Homelab, Linux, JS & ABAP (~˘▾˘)~
 

[Wireguard] Configuring Wireguard in LXC

Update 11.05.2020: I recommend using the PiVPN script (especially when using an unprivileged container). https://nocin.eu/wireguard-set-up-wireguard-using-pivpn-inside-lxc/

I followed these three guides: 1, 2 and 3
First set folder permissions and genereate the first key pair inside your lxc.

umask 077
wg genkey | tee privatekey | wg pubkey > publickey

Then create the config file. Mine is called wg0.conf.
As address you can take whatever IP you want. I also added NAT to get internet access with the client through my container.
For the client you have to create on the client side a key pair and enter the public key in the server wg0.conf as peer. Now your config should have an interface and a peer part.

[Interface]
Address = 192.168.1.1/24
SaveConfig = true
PostUp = iptables -A FORWARD -i wg0 -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
PostDown = iptables -D FORWARD -i wg0 -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE
ListenPort = 51820
FwMark = 0xca6c
PrivateKey = <private_server_key>

[Peer]
#1. Peer Phone
PublicKey = <public_client_key>
AllowedIPs = 192.168.1.2/32

[Peer]
#2. Peer Notebook
PublicKey = <public_client_key>
AllowedIPs = 192.168.1.3/32

Then create the config on the client side. Mine is called client.conf. As peer we now enter our public server key.

[Interface]
PrivateKey = <private_client_key>
Address = 192.168.1.2/24
#this is my local pi-hole
DNS = 192.168.1.102                

[Peer]
PublicKey = <public_server_key>
AllowedIPs = 0.0.0.0/0
Endpoint = my.domain.org:51820
PersistentKeepalive = 25

That’s all we need. Now start the interface in your container, after that on the client.

wg-quick up wg0

To check the connection status just run:

wg show

I testet my connection with IP-Leak and ifconfig.me.

To stop the interface run:

wg-quick down wg0

To set up the VPN interface to be persistent across reboots, enable it as service:

sudo systemctl enable wg-quick@wg0.service

[WordPress] Remove Google Fonts in Theme Fluida

I usually try to avoid Google products, especially when it comes to web tracking, although I’m a big fan of what they do in other technologies.
Today I was testing another WordPress Theme called Fluida, a free theme from Cryout Creations. It’s clean and simple, the only thing that bothers me, is the usage of the Google Fonts API. Even if you don’t enter a Google Font in the settings, it’s connecting to the API.

Google Fonts has advantages as well as disadvantages. Read more about it here.

There are a few WordPress plugins to remove Google Fonts (e.g. Autoptimize), but I tried to avoid another plugin and wanted to do it manually. After a short search through the theme I found “includes/styles.php”. There you just had to comment out the following lines and it’s done.

	// Google fonts
        $gfonts = array();
	$roots = array();
	foreach ( $cryout_theme_structure['google-font-enabled-fields'] as $item ) {
		$itemg = $item . 'google';
		$itemw = $item . 'weight';
		// custom font names
		if ( ! empty( $options[$itemg] ) && ! preg_match( '/custom\sfont/i', $options[$item] ) ) {
				if ( $item == _CRYOUT_THEME_PREFIX . '_fgeneral' ) { 
					$gfonts[] = cryout_gfontclean( $options[$itemg], ":100,200,300,400,500,600,700,800,900" ); // include all weights for general font 
				} else {
					$gfonts[] = cryout_gfontclean( $options[$itemg], ":".$options[$itemw] );
				};
				$roots[] = cryout_gfontclean( $options[$itemg] );
		}
		// preset google fonts
		if ( preg_match('/^(.*)\/gfont$/i', $options[$item], $bits ) ) {
				if ( $item == _CRYOUT_THEME_PREFIX . '_fgeneral' ) { 
					$gfonts[] = cryout_gfontclean( $bits[1], ":100,200,300,400,500,600,700,800,900" ); // include all weights for general font 
				} else {
					$gfonts[] = cryout_gfontclean( $bits[1], ":".$options[$itemw] );
				};
				$roots[] = cryout_gfontclean( $bits[1] );
		}
	}; 

[Wireguard] Preparing Proxmox Host for Wireguard in LXC

I followed this guide for using Wireguard inside LXC on Proxmox. (Also helpfull)

echo "deb https://deb.debian.org/debian/ unstable main" > /etc/apt/sources.list.d/unstable.list
printf 'Package: *\nPin: release a=unstable\nPin-Priority: 90\n' > /etc/apt/preferences.d/limit-unstable
apt update
apt install wireguard

But as i ran “modprobe wireguard” I just got:

modprobe: FATAL: Module wireguard not found in directory /lib/modules/5.0.15-1-pve

So I ran “dkms autoinstall”… but no success.

Error! Your kernel headers for kernel 5.0.15-1-pve cannot be found.
Please install the linux-headers-5.0.15-1-pve package,
or use the --kernelsourcedir option to tell DKMS where it's located

As I run “apt install pve-headers” it installed new pve-headers but for a different kernel:

pve-headers pve-headers-5.0 pve-headers-5.0.21-1-pve

As expected, “modprobe wireguard” still returned

modprobe: FATAL: Module wireguard not found in directory /lib/modules/5.0.15-1-pve

So i checked my current kernel with “uname –kernel-release” and since my last reboot was about two weeks ago, it was running on 5.0.15-1-pve. So I did a reboot, checked the kernel again and now it was on 5.0.21-1-pve. So I did “dkms autoinstall” again, now with success:

Kernel preparation unnecessary for this kernel.  Skipping...

Building module:
cleaning build area...
make -j4 KERNELRELEASE=5.0.21-1-pve -C /lib/modules/5.0.21-1-pve/build M=/var/lib/dkms/wireguard/0.0.20190702/build..........
cleaning build area...

DKMS: build completed.

wireguard.ko:
Running module version sanity check.
 - Original module
   - No original module exists within this kernel
 - Installation
   - Installing to /lib/modules/5.0.21-1-pve/updates/dkms/

depmod....

DKMS: install completed.

“modprobe wireguard” now returned no error. I continued the guide with:

echo "wireguard" >> /etc/modules-load.d/modules.conf

Entered my already created Debian 10 container and followed the guide:

echo "deb https://deb.debian.org/debian/ unstable main" > /etc/apt/sources.list.d/unstable-wireguard.list
printf 'Package: *\nPin: release a=unstable\nPin-Priority: 90\n' > /etc/apt/preferences.d/limit-unstable
apt update
apt-get install --no-install-recommends wireguard-tools
ip link add wg0 type wireguard

Edit: To get Wireguard working, I also had to add the TUN device to the containers config, like I did for OpenVPN as well.
You’ll find the config here: /etc/pve/lxc/container_name.conf

lxc.cgroup.devices.allow: c 10:200 rwm
lxc.hook.autodev: sh -c "modprobe tun; cd ${LXC_ROOTFS_MOUNT}/dev; mkdir net; mknod net/tun c 10 200; chmod 0666 net/tun"

[OpenVPN] Installing OpenVPN in LXC

Append the following two lines to the lxc config file on your Proxmox host.
You’ll find the config here: /etc/pve/lxc/container_name.conf
Got this info from here and it works fine.

lxc.cgroup.devices.allow: c 10:200 rwm
lxc.hook.autodev: sh -c "modprobe tun; cd ${LXC_ROOTFS_MOUNT}/dev; mkdir net; mknod net/tun c 10 200; chmod 0666 net/tun"

There is just one line necessary for the openVPN installation.

wget https://git.io/vpn -O openvpn-install.sh && bash openvpn-install.sh

If you want to add another profile, just run the installer again:

bash openvpn-install.sh

[Proxmox] Mount dataset into LXC

Open LXC config file in your favorite editor. In this case the container name is 101:

nano /etc/pve/lxc/101.conf

Append a single line for each mountpoint you want to add. The first mountpoint is “mp0”, the second “mp1” and so on.

mp0: /data/music,mp=/mnt/nfs/music

First the source (my zpool “data”, folowing the dataset name “music”), after that the destination inside the container beginning “mp=”.