Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

DietPi-Software | WireGuard: Lightweight modern in-kernel VPN #2052

Closed
MichaIng opened this issue Sep 1, 2018 · 33 comments

Comments

Projects
None yet
8 participants
@MichaIng
Copy link
Owner

commented Sep 1, 2018

Creating a software request:

Vote for it on FeatHub: https://feathub.com/MichaIng/DietPi/+14

Give us some formal software information:

Are there similar/alternative software titles available with DietPi-Software?

  • 97 OpenVPN: vpn server
  • 117 PiVPN: openvpn installer & management tool

What makes your requested software better than the above solutions, if available?

  • Seems to be faster and more lightweight than OpenVPN, as it runs in kernel.
  • But some testing makes sense.

Can you provide the installation steps that you would suggest DietPi-Software to do?

  1. Add Debian Sid repo: https://packages.debian.org/sid/wireguard
  2. Set priority of unstable/sid repo low enough to prevent any automated install.
  3. G_AGI wireguard -t sid
@MichaIng

This comment has been minimized.

Copy link
Owner Author

commented Sep 3, 2018

A problem is, that the Raspbian repo does not have a sid/unstable repo, so no branch where wireguard is available: http://raspbian.raspberrypi.org/raspbian/dists/

Debian armhf usually works on Raspbian/RPi systems, so we can add Debian sid there as well and test, but all this makes it even more experimental 😜.

@thaihugo

This comment has been minimized.

Copy link

commented Sep 4, 2018

I have a fonctionning wireguard setup on my DietPi using this setup:
https://www.tnhh.net/posts/wireguard-router-firewalled-computer-raspberry-pi.html

It even updates itself nicely with new DietPi-updates with kernel updates

@MichaIng

This comment has been minimized.

Copy link
Owner Author

commented Sep 5, 2018

@thaihugo
Many thanks for this.

armel, not armhf - the Raspberry Pi's CPU doesn't have some of the features of the armhf arch in Debian, if you download and install the armhf package, it will crash

So just adding the Debian/sid repo would have not worked then. Needs to be checked on all RPi models, as they might behave differently?

But still, all this looks very hacky to me, in combination with wireguard considering itself as experimental and not even reaching testing repo.

Warning: WireGuard is currently under development, and therefore any installation steps here should be considered as experimental. We are rapidly working toward mainline inclusion, at which point we will consider this codebase non-experimental.

If we add it on the current stage to DietPi, it should be clearly marked for our users as experimental too. Hope it reaches Raspbian+Debian testing repo soon, which would also assure a well working version for RPi.


Issue on Rock64, needs investigation: https://dietpi.com/phpbb/viewtopic.php?f=11&t=4579

@thaihugo

This comment has been minimized.

Copy link

commented Sep 5, 2018

It is basically using the right binary with a wrong info for the packager. It is more complicated to force the armel armhf thing with a dpgk —force-architecture as it will block something down the line. I know it’s hackish but at least the solution is correctly integrated with apt and kernel updates.
As for the wireguard « unstable » status, You are the juge of this, but for my tests it feels more like a way to « underpromise, overdeliver »

@MichaIng

This comment has been minimized.

Copy link
Owner Author

commented Sep 5, 2018

Jep, the solution is great. We could use this for some other software titles as well, possibly. If I am not wrong, we add i386 repo arch to all x86_64 images, just for 1 or 2 software titles that have no x64 package. But adjusting the packages instead of adding the arch to all devices sounds cleaner to me. Also it reduces the time and data transfer for APT updates significantly.

So for now your solution indeed seem the best one can do. I am just not sure, if we should add WireGuard as long as it simple needs this hackish steps and considers itself as experimental. On the other hand, it seems to be very beneficial over OpenVPN in many ways, worth to push. If we then can help testing/debugging it for the devs and allow faster Beta/Release, even better 😃.

Let's wait for @Fourdee opinion here. He's a bid busy currently, so perhaps we need to be more patient compared to usual response time 😉.

@HiDef888

This comment has been minimized.

Copy link

commented Sep 7, 2018

Thanks @thaihugo Got mine setup on my VM with no issues with those instructions! Obviously with less trouble using the amd64 binaries. Im a little curious if those extra steps are even necessary with a RPi 3 or not! Apparently anytihng over armv7 is good to go with the armhf packages from what i gather.

@MichaIng MichaIng changed the title WireGuard | Lightweight modern in-kernel VPN server DietPi-Software | WireGuard: Lightweight modern in-kernel VPN server Oct 14, 2018

@MichaIng MichaIng added this to the Planned for implementation milestone Oct 15, 2018

@Micha-Btz

This comment has been minimized.

Copy link

commented Nov 13, 2018

On my Raspi 3b+ I can use the debian armhf package directly without modifying it.

@slim0287

This comment has been minimized.

Copy link

commented Nov 18, 2018

I'm looking forward to Wireguard in Dietpi as well. Currently I run an OpenVPN server on Dietpi, however from what I have read Wireguard will be a better implementation for my use case.

@Fourdee Fourdee modified the milestones: v6.19, v6.20 Dec 4, 2018

@MichaIng

This comment has been minimized.

Copy link
Owner Author

commented Dec 26, 2018

Added to FeatHub, feel free to vote for it: https://feathub.com/MichaIng/DietPi/+14

@MichaIng

This comment has been minimized.

Copy link
Owner Author

commented Jan 6, 2019

Install test on VM Stretch:

echo 'deb https://deb.debian.org/debian/ sid main' > /etc/apt/sources.d/dietpi-wireguard.list
echo -e 'Package: *\nPin: release n=sid\nPin-Priority: 99' > /etc/apt/preferences.d/dietpi-wireguard
G_AGI wireguard
...
Need to get 22.7 MB of archives.
After this operation, 96.5 MB of additional disk space will be used.
Do you want to continue? [Y/n] y
Get:1 https://cdn-aws.deb.debian.org/debian stretch/main amd64 binutils amd64 2.28-5 [3,770 kB]
Get:2 https://cdn-aws.deb.debian.org/debian stretch/main amd64 libisl15 amd64 0.18-1 [564 kB]
Get:3 https://cdn-aws.deb.debian.org/debian stretch/main amd64 libmpfr4 amd64 3.1.5-1 [556 kB]
Get:4 https://cdn-aws.deb.debian.org/debian stretch/main amd64 libmpc3 amd64 1.0.3-1+b2 [39.9 kB]
Get:5 https://cdn-aws.deb.debian.org/debian stretch/main amd64 cpp-6 amd64 6.3.0-18+deb9u1 [6,584 kB]
Get:6 https://cdn-aws.deb.debian.org/debian stretch/main amd64 cpp amd64 4:6.3.0-4 [18.7 kB]
Get:7 https://cdn-aws.deb.debian.org/debian stretch/main amd64 libcc1-0 amd64 6.3.0-18+deb9u1 [30.6 kB]
Get:8 https://cdn-aws.deb.debian.org/debian stretch/main amd64 libgomp1 amd64 6.3.0-18+deb9u1 [73.3 kB]
Get:9 https://cdn-aws.deb.debian.org/debian stretch/main amd64 libitm1 amd64 6.3.0-18+deb9u1 [27.3 kB]
Get:10 https://cdn-aws.deb.debian.org/debian stretch/main amd64 libatomic1 amd64 6.3.0-18+deb9u1 [8,966 B]
Get:11 https://cdn-aws.deb.debian.org/debian stretch/main amd64 libasan3 amd64 6.3.0-18+deb9u1 [311 kB]
Get:12 https://cdn-aws.deb.debian.org/debian stretch/main amd64 liblsan0 amd64 6.3.0-18+deb9u1 [115 kB]
Get:13 https://cdn-aws.deb.debian.org/debian stretch/main amd64 libtsan0 amd64 6.3.0-18+deb9u1 [257 kB]
Get:14 https://cdn-aws.deb.debian.org/debian stretch/main amd64 libubsan0 amd64 6.3.0-18+deb9u1 [107 kB]
Get:15 https://cdn-aws.deb.debian.org/debian stretch/main amd64 libcilkrts5 amd64 6.3.0-18+deb9u1 [40.5 kB]
Get:16 https://cdn-aws.deb.debian.org/debian stretch/main amd64 libmpx2 amd64 6.3.0-18+deb9u1 [11.2 kB]
Get:17 https://cdn-aws.deb.debian.org/debian stretch/main amd64 libquadmath0 amd64 6.3.0-18+deb9u1 [131 kB]
Get:18 https://cdn-aws.deb.debian.org/debian stretch/main amd64 libgcc-6-dev amd64 6.3.0-18+deb9u1 [2,296 kB]
Get:19 https://cdn-aws.deb.debian.org/debian stretch/main amd64 gcc-6 amd64 6.3.0-18+deb9u1 [6,900 kB]
Get:20 https://cdn-aws.deb.debian.org/debian stretch/main amd64 gcc amd64 4:6.3.0-4 [5,196 B]
Get:21 https://cdn-aws.deb.debian.org/debian stretch/main amd64 make amd64 4.1-9.1 [302 kB]
Get:22 https://cdn-aws.deb.debian.org/debian stretch/main amd64 patch amd64 2.7.5-1+deb9u1 [112 kB]
Get:23 https://cdn-aws.deb.debian.org/debian stretch/main amd64 dkms all 2.3-2 [74.8 kB]
Get:24 https://cdn-aws.deb.debian.org/debian sid/main amd64 wireguard-dkms all 0.0.20181218-1 [263 kB]
Get:25 https://cdn-aws.deb.debian.org/debian sid/main amd64 wireguard-tools amd64 0.0.20181218-1 [94.5 kB]
Get:26 https://cdn-aws.deb.debian.org/debian sid/main amd64 wireguard all 0.0.20181218-1 [20.3 kB]

🈯️ Only wireguard* packages are pulled from sid repo, which is what we want. Priority 100 however should allow APT upgrades of those.

@MichaIng

This comment has been minimized.

Copy link
Owner Author

commented Jan 6, 2019

Linux headers are required for wireguard-dkms to build it's kernel module.

/etc/network/interfaces could be used to setup the VPN interface via ifupdown/networking service. But wireguard comes with it's own systemd unit wg-quick@.service which allows the VPN to be handled more independent from the network in general, so we an e.g. handle it via dietpi-services, while the remaining networking service is completely untouched by this.

To forward all traffic from the VPN clients to the servers internet interface, iptables works well. I am not too experienced and didn't manage to achieve this via route tables iproute2/ip r add... command... This would be actually the cleaner solution at first, to avoid the need to install iptables.

@MichaIng

This comment has been minimized.

Copy link
Owner Author

commented Jan 6, 2019

PR up: #2398

Fourdee pushed a commit that referenced this issue Jan 11, 2019

Daniel Knight
v6.20
+ WG install tweaks: #2052

Fourdee pushed a commit that referenced this issue Jan 11, 2019

Daniel Knight
v6.20
+ Uninstall tweak: #2052
@Fourdee

This comment has been minimized.

Copy link
Collaborator

commented Jan 11, 2019

Install tests:

  • 🈯️ RPi stock + install
  • RPi with rpi-update testing kernel + install | #2052 (comment)
  • 🈯️ VM stock + install + reinstall + uinstall
@Fourdee

This comment has been minimized.

Copy link
Collaborator

commented Jan 11, 2019

To do (WEB):

Misc:

  • Add support for other devices? Odroids should be fine thanks to meverics kernel header packages?
@Fourdee

This comment has been minimized.

Copy link
Collaborator

commented Jan 11, 2019

🈯️ Drop official support for use of rpi-update in DietPi.
🈯️ Not keen on having rpi-update checks throughout our code, will simply add patch for end users.

Fourdee pushed a commit that referenced this issue Jan 11, 2019

Daniel Knight
v6.20
+ Dietpi-config remove rpi-update option
+ Patch for APT kernel install
#2052

Fourdee pushed a commit that referenced this issue Jan 11, 2019

Daniel Knight
v6.20
+ Odroid's: #2052
@Fourdee

This comment has been minimized.

Copy link
Collaborator

commented Jan 11, 2019

Tests:

  • Odroid C1/N1 | unable to test, lack boards.
  • 🈯️ C2 | Package version mismatch
linux-headers-arm64-odroid-c2 is already the newest version (3.16.61-1).
linux-image-arm64-odroid-c2 is already the newest version (3.16.57-1).
  • 🈯️ XU4 | Package version mismatch
linux-headers-4.14-armhf-odroid-xu4 is already the newest version (4.14.87-1).
linux-image-4.14-armhf-odroid-xu4 is already the newest version (4.14.66-1).

Seems we need to reinstall these to ensure updates, this works:

 G_AGP linux-image-arm64-odroid-c2; G_AGI linux-image-arm64-odroid-c2

--reinstall has no effect, we need to purge + install again to update.

Fourdee pushed a commit that referenced this issue Jan 12, 2019

Daniel Knight
v6.20
+ fix for #2052 (comment)

Fourdee pushed a commit that referenced this issue Jan 12, 2019

Daniel Knight
v6.20
+ Reboot required.

EG: in case of Odroid headers do not match active kernel, thus fails to active module.

#2052 (comment)
@Fourdee

This comment has been minimized.

Copy link
Collaborator

commented Jan 13, 2019

Rock headers + kernel included in package linux-rock64

Although we need to reinstall headers as we remove /usr/src during PREP.
linux-rock64 linux-headers*; G_AGA; G_AGI linux-rock64

Hmm, still fails:

Unpacking wireguard-dkms (0.0.20181218-1) over (0.0.20181218-1) ...
Setting up qrencode (3.4.4-1+b2) ...
Setting up wireguard-dkms (0.0.20181218-1) ...
Loading new wireguard-0.0.20181218 DKMS files...
Building for 4.4.132-1075-rockchip-ayufan-ga83beded8524
Building initial module for 4.4.132-1075-rockchip-ayufan-ga83beded8524
Error! Bad return status for module build on kernel: 4.4.132-1075-rockchip-ayufan-ga83beded8524 (aarch64)
Consult /var/lib/dkms/wireguard/0.0.20181218/build/make.log for more information

root@DietPi:~# cat /var/lib/dkms/wireguard/0.0.20181218/build/make.log
DKMS make.log for wireguard-0.0.20181218 for kernel 4.4.132-1075-rockchip-ayu-ga83beded8524 (aarch64)
Sun 13 Jan 03:52:59 GMT 2019
make: Entering directory '/usr/src/linux-headers-4.4.132-1075-rockchip-ayufan83beded8524'
/usr/bin/env: ‘python’: No such file or directory
  LD      /var/lib/dkms/wireguard/0.0.20181218/build/built-in.o
  CC [M]  /var/lib/dkms/wireguard/0.0.20181218/build/main.o
/usr/bin/env: ‘python’: No such file or directory
  CC [M]  /var/lib/dkms/wireguard/0.0.20181218/build/noise.o
scripts/Makefile.build:277: recipe for target '/var/lib/dkms/wireguard/0.0.20218/build/main.o' failed
make[1]: *** [/var/lib/dkms/wireguard/0.0.20181218/build/main.o] Error 127
make[1]: *** Waiting for unfinished jobs....
/usr/bin/env: ‘python’: No such file or directory
scripts/Makefile.build:277: recipe for target '/var/lib/dkms/wireguard/0.0.20218/build/noise.o' failed
  CC [M]  /var/lib/dkms/wireguard/0.0.20181218/build/device.o
make[1]: *** [/var/lib/dkms/wireguard/0.0.20181218/build/noise.o] Error 127
/usr/bin/env: ‘python’: No such file or directory
scripts/Makefile.build:277: recipe for target '/var/lib/dkms/wireguard/0.0.20218/build/device.o' failed
make[1]: *** [/var/lib/dkms/wireguard/0.0.20181218/build/device.o] Error 127
Makefile:1471: recipe for target '_module_/var/lib/dkms/wireguard/0.0.2018121uild' failed
make: *** [_module_/var/lib/dkms/wireguard/0.0.20181218/build] Error 2
make: Leaving directory '/usr/src/linux-headers-4.4.132-1075-rockchip-ayufan-3beded8524'

🈯️ G_AGI python, requires python, why? lol

@MichaIng

This comment has been minimized.

Copy link
Owner Author

commented Jan 18, 2019

Further tuning: #2420

@MichaIng MichaIng pinned this issue Jan 18, 2019

@MichaIng MichaIng changed the title DietPi-Software | WireGuard: Lightweight modern in-kernel VPN server DietPi-Software | WireGuard: Lightweight modern in-kernel VPN Jan 21, 2019

@Fourdee

This comment has been minimized.

Copy link
Collaborator

commented Jan 26, 2019

  • 🈴 RockPro64 | Kernel panic after image PREP. Unstable board? Occurs on non-dietpi images.
  • 🈴 Rock64 | Updated to ARMbian image (available after v6.20 release).
root@DietPi:~# dpkg-reconfigure wireguard-dkms

------------------------------
Deleting module version: 0.0.20181218
completely from the DKMS tree.
------------------------------
Done.
Loading new wireguard-0.0.20181218 DKMS files...
Building for 4.4.167-rockchip64
Building initial module for 4.4.167-rockchip64
Error! Bad return status for module build on kernel: 4.4.167-rockchip64 (aarch64)
Consult /var/lib/dkms/wireguard/0.0.20181218/build/make.log for more information.

root@DietPi:~# uname -r
4.4.167-rockchip64

root@DietPi:~# dpkg --get-selections | grep headers
linux-headers-rockchip64 

/usr/bin/env: /usr/bin/env: ‘python’‘python’: No such file or directory: No such file or directory

root@DietPi:~# /usr/bin/env
LC_ALL=en_GB.UTF-8
SSH_CONNECTION=192.168.0.5 61508 192.168.0.24 22
LANG=en_GB.UTF-8
USER=root
PWD=/root
HOME=/root
SSH_CLIENT=192.168.0.5 61508 22
SSH_TTY=/dev/pts/0
TERM=xterm
SHELL=/bin/bash
SHLVL=1
LOGNAME=root
PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
_=/usr/bin/env

Still fails with python build-essential installed:

https://forum.armbian.com/topic/5883-wireguard-on-a20/

Done.
Loading new wireguard-0.0.20181218 DKMS files...
Building for 4.4.167-rockchip64
Building initial module for 4.4.167-rockchip64
Error! Bad return status for module build on kernel: 4.4.167-rockchip64 (aarch64)
Consult /var/lib/dkms/wireguard/0.0.20181218/build/make.log for more information.
root@DietPi:~# cat /var/lib/dkms/wireguard/0.0.20181218/build/make.log
DKMS make.log for wireguard-0.0.20181218 for kernel 4.4.167-rockchip64 (aarch64)
Sat 26 Jan 09:13:12 GMT 2019
make: Entering directory '/usr/src/linux-headers-4.4.167-rockchip64'
  CC [M]  /var/lib/dkms/wireguard/0.0.20181218/build/main.o
  CC [M]  /var/lib/dkms/wireguard/0.0.20181218/build/noise.o
  CC [M]  /var/lib/dkms/wireguard/0.0.20181218/build/device.o
  LD      /var/lib/dkms/wireguard/0.0.20181218/build/built-in.o
  CC [M]  /var/lib/dkms/wireguard/0.0.20181218/build/peer.o
/bin/sh: 1: ./scripts/recordmcount: not found
scripts/Makefile.build:277: recipe for target '/var/lib/dkms/wireguard/0.0.20181218/build/main.o' failed
make[1]: *** [/var/lib/dkms/wireguard/0.0.20181218/build/main.o] Error 127
make[1]: *** Deleting file '/var/lib/dkms/wireguard/0.0.20181218/build/main.o'
make[1]: *** Waiting for unfinished jobs....
/bin/sh: 1: ./scripts/recordmcount: not found
scripts/Makefile.build:277: recipe for target '/var/lib/dkms/wireguard/0.0.20181218/build/peer.o' failed
make[1]: *** [/var/lib/dkms/wireguard/0.0.20181218/build/peer.o] Error 127
make[1]: *** Deleting file '/var/lib/dkms/wireguard/0.0.20181218/build/peer.o'
/bin/sh: 1: ./scripts/recordmcount: not found
scripts/Makefile.build:277: recipe for target '/var/lib/dkms/wireguard/0.0.20181218/build/device.o' failed
make[1]: *** [/var/lib/dkms/wireguard/0.0.20181218/build/device.o] Error 127
make[1]: *** Deleting file '/var/lib/dkms/wireguard/0.0.20181218/build/device.o'
/bin/sh: 1: ./scripts/recordmcount: not found
scripts/Makefile.build:277: recipe for target '/var/lib/dkms/wireguard/0.0.20181218/build/noise.o' failed
make[1]: *** [/var/lib/dkms/wireguard/0.0.20181218/build/noise.o] Error 127
make[1]: *** Deleting file '/var/lib/dkms/wireguard/0.0.20181218/build/noise.o'
Makefile:1493: recipe for target '_module_/var/lib/dkms/wireguard/0.0.20181218/build' failed
make: *** [_module_/var/lib/dkms/wireguard/0.0.20181218/build] Error 2
make: Leaving directory '/usr/src/linux-headers-4.4.167-rockchip64'

Fourdee pushed a commit that referenced this issue Jan 26, 2019

Daniel Knight
v6.20
+ Revert rock64 enable: #2052 (comment)
@Fourdee

This comment has been minimized.

Copy link
Collaborator

commented Jan 28, 2019

@MichaIng

Great work on this 👍

I believe we can now mark this as completed?

If interest peaks for additional SBC install support of WG, we can investigate at that time. For now, I believe RPi + x86_64 should cover >60% of our users.

@MichaIng

This comment has been minimized.

Copy link
Owner Author

commented Jan 28, 2019

@Fourdee
Jep and Odoids C1/C2/XU4 are already enabled as well. Other devices on demand and when we find reliable kernel + header packages.

I am currently writing the dietpi.com docs for WireGuard, so this can be closed.

@MichaIng MichaIng closed this Jan 28, 2019

@MichaIng

This comment has been minimized.

Copy link
Owner Author

commented Jan 28, 2019

@Fourdee
Online docs done, please review for wording and such: https://dietpi.com/phpbb/viewtopic.php?p=16308#p16308

  • The image is made for white background, subtitle has no optimal contrast. However it looks somehow elegant like this 😄.

Will quickly add the link to dietpi-software array: 42d60da

  • NordVPN was missing too 😉.
@1activegeek

This comment has been minimized.

Copy link

commented Mar 10, 2019

Hey guys, I've been following this for a bit then got sidetracked. Thankfully made a note to check back in. Looks like this went live in 6.20? I'm running 6.21.1 on Rock64 (aarch64) - but I'm not finding this package in the dietpi-software search.

@MichaIng

This comment has been minimized.

Copy link
Owner Author

commented Mar 10, 2019

@1activegeek
It is not yet enabled for Rock64 since we need to install the kernel headers and build the WireGuard kernel module based on it.

But do a start, could you:

  • Check whether kernel headers are already installed: ls -Al /lib/modules/$(uname -r)/
  • Check the installed APT packages that might be kernel related: dpkg -l | grep -E '(^linux|rock64)'
@1activegeek

This comment has been minimized.

Copy link

commented Mar 11, 2019

Ahh, ok. I thought I had understood something I read that it was already supported for Rock64. My bad, I think I confused something. Happy to help if it can lead toward it being supported!!

Command output pasted below. It would seem for some reason, the name -r output does not match the modules path. In any case, let me know what else I may be able to help with. If it's of any use, I may be able to fire up my Pine64 as well.

root@rock64:~# ls -Al /lib/modules/$(uname -r)/
ls: cannot access '/lib/modules/4.4.172-rockchip64/': No such file or directory
root@rock64:~# ls -Al /lib/modules/4.4.174-rockchip64/
total 1344
drwxr-xr-x 10 root root   4096 Feb 18 13:19 kernel
-rw-r--r--  1 root root 405442 Feb 10 04:44 modules.alias
-rw-r--r--  1 root root 426465 Feb 10 04:44 modules.alias.bin
-rw-r--r--  1 root root  23781 Feb 10 04:44 modules.builtin
-rw-r--r--  1 root root  25409 Feb 10 04:44 modules.builtin.bin
-rw-r--r--  1 root root  74250 Feb 10 04:44 modules.dep
-rw-r--r--  1 root root 119335 Feb 10 04:44 modules.dep.bin
-rw-r--r--  1 root root    191 Feb 10 04:44 modules.devname
-rw-r--r--  1 root root  39388 Feb 10 04:44 modules.order
-rw-r--r--  1 root root     55 Feb 10 04:44 modules.softdep
-rw-r--r--  1 root root 101712 Feb 10 04:44 modules.symbols
-rw-r--r--  1 root root 129721 Feb 10 04:44 modules.symbols.bin
root@rock64:~# dpkg -l | grep -E '(^linux|rock64)'
ii  linux-stretch-root-rock64     5.73                              arm64        Armbian tweaks for stretch on rock64 (default branch)
ii  linux-u-boot-rock64-default   5.75                              arm64        Uboot loader 2017.09
@MichaIng

This comment has been minimized.

Copy link
Owner Author

commented Mar 11, 2019

@1activegeek
Ah your kernel has been updated recently (4.4.172 => 4.4.174) and the new one will be active after reboot.

Kernel headers are not present on your systems, but I found the related header package:
apt install linux-headers-rockchip64

I also found linux-image-rockchip64 for the kernel itself. That is most likely installed on your system and I used the wrong syntax abive to list it. It should have been:
dpkg -l | grep -E '(linux-|rock64)'

If you want to, we could go through the WireGuard install steps now. If it works, we can add it to DietPi-Software.

@1activegeek

This comment has been minimized.

Copy link

commented Mar 11, 2019

That makes sense, I do remember doing some updates recently but not having restarted since. Perhaps I'll do that tonight/tomorrow just to be fresh.

You are correct, that output provided what I believe is the expected linux-image-rockchip64.

root@rock64# dpkg -l | grep -E '(linux-|rock64)'
ii  linux-base                    4.5                               all          Linux image base package
ii  linux-dtb-rockchip64          5.75                              arm64        Linux DTB, version 4.4.174-rockchip64
ii  linux-image-rockchip64        5.75                              arm64        Linux kernel, version 4.4.174-rockchip64
ii  linux-libc-dev:arm64          4.9.144-3.1                       arm64        Linux support headers for userspace development
ii  linux-stretch-root-rock64     5.73                              arm64        Armbian tweaks for stretch on rock64 (default branch)
ii  linux-u-boot-rock64-default   5.75                              arm64        Uboot loader 2017.09

If you want to drop the steps I can walk through them, sure thing. I'm likely not going to get to doing this though until another day this week. Headed out in the AM to TX for the week.

I'm assuming it should be something along the lines of apt install linux-headers-rockchip64, restart to be sure they've applied, then apt update, and apt install wireguard?

@MichaIng

This comment has been minimized.

Copy link
Owner Author

commented Mar 11, 2019

@1activegeek
Ah I totally missed that Fourdee already tested it on Rock64 an failed: #2052 (comment)
However meanwhile the ARMbian Rock64 kernel as well as WireGuard had updates, so we could retry.

Steps:

# Install kernel headers
G_AGI linux-headers-rockchip64
# Add Debian Sid repo to APT sources
echo 'deb https://deb.debian.org/debian/ sid main' > /etc/apt/sources.list.d/dietpi-wireguard.list
# Block installs from Sid for all packages besides WireGuard
echo -e 'Package: *\nPin: release n=sid\nPin-Priority: -1\n\nPackage: wireguard wireguard-dkms wireguard-tools\nPin: release n=sid\nPin-Priority: 100' > /etc/apt/preferences.d/dietpi-wireguard
# Update APT lists
G_AGUP
# Install Python as pre-requirement
G_AGI python
# Install WireGuard
apt install wireguard
  • As of above the last step might fail. It looks like a general issue when building kernel modules for rock chip since it failed with the Ayufan kernel (further above) as well. I will do some investigation.

Notes to self:

@1activegeek

This comment has been minimized.

Copy link

commented Apr 8, 2019

Just following up. I attempted just to see if some packages had actually been built yet that I could install via APT - which I'm sure you expected there are not at this point.

Unfortunately I'm not going to test the kernel level changes just to be sure I don't jack my current running config. Just become inundated with work lately, and can't afford the time right now to backup, run test, then restore - as this system runs my home automation right now. With my luck, something is bound to break. Sorry guys, but I'll stay tuned if there becomes some less risky testing that can be done. 😃

@MichaIng

This comment has been minimized.

Copy link
Owner Author

commented Apr 9, 2019

@1activegeek

Just following up. I attempted just to see if some packages had actually been built yet that I could install via APT - which I'm sure you expected there are not at this point.

We are installing WireGuard as APT package, as well as Rock64 kernel + headers, or what you mean? The problem is building the kernel module (which is done by the APT package install). Since WireGuard is an in-kernel VPN it requires a kernel module. This is build by the APT package via DKMS, which requires the kernel headers. The kernel headers define how generally kernel modules need to be build, which method, compiler (version) etc. It is basically a set of cascaded scripts/functions with a shared entry API that can be used by the modules make file.

On Rock64 kernel module builds require Python, which is already IMO quite a pain since Python is no usual system core component like C. And the kernel header APT package does not include that as dependency it seems + possible other requirements. E.g. on x86 when installing the kernel headers package, the exact required gcc (GNU C Compiler) version is pulled as dependency: https://packages.debian.org/stretch/linux-headers-4.9.0-8-amd64
So you never need something else to build kernel modules. But yeah on ARM this is usually not that easy, especially on non-RPi...

But aside from that, you can't really break your system, aside that with Python and kernel headers quite some data is installed. But all of it are APT packages, so you can easily remove and when the WireGuard modules fails to build this does not affect the kernel itself. It is a dedicated module and if it fails, WireGuard does not work but all other kernel/modules are not affected.

@1activegeek

This comment has been minimized.

Copy link

commented Apr 10, 2019

I understand the logic - unfortunately in the past I've had other dependency differences break things. It suddenly decides to use a slightly newer version of something, or something isn't marked properly and it alters to a different build of sorts for an app. I'm just hesitant since I don't have time in case something was to go wrong. Somehow I have the luck that ends with something unexpected when it comes to my Rock64 - thus has been its life since inception in my house. 🙄

If I get more bandwidth, I'll certainly circle back and go through the efforts to backup, test it out, revert or report as needed. I just can't at this time.

@khorsmann

This comment has been minimized.

Copy link

commented Apr 11, 2019

Hi, i have the same issue with rock64 and wireguard dkms kernel module breaks on build. I follow the instructions from @MichaIng but no luck.
Works wireguard with the "vanilla" install-kernel from the dietpi installation? I would then reinstall dietpi again.

@MichaIng

This comment has been minimized.

Copy link
Owner Author

commented Apr 14, 2019

@khorsmann
Many thanks for testing and yeah sad that it indeed is still an issue.

We leave the kernel from ARMbian base image untouched which again is based on the official Pine64 Ayufan-maintained kernel. There is no other reliable kernel out there currently, so all have the same issue. First we need to find out/verify how the in general build kernel modules with this kernel (for Rock64), so which libraries (+versions) are required etc and then which possibly additional steps are required to build the WireGuard module in particular. I am not too experienced with DKMS vs non-DKMS but perhaps there is a general issue using DKMS here and the module instead needs to be build manually. Would be a pain indeed, especially since the rebuild needs to be done manually with each kernel upgrade then. Nothing I am keen to ship for now 🤔.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
You can’t perform that action at this time.