WireGuard
LibreELEC can be configured as a WireGuard VPN client allowing you to accessing media in a remote location or tunnel traffic to avoid local inspection of network activity. This guide assumes configuration of a single WireGuard tunnel that is persistent, i.e. activated on device boot so that Kodi network traffic is routed through the WireGuard VPN tunnel.
WireGuard tunnels are managed by a ConnMan VPN plugin (connman-vpn.service) that acts as a companion to the network connection manager daemon (connman.service). The VPN plugin watches /storage/.config/wireguard/*.config
and defines ConnMan services from auto-discovered configuration files. Once a valid WireGuard .config has been imported it can be connected manually using connmanctl
from the SSH console or scripted from a systemd service that runs on boot. Connections can also be managed using the network 'Connections' tab in the LibreELEC settings add-on which controls ConnMan via d-bus.
Sample Config
ConnMan uses its own configuration file format (see below) so you cannot import/use the files exported from WireGuard server tools and third-party VPN services - the format is different. Those files will contain everything you need, but you must manually transpose the information into the ConnMan format:
Name = AnythingYouLike Host = IP of the WireGuard server WireGuard.Address = The internal IP of the client node, e.g. a /24 address WireGuard.ListenPort = The client listen port (optional) WireGuard.PrivateKey = The client private key WireGuard.PublicKey = The server public key WireGuard.PresharedKey = The server pre-shared key (optional) WireGuard.DNS = Nameserver to be used with the connection (optional) WireGuard.AllowedIPs = Subnets accessed via the tunnel, 0.0.0.0/0 is "route all traffic" WireGuard.EndpointPort = The server ListenPort WireGuard.PersistentKeepalive = Periodic keepalive in seconds (optional)
Note: Using WireGuard.PresharedKey is optional, but if your WireGuard configuration omits this you must remove the line from the config. If you leave it blank, e.g. WireGuard.PresharedKey =
it will be active with a null value, causing connections to fail.
Creating Keys
If you need to create some, run wg-keygen
from the SSH console and /storage/.cache/wireguard
will contain new publickey, privatekey, and preshared files with keys inside. Most users will not need to generate WireGuard keys as they will be in the configuration file provided by a VPN service provider.
Testing Connections
Once you have saved a configuration file, check it is valid:
In the above example vpn_185_210_30_121
was created (vpn_host) as the ConnMan service name. Test the service will connect using:
ConnMan will create a new network interface, so ifconfig
will show wg0
or sometimes a higher number like wg1
or wg2
:
You should be able to ping
the remote (server) side of the WireGuard VPN tunnel. In our example this is 10.2.0.1:
The routing table will show normal traffic routed to the wg0 interface:
To disconnect the ConnMan service:
Check ifconfig
again and the WireGuard interface will be gone.
Configuring Systemd
Create a systemd wireguard.service file to start the connection automatically on boot, after the network starts, and before Kodi is launched. The sample wireguard.service file looks like:
Copy the sample wireguard.service file to /storage/.config/system.d/wireguard.service
Replace vpn_service_name_goes_here with your service name, e.g. vpn_185_210_30_121
using nano. Use ctrl+o
to save changes and ctrl+x
to exit nano:
Now we can enable and start the service:
Check the WireGuard tunnel is active using "ifconfig" and "ping" and if all is good, reboot to test the WireGuard tunnel comes up automatically on boot.
Known Issues
ConnMan makes wg0 route all traffic over the WireGuard tunnel by default, no matter what WireGuard.AllowedIPs
configuration you set. To route only specific networks via the tunnel the ConnMan service order (which influences routing order) must be changed.
Note thesleep
and connmanctl move-after
and route add
commands used in the following tweaked systemd service file:
The following forum thread has tips and examples: https://forum.libreelec.tv/thread/21906-wireguard-changes-the-default-route-although-not-configured/
Thanks
Big thanks! to ConnMan maintainer Daniel Wagner (wagi) who worked with LibreELEC staff to implement WireGuard support in ConnMan (he wrote the code, we abused tested it).
Last updated