After upgrading the hardware for the network-attached storage (NAS) on my home network, it made sense to move to version 6.0 of openmediavault. As before in version 5.6 of omv, I wanted to install WireGuard, the virtual private network implementation by Jason A. Donenfeld (zx2c4).
To make a short story very short, the installation procedure for omv 5.6 as described in the previous post works just as well in omv 6.0. There is no point in going over the same ground; refer to that post for details about the procedure to install and configure WireGuard in the current version of omv.
What follows are just notes and observations for the curious.
While omv 5.6.1 was based on Debian 10.8 with a 5.10.0 Linux kernel, omv 6.0.24 is based on Debian 11 (bullseye) with a 5.16.0 Linux kernel.
Contrary to recent Armbian distributions (built on Debian 11 with a slightly older Linux kernel), WireGuard is not included in the distribution provided by omv.
As before, a WireGuard plugin could not be found in the list of official omv plugins or in the third-party list at omv-extras.org. However, the wireguard package is available in the system repository.
As expected, a simple # apt install wireguard will quickly take care of the installation of the needed packages. Complications arise when configuring the virtual tunnel. Experience with Raspberry Pi OS led me to check if nftables takes care of defining the rules for IP packet filtering in the Linux kernel.
Both? That's a bit surprising. However, the nftables.service is not activated, and iptables is not installed as such. In other words, iptables is a symbolic link to iptables-nft. Phil Sutter provides a short history of the "recent" addition of iptables-nft in Using iptables-nft: a hybrid Linux firewall (July 25, 2019). The opening paragraph of the Implementation Details section was most illuminating.
From a high level view, iptables-nft parses the iptables syntax on command line, creates appropriate nftables commands, packs them into netlink messages and submits them to kernel. Like nft itself, it uses libnftnl so it implements a full nftables client, not just a (textual) syntax converter.
Reading that convinced me that installing WireGuard as if iptables was present should work. And it did, as stated previously. Of course, that got me wondering about just how packet routing was done in omv 5. As it turns out, iptables was a symbolic link to iptables-nft in omv 5, but nftables was not installed. So this is not too surprising: the netfilter package has provided packet filtering for the Linux kernel since version 2.4.x, and its replacement, nftables, was released at the start of 2014 in version 3.13 of the kernel. Given that eight years have elapsed, why not do as the Raspberry Pi OS team has done and eject iptables and other transitional legacy packages and move entirely to the new tools? The brave tempted to do that may want to consult a post on the subject: nftables does not read its conf file by frpatte dated January 10, 2021.
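The observation above (iptables is a symlink to iptables-nft, nftables.service inactive) is worth confirming on any host before relying on iptables rules in a wg-quick PostUp/PostDown. The following script is an added example, not from the original post or the omv project; it assumes a Debian-style layout where iptables resolves through update-alternatives to iptables-nft or iptables-legacy, and that systemctl and modinfo are present.

```shell
#!/bin/sh
# Added example (not from the original post): report which packet-filter
# front end this host will use when wg-quick runs iptables rules, whether
# nftables.service is enabled, and whether the wireguard kernel module exists.

# Classify a resolved iptables binary path as "nft", "legacy" or "unknown".
# Pure string logic, so it can be checked without root or iptables installed.
classify_iptables_backend() {
    case "$(basename "$1")" in
        iptables-nft|xtables-nft-multi)       echo nft ;;
        iptables-legacy|xtables-legacy-multi) echo legacy ;;
        *)                                    echo unknown ;;
    esac
}

# Fully resolve the iptables command on PATH (empty string if not installed).
resolve_iptables() {
    p=$(command -v iptables 2>/dev/null) || { echo ""; return 0; }
    readlink -f "$p"
}

# Print a short report; exit status 0 only when iptables is the nft flavour,
# i.e. the situation the post describes for omv 6.
wireguard_firewall_check() {
    resolved=$(resolve_iptables)
    if [ -z "$resolved" ]; then
        echo "iptables: not installed; PostUp/PostDown iptables rules would fail"
        return 1
    fi
    backend=$(classify_iptables_backend "$resolved")
    echo "iptables -> $resolved (backend: $backend)"
    if command -v systemctl >/dev/null 2>&1; then
        echo "nftables.service enabled: $(systemctl is-enabled nftables 2>/dev/null || echo no)"
    fi
    if command -v modinfo >/dev/null 2>&1 && modinfo wireguard >/dev/null 2>&1; then
        echo "wireguard kernel module: available"
    else
        echo "wireguard kernel module: not found (install the wireguard package)"
    fi
    [ "$backend" = nft ]
}

wireguard_firewall_check || echo "WARNING: iptables is not the nft flavour on this host"
```

On Debian bullseye the resolved path is typically /usr/sbin/xtables-nft-multi, since iptables-nft is itself a link to the multi-call binary.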