WireGuard (Android) Configuration issues, etc.

WireGuard (Android) Configuration issues, etc.

[Jordan Johnston]

[-- Attachment #1: Type: text/plain, Size: 2359 bytes --]

Hey Jason (and everyone else).

@Jason; we chatted on XDA yesterday, a few PMs back and forth (I'm
nine7nine on XDA).

So just as a recap; My progress with integrating WireGuard with my Kernel
and on the Stock Oreo 8.0 rom (Google Pixel 1);

Kernel support - working.
building the standalone wg-tools - working
wg-tools installation - working

Now, my issue seems to be with actually getting the WireGuard app working
with AzireVPN.... But in the process, I've figured out that wq-quick is NOT
working properly ~ which aside from the possibility that my configuration
for AzireVPM may be incorrect ~ The wg-quick issue is probably why the
android WireGuard app isn't working (as I assume it requires wg-quick)...
My pixel doesn't seem to recognise the wg-quick script being in
/system/xbin (even though it's there);

# wg-quick up wg0
sh: /system/xbin/wg-quick: No such file or directory

the script has;

#!/system/xbin/bash

changing it to not include bash, does allow it to be executed, but then I
get;

sh: /system/xbin/wg-quick: Permission denied

I'm not sure what's up here (but it doesn't matter if I'm root user or not,
same permission problem, I've checked permissions, it's executable, etc)...
***NOTE: If I manually use wg for setup ~ I can get the interface up and
working, following the quick start instructions and running wg for
verification (ref: https://www.wireguard.com/quickstart/) ... So i think
WireGuard is actually working. (kernel support and wg).... That said ~ I'm
going to have a stab at repackaging the user-space components as a standard
android flashable zip (as we talked about on XDA, @Jason), start fresh and
see if I can get it working...

All of that aside; I'm wondering if someone could post a working
config/template for AzireVPN or any other free VPN that supports
WireGuard??? (minus any private information, respectfully). I'd just like
to make sure that I have a working config for WireGuard on Android -> so
that when I try to test, after re-installing wg-tools ~ that might be one
less hiccup... I've never used WireGuard, so all very new to me.

Thanks

Jordan

PS: @Jason - I'm also going to have a look (later on) and see If i can get
the WireGuard android app to not "crash on boot" in Oreo ~ using the
commits for Kernel Aduitor's fixes that I pointed out to you yesterday,
when I brought up the issue. ttyl

[-- Attachment #2: Type: text/html, Size: 2926 bytes --]

Re: WireGuard (Android) Configuration issues, etc.

[Jason A. Donenfeld]

Hi Jordan,

Thanks for getting in touch with your detailed email. Responses are
inline below.

> But in the process, I've figured out that wq-quick is NOT
> working properly The wg-quick issue is probably why the
> android WireGuard app isn't working (as I assume it requires wg-quick)... My
> pixel doesn't seem to recognise the wg-quick script being in /system/xbin
> # wg-quick up wg0
> sh: /system/xbin/wg-quick: No such file or directory
> #!/system/xbin/bash
> sh: /system/xbin/wg-quick: Permission denied

Ahhh. wg-quick indeed requires bash, and from what I gather, there
isn't bash on your ROM. You should be able to build that easily from
the AOSP source `mka bash`. This is one of the reasons I first
launched the Android stuff with the local_manifest.xml hack instead of
the standalone tools. I'll have to think about a more general purpose
solution, but for now, I thing the best thing you can do would be to
just add bash. If you're stuck and need help, I can probably build you
a statically linked musl aarch64 bash that will work mostly
everywhere.

Alternatively, maybe there is bash on that phone, but it isn't where I
was expecting. Could you run the commands:

# find / -name bash -or -name env 2>/dev/null

And send me the output?

> That said ~ I'm
> going to have a stab at repackaging the user-space components as a standard
> android flashable zip (as we talked about on XDA, @Jason), start fresh and
> see if I can get it working...

We might wind up wanting that statically compiled bash for the .zip.
Based on your findings above, we can adjust this plan accordingly.
Having the flashable .zip infra seems like a good idea either way.

> All of that aside; I'm wondering if someone could post a working
> config/template for AzireVPN or any other free VPN that supports
> WireGuard???

We don't use this list for commercial providers -- they have their own
private support emails and contact methods -- but I can help you with
the free non-commericial demo server -- demo.wireguard.com.

> (minus any private information, respectfully). I'd just like to
> make sure that I have a working config for WireGuard on Android -> so that
> when I try to test, after re-installing wg-tools ~ that might be one less
> hiccup... I've never used WireGuard, so all very new to me.

Makes sense. It might make the most sense to just head into #wireguard
on Freenode too, where we can troubleshoot basic how-to things in real
time.
>
> PS: @Jason - I'm also going to have a look (later on) and see If i can get
> the WireGuard android app to not "crash on boot" in Oreo ~ using the commits
> for Kernel Aduitor's fixes that I pointed out to you yesterday, when I
> brought up the issue. ttyl

Oh, wonderful! Don't hesitate to send patches to this list for that stuff.

Talk soon,
Jason

Re: WireGuard (Android) Configuration issues, etc.

[Jason A. Donenfeld]

[-- Attachment #1: Type: text/plain, Size: 825 bytes --]

Hey again,

I'll update the demo.wireguard.com scripts in the repo in a bit to
make them slightly more simple and support v6, like the attached, but
thought you might benefit from this now.

zx2c4@thinkpad ~ $ ./client.sh > /etc/wireguard/demo.conf
zx2c4@thinkpad ~ $ wg-quick up demo
[#] ip link add demo type wireguard
[#] wg setconf demo /dev/fd/63
[#] ip address add 192.168.4.178/32 dev demo
[#] ip link set mtu 1420 dev demo
[#] ip link set demo up
[#] resolvconf -a tun.demo -m 0 -x
[#] wg set x fwmark 51820
[#] ip -4 route add 0.0.0.0/0 dev demo table 51820
[#] ip -4 rule add not fwmark 51820 table 51820
[#] ip -4 rule add table main suppress_prefixlength 0
zx2c4@thinkpad ~ $ curl -4 zx2c4.com/ip
163.172.161.0
demo.wireguard.com
curl/7.56.1

Please don't run the script more than once or twice or thrice.

Jason

[-- Attachment #2: client.sh --]
[-- Type: application/x-sh, Size: 414 bytes --]

Re: WireGuard (Android) Configuration issues, etc.

[Jordan Johnston]

[-- Attachment #1: Type: text/plain, Size: 3404 bytes --]

Hey Jason,

Ahhh. wg-quick indeed requires bash, and from what I gather, there
> isn't bash on your ROM. You should be able to build that easily from
> the AOSP source `mka bash`. This is one of the reasons I first
> launched the Android stuff with the local_manifest.xml hack instead of
> the standalone tools. I'll have to think about a more general purpose
> solution, but for now, I thing the best thing you can do would be to
> just add bash. If you're stuck and need help, I can probably build you
> a statically linked musl aarch64 bash that will work mostly
> everywhere.
>

you got it, sir! Bash does not ship on the Pixel stock rom! (This is
probably true of many Stock Roms).

I'd like to have a stab at building Bash. But I don't have AOSP on my
Archlinux box (I only build the kernel, plus apps in android studio).
So that may be an issue, but I can have a look at how AOSP builds bash (so
far, I can't even find the source code for AOSP/bash online though).

however, I do like your idea; you could save me a step and provide me with
bash, if it's not too much trouble for you. Although, shouldn't bash be
built against bionic libc not musl?

Alternatively, if someone is running an Oreo rom for arm64-v8a and/or the
Pixel ~ they could post a bash binary - that might work for me.


> We might wind up wanting that statically compiled bash for the .zip.
> Based on your findings above, we can adjust this plan accordingly.
> Having the flashable .zip infra seems like a good idea either way.


Shipping a statically compiled version of bash would be the best solution,
for sure. That would cover everybody.

We don't use this list for commercial providers -- they have their own
> private support emails and contact methods -- but I can help you with
> the free non-commericial demo server -- demo.wireguard.com.
>

I never tried connecting to your server, but next time that is what I will
do, first.


> Makes sense. It might make the most sense to just head into #wireguard
> on Freenode too, where we can troubleshoot basic how-to things in real
> time.
>

Will do, but I'll need to sort out bash, first.

Oh, wonderful! Don't hesitate to send patches to this list for that stuff.
>

Yeah, I've found the WireGuard android app repository and downloaded the
sources. So I will take a look and see if I can't make it play nice with
Oreo on boot. If i can get that working okay, I will send patches for sure.

I'll update the demo.wireguard.com scripts in the repo in a bit to
> make them slightly more simple and support v6, like the attached, but
> thought you might benefit from this now.
>
> zx2c4@thinkpad ~ $ ./client.sh > /etc/wireguard/demo.conf
> zx2c4@thinkpad ~ $ wg-quick up demo
> [#] ip link add demo type wireguard
> [#] wg setconf demo /dev/fd/63
> [#] ip address add 192.168.4.178/32 dev demo
> [#] ip link set mtu 1420 dev demo
> [#] ip link set demo up
> [#] resolvconf -a tun.demo -m 0 -x
> [#] wg set x fwmark 51820
> [#] ip -4 route add 0.0.0.0/0 dev demo table 51820
> [#] ip -4 rule add not fwmark 51820 table 51820
> [#] ip -4 rule add table main suppress_prefixlength 0
> zx2c4@thinkpad ~ $ curl -4 zx2c4.com/ip
> 163.172.161.0
> demo.wireguard.com
> curl/7.56.1
>
> Please don't run the script more than once or twice or thrice.
>

Sounds good, Jason. thanks!

I may not get to this until tomorrow, I'll be away from my computer + no
bash on my end yet.

Jordan

[-- Attachment #2: Type: text/html, Size: 5612 bytes --]

Re: WireGuard (Android) Configuration issues, etc.

[Jason A. Donenfeld]

On Sat, Dec 2, 2017 at 1:00 AM, Jordan Johnston
<johnstonljordan@gmail.com> wrote:
> I'd like to have a stab at building Bash. But I don't have AOSP on my
> Archlinux box (I only build the kernel, plus apps in android studio).
> So that may be an issue, but I can have a look at how AOSP builds bash (so
> far, I can't even find the source code for AOSP/bash online though).
>
> however, I do like your idea; you could save me a step and provide me with
> bash, if it's not too much trouble for you. Although, shouldn't bash be
> built against bionic libc not musl?

Beware of accepting strange binaries from strange people on strange
mailing lists of strange projects, but here's a statically compiled
bash 4.4.12 for aarch64:

https://data.zx2c4.com/bash-4.4.12-aarch64-static-musl-1.1.16.tar.xz