Setting up WireGuard between Linux and iOS

WireGuard is a modern VPN that’s designed to be easy to configure, performant, and secure. The ease-of-configuration is really important. If you’ve ever set up IPsec, you know what I mean. OpenVPN isn’t awful, but it isn’t good, either. WireGuard has both a Linux kernel implementation as well as a Go-based portable implementation that works on Mac and iOS. Official Windows support doesn’t exist yet, but is on the way.

I couldn’t find any information on configuring WireGuard to work with iOS. Here’s what I did to get it working.

On Linux:

Designated a /24 subnet in the RFC1918 space and set up wg0 according to the WireGuard quick start documentation. I actually configured it in /etc/network/interfaces like so:

auto wg0
iface wg0 inet static
    address 10.108.45.1
    netmask 255.255.255.0
    pre-up ip link add $IFACE type wireguard
    pre-up wg setconf $IFACE /etc/wireguard/$IFACE.conf
    post-down ip link del $IFACE

Created /etc/wireguard/wg0.conf:

[Interface]
PrivateKey = my-private-key-goes-here
ListenPort = port-goes-here

# iPhone
[Peer]
PublicKey = public-key-goes-here
AllowedIPs = client-ip-address-goes-here/32

AllowedIPs is a bit of a misnomer. It’s not just an ACL for incoming packets; it’s also used to determine what traffic to route to each peer. The important thing here is to use /32 addresses in the AllowedIPs of the peers. If you use the entire /24 subnet, only the first peer using that subnet will work.

The iOS client side is where I had the most trouble. Part of the trouble is that the iOS app doesn’t show the state of the client. The other part is that since WireGuard is connectionless, even a bogus config will show up as active when you enable it.

Here’s what worked for me on iOS:

I created a key pair using the iOS app and put the public key in my Linux wg0.conf and restarted that interface.

Assign an address to the client from the /24 subnet. This needs to match the AllowedIPs line on the server. I used a /24 netmask on the iOS device, but /32 should work, too. I set the Listen port to 5555 to make it easy to verify incoming traffic using Wireshark, but that’s optional. A DNS server should be specified, because the existing one probably won’t be reachable with the VPN up. (Enabling Exclude Private IPs might fix that depending on the network you’re on.)

On the iOS peer config, enter the public key of the server and set the endpoint IP:port. For Allowed IPs, use 0.0.0.0/0. This will cause all traffic to be routed through the VPN endpoint while it’s active.

That’s it. Now activate the VPN and send some traffic through it. The ‘wg’ command on the Linux peer should show a handshake and data transferred in and out. To make Internet access work from the iOS device, you’ll probably want to set up NAT on the Linux peer.

Note that WireGuard is silent on the wire by default, so you won’t see a handshake unless you force traffic through it. The easiest way to do that is to use Safari to try to connect to the Linux peer’s IP address. (It doesn’t matter if it doesn’t have a web server running.) Using 0.0.0.0/0 for Allowed IPs on the client essentially forces a connection handshake because the iOS device will start sending traffic to the world through it on its own.
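To automate the two checks described above (has each peer completed a handshake and moved data, and is every peer's AllowedIPs a single /32 that doesn't overlap another peer's), here is an added example, not from the original post, that parses the tab-separated output of `wg show wg0 dump` on the Linux peer. The dump text, the peer keys and the timestamps are constructed placeholders.

```python
import ipaddress
from itertools import combinations

# Constructed sample of `wg show wg0 dump` output (tab-separated); the keys are
# placeholders, not real WireGuard keys. The second peer deliberately lists the
# whole /24 in AllowedIPs, which is the mistake the post warns about.
SAMPLE_DUMP = (
    "SERVER_PRIVATE_KEY_PLACEHOLDER\tSERVER_PUBLIC_KEY_PLACEHOLDER\t51820\toff\n"
    "IPHONE_PUBKEY_PLACEHOLDER\t(none)\t203.0.113.7:5555\t10.108.45.2/32\t1700000100\t9184\t13920\toff\n"
    "LAPTOP_PUBKEY_PLACEHOLDER\t(none)\t(none)\t10.108.45.0/24\t0\t0\t0\toff\n"
)

def parse_dump(text):
    """Parse `wg show <iface> dump`: first line is the interface, the rest are peers."""
    lines = [l for l in text.splitlines() if l.strip()]
    iface = lines[0].split("\t")
    interface = {"public_key": iface[1], "listen_port": int(iface[2])}
    peers = []
    for line in lines[1:]:
        f = line.split("\t")
        peers.append({
            "public_key": f[0],
            "endpoint": None if f[2] == "(none)" else f[2],
            "allowed_ips": [ipaddress.ip_network(n) for n in f[3].split(",") if n],
            "latest_handshake": int(f[4]),  # unix time; 0 means never
            "rx": int(f[5]),
            "tx": int(f[6]),
        })
    return interface, peers

def check_peers(peers, now, max_age=180):
    """Return (peer_public_key, problem) findings for a server-side wg interface."""
    findings = []
    for p in peers:
        if p["latest_handshake"] == 0:
            findings.append((p["public_key"], "no handshake yet"))
        elif now - p["latest_handshake"] > max_age:
            findings.append((p["public_key"], "handshake older than %ds" % max_age))
        for net in p["allowed_ips"]:
            if net.prefixlen != net.max_prefixlen:
                findings.append((p["public_key"], "AllowedIPs %s is wider than one host" % net))
    # Each destination IP is routed to exactly one peer, so overlapping AllowedIPs
    # between peers means at least one of them will not receive its traffic.
    for a, b in combinations(peers, 2):
        if any(x.overlaps(y) for x in a["allowed_ips"] for y in b["allowed_ips"]):
            findings.append((a["public_key"], "AllowedIPs overlap with " + b["public_key"]))
    return findings

def run(text=SAMPLE_DUMP, now=1700000150):
    """Parse a dump and return (interface, findings); pass real `wg show wg0 dump` output here."""
    interface, peers = parse_dump(text)
    return interface, check_peers(peers, now)
```

On a live system, feed `subprocess.check_output(["wg", "show", "wg0", "dump"], text=True)` and `time.time()` to `run()`; an empty findings list means every peer has handshaken recently and owns a distinct host route.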

WireGuard roams peers between IPs effortlessly. Obviously one endpoint must have a fixed IP:port, but a peer roaming between Wi-Fi networks and LTE works beautifully.

Closing a Yahoo account

I terminated my Yahoo account on June 24. It was only used for Flickr. Flickr has been in a sad state for years, and is unlikely to improve under Verizon ownership.

Yahoo sent the following as a confirmation:

It’s strange that the final date is approximate. The 40 days concluded yesterday, August 3.

I’ve received several emails recently of spambots liking photos on Flickr, including one this morning (August 4):

Awesome photos, huh? Not so much.

I never received these notifications before asking Yahoo to terminate the account. It’s unclear why the Flickr content is still visible at all. In hindsight, I should have deleted the photos prior to terminating the account.

I could pessimistically conclude that this is a trick designed to get users to log back into their account and abort the termination process. I’m actually worried that my data will never get expunged.

For now, I’ve decided the best action is no action. Hopefully this all works out.

Disabling Wi-Fi on an LG Smart Refrigerator

Our LG LFXS30766S refrigerator is broadcasting an open Wi-Fi access point. I’m sure it’s doing that so LG’s Android app can connect to it and deliver pairing instructions for another AP. Sadly, there doesn’t seem to be any way to disable this feature. LG: If you’re listening, nobody asked for this garbage. Making the door shelves adjustable would be pretty great, though. A $2,300 fridge should have adjustable shelves.

I also see LG recently posted a firmware update for this fridge to their website. There are no release notes; you need proprietary hardware to install it, and it requires fridge disassembly. Seriously? I hope it’s not needed to close a gaping security hole in that open Wi-Fi access point… No, that would be silly. They’re never going to fix those security holes.

I may end up looking for a service manual so I can try to physically disable the Wi-Fi.

Welcome to the shitty future.

May 5, 2016 Update:

Forum discussion on refrigerator Wi-Fi
Video showing how to disable Wi-Fi on a Samsung refrigerator

Replacing Dropbox with BitTorrent Sync

[Edit 12/2015 – Since BitTorrent Sync hit 2.x, I’m no longer using it and I can no longer recommend it.]

Too many times, you’ve heard a cloud storage/sync product described as “like Dropbox.” There’s Box, OneDrive, Google Drive, iCloud Drive, Bitcasa, SpiderOak, Wuala, Transporter, and I’ve missed a bunch. It doesn’t matter because they’re all pretty bad, and nearly all have the same problem, which is that any data you upload can be decrypted by the provider. In the event of a bug or a breach, anyone could have access to your files.

BitTorrent Sync draws the inevitable comparison, but it’s different and better. It lets you sync folders between multiple machines, and it supports every major computing platform, but it works without a cloud component. It’s peer-to-peer, encrypted, and fast. Sync is in beta, but I replaced Dropbox with Sync over five months ago, and it’s been great. The most recent version even handles syncing OS X extended attributes with an intermediate Linux peer.

I’ve been using Sync to publish files to the web, replicate a Minecraft server, sync personal documents between my computers, access files on the go with my iPhone, automatically upload security camera footage offsite, and even back up my iPhone’s camera roll to a home computer. It works.

Sync makes ad-hoc sharing easy, with expiring and optionally read-only links. It’s one of the easiest and fastest ways to share large files.

The most intriguing feature of BitTorrent Sync is its ability to include peers that can sync without having a decryption key. I’ve taken advantage of that feature to keep a copy of my documents synchronized with my own cloud server. On that server, the file contents, names, and metadata are encrypted and I feel reasonably secure knowing that if someone hacked the server, my tax returns and security camera footage would remain private.

Sync is hard to get right, and BitTorrent Sync is impressive. On my wishlist: Hosted plans for folks who need the always-on aspect of cloud storage and can’t roll their own, and a Dropbox-compatible SDK for mobile app developers.