-
Notifications
You must be signed in to change notification settings - Fork 13
WireGuard VPN
UnofficialOS supports WireGuard VPN, which connects securely to your local network from any place in the world. As game streaming becomes more popular, it enables AAA games, streamed over the internet from your home computer, to be played on your console while traveling.
Typically the configuration involves copying your WireGuard VPN config file over to your UnofficialOS device and then enabling WireGuard VPN in Emulation Station Network Settings menu.
UnofficialOS uses standard WireGuard config file format. The file is typically provided by your VPN provider. If you want to host your own VPN Server on your local network, there are plenty of tutorials available online.
Currently only the single connection is supported. The WireGuard config file must be placed in the following location - /storage/.config/wireguard/wg0.conf
. Please use SSH or Samba to create the file there.
Don't forget to restart Emulation Station to pick up the changes.
Sample wg0.conf
file
[Interface]
PrivateKey = <your private key>
Address = 10.111.10.2/24
[Peer]
PublicKey = <server public key>
AllowedIPs = 0.0.0.0/0
Endpoint = <server>:<port>
Note: "DNS" option is not yet supported in the config. Please remove line starting with "DNS" from your config file.
Emulation Station now has a new menu item toggle to enable or disable WireGuard VPN connection. Use it turn the connection on or off.
Note: make sure that WireGuard config file is present on the device, see the Configuring WireGuard VPN in UnofficialOS section above. The menu option is only available when the config file is present.
Connect to configured VPN server
- Press "start" button to go into Emulation Station Main Menu
- Select Network Settings submenu
- Select "Wireguard VPN" and turn it on
- Select "Back" button to exit setting dialog
- WireGuard VPN should be connected
Disconnect from configured VPN server
- Press "start" button to go into Emulation Station Main Menu
- Select Network Settings submenu
- Select "Wireguard VPN" and turn it off
- Select "Back" button to exit setting dialog
- WireGuard VPN should be disconnected
The local PC can be setup to be a WireGuard server. This allows accessing that PC (and a local network if SNAT is enabled) from the remote location using the device.
The configuration is the following:
- Generate pair of configuration files
- Install WireGuard on your local PC and import server config
- Setup Port Forwarding for WireGuard port from your local router to your local PC
- Enable WireGuard on your device
The device have a helper script which can generate a pair of configuration files for the device and for the local PC with WireGuard server.
The script should be executed from SSH terminal.
# Generate config file
wg-genconfig
The script will generate wg0.conf
and wg0.conf.server
files.
[Interface]
PrivateKey = <server private key>
# PublicKey = <server public key>
Address = 10.111.10.1/24
ListenPort = 51820
# If you want to access other devices on the same network,
# you need to enable SNAT, the lines below.
# Make sure that eth0 matches your main network interface.
#PostUp = echo 1 > /proc/sys/net/ipv4/ip_forward
#PostUp = iptables -A FORWARD -i %i -j ACCEPT
#PostUp = iptables -A FORWARD -o %i -j ACCEPT
#PostUp = iptables -t nat -A POSTROUTING -s 10.111.10.0/24 -o eth0 -j MASQUERADE
#PostDown = iptables -D FORWARD -i %i -j ACCEPT
#PostDown = iptables -D FORWARD -o %i -j ACCEPT
#PostDown = iptables -t nat -D POSTROUTING -s 10.111.10.0/24 -o eth0 -j MASQUERADE
[Peer]
PublicKey = <device public key>
AllowedIPs = 10.111.10.2/32
If you want you device to access your local network, you need to enable SNAT, allow your local PC forward network packets to other devices on your local network. That is done by uncommenting PostUp/PostDown commands in the config.
- Download the client for your OS from here.
- Import wg0.conf.server and enable the tunnel.
Sometimes the tunnel doesn't establish successfully. The following commands can useful to diagnose issues.
The commands below should be executed on the device using SSH shell access.
# Check the status of active tunnels.
# You should see the connection statistics.
wg show
# Check my public ip address
curl ifconfig.co -4
# Bring tunnel up
wg-quick up /storage/.config/wireguard/wg0.conf
# Bring tunnel down
wg-quick down /storage/.config/wireguard/wg0.conf