experience with Raspberry Pi OS led me to check whether iptables or nftables takes care of defining the rules for IP packet filtering in the Linux kernel.

```
root@vault:~# apt-cache policy iptables nftables
iptables:
  Installed: 1.8.7-1
  Candidate: 1.8.7-1
  Version table:
 *** 1.8.7-1 500
        500 http://deb.debian.org/debian bullseye/main amd64 Packages
        100 /var/lib/dpkg/status
nftables:
  Installed: 0.9.8-3.1
  Candidate: 0.9.8-3.1
  Version table:
 *** 0.9.8-3.1 500
        500 http://deb.debian.org/debian bullseye/main amd64 Packages
        100 /var/lib/dpkg/status
```

Both? That's a bit surprising. However, the nftables.service is not activated.

```
root@vault:~# systemctl status nftables
● nftables.service - nftables
     Loaded: loaded (/lib/systemd/system/nftables.service; disabled; vendor preset: enabled)
     Active: inactive (dead)
       Docs: man:nft(8)
             http://wiki.nftables.org
root@vault:~# nft list ruleset
root@vault:~# nft list tables ip
root@vault:~#
```

Furthermore, iptables is not installed as such.

```
root@vault:~# which iptables
/usr/sbin/iptables
root@vault:~# ls -l /usr/sbin/iptables
lrwxrwxrwx 1 root root 26 Jul 13 02:42 /usr/sbin/iptables -> /etc/alternatives/iptables
root@vault:~# ls -l /etc/alternatives/iptables
lrwxrwxrwx 1 root root 22 Jul 13 02:42 /etc/alternatives/iptables -> /usr/sbin/iptables-nft
```

In other words, iptables is a symbolic link to iptables-nft. Phil Sutter provides a short history on the development of "recent" additions of iptables, xtables and iptables-nft in Using iptables-nft: a hybrid Linux firewall (July 25, 2019). The opening paragraph of the Implementation Details section was most illuminating.

> From a high level view, iptables-nft parses the iptables syntax on command line, creates appropriate nftables commands, packs them into netlink messages and submits them to kernel. Like nft itself, it uses libnftnl so it implements a full nftables client, not just a (textual) syntax converter.

Reading that convinced me that installing WireGuard as if iptables were present should work. And it did, as stated above. Of course, that got me wondering about just how packet routing was done in omv 5. As it turns out, iptables was a symbolic link to iptables-nft in omv 5 as well, but nftables was not installed. So this is not too surprising: netfilter has provided packet filtering for the Linux kernel since version 2.4.x, and the replacement for iptables, nftables, was released at the start of 2014 in version 3.13 of the kernel. Given that eight years have elapsed, why not do as the Raspberry Pi OS team has done: eject iptables and the other transitional legacy packages and move entirely to the new tools? The brave tempted to do that may want to consult a post on the subject: nftables does not read its conf file by frpatte, dated January 10, 2021.
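The practical consequence of the findings above is that any iptables rules a WireGuard PostUp/PostDown line issues end up in the nftables ruleset, so that is where they should be audited. The following script is an added example, not code from the original post or from omv; it classifies the iptables backend from the `iptables -V` banner, walks a symlink chain like the one shown above, and reports the state of nftables.service, assuming only POSIX sh, `readlink` and (optionally) `systemctl`.

```shell
#!/bin/sh
# Added example (not from the original post): find out which backend will
# hold the rules that a WireGuard PostUp/PostDown line adds, so they can be
# audited in the right place (`nft list ruleset` vs `iptables-legacy -S`).

# Classify the backend from the text printed by `iptables -V`, which ends in
# "(nf_tables)" for iptables-nft and "(legacy)" for iptables-legacy.
classify_iptables_backend() {
    case "$1" in
        *"(nf_tables)"*) echo nft ;;
        *"(legacy)"*)    echo legacy ;;
        *)               echo unknown ;;
    esac
}

# Follow a symlink chain such as /usr/sbin/iptables -> /etc/alternatives/iptables
# -> /usr/sbin/iptables-nft and print the final path. Bounded to 16 hops so a
# looping chain cannot hang the script.
resolve_chain() {
    path=$1
    hops=0
    while [ -L "$path" ] && [ "$hops" -lt 16 ]; do
        target=$(readlink "$path")
        case "$target" in
            /*) path=$target ;;                     # absolute link target
            *)  path=$(dirname "$path")/$target ;;  # relative to the link's dir
        esac
        hops=$((hops + 1))
    done
    printf '%s\n' "$path"
}

# Inspect the running host: "absent" when iptables is not installed,
# otherwise "nft", "legacy" or "unknown".
report_backend() {
    bin=$(command -v iptables 2>/dev/null) || { echo absent; return 0; }
    classify_iptables_backend "$("$bin" -V 2>/dev/null)"
}

# Whether nftables.service would load its ruleset at boot (it was disabled on
# the omv host above). Prints the systemctl state, or "no-systemd".
nftables_service_state() {
    command -v systemctl >/dev/null 2>&1 || { echo no-systemd; return 0; }
    state=$(systemctl is-enabled nftables 2>/dev/null) || true
    echo "${state:-unknown}"
}

if [ "${1-}" = "--report" ]; then
    echo "iptables backend : $(report_backend)"
    echo "iptables resolves: $(resolve_chain "$(command -v iptables || echo none)")"
    echo "nftables.service : $(nftables_service_state)"
fi
```

Run it as `sh backend-check.sh --report`; on the omv 6 host described above the expected reading is an `nft` backend behind a chain ending in `iptables-nft` with nftables.service `disabled`.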
