Power & Source of Big Ideas

Wireguard install...

Moderators: chensy, FATechsupport

I'm wanting to install Wireguard on the NanoPC-T3 and the difficulty is finding the build directory for for the installed kernel. It appears from

# uname -a
Linux matrix 4.4.49-s5p6818 #1 SMP PREEMPT Fri Mar 23 15:29:14 HKT 2018 aarch64 aarch64 aarch64 GNU/Linux

that I'm running the 4.4.49 kernel. There is a link in /lib/modules/4.4.49-s5p6818 that points build to /opt/FriendlyARM/nanopi3/linux-4.4.y but the link is dangling and there points at nothing. My question is where to download that build directory, or at least the part of the build directory needed to build the Wireguard kernel module.

The error from Wireguard is

$ make
make[1]: *** /lib/modules/4.4.49-s5p6818/build: No such file or directory. Stop.
Makefile:25: recipe for target 'module' failed
make: *** [module] Error 2

Note that I've successfully build Wireguard on x86 PCs running Artix linux and successfully on the Raspberry Pi 4 running Raspbian as well as Gentoo. The only difficulty with the T3 is that I'm missing the build directory that is needed to build out-of-tree kernel modules.

Before I try to rebuild the entire kernel over from scratch, is there someplace I can download the necessary directory for the vendor supplied kernel I already have installed?

Sorry, it seems I put this in the wrong forum. Could you please move to the T3?
ejolson wrote:
Note that I've successfully build Wireguard on x86 PCs running Artix linux and successfully on the Raspberry Pi 4 running Raspbian as well as Gentoo


- best 8812AU driver
- wireguard
- dkms
- kernel headers

= Armbian
igorp wrote:
ejolson wrote:
Note that I've successfully build Wireguard on x86 PCs running Artix linux and successfully on the Raspberry Pi 4 running Raspbian as well as Gentoo


- best 8812AU driver
- wireguard
- dkms
- kernel headers

= Armbian

Thanks for the quick reply. I've been running the 64-bit FriendlyCore distribution from FriendlyArm from the built-in eMMC flash. Is it possible and how do I install the Armbian Buster minimal distribution to eMMC? I see the download link here

https://www.armbian.com/nanopc-t3/
ejolson wrote:
Is it possible and how do I install the Armbian Buster minimal distribution to eMMC? I see the download link here

https://www.armbian.com/nanopc-t3/


Ofc its possible.
https://docs.armbian.com/User-Guide_Get ... d-sata-usb

If you have eMMC model with 2G memory, you need to choose this board:
https://www.armbian.com/nanopc-t3-plus/

Or it wont't work.
igorp wrote:
ejolson wrote:
Is it possible and how do I install the Armbian Buster minimal distribution to eMMC? I see the download link here

https://www.armbian.com/nanopc-t3/


Ofc its possible.
https://docs.armbian.com/User-Guide_Get ... d-sata-usb

If you have eMMC model with 2G memory, you need to choose this board:
https://www.armbian.com/nanopc-t3-plus/

Or it wont't work.

Thanks! I've got Armbian installed on my NanoPC T3 now and WireGuard installed without any difficulties. Unfortunately, it would appear the Armbian kernel is not compiled with full iSCSI support, so I get something like

Code: Select all

Mar 15 03:07:13 matrix iscsid[2207]: iSCSI logger with pid=2208 started!
Mar 15 03:07:13 matrix systemd[1]: iscsid.service: Failed to parse PID from file /run/iscsid.pid: Invalid argument
Mar 15 03:07:13 matrix iscsid[2208]: iSCSI daemon with pid=2209 started!
Mar 15 03:07:13 matrix iscsid[2208]: can not create NETLINK_ISCSI socket
Mar 15 03:08:43 matrix systemd[1]: iscsid.service: Start operation timed out. Terminating.
Mar 15 03:08:43 matrix systemd[1]: iscsid.service: Failed with result 'timeout'.

a 90 second delay when booting and, of course, no iSCSI either.

I'm not looking forward to building my own kernel. If I had wanted to do that, I would have stuck with the original FriendlyARM distribution. Any thoughts what to do next?
ejolson wrote:
igorp wrote:
ejolson wrote:
Is it possible and how do I install the Armbian Buster minimal distribution to eMMC? I see the download link here

https://www.armbian.com/nanopc-t3/


Ofc its possible.
https://docs.armbian.com/User-Guide_Get ... d-sata-usb

If you have eMMC model with 2G memory, you need to choose this board:
https://www.armbian.com/nanopc-t3-plus/

Or it wont't work.

Thanks! I've got Armbian installed on my NanoPC T3 now and WireGuard installed without any difficulties. Unfortunately, it would appear the Armbian kernel is not compiled with full iSCSI support, so I get something like

Code: Select all

Mar 15 03:07:13 matrix iscsid[2207]: iSCSI logger with pid=2208 started!
Mar 15 03:07:13 matrix systemd[1]: iscsid.service: Failed to parse PID from file /run/iscsid.pid: Invalid argument
Mar 15 03:07:13 matrix iscsid[2208]: iSCSI daemon with pid=2209 started!
Mar 15 03:07:13 matrix iscsid[2208]: can not create NETLINK_ISCSI socket
Mar 15 03:08:43 matrix systemd[1]: iscsid.service: Start operation timed out. Terminating.
Mar 15 03:08:43 matrix systemd[1]: iscsid.service: Failed with result 'timeout'.

a 90 second delay when booting and, of course, no iSCSI either.

I'm not looking forward to building my own kernel. If I had wanted to do that, I would have stuck with the original FriendlyARM distribution. Any thoughts what to do next?


Build system for creating your own Armbian kernel https://github.com/armbian/build is so simple that my mother could do that. You need a PC with Linux.

You can modify https://github.com/armbian/build/blob/m ... acy.config config (I would enable things but don't know exactly what you miss) and ask someone to build the kernel for you ... or wait for next release. Or download .deb build artefacts from Jenkins (if works) when making a PR.

Sticking to outdated FA distro is not what you want.

And this is possible only if you help https://www.armbian.com/donate/
igorp wrote:
ejolson wrote:
igorp wrote:
Build system for creating your own Armbian kernel https://github.com/armbian/build is so simple that my mother could do that. You need a PC with Linux.

You can modify https://github.com/armbian/build/blob/m ... acy.config config (I would enable things but don't know exactly what you miss) and ask someone to build the kernel for you ... or wait for next release. Or download .deb build artefacts from Jenkins (if works) when making a PR.

Sticking to outdated FA distro is not what you want.

And this is possible only if you help https://www.armbian.com/donate/

I wonder if your mother has a computer science degree. Mine does, but even so, I'm pretty sure in her retirement she has not kept up with docker and other virtualized environments on Linux. Though not retired, neither have I. Will access to QEMU through a remote ssh session be sufficient?

While I understand the FriendlyARM distro is based off an earlier Ubuntu distribution, my only difficulty was lack of kernel headers for the default kernel. Obviously, building my own kernel would have solved that.

My understanding is that

CONFIG_INET=y
CONFIG_BLK_DEV_SD=y
CONFIG_SCSI_LOWLEVEL=y
CONFIG_ISCSI_TCP=M
CONFIG_SCSI_ISCSI_ATTRS=M

are needed for iSCSI support. See, for example,

https://wiki.gentoo.org/wiki/ISCSI/Initiator

Many of the Armbian kernels already have the iSCSI drivers built as modules and it is surprising the NanoPC T3 kernel does not. Note again that I somehow accidentally started this thread in the RK3399 forum rather than the S5P6818 section, so we are, in fact, talking about the 4.14.171-s5p6818 kernel here.

If you were able to change the above flags so the next automatic kernel build for the NanoPC T3 includes iSCSI support, I would greatly appreciate this. Unfortunately, I have never and don't know how to set up a forked GitHub repository and then issue a pull command for the needed changes.
ejolson wrote:
igorp wrote:
ejolson wrote:

I wonder if your mother has a computer science degree. Mine does, but even so, I'm pretty sure in her retirement she has not kept up with docker and other virtualized environments on Linux. Though not retired, neither have I. Will access to QEMU through a remote ssh session be sufficient?

While I understand the FriendlyARM distro is based off an earlier Ubuntu distribution, my only difficulty was lack of kernel headers for the default kernel. Obviously, building my own kernel would have solved that.

My understanding is that

CONFIG_INET=y
CONFIG_BLK_DEV_SD=y
CONFIG_SCSI_LOWLEVEL=y
CONFIG_ISCSI_TCP=M
CONFIG_SCSI_ISCSI_ATTRS=M

are needed for iSCSI support. See, for example,

https://wiki.gentoo.org/wiki/ISCSI/Initiator

Many of the Armbian kernels already have the iSCSI drivers built as modules and it is surprising the NanoPC T3 kernel does not. Note again that I somehow accidentally started this thread in the RK3399 forum rather than the S5P6818 section, so we are, in fact, talking about the 4.14.171-s5p6818 kernel here.

If you were able to change the above flags so the next automatic kernel build for the NanoPC T3 includes iSCSI support, I would greatly appreciate this. Unfortunately, I have never and don't know how to set up a forked GitHub repository and then issue a pull command for the needed changes.


It seems we have double postings. Please continue rather here
https://forum.armbian.com/topic/13347-n ... ment-97083
where I explained little more how things are. We have absolutely no resources to support you. Especially not in real time.

There are several thousands people already on the list with their small favour ... and we have a huge https://forum.armbian.com/forum/38-feature-requests/
I see threads popping up here from time to time asking for an easy to follow guide on how to install WireGuard on a Raspberry Pi. There are a couple of guides out there on how to do this, but I couldn’t find one that covered everything from A-Z. So, I wanted to make one on how to get it installed on your Pi and have it use Pi-Hole as DNS. While it’s easier to install this with a few clicks on Diet Pi, the Pi is meant to be a learning tool for cheap, so I encourage you to do this manually instead. I will divide this guide into 6 parts so hopefully it's easy for you to follow (Part 5 can be skipped if you prefer to do that bit manually, more info near the end of the post):

PART 1: SETUP WIREGUARD

sudo su

# ↑ IMPORTANT: You need Root privilege for the installation process!

apt install raspberrypi-kernel-headers libelf-dev libmnl-dev build-essential git

# ↑ Some of these dependencies are already installed on your Pi but run the whole command anyway just to be sure (as it varies between models)
There are two ways to proceed from here, pick whichever method you prefer:

(IMPORTANT: Method B will NOT work for these models: Pi 1, 2 (except v1.2), Zero & Zero W. If you're using one of these your only choice is Method A. The CPUs for these models lack some of the features of ARMv7 architecture. If you download using Method B on these models you'll get a “Segmentation fault” error.)

Method A (Manual compilation):

git clone https://git.zx2c4.com/WireGuard

cd WireGuard/

cd src/

make

# ↑ If you get an error here that says "No such file or dir" you're probably on an older kernel. Fix it by running 'sudo BRANCH=stable rpi-update' (refer to “Troubleshooting” at the end to update it manually)

make install
(The “make” command may take a few minutes to finish.)

Method B (Apt repo, If you install using this method you can keep WireGuard up-to-date using 'apt update'):

echo "deb http://deb.debian.org/debian/ unstable main" > /etc/apt/sources.list.d/unstable.list

printf 'Package: *\nPin: release a=unstable\nPin-Priority: 90\n' > /etc/apt/preferences.d/limit-unstable

# ↑ These commands may change in the future, when this post gets old go to this link and check before running them (check the section for Debian): https://www.wireguard.com/install/

apt update

# ↑ Ignore the error

apt install dirmngr

apt-key adv --keyserver keyserver.ubuntu.com --recv-keys 7638D0442B90D010

apt-key adv --keyserver keyserver.ubuntu.com --recv-keys 04EE7237B7D453EC

apt update

apt install wireguard
Once WireGuard is done installing using either method we're gonna enable IP Forwarding then reboot the Pi:

perl -pi -e 's/#{1,}?net.ipv4.ip_forward ?= ?(0|1)/net.ipv4.ip_forward = 1/g' /etc/sysctl.conf

reboot
After rebooting, verify that IP Forwarding was enabled before proceeding to the next part. To do that enter the following, your output will be 1:

sysctl net.ipv4.ip_forward
PART 2: GENERATE PRIVATE AND PUBLIC KEYS FOR SERVER AND CLIENT

sudo su

cd /etc/wireguard

umask 077

wg genkey | tee peer1_privatekey | wg pubkey > peer1_publickey

wg genkey | tee server_privatekey | wg pubkey > server_publickey

ls

# ↑ Verify the keys got generated

peer1_privatekey peer1_publickey server_privatekey server_publickey
You can view your keys using the cat command like so:

cat server_publickey

cat server_privatekey

cat peer1_publickey

cat peer1_privatekey
(We’re gonna need these keys in the next 2 parts)

PART 3: CONFIGURE WIREGUARD SERVER

Make a wg0.conf file in ‘/etc/wireguard/’ :

nano /etc/wireguard/wg0.conf
Copy and paste the following template and make changes as needed. Make sure to enter the right key in the right line. Again, DOUBLE CHECK THE KEYS WHEN ENTERING THEM:

[Interface]
Address = 10.9.0.1/24
ListenPort = xxxxx
DNS = 192.168.x.xx
PrivateKey = server_privatekey

PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -A FORWARD -o %i -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -D FORWARD -o %i -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE

[Peer]
#Peer-1
PublicKey = peer1_publickey
AllowedIPs = 10.9.0.2/32
#PersistentkeepAlive = 60
(‘Ctrl + x’ then ‘y’ to exit and save the changes.)

Lines you need to modify:

ListenPort: The port you're gonna forward on your router

DNS: Pi-Hole’s IP

PrivateKey: Enter the key you get from 'cat server_privatekey'

PostUp & PostDown: Change 'eth0' to 'wlan0' in both lines if you're connected via Wi-Fi. If your network interface has a different name find it using 'ifconfig' then use that name instead.

PublicKey: Enter the key you get from 'cat peer1_publickey'

PersistentkeepAlive: Uncomment this line (remove the #) if you are behind a NAT and want the connection to stay alive.

PART 4: CONFIGURE WIREGUARD CLIENT

Make a peer1.conf file in ‘/etc/wireguard/’ :

nano /etc/wireguard/peer1.conf

Who is online

In total there are 5 users online :: 0 registered, 0 hidden and 5 guests (based on users active over the past 5 minutes)
Most users ever online was 5185 on Wed Jan 22, 2020 1:44 pm

Users browsing this forum: No registered users and 5 guests