Christoph Fritsch

FFL-2536: WireGuard - fix typo

FFL-2536: WireGuard - automatically open all WireGuard UDP ports in firewall

new optional config variable introduced: WIREGUARD_DEFAULT_OPEN_PORT,

defaults to "YES". If not changed to "NO", all ports given in any of the

WIREGUARD_x_LISTEN_PORT configs will be opened

FFL-2536: WireGuard - extend documentation, add usage of wg-tool

FFL-2536: WireGuard - remove spare info from peer config files

FFL-2536: WireGuard - ignore no-qrcode-dummy.xcf for packaging

FFL-2536: WireGuard - remove two dummy files wrongly commited with previous


FFL-2536: WireGuard - show QR-Code in web interface only if peer's private

key is known

Android and iOS WireGuard Apps will accept the QR code only if private key

is embedded, otherwise fail without error. To avoid confusion of the user,

only valid QR codes are now shown.

FFL-2536: WireGuard - fix warn message for WIREGUARD_x_PEER_x_PRESHARED_KEY

FFL-2536: WireGuard - wg-tool now exists and is more simple and powerfull.

Thus we do no longer need the /var/run/wgX.scripts initially created

FFL-2536: WireGuard - adding helper tool wg-tool to more easily manage wg


supported tasks right now

- wg-tool wgX up

- wg-tool wgX down

- wg-tool wgX reresolve peerXName

reresolve will be useful if a peer DNS entry cannot be solved at boot time

and is thus omitted in the config. It reresolves the peer's (dynamic DNS

name and tries to reconnect. This can be used in cron jobs

If connection is already established, resetting the peer enpoint is

harmless, so no additional checks required

    • -0
    • +172
FFL-2536: WireGuard - add possibility to download server config via


This will mainly be useful if server key is auto-generated at boot time

(WIREGUARD_x_PRIVATE_KEY='auto') and needs to be transfered to static config

in vpn.txt

FFL-2536: WireGuard - allow NET_PREFIXes in LOCAL_IPs

FFL-2536: WireGuard - suppress nslookup error output in bootlog

FFL-2536: WireGuard - allow wgx interfaces also in ipv6 firewall rules

FFL-2536: WireGuard - fix issue that WireGuard does not bring up the entire

interface if endpoint of one of the peers does not resolve via DNS

Issue is know but no good solution yet

We now simply ignore the peer endpoint in the config file if it does not

resolve and wait for the peer to connect. Connection will thus still be


We could think of an additional cron job to check peers that do not resolve

during boot time but this will make things more complicated.

For now it works

FFL-2536: WireGuard - fix traffic bar in webinterface in case total rx or tx

is > 2^32 bytes

FFL-2536: Wireguard - slightly extend documentation

Security trade-off of keeping peers' private keys

FFL-2536: Wireguard - adding doc/deutsch/tex/vpn/vpn_main_wireguard.tex to

src/packages/vpn/files.txt so that that it gets built and packaged

FFL-2536: WireGuard - provide updated documented config

FFL-2536: WireGuard - restore __FLI4LVER__ in check/vpn.txt. It got lost

with a recent commit

FFL-2536: WireGuard - add documentation *.tex

FFL-2536: Wireguard - fix indention in check/vpn.txt

    • -19
    • +19
FFL-2536: WireGuard - change type of WIREGUARD_x_PEER_x_PRIVATE_KEY

FFL-2536: WireGuard - WIREGUARD_x_LISTEN_PORT is mandatory so we do not need

a default value here

FFL-2536: WireGuard - use log_error if an error occurs

FFL-2536: WireGuard - allow to defined DNS server that is given to the

client via QR-Code oder config file in web interface

Note: WireGuard does not allow to push config parameters when the connection

is initiated. All relevant parameters are given in configuration and need to

be reloaded manually to take effect in case of change

FFL-2536: WireGuard - fix errors regarding routed networks and WireGuard

allowed IPs in client and server configurations.

In the previous version both have not been proberly separated with previous

config parameters



This version replaces thses config options to allow for proper configuration

of networks behind some peers and allowed IPs to accept from peers. New

parameters introduced for configuration across all peers are



For peer-specific configuration two new parameters are introduced



and existing parameters renamed to make it more clear



    • -11
    • +11
FFL-2536: WireGuard - check if interface already exists prior to creating it

FFL-2536: WireGuard - more cleanup

FFL-2536: WireGuard - fix overwrite of $idx somewhere unnoticed between the

calls to create_config_file and setup_wg_interface

In some test scenarios $idx=1 when calling create_config_file but 2 when

calling setup_wg_interface