1

How could I use KDEConnect over wireguard, that does not implement broadcasting?

tobiasBora

1 Answer

2

Let's imagine that we have three computers:

  • a server that will run the wireguard server, with wireguard ip 10.100.0.1
  • a phone that runs KDEConnect for android, with wireguard ip 10.100.0.2
  • a laptop with KDE Plasma that runs kdeconnect, with wireguard ip 10.100.0.3

On the server, first configure wireguard. I personally chose to use nixos to do that, but you should also be able to configure it manually, or with a .conf file. Here is my nix configuration file:

# Source: https://nixos.wiki/wiki/Wireguard
#### Create keys, as root:
# mkdir ~/wireguard-keys
# umask 077 ~/wireguard-keys
# wg genkey > ~/wireguard-keys/private
# wg pubkey < ~/wireguard-keys/private > ~/wireguard-keys/public
{ config, pkgs, lib, ... }:
let
  port = 51820;
in
{
  environment.systemPackages = with pkgs; [ wireguard ];

  networking.wireguard.interfaces = {
    # "wg0" is the network interface name. You can name the interface arbitrarily.
    wg0 = {
      # Determines the IP address and subnet of the server's end of the tunnel interface.
      ips = [ "10.100.0.1/24" ];

      # The port that Wireguard listens to. Must be accessible by the client.
      listenPort = port;

      # Path to the private key file.
      #
      # Note: The private key can also be included inline via the privateKey option,
      # but this makes the private key world-readable; thus, using privateKeyFile is
      # recommended.
      privateKeyFile = "/root/wireguard-keys/private";

      peers = [
        # List of allowed peers.
        {
          # Android
          publicKey = "myandroidpublickey=";
          # List of IPs assigned to this peer within the tunnel subnet.
          # Used to configure routing.
          allowedIPs = [ "10.100.0.2/32" ];
        }
        {
          # Laptop
          publicKey = "mylaptoppublickey=";
          # List of IPs assigned to this peer within the tunnel subnet.
          # Used to configure routing.
          allowedIPs = [ "10.100.0.3/32" ];
        }
      ];
    };
  };

  # Ensure IP forwarding is enabled.
  boot.kernel.sysctl."net.ipv4.ip_forward" = 1;

  # Add a masquerade rule to iptables so the clients can
  # talk to the internet
  networking.firewall.extraCommands = ''
   iptables -t nat -A POSTROUTING -s 10.100.0.0/24 ! -d 10.100.0.0/24 -j MASQUERADE
  '';
  # Make sure port is open
  networking.firewall = {
    allowedTCPPorts = [ port ];
    allowedUDPPorts = [ port ];
  };


}

The important part is to make sure IP forwarding is enabled, and to run the command iptables -t nat -A POSTROUTING -s 10.100.0.0/24 ! -d 10.100.0.0/24 -j MASQUERADE. Indeed, if you don't do masquerade, then you won't be able to access the internet from your phone, and if you forget to ensure that the destination is outside of the network before doing the masquerade, you will not be able to connect to KDEConnect from your phone (I spent lots of time before realizing that).

Then, also configure wireguard on your laptop, for example by putting in /etc/wireguard/wg0.conf:

# https://wiki.archlinux.fr/Wireguard
# To run, use:
# wg-quick up wg0
# or systemctl enable --now wg-quick@wg0
# On node 2, the "client"
[Interface]
# the /24 matters: it defines a network (/24) that the interface belongs to
Address = 10.100.0.3/24
PrivateKey = computerprivatekey

# Define who the "server" is
[Peer]
PublicKey = serverpublickey
# here the /24 means that all VPN nodes first talk to the server,
# which forwards to us whatever concerns us:
# we can expect to receive traffic from hypothetical new nodes that would be in 10.X.Y/24
AllowedIPs = 10.100.0.0/24
Endpoint = serverip.com:51820
# Clients are usually behind NAT, so if the server must be able to reach the client at any time, you need:
PersistentKeepalive = 15

On the android phone, install the wireguard app (available on the Play store and FDroid), create a new interface, generate a new private key, and in the interface address choose 10.100.0.2/32. In Peer, add the public key of the server, and put in Allowed IPs 0.0.0.0/0 (actually you can choose a stricter set of IPs). Configure the endpoint to myserver.com:51820, then save and enable the configuration and test the network.

Finally, just go on your phone on KDEConnect, go to "Associate a new device", then click the three dots on top right, "Add devices by IP", and then add the IP of the laptop 10.100.0.3. Enjoy!

NB: if you don't want to configure the ip on the phone side, you can also recompile KDEConnect in order to change the address of the broadcast to the ip of your phones... But it's not really practical.

tobiasBora
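
An added example, not part of the original answer: a small Python model of the masquerade rule from the answer, showing which tunnel packets would have their source address rewritten with and without the `! -d 10.100.0.0/24` exclusion. The rule lines are constructed in the format printed by `iptables -t nat -S POSTROUTING`; the function names and the internet address 203.0.113.10 are assumptions for illustration, and only `-s`/`-d` matches are modelled.

```python
import ipaddress
import shlex

# Constructed sample rules, in the format printed by `iptables -t nat -S POSTROUTING`.
ANSWER_RULE = "-A POSTROUTING -s 10.100.0.0/24 ! -d 10.100.0.0/24 -j MASQUERADE"
BROAD_RULE = "-A POSTROUTING -s 10.100.0.0/24 -j MASQUERADE"  # destination check forgotten


def parse_masquerade_rule(line):
    """Return {"-s": (net, negated), "-d": (net, negated)} for a MASQUERADE rule, else None."""
    tok = shlex.split(line)
    if tok[:2] != ["-A", "POSTROUTING"] or tok[-2:] != ["-j", "MASQUERADE"]:
        return None
    rule, negate, i = {}, False, 2
    while i < len(tok) - 2:
        if tok[i] == "!":
            negate = True
            i += 1
        elif tok[i] in ("-s", "-d"):
            rule[tok[i]] = (ipaddress.ip_network(tok[i + 1], strict=False), negate)
            negate = False
            i += 2
        else:  # other matches (-o, -p, ...) are not modelled in this sketch
            negate = False
            i += 1
    return rule


def load_rules(text):
    """Parse every line of a rule listing, keeping only MASQUERADE rules."""
    parsed = (parse_masquerade_rule(l) for l in text.splitlines() if l.strip())
    return [r for r in parsed if r is not None]


def is_masqueraded(rules, src, dst):
    """True if a packet src -> dst matches any rule, i.e. its source would be rewritten."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for rule in rules:
        matches = True
        for flag, addr in (("-s", src), ("-d", dst)):
            if flag in rule:
                net, negated = rule[flag]
                matches = matches and ((addr in net) != negated)
        if matches:
            return True
    return False


if __name__ == "__main__":
    for name, text in (("answer rule", ANSWER_RULE), ("broad rule", BROAD_RULE)):
        rules = load_rules(text)
        print(name, "phone->laptop NATed:", is_masqueraded(rules, "10.100.0.2", "10.100.0.3"))
        print(name, "phone->internet NATed:", is_masqueraded(rules, "10.100.0.2", "203.0.113.10"))
```

To check a real server, feed `load_rules` the output of `iptables -t nat -S POSTROUTING` and confirm that phone-to-laptop traffic is not matched.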