
WireGuard Kernel/ROM Integration


gee one

Senior Member
Jul 29, 2010
1,979
865
linux command line
I'm working on that now.. I ran into the curl not being allowed issue described here:



and am attempting the steps outlined here to get it to build, supplementing my own board of course, not the sdm845.

This is what worked for me on los 17.1 for sargo.

clone this repo somewhere, but not in your lineage tree
https://git.zx2c4.com/wireguard-linux-compat/tree/

cd into the kernel source in your lineage tree. For bonito it is
Code:
cd <some path>/kernel/google/msm-4.9/

then use the kernel scripts to add it to your kernel sauce...
Code:
<path to wireguard repo that you cloned above>/kernel-tree-scripts/jury-rig.sh .  # <- there is a dot after the script - this is passing the current directory as an argument since you cd'ed into the directory, right?

git status should show some changes...

you can now use git add/git commit to add the changes to your kernel tree. To update, use git pull in the wireguard directory since the kernel sauce just has a symlink to the wireguard directory.

build your rom and inline kernel, per lineage directions. It should also work if you are building just the kernel.

Code:
diff --git a/net/Kconfig b/net/Kconfig
index 78694c42f631..90fe76daf80c 100644
--- a/net/Kconfig
+++ b/net/Kconfig
@@ -83,6 +83,7 @@ config INET
          Short answer: say Y.
 
 if INET
+source "net/wireguard/Kconfig"
 source "net/ipv4/Kconfig"
 source "net/ipv6/Kconfig"
 source "net/netlabel/Kconfig"
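Review bot: the added `source "net/wireguard/Kconfig"` line sits directly under `if INET` with nothing guarding it, so Kconfig parsing for the whole tree now depends on net/wireguard being present, even for builds that leave WireGuard disabled. State that dependency in the commit message and make sure the directory is always there when the tree is checked out, otherwise every config target fails with a "can't open file" error at this line.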
diff --git a/net/Makefile b/net/Makefile
index c84a3470ad8d..44db52951612 100644
--- a/net/Makefile
+++ b/net/Makefile
@@ -14,6 +14,7 @@ obj-$(CONFIG_NET)             += $(tmp-y)
 obj-$(CONFIG_LLC)              += llc/
 obj-$(CONFIG_NET)              += ethernet/ 802/ sched/ netlink/
 obj-$(CONFIG_NETFILTER)                += netfilter/
+obj-$(CONFIG_WIREGUARD) += wireguard/
 obj-$(CONFIG_INET)             += ipv4/
 obj-$(CONFIG_XFRM)             += xfrm/
 obj-$(CONFIG_UNIX)             += unix/
diff --git a/net/wireguard b/net/wireguard
new file mode 120000
index 000000000000..8f019b568ac5
--- /dev/null
+++ b/net/wireguard
@@ -0,0 +1 @@
+/opt/wireguard-linux-compat/src
\ No newline at end of file
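Review bot: the symlink target `/opt/wireguard-linux-compat/src` is an absolute path on the build host, so this commit only builds on machines that have a clone at exactly that location, and the code that ends up in the kernel is whatever happens to be checked out there at build time rather than something recorded in the kernel tree's history. Consider committing a copy of the source (or a link relative to the tree) together with the upstream revision it came from, so the build is repeatable and the WireGuard code is reviewable alongside the kernel commit.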
 
Question from beginner with Android 10: is it possible to activate the kernel module in an unrooted lineage rom with flashed custom kernel with wireguard mod?
When copying wireguard apk to /system/priv-app the button "activate kernel module" shows up but the app crashes and restarts when hitting it.
 

gee one

Senior Member
Jul 29, 2010
1,979
865
linux command line
Question from beginner with Android 10: is it possible to activate the kernel module in an unrooted lineage rom with flashed custom kernel with wireguard mod?
When copying wireguard apk to /system/priv-app the button "activate kernel module" shows up but the app crashes and restarts when hitting it.
I think the app is set up to use root and/or magisk. I think it does check for su/root before loading the kernel module, instead of having the proper permissions like a native system app.
 

dhacke

Senior Member
Nov 4, 2018
737
310
Hi,

A while ago I started to build the privacy-focused custom ROM GrapheneOS for the Pixel 4 XL on my Linux machine.
This worked, so I then tried to integrate WireGuard into the kernel based on the OP of this thread.

But sadly it hasn't worked so far, due to the following error message:

Code:
PLATFORM_VERSION_CODENAME=REL
PLATFORM_VERSION=10
TARGET_PRODUCT=aosp_coral
TARGET_BUILD_VARIANT=user
TARGET_BUILD_TYPE=release
TARGET_ARCH=arm64
TARGET_ARCH_VARIANT=armv8-a
TARGET_CPU_VARIANT=generic
TARGET_2ND_ARCH=arm
TARGET_2ND_ARCH_VARIANT=armv8-a
TARGET_2ND_CPU_VARIANT=generic
HOST_ARCH=x86_64
HOST_2ND_ARCH=x86
HOST_OS=linux
HOST_OS_EXTRA=Linux-5.6.0-trunk-amd64-x86_64-Debian-GNU/Linux-10-(buster)
HOST_CROSS_OS=windows
HOST_CROSS_ARCH=x86
HOST_CROSS_2ND_ARCH=x86_64
HOST_BUILD_TYPE=release
BUILD_ID=QQ3A.200805.001
OUT_DIR=out
PRODUCT_SOONG_NAMESPACES=hardware/google/av hardware/google/interfaces hardware/google/pixel device/google/coral hardware/qcom/sm8150 hardware/qcom/sm8150/display vendor/google/airbrush/floral vendor/google/biometrics/face vendor/google/camera vendor/google/darwinn vendor/qcom/sm8150 vendor/qcom/sm8150/codeaurora/telephony/ims vendor/qcom/sm8150/proprietary/data/permissions vendor/qcom/sm8150/proprietary/qcril-data-hal/qdp vendor/qcom/sm8150/proprietary/qcril-data-hal/util vendor/qcom/sm8150/proprietary/qcril-data-hal/datamodule vendor/qcom/sm8150/proprietary/qcril-hal vendor/google/interfaces
============================================
[ 99% 588/589] finishing build rules ...
platform_testing/build/tasks/tests/instrumentation_test_list.mk: warning: continuous_instrumentation_tests: Unknown installed file for module 'NexusLauncherOutOfProcTests' 
platform_testing/build/tasks/tests/instrumentation_test_list.mk: warning: continuous_instrumentation_tests: Unknown installed file for module 'NexusLauncherDebug' 
platform_testing/build/tasks/tests/instrumentation_test_list.mk: warning: continuous_instrumentation_tests: Unknown installed file for module 'NexusLauncherTests' 
platform_testing/build/tasks/tests/platform_test_list.mk: warning: platform_tests: Unknown installed file for module 'LauncherRotationStressTest' 
platform_testing/build/tasks/tests/platform_test_list.mk: warning: platform_tests: Unknown installed file for module 'PlatformScenarioTests' 
[100% 589/589] writing build rules ...
FAILED: 
android_kernel_wireguard/Android.mk:7: error: writing to readonly directory: "TARGET_KERNEL_BINARIES"
15:01:51 ckati failed with: exit status 1

#### failed to build some targets (01:46 (mm:ss)) ####

The error message is clear to me, but I can't find the problematic directory to make it rw. Maybe it's too obvious and I'm just too blind...
So my hope is that one of you has experience building ROMs for the Pixel devices, knows that error, and knows how I can fix it easily.
Thx in advance.
 

gee one

Senior Member
Jul 29, 2010
1,979
865
linux command line
Hi,

A while ago I started to build the privacy-focused custom ROM GrapheneOS for the Pixel 4 XL on my Linux machine.
This worked, so I then tried to integrate WireGuard into the kernel based on the OP of this thread.

But sadly it hasn't worked so far, due to the following error message:



The error message is clear to me, but I can't find the problematic directory to make it rw. Maybe it's too obvious and I'm just too blind...
So my hope is that one of you has experience building ROMs for the Pixel devices, knows that error, and knows how I can fix it easily.
Thx in advance.
Use the jury rig script, not the kernel patch script. The jury rig one creates a symlink to the source code, so you have to update it regularly.

The kernel patch script tries to download things at build time which is now forbidden on newer builds. It breaks reproducibility or something.
 

dhacke

Senior Member
Nov 4, 2018
737
310
Use the jury rig script, not the kernel patch script. The jury rig one creates a symlink to the source code, so you have to update it regularly.

The kernel patch script tries to download things at build time which is now forbidden on newer builds. It breaks reproducibility or something.

First, thx for your answer.
Can you tell me how I must use the jury rig script (and where I can get it from)?
I have never heard of it, so a guide or something in that direction would be great.
 
Hi folks,

The top post -- https://forum.xda-developers.com/t/wireguard-kernel-rom-integration.3711635/post-74667364 -- has updated instructions to simplify the source patching and to take into account Google's recent merge of WireGuard into 4.19.

Jason
Thank you for simplifying things like that. At the end of the process (applying to current lineage-17.1 branch LineageOS kernel for OnePlus 6/6T - https://github.com/lineageos/android_kernel_oneplus_sdm845), it comes up with "[+] Success! Remember to enable CONFIG_WIREGUARD=y (not =m or =n) in your kernel config"
Cool.
So does that go as a line in one of the BoardConfig.mk makefiles, or the architecture-appropriate ($KernelTree)/arch/arm64/configs/somethingsomething_defconfig file or somewhere else?

UPDATE: looks like it goes in the kernel defconfig, and I know you can't just magically guess how every ROM decides to name their stuff. But a little more of a hint (because I'm new to this and really really appreciate such things) would be helpful for the inexperienced like me. Thanks!

UPDATE 2:
Doesn't actually boot after using updated installer script on fresh clone of lineage-17.1 branch of lineageos/android_kernel_oneplus_sdm845. Sits there pondering life at "bootloader unlocked and we can't guarantee the security of our ability to commit surveillance capitalism against you without your consent" warning for extra long then reboots to recovery. Reverting the wireguard commits and rebuilding to confirm that it boots fine without it.
 
Last edited:
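
A pre-build check for the integration discussed in the posts above: the net/Kconfig and net/Makefile hooks, the net/wireguard directory or symlink, and CONFIG_WIREGUARD=y in the kernel defconfig. This is an added example, not part of any post and not code from the WireGuard project; the function name `check_wireguard_tree` and its two arguments are made up for illustration.

```shell
#!/bin/sh
# Added example (hypothetical helper, not from the thread or from WireGuard).
# Usage: check_wireguard_tree <kernel-tree> <defconfig-file>
# Prints one line per problem; returns 0 only when every check passes.

check_wireguard_tree() {
    tree=$1
    defconfig=$2
    rc=0

    # 1. net/wireguard must resolve. jury-rig.sh leaves a symlink here, so a
    #    moved or deleted clone shows up as a dangling link.
    wg=$tree/net/wireguard
    if [ -L "$wg" ] && [ ! -e "$wg" ]; then
        echo "dangling symlink: net/wireguard -> $(readlink "$wg")"; rc=1
    elif [ ! -f "$wg/Kconfig" ]; then
        echo "missing: net/wireguard/Kconfig"; rc=1
    fi

    # 2. net/Kconfig must source the WireGuard Kconfig.
    grep -qF 'source "net/wireguard/Kconfig"' "$tree/net/Kconfig" 2>/dev/null || {
        echo "net/Kconfig does not source net/wireguard/Kconfig"; rc=1; }

    # 3. net/Makefile must descend into wireguard/.
    grep -Eq '^obj-\$\(CONFIG_WIREGUARD\)[[:space:]]*\+=[[:space:]]*wireguard/' \
        "$tree/net/Makefile" 2>/dev/null || {
        echo "net/Makefile has no obj-\$(CONFIG_WIREGUARD) rule"; rc=1; }

    # 4. The defconfig must build WireGuard in: =y passes, =m or unset fails.
    #    The last assignment in the file wins.
    val=$(sed -n 's/^CONFIG_WIREGUARD=//p' "$defconfig" 2>/dev/null | tail -n 1)
    if [ "$val" != "y" ]; then
        echo "defconfig: CONFIG_WIREGUARD=${val:-<unset>} (need =y)"; rc=1
    fi

    return $rc
}

# Run the check when the script is called with both arguments.
if [ "$#" -eq 2 ]; then
    check_wireguard_tree "$1" "$2"
fi
```

Run it from the ROM tree before starting the build, passing the kernel directory and the defconfig your device actually uses.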

cowgaR

Senior Member
Oct 25, 2010
288
86
Londinium
By "it" I assume you meant the app? I assume the issue is that seccomp denies necessary access to /proc to tell whether the module is loaded? Is it really essential to check that the module is loaded? I feel that it would be better to allow users to enable use of the module in the app (perhaps with a warning) without the explicit check to see whether it's loaded rather than require root. You could even have a couple of basic sanity checks, eg:

- Disable the option to enable use of the module in the app settings if the module.ko isn't found in the expected paths (or /sys/module if built-in), neither of which should require root
- Catch failure to initialise connection using kernel module config and offer user error asking them to ensure module is loaded and / or fallback to non-kernel module configuration
I suspect it's more than just checking availability. When you (or the app) execute wg to enable a tunnel (or take one down) you're calling iptables to establish iptables rules, as well as issuing ndc interface/network/resolver commands to create and enable the necessary interfaces. These are commands that all require root.

Has there been any progress on using the kernel-space implementation without the need for root? Say, by making the WireGuard application baked into the ROM as a system one?

Sorry if I am missing the point, in which case we all need to wait for Android 12 support.

Thank you.
 

Neurotical

Senior Member
Feb 7, 2011
137
162
I am attempting to compile Linux kernel 4.9.275 with Wireguard patch installed per instructions here: https://forum.xda-developers.com/t/wireguard-kernel-rom-integration.3711635/

Patch application is successful, but compile results in error:
Capture.PNG

Here is a link to my kernel source code and error line 139 in socket.c
https://github.com/Geoknyda/android...b60e21f53d21ee3ac/net/wireguard/socket.c#L139

Any help or guidance would be greatly appreciated :)
 
Last edited:

murtzsch

Member
May 10, 2014
36
20
I am attempting to compile Linux kernel 4.9.275 with Wireguard patch installed per instructions here: https://forum.xda-developers.com/t/wireguard-kernel-rom-integration.3711635/

Patch application is successful, but compile results in error:
View attachment 5366511
Here is a link to my kernel source code and error line 139 in socket.c
https://github.com/Geoknyda/android...b60e21f53d21ee3ac/net/wireguard/socket.c#L139

Any help or guidance would be greatly appreciated :)
It's about changing some conditions in compat.h
for instance I've used:
Diff:
diff --git a/net/wireguard/compat/compat.h b/net/wireguard/compat/compat.h
index 91d4388824ea..9710908880d3 100644
--- a/net/wireguard/compat/compat.h
+++ b/net/wireguard/compat/compat.h
@@ -91,7 +91,7 @@
 
 #if LINUX_VERSION_CODE < KERNEL_VERSION(3, 17, 0) && LINUX_VERSION_CODE >= KERNEL_VERSION(3, 16, 83)
 #define ipv6_dst_lookup_flow(a, b, c, d) ipv6_dst_lookup_flow(b, c, d)
-#elif (LINUX_VERSION_CODE < KERNEL_VERSION(5, 4, 5) && LINUX_VERSION_CODE >= KERNEL_VERSION(5, 4, 0)) || (LINUX_VERSION_CODE < KERNEL_VERSION(5, 3, 18) && LINUX_VERSION_CODE >= KERNEL_VERSION(4, 20, 0) && !defined(ISUBUNTU1904)) || (!defined(ISRHEL8) && !defined(ISDEBIAN) && !defined(ISUBUNTU1804) && LINUX_VERSION_CODE < KERNEL_VERSION(4, 19, 119) && LINUX_VERSION_CODE >= KERNEL_VERSION(4, 15, 0)) || (LINUX_VERSION_CODE < KERNEL_VERSION(4, 14, 181) && LINUX_VERSION_CODE >= KERNEL_VERSION(4, 10, 0)) || (LINUX_VERSION_CODE < KERNEL_VERSION(4, 9, 224) && LINUX_VERSION_CODE >= KERNEL_VERSION(4, 5, 0)) || (LINUX_VERSION_CODE < KERNEL_VERSION(4, 4, 224) && !defined(ISUBUNTU1604) && !defined(ISRHEL7))
+#elif (LINUX_VERSION_CODE < KERNEL_VERSION(5, 4, 5) && LINUX_VERSION_CODE >= KERNEL_VERSION(5, 4, 0)) || (LINUX_VERSION_CODE < KERNEL_VERSION(5, 3, 18) && LINUX_VERSION_CODE >= KERNEL_VERSION(4, 20, 0) && !defined(ISUBUNTU1904)) || (!defined(ISRHEL8) && !defined(ISDEBIAN) && !defined(ISUBUNTU1804) && LINUX_VERSION_CODE < KERNEL_VERSION(4, 19, 119) && LINUX_VERSION_CODE >= KERNEL_VERSION(4, 15, 0)) || (LINUX_VERSION_CODE < KERNEL_VERSION(4, 14, 181) && LINUX_VERSION_CODE >= KERNEL_VERSION(4, 10, 0)) || (LINUX_VERSION_CODE < KERNEL_VERSION(4, 9, 999) && LINUX_VERSION_CODE >= KERNEL_VERSION(4, 5, 0)) || (LINUX_VERSION_CODE < KERNEL_VERSION(4, 4, 224) && !defined(ISUBUNTU1604) && !defined(ISRHEL7))
 #define ipv6_dst_lookup_flow(a, b, c, d) ipv6_dst_lookup(a, b, &dst, c) + (void *)0 ?: dst
 #endif
 
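Review bot: `KERNEL_VERSION(4, 9, 999)` in the 4.9 clause of this `#elif` uses a sublevel that does not fit the 8 bits the conventional KERNEL_VERSION encoding gives the third field, so what the comparison actually tests depends on how this tree's version.h defines the macro (a plain shift lets 999 carry into the minor field, a clamping definition caps it). If the intent is that this 4.9 tree needs the `ipv6_dst_lookup` shim whatever its sublevel, key the clause on a define the tree sets explicitly rather than on an out-of-range version number.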
@@ -932,7 +932,7 @@ static inline int skb_ensure_writable(struct sk_buff *skb, int write_len)
 }
 #endif
 
-#if (LINUX_VERSION_CODE < KERNEL_VERSION(5, 6, 0) && LINUX_VERSION_CODE >= KERNEL_VERSION(5, 5, 0)) || (LINUX_VERSION_CODE < KERNEL_VERSION(5, 4, 102) && LINUX_VERSION_CODE >= KERNEL_VERSION(4, 20, 0)) || (LINUX_VERSION_CODE < KERNEL_VERSION(4, 19, 178) && LINUX_VERSION_CODE >= KERNEL_VERSION(4, 15, 0)) || (LINUX_VERSION_CODE < KERNEL_VERSION(4, 14, 223) && LINUX_VERSION_CODE > KERNEL_VERSION(4, 10, 0)) || LINUX_VERSION_CODE < KERNEL_VERSION(4, 9, 259) || defined(ISRHEL8) || defined(ISUBUNTU1804)
+#if (LINUX_VERSION_CODE < KERNEL_VERSION(5, 6, 0) && LINUX_VERSION_CODE >= KERNEL_VERSION(5, 5, 0)) || (LINUX_VERSION_CODE < KERNEL_VERSION(5, 4, 102) && LINUX_VERSION_CODE >= KERNEL_VERSION(4, 20, 0)) || (LINUX_VERSION_CODE < KERNEL_VERSION(4, 19, 178) && LINUX_VERSION_CODE >= KERNEL_VERSION(4, 15, 0)) || (LINUX_VERSION_CODE < KERNEL_VERSION(4, 14, 223) && LINUX_VERSION_CODE > KERNEL_VERSION(4, 10, 0)) || LINUX_VERSION_CODE < KERNEL_VERSION(4, 9, 999) || defined(ISRHEL8) || defined(ISUBUNTU1804)
 #include <linux/icmpv6.h>
 #include <net/icmp.h>
 #if IS_ENABLED(CONFIG_NF_NAT)
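Review bot: the `LINUX_VERSION_CODE < KERNEL_VERSION(4, 9, 999)` clause has no lower bound, so the only kernels whose behaviour changes are 4.9.259 and later, yet nothing in the hunk says why those need the `linux/icmpv6.h` / `net/icmp.h` compat block again. Add a comment naming what this tree is missing, and note that the same magic 999 is repeated from the earlier hunk, so the two overrides can be found and dropped together once the tree catches up.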
 

MeowDotEXE

Member
Oct 17, 2016
30
6
I'm not quite sure that this is the right place for my issue, but I'm having problems with getting the kernel backend to work.

Enabling the tunnel through the regular app gives the vague error of "Error bringing up tunnel: Unable to configure tunnel (wg-quick returned error 64)". If I go into a root shell and try to do it manually, it gives me a more descriptive error:
Code:
:/data/data/com.wireguard.android/files # wg-quick up lucas-phone.conf
[#] ip link add lucas-phone type wireguard
[#] wg setconf lucas-phone /proc/self/fd/0
[#] ip link set up dev lucas-phone
[#] ip link set down dev lucas-phone
[#] wg set lucas-phone fwmark 0x20000
[#] iptables -I OUTPUT 1 -m mark --mark 0x20000 -j ACCEPT -m comment --comment "wireguard rule lucas-phone"
[#] ip6tables -I OUTPUT 1 -m mark --mark 0x20000 -j ACCEPT -m comment --comment "wireguard rule lucas-phone"
[#] iptables -I INPUT 1 -p udp --dport 38892 -j ACCEPT -m comment --comment "wireguard rule lucas-phone"
[#] ip6tables -I INPUT 1 -p udp --dport 38892 -j DROP -m comment --comment "wireguard rule lucas-phone"
[#] ip link set up dev lucas-phone
[#] ndc network create 24188 vpn 1 1
Error: 500 0 Unknown trailing argument(s)

[#] ip link del lucas-phone
[#] iptables -D INPUT -p udp -m udp --dport 38892 -m comment --comment "wireguard rule lucas-phone" -j ACCEPT
[#] iptables -D OUTPUT -m mark --mark 0x20000 -m comment --comment "wireguard rule lucas-phone" -j ACCEPT
[#] ip6tables -D INPUT -p udp -m udp --dport 38892 -m comment --comment "wireguard rule lucas-phone" -j DROP
[#] ip6tables -D OUTPUT -m mark --mark 0x20000 -m comment --comment "wireguard rule lucas-phone" -j ACCEPT
64|:/data/data/com.wireguard.android/files #

Obligatory device information:
Phone: Pixel 3a XL (bonito)
Android version: 12 Beta 4 (SPB4.210715.011)
Kernel version: 4.9.270-ElementalX-P3a-4.04
Wireguard app version: v1.0.20210506
Kernel module backend version: 1.0.20210606
 
Last edited:

Top Liked Posts

  • 191

    WireGuard is a next generation secure VPN tunnel for the Linux kernel, with modern yet conservative cryptography and simple design principles. It is meant as a replacement for OpenVPN and for IPsec, and generally has better performance and security characteristics than both. It also is much easier to use. The whitepaper was peer reviewed for NDSS17 and the protocol itself has been formally verified. Since it lives in the kernel, it not only is very fast, but it is able to integrate in clever ways that are quite nice for battery life and overall smoothness. There are already commercial VPN providers offering services using WireGuard, and it is very easy to run your own WireGuard servers as well.

    Not only is it free software, but WireGuard also comes with free stickers. Send me a DM with how many you want and to where I should send them, and I’ll drop an envelope in the box. (Do not request stickers on the mailing list.)

    But WireGuard being awesome is old news. The new news is that now there’s an easy way to integrate it into Android kernels.

    WireGuard runs on ordinary Android devices, but ones that have the special WireGuard kernel module will have numerous advantages. That is the topic of this thread. The main interest here in XDA Land is in making the kernelspace version readily available to kernel/ROM devs, which has the best possible performance, battery life, integration, and stability.

    Adding to Kernel Trees

    If you maintain your own kernel, you may easily patch your kernel tree to support WireGuard with the following commands:

    Code:
    $ curl https://data.zx2c4.com/wireguard-android-kernel-patcher.tar.xz | tar -xJf -
    $ wireguard-android-kernel-patcher/doit.bash path/to/kerneltree

    This will patch your kernel and create a commit or a series of commits for you.


    Everybody: Download the App

    The Android GUI app will opportunistically use the kernel component if it's available (patched in using either one of the two methods above), and will then fall back to the userspace implementation otherwise.


    Getting Support

    Ask or help on IRC in #wireguard on Freenode. DO NOT ASK FOR USER SUPPORT IN THIS THREAD. Devs only, please. User help is on the IRC channel.



    XDA:DevDB Information
    WireGuard, Kernel for all devices (see above for details)

    Contributors
    zx2c4
    Source Code: https://www.wireguard.com/

    Kernel Special Features: WireGuard kernel module integration

    Version Information
    Status:
    Release

    Created 2017-11-28
    Last Updated 2020-12-05
    74
    This post formerly had a list of an incredible amount of ROMs and kernels with WireGuard baked in. But by now, so many kernels have WireGuard that it became impossible to keep track of.

    You can check if your current kernel has WireGuard by downloading the WireGuard app and looking at the settings panel. If it says "kernel backend", you have WireGuard in your kernel. If it says "userspace backend", you do not have WireGuard in your kernel.
    20
    Large App Update

    The application has now been updated with many important changes that should increase speed, reliability, a lot of bugs, quick tile behavior, and importantly adds support for Android 8.
    14
    Tools Bundled with APK

    Hey guys,

    Small update that might interest you. The app now comes with its own bundled wg and wg-quick tools, which means it's no longer necessary to provide the standalone tools flashable zip. It also makes the ROM manifest integration method and the kernel integration method equal in terms of usefulness.

    Hope this helps!

    Jason
    13