This is great news! Best part: it's a userspace implementation, which means broader device support. If the kernel is compiled with WireGuard, the kernel implementation is used.
F-Droid GitLab merge request for reference; also check out WireGuard's TODO.
I’ve managed to check it out last night, and it appears to be working as advertised.
Key generation is super awesome; a built-in QR code reader to transfer configuration/public keys from a desktop would be a great feature for semi-automated setups.
The error reporting is still a little bit weird; for example, I can't configure 10.0.0.1/24 as Allowed IPs for a peer, with the error message "Bad address". 10.0.0.0/24 works though, so maybe it's just a user error.
With the WireGuard (WG) Android connectivity I can/could now:
Stream music to my phone from my mpd server with httpd/lame configured as output (MPDroid), or just configure my mpd server at home (works already)
Access my phone via Termux/sshd (works already); sshfs via LTE works unexpectedly well. Or adb via VPN.
Do backups with Syncopoli and rsync:// instead of ssh (key file management in Syncopoli is confusing)
Sync with a Radicale calendar server (probably contacts/notes too?)
Report back the location of my phone (couldn't find a tool for that yet; the Termux API examples can report the location, though, so it might be done with a Python script)
None of this requires root, I’m using CopperheadOS, which has root-access disabled.
I need to figure out how to properly protect those services from random apps accessing them. rsync:// supports secret-based authentication, so that might be good enough.
Basically I'd like to avoid having each service do its own authentication/key management, and instead have one 'global instance' (WG) deal with encryption.
I've seen Orbot supports tunneling on a per-app basis, so it might be possible to implement that for WG too.
I'm still not sure if this all makes sense, but it feels rewarding to set up, so I'm trying to push forward what is possible. Especially backups are a huge pain point on Android; I hope I'll solve that for myself soon.
Everything could be replaced by $VPN-technology, but WG, besides Tor, is the first tool that kept me excited for long enough.
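As an added example of the secret-based rsync:// authentication mentioned above (this is not from the original post; the module name, paths, the server's WG address 10.0.0.1, the phone's peer address 10.0.0.2 and the user name are assumptions), an rsyncd.conf that only listens on the WireGuard address, only accepts the phone's peer address, and still requires a per-user secret for the backup module:

```ini
# /etc/rsyncd.conf (assumed path) - server side of a push-backup over WireGuard
# Global settings
address = 10.0.0.1            ; bind only to the server's WG address, never to the LAN/WAN side
port = 873
use chroot = yes
strict modes = yes            ; refuse to start if the secrets file is readable by others
log file = /var/log/rsyncd.log

[phone-backup]
    path = /srv/backup/phone
    comment = Syncopoli push target
    read only = false         ; the phone pushes, so the module must accept writes ...
    write only = true         ; ... but never hands existing data back to the client
    hosts allow = 10.0.0.2/32 ; only the phone's WG peer address (WG already verified its key)
    hosts deny = *
    auth users = phone
    secrets file = /etc/rsyncd.secrets   ; one "phone:<secret>" line, mode 0600, owned by root
```

Two things worth keeping in mind with this setup. `hosts allow` ties the module to the phone's WireGuard address, so nothing outside the tunnel can even reach it; but every app on the phone sits behind that same address, so the `auth users`/`secrets file` pair is the only thing that separates Syncopoli from any other app that can open a socket. rsync's daemon authentication is a challenge-response, so the secret itself is not sent over the wire, and the transport is WireGuard's encryption, which is exactly the "one global instance does the crypto, each service only does authorisation" split described above.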
I’ve found OwnTracks works well for this use case. Reports back location and battery info. Downside is that MQTT brokers are a bit fiddly to configure and use.
Key generation is super awesome; a built-in QR code reader to transfer configuration/public keys from a desktop would be a great feature for semi-automated setups.
The TODO list actually has this on it. Hopefully we’ll get that implemented soon. You’re welcome to contribute too, if you’re into Android development.
The error reporting is still a little bit weird; for example, I can't configure 10.0.0.1/24 as Allowed IPs for a peer, with the error message "Bad address". 10.0.0.0/24 works though, so maybe it's just a user error.
The error reporting is very sub-par right now indeed. We probably should have more informative error messages, rather than just bubbling up the exception message text.
That “bad address” is coming from Android’s VPN API – 10.0.0.1/24 is not “reduced” as a route; you might have meant to type 10.0.0.1/32. Probably the app could reduce this for you, I suppose. But observe that normal Linux command line tools also don’t like unreduced routes:
thinkpad ~ # ip r a 10.0.0.1/24 dev wlan0
Error: Invalid prefix for given prefix length.
thinkpad ~ # ip r a 10.0.0.0/24 dev wlan0
thinkpad ~ # ip r a 10.0.0.1/32 dev wlan0
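The "unreduced route" check above is easy to reproduce and to automate. The following is an added example (not code from the WireGuard Android app or from anyone in this thread) that lints an AllowedIPs value the way a strict route parser does: an entry whose host bits are set is rejected, and the two likely intended forms (the reduced network, or the single host) are suggested. It uses only Python's standard `ipaddress` module and also handles IPv6 and bare addresses; the function names are my own.

```python
import ipaddress


def check_allowed_ip(entry: str) -> dict:
    """Validate one AllowedIPs entry as a strict route parser would.

    Returns {"ok": bool, "reduced": str | None, "suggestions": [str, ...]}.
    "reduced" is the network with host bits cleared; "suggestions" lists the
    reduced network and the /32 (or /128) host when the entry was unreduced.
    """
    entry = entry.strip()
    try:
        # strict=True is the route-parser behaviour: 10.0.0.1/24 raises,
        # 10.0.0.0/24 and 10.0.0.1/32 (or a bare 10.0.0.1) are accepted.
        net = ipaddress.ip_network(entry, strict=True)
        return {"ok": True, "reduced": str(net), "suggestions": []}
    except ValueError:
        pass

    # Strict parse failed: either garbage, or host bits are set (10.0.0.1/24).
    try:
        iface = ipaddress.ip_interface(entry)  # tolerant: keeps the host address
    except ValueError:
        return {"ok": False, "reduced": None, "suggestions": []}

    network = iface.network                 # 10.0.0.0/24, host bits cleared
    host = ipaddress.ip_network(iface.ip)   # 10.0.0.1/32, the single host
    return {
        "ok": False,
        "reduced": str(network),
        "suggestions": [str(network), str(host)],
    }


def lint_allowed_ips(value: str) -> list:
    """Check a comma-separated AllowedIPs line; return human-readable problems.

    An empty list means every entry would be accepted as a route.
    """
    problems = []
    for entry in filter(None, (e.strip() for e in value.split(","))):
        result = check_allowed_ip(entry)
        if result["ok"]:
            continue
        if result["suggestions"]:
            options = " or ".join(result["suggestions"])
            problems.append(f"{entry}: host bits set; did you mean {options}?")
        else:
            problems.append(f"{entry}: not a valid address or prefix")
    return problems


if __name__ == "__main__":
    # Constructed sample input: the value from the thread plus an IPv6 case.
    for line in ("10.0.0.1/24", "10.0.0.0/24, 10.0.0.1/32", "fd00::1/64, bogus"):
        print(f"{line!r}: {lint_allowed_ips(line) or 'ok'}")
```

The same reduction rule applies to the AllowedIPs list in a wg-quick config file, since each entry ends up as a route in the kernel's or the app's routing table; running a check like this before handing the config to the app turns "Bad address" into a message that names the entry and the intended fix.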
Thank you for the pointer; unfortunately they won't provide a Google-services-free version (ticket).
That’s certainly a bummer. Skimming the thread, seems to be a result of there being no free replacements for the geofencing APIs.