Skip to content

WireGuard VPN

Tim Flaman edited this page Jan 15, 2023 · 1 revision

Using WireGuard VPN

UnofficialOS supports WireGuard VPN, which connects securely to your local network from any place in the world. As game streaming becomes more popular, it enables AAA games, streamed over the internet from your home computer, to be played on your console while traveling.

Configuring WireGuard VPN in UnofficialOS

Typically the configuration involves copying your WireGuard VPN config file over to your UnofficialOS device and then enabling WireGuard VPN in Emulation Station Network Settings menu.

WireGuard Config

UnofficialOS uses standard WireGuard config file format. The file is typically provided by your VPN provider. If you want to host your own VPN Server on your local network, there are plenty of tutorials available online.

Currently only the single connection is supported. The WireGuard config file must be placed in the following location - /storage/.config/wireguard/wg0.conf. Please use SSH or Samba to create the file there.

Don't forget to restart Emulation Station to pick up the changes.

Sample wg0.conf file

[Interface]
PrivateKey = <your private key>
Address = 10.111.10.2/24

[Peer]
PublicKey = <server public key>
AllowedIPs = 0.0.0.0/0
Endpoint = <server>:<port>

Note: "DNS" option is not yet supported in the config. Please remove line starting with "DNS" from your config file.

Enabling WireGuard connection

Emulation Station now has a new menu item toggle to enable or disable WireGuard VPN connection. Use it turn the connection on or off.

Note: make sure that WireGuard config file is present on the device, see the Configuring WireGuard VPN in UnofficialOS section above. The menu option is only available when the config file is present.

Connect to configured VPN server

  • Press "start" button to go into Emulation Station Main Menu
  • Select Network Settings submenu
  • Select "Wireguard VPN" and turn it on
  • Select "Back" button to exit setting dialog
  • WireGuard VPN should be connected

Disconnect from configured VPN server

  • Press "start" button to go into Emulation Station Main Menu
  • Select Network Settings submenu
  • Select "Wireguard VPN" and turn it off
  • Select "Back" button to exit setting dialog
  • WireGuard VPN should be disconnected

Server Configuration (for advanced users)

The local PC can be setup to be a WireGuard server. This allows accessing that PC (and a local network if SNAT is enabled) from the remote location using the device.

The configuration is the following:

  • Generate pair of configuration files
  • Install WireGuard on your local PC and import server config
  • Setup Port Forwarding for WireGuard port from your local router to your local PC
  • Enable WireGuard on your device

Config Pair generation

The device have a helper script which can generate a pair of configuration files for the device and for the local PC with WireGuard server.

The script should be executed from SSH terminal.

# Generate config file
wg-genconfig

The script will generate wg0.conf and wg0.conf.server files.

wg0.conf.server server config
[Interface]
PrivateKey = <server private key>
# PublicKey = <server public key>
Address = 10.111.10.1/24
ListenPort = 51820

# If you want to access other devices on the same network,
# you need to enable SNAT, the lines below.
# Make sure that eth0 matches your main network interface.
#PostUp = echo 1 > /proc/sys/net/ipv4/ip_forward
#PostUp = iptables -A FORWARD -i %i -j ACCEPT
#PostUp = iptables -A FORWARD -o %i -j ACCEPT
#PostUp = iptables -t nat -A POSTROUTING -s 10.111.10.0/24 -o eth0 -j MASQUERADE
#PostDown = iptables -D FORWARD -i %i -j ACCEPT
#PostDown = iptables -D FORWARD -o %i -j ACCEPT
#PostDown = iptables -t nat -D POSTROUTING -s 10.111.10.0/24 -o eth0 -j MASQUERADE

[Peer]
PublicKey = <device public key>
AllowedIPs = 10.111.10.2/32

If you want you device to access your local network, you need to enable SNAT, allow your local PC forward network packets to other devices on your local network. That is done by uncommenting PostUp/PostDown commands in the config.

Install WireGuard on your local PC

  • Download the client for your OS from here.
  • Import wg0.conf.server and enable the tunnel.

Troubleshooting

Diagnostics

Sometimes the tunnel doesn't establish successfully. The following commands can useful to diagnose issues.

The commands below should be executed on the device using SSH shell access.

# Check the status of active tunnels.
# You should see the connection statistics.
wg show
# Check my public ip address
curl ifconfig.co -4
# Bring tunnel up
wg-quick up /storage/.config/wireguard/wg0.conf
# Bring tunnel down
wg-quick down /storage/.config/wireguard/wg0.conf

Links

  • WireGuard homepage link
  • WireGuard is also supported in ConnMan VPN plugin using ssh command line link