how to enable wireguard service in freebsd14.2?

fff2024g

fff2024g

Dear all :
I know the wg is enabled in freebsd14.2 . but when i create wg2000.conf in /user/local/etc/wireguard/ folder, i want to start wireguard service with "service wireguard start " command in shell. "no wireguard service" output in the shell. how can i enable wg service in freebsd 14.2 ? thanks.

note : i don't install any wireguard pkg. just use the wg command to do anything. thanks.

pkg search wireguard
wireguard-go-0.0.20230223_11,1 WireGuard implementation in Go
wireguard-tools-1.0.20210914_3 Fast, modern and secure VPN Tunnel
wireguard-tools-lite-1.0.20210914_3 Fast, modern and secure VPN Tunnel (lite flavor)

i don't install any wireguard pkg , just use wg command. thanks.
 
Have you got what you need in rc.conf? (I don't use wireguard just searching the internet):

See e.g.

Sparkee

PF Thread 'Wireguard network setup'

I'm working on setting up my first wireguard server on FreeBSD 13.3.

The issue: once I start the wireguard service I can't reach the server anymore, the server still can access the internet but nothing can connect to it. The server is in the cloud.
On the same server I'm running an openvpn server, there are no issues there.
Do you have an idea what should I try? What did I miss?

rc.conf
Code: 
...
wireguard_enable="YES"
wireguard_interfaces="wg0"

wg0.conf
Code: 
[Interface]
Address = 10.9.0.1/32 # address the server will bind to
ListenPort = 51820 # listener port
PrivateKey = ***

[Peer]
AllowedIPs =...
  • Sparkee
  • nat pf conf wireguard pf wireguard server wirguard
  • Replies: 8
  • Forum: Firewalls
 
Last time I checked, there was no service script for wireguard. So you will have to copy it from wireguard-tools-lite.
So if you put this files in /usr/local/etc/rc.d/wireguard
Code: 
#!/bin/sh

# PROVIDE: wireguard
# REQUIRE: NETWORKING
# KEYWORD: shutdown
#
# wireguard_enable (bool):        Set to "YES" to enable wireguard.
#                                 (default: "NO")
#
# wireguard_interfaces (str):     List of interfaces to bring up/down
#                                 on start/stop. (eg: "wg0 wg1")
#                                 (default: "")
# wireguard_confdir (str):        Config directory that contains wg0.conf
#                                 (default: "/usr/local/etc/wireguard")
# wireguard_<iface>_ips (str):    List of IP Addresses for iface
# wireguard_<iface>_routes (str): List of Routes for this iface
# wireguard_<iface>_mtu (str):    MTU for iface (default: "1500")

. /etc/rc.subr

name=wireguard
rcvar=wireguard_enable
extra_commands="reload status"

start_cmd="${name}_start"
stop_cmd="${name}_stop"
reload_cmd="${name}_reload"
status_cmd="${name}_status"

wireguard_start()
{
	for interface in ${wireguard_interfaces}; do
		load_rc_config wireguard_${interface}

		eval wireguard_ips="\${wireguard_${interface}_ips}"
		eval wireguard_routes="\${wireguard_${interface}_routes}"
		eval wireguard_mtu="\${wireguard_${interface}_mtu}"

		ifconfig ${interface} create
		/usr/bin/wg setconf ${interface} ${wireguard_confdir}/${interface}.conf

		for ip in ${wireguard_ips}; do
			if [ "${ip#*:}" != "${ip}" ]; then
				ifconfig ${interface} inet6 ${ip} alias
			else
				ifconfig ${interface} inet ${ip} alias
			fi
		done

		if [ ! -z "${wireguard_mtu}" ]; then
			ifconfig ${interface} mtu ${wireguard_mtu}
		fi

		ifconfig ${interface} up

		for route in ${wireguard_routes}; do
			if [ "${route#*:}" != "${route}" ]; then
				route -q -n add -inet6 ${route} -interface ${interface}
			else
				route -q -n add -inet ${route} -interface ${interface}
			fi
		done
	done
}

wireguard_stop()
{
	for interface in ${wireguard_interfaces}; do
		load_rc_config wireguard_${interface}

		eval wireguard_routes="\${wireguard_${interface}_routes}"

		for route in ${wireguard_routes}; do
			if [ "${route#*:}" != "${route}" ]; then
				route -q -n delete -inet6 ${route} -interface ${interface}
			else
				route -q -n delete -inet ${route} -interface ${interface}
			fi
		done

		ifconfig ${interface} down

		ifconfig ${interface} destroy
	done
}

wireguard_reload()
{
	for interface in ${wireguard_interfaces}; do
		/usr/bin/wg syncconf ${interface} ${wireguard_confdir}/${interface}.conf
	done
}

wireguard_status()
{
	wireguard_status="0"

	for interface in ${wireguard_interfaces}; do
		/usr/bin/wg show ${interface} || wireguard_status="1"
	done

	return ${wireguard_status}
}

load_rc_config $name

: ${wireguard_enable="NO"}
: ${wireguard_interfaces=""}
: ${wireguard_confdir="/usr/local/etc/wireguard"}

run_rc_command "$1"
It should work.
 
monwarez said:
Last time I checked, there was no service script for wireguard. So you will have to copy it from wireguard-tools-lite.
So if you put this files in /usr/local/etc/rc.d/wireguard
Code: 
#!/bin/sh

# PROVIDE: wireguard
# REQUIRE: NETWORKING
# KEYWORD: shutdown
#
# wireguard_enable (bool):        Set to "YES" to enable wireguard.
#                                 (default: "NO")
#
# wireguard_interfaces (str):     List of interfaces to bring up/down
#                                 on start/stop. (eg: "wg0 wg1")
#                                 (default: "")
# wireguard_confdir (str):        Config directory that contains wg0.conf
#                                 (default: "/usr/local/etc/wireguard")
# wireguard_<iface>_ips (str):    List of IP Addresses for iface
# wireguard_<iface>_routes (str): List of Routes for this iface
# wireguard_<iface>_mtu (str):    MTU for iface (default: "1500")

. /etc/rc.subr

name=wireguard
rcvar=wireguard_enable
extra_commands="reload status"

start_cmd="${name}_start"
stop_cmd="${name}_stop"
reload_cmd="${name}_reload"
status_cmd="${name}_status"

wireguard_start()
{
    for interface in ${wireguard_interfaces}; do
        load_rc_config wireguard_${interface}

        eval wireguard_ips="\${wireguard_${interface}_ips}"
        eval wireguard_routes="\${wireguard_${interface}_routes}"
        eval wireguard_mtu="\${wireguard_${interface}_mtu}"

        ifconfig ${interface} create
        /usr/bin/wg setconf ${interface} ${wireguard_confdir}/${interface}.conf

        for ip in ${wireguard_ips}; do
            if [ "${ip#*:}" != "${ip}" ]; then
                ifconfig ${interface} inet6 ${ip} alias
            else
                ifconfig ${interface} inet ${ip} alias
            fi
        done

        if [ ! -z "${wireguard_mtu}" ]; then
            ifconfig ${interface} mtu ${wireguard_mtu}
        fi

        ifconfig ${interface} up

        for route in ${wireguard_routes}; do
            if [ "${route#*:}" != "${route}" ]; then
                route -q -n add -inet6 ${route} -interface ${interface}
            else
                route -q -n add -inet ${route} -interface ${interface}
            fi
        done
    done
}

wireguard_stop()
{
    for interface in ${wireguard_interfaces}; do
        load_rc_config wireguard_${interface}

        eval wireguard_routes="\${wireguard_${interface}_routes}"

        for route in ${wireguard_routes}; do
            if [ "${route#*:}" != "${route}" ]; then
                route -q -n delete -inet6 ${route} -interface ${interface}
            else
                route -q -n delete -inet ${route} -interface ${interface}
            fi
        done

        ifconfig ${interface} down

        ifconfig ${interface} destroy
    done
}

wireguard_reload()
{
    for interface in ${wireguard_interfaces}; do
        /usr/bin/wg syncconf ${interface} ${wireguard_confdir}/${interface}.conf
    done
}

wireguard_status()
{
    wireguard_status="0"

    for interface in ${wireguard_interfaces}; do
        /usr/bin/wg show ${interface} || wireguard_status="1"
    done

    return ${wireguard_status}
}

load_rc_config $name

: ${wireguard_enable="NO"}
: ${wireguard_interfaces=""}
: ${wireguard_confdir="/usr/local/etc/wireguard"}

run_rc_command "$1"
It should work.
Click to expand...
Dear

monwarez

, if i don't want to use this script , just want to enable wg service , what we can do ?
 
richardtoohey2 said:
Have you got what you need in rc.conf? (I don't use wireguard just searching the internet):

See e.g.

Sparkee

PF Thread 'Wireguard network setup'

I'm working on setting up my first wireguard server on FreeBSD 13.3.

The issue: once I start the wireguard service I can't reach the server anymore, the server still can access the internet but nothing can connect to it. The server is in the cloud.
On the same server I'm running an openvpn server, there are no issues there.
Do you have an idea what should I try? What did I miss?

rc.conf
Code: 
...
wireguard_enable="YES"
wireguard_interfaces="wg0"

wg0.conf
Code: 
[Interface]
Address = 10.9.0.1/32 # address the server will bind to
ListenPort = 51820 # listener port
PrivateKey = ***

[Peer]
AllowedIPs =...
  • Sparkee
  • nat pf conf wireguard pf wireguard server wirguard
  • Replies: 8
  • Forum: Firewalls
Click to expand...
DEAr

richardtoohey2

i don't use freebsd13. now i have used freebsd14.2 . this version have wg in the kernel. but i don't know how to active it . thanks.
 
richardtoohey2 said:
So have you got anything in rc.conf? Looks like you ned something in 14.x as well.

E.g.

Click to expand...
Dear richardtoohey2:
i can't open reddit link. our country block most website, so i want to build a vpn server . i want to use wireguard kernel mode to build server. can you show me some step. thanks.

note : if we used wireguard userland mode, we need to add below content.
#enable wireguard interface
wireguard_enable="yes"
wireguard_interfaces="wg2024"

but , if i use wireguard kernel mode, maybe we no need add it . thanks.
 
fff2024g, I use a small — just a few users — wireguard vpn server without any ports/packages. You need something like:
  1. Create wg2024 interface, sysrc cloned_interfaces+=wg2024;
  2. Add ip configuration for the interface, sysrc ifconfig_wg2024="inet vpn.server.ip.address/mask";
  3. Create /usr/local/etc/wireguard/wg2024.conf file;
  4. Create /usr/local/etc/devd/wireguard.conf with the following content:
Code: 
notify 0 {
        match "system"  "IFNET";
        match "type"    "LINK_UP";
        media-type      "unknown";

        action ". /etc/rc.subr
                . /etc/network.subr
                load_rc_config network
                if autoif $subsystem && [ -r /usr/local/etc/wireguard/$subsystem.conf ]
                then
                        /usr/bin/wg setconf $subsystem /usr/local/etc/wireguard/$subsystem.conf
                fi";
};

Should be enough to get started :cool:
 
fff2024g said:
Dear

monwarez

, if i don't want to use this script , just want to enable wg service , what we can do ?
Click to expand...
This script is an rc.d service that run the wireguard service from base.
I am curious, did you remove all script in /etc/rc.d ? Because these are the same kind of script.

In FreeBSD, enabling a service is basically running an rc.d script that setup your service. So I really don't understand what you want here.
 
monwarez said:
In FreeBSD, enabling a service is basically running an rc.d script that setup your service. So I really don't understand what you want here.
Click to expand...
Isn't part of enabling a service also down to the /etc/rc.conf entries (which is the bit I keep asking the OP about)?

The sysrc commands you are recommending will do the /etc/rc.conf parts, won't they?

Not disagreeing with anything you've said, just asking if I'm on the right path re. /etc/rc.conf being part of the equation.

Then an rc.d script will use the settings you have put in /etc/rc.conf (or similar).

Like you, trying to understand a bit more what the OP is asking.
 
You guys, richardtoohey2, monwarez, answered in the begining on this thread how to set it up. There's no rc.d script in base, one needs to have wireguard-tools. I wonder if it's because of its GPL license (my speculation).

fff2024g wg-quick shows you what it does, example:
Code: 
[#] ifconfig wg create name wg0
[#] wg setconf wg0 /dev/stdin
[#] ifconfig wg0 inet 10.1.1.3/24 alias
[#] ifconfig wg0 mtu 1420
[#] ifconfig wg0 up
...
...

So I guess you could somehow make this into /etc/rc.conf though I'm not sure how you'd execute wg command from that (not without the helper script anyway). On top of it wg-quick calls "route monitor" and keeps it in background -- simple shell logic that keeps an eye on the connection. This you can't do without a script.

Bottom line -- you do need wireguard-tools which are not provided in base yet. Not in 14.2 as of now (Dec 10,2024).
 
richardtoohey2 said:
Isn't part of enabling a service also down to the /etc/rc.conf entries (which is the bit I keep asking the OP about)?

The sysrc commands you are recommending will do the /etc/rc.conf parts, won't they?

Not disagreeing with anything you've said, just asking if I'm on the right path re. /etc/rc.conf being part of the equation.

Then an rc.d script will use the settings you have put in /etc/rc.conf (or similar).

Like you, trying to understand a bit more what the OP is asking.
Click to expand...
Yes enabling a service require editing the /etc/rc.conf entries, but without a corresponding service files it is pointless.

The command in the /etc/rc.conf are only for setting the variables needed for the service files.
The service files itself lives in /etc/rc.d and /usr/local/etc/rc.d.

Since FreeBSD 14.2 does not ship with the rc script for wireguard, one have to write them.
To do so, I suggest taking the easier route, adapting the one from wireguard-tools-lite that does not depends on wg-quick.
The full configuration for rc.conf should looks like this (for a setup not using wg-quick)
Code: 
wireguard_enable="YES"
wireguard_interfaces="wg0"
wireguard_wg0_ips="10.0.0.2/24"

The symptoms described by the OP are
no wireguard service
Click to expand...
Which implies that there is no service files for wireguard, hence the instruction to create this service files using wireguard-tools-lite as a basis that will not require anything outside base.

On a side note, I don't understand why the service files that does not depends on wg-quick was not in base, maybe someone absolutely wanted to have a wg-quick equivalent or nothing ?

PS: maybe I was not clear enough, but the rc.d script that I presented earlier use the wireguard implementation from base.
 
You must log in or register to reply here.
Back
Top