Using WireGuard over xfinitywifi

2024-11-08T00:00:00+00:00

If you are a Comcast Xfinity customer, you hopefully know that you can log into WiFi hotspots wherever other Xfinity customers have them enabled, all using the SSID xfinitywifi. You may have also figured out by now that WireGuard doesn’t seem to work over this WiFi service without additional tweaking.

Well, I have tweaked a WireGuard configuration until it seems to work.

I searched the Web for quite a while to find a good solution, and there seemed to be a general feeling that the MTU needed to be adjusted. Lots of people offered various solutions.

Through some experimentation, I discovered that on the client-side WireGuard configuration, the maximum transmission unit (MTU) needed to be set to 1280. Apparently this is a significant number because it’s the lowest possible MTU for an IPv6 network. Setting the MTU so low will impact performance, but if you are going through a WireGuard VPN, performance probably isn’t your biggest concern.

In the end, your client-side WireGuard configuration, which is located in /etc/wireguard/wg0.conf if you are on Linux, should look like the example below. Note in particular the MTU and AllowedIPs line.

[Interface]
PrivateKey = <your private key>
Address = <your ip address and netmask>
DNS = <your DNS server>
# This MTU line is the important one!
MTU = 1280

[Peer]
PublicKey = <your public key>
PresharedKey = <your pre-shared key>
Endpoint = <your endpoint>:51820
# This is important for client-side routing!
AllowedIPs = 0.0.0.0/0, ::0/0
PersistentKeepalive = 25

This became important to me because I’ve been shifting over to using a secure travel router when I am out and about. The router I chose to go with is the GL.iNet GL-SFT1200 Opal, and it has built-in WireGuard support that you can enable with a switch on the side. It is very cute and effective. This allows me to use WireGuard to create a VPN tunnel back to my home network, which gives me the ability to use my dual pi-hole setup from anywhere in the world!

If you have been struggling with that pesky xfinitywifi network and its weird settings, I hope this helps. It took me too long to find the right solution!

A Poor-Man's Dynamic DNS with Ansible and Amazon Route53

2016-07-21T16:33:45+00:00

I wanted to be able to configure a DNS hostname dynamically, but couldn’t find an easy-to-use dynamic DNS client that suited my needs. Using Ansible and Amazon Route53, I put together a quick, effective solution.

Requirements

First, you need an AWS account with a Route53 DNS zone. I followed these directions to create a subdomain.

Next, you need a remote host that accessible via SSH. On that host, install Python and the Boto library. Make sure that Boto is configured with sufficient AWS credentials to access and change your Route53 zone.

Ansible Configuration

This section was updated on 2016-11-29 to reflect improvements I’ve made in the Ansible playbook.

Ansible made this task simple. In fact, the playbook below is mostly based on example recipes from the Ansible Route53 module documentation. The YAML playbook should look like the example below. Replace YOUR-ROUTE53-ZONE with the zone you configured in Route53. Replace YOUR-FULL-DYNAMIC-HOSTNAME with the fully-qualified domain name that you’ll use for dynamic DNS.

Note that this uses the ipify_facts Ansible module. You can use the default value or pass api_url like I’m doing in this example.

---
- name: Update Dynamic IP
  hosts: localhost
  vars:
    dyn_zone: YOUR-ROUTE53-ZONE
    dyn_hostname: YOUR-FULL-DYNAMIC-HOSTNAME
  tasks:
    - name: Get public IP
      ipify_facts: api_url=https://arnesonium.com/api/yourip.php
      connection: local
    - name: Get existing host information
      register: dynip
      route53:
        command: get
        zone: ""
        record: ""
        type: A
    - name: Delete existing host information
      when: ipify_public_ip != dynip.set.value
      route53:
        command: delete
        zone: ""
        record: ""
        ttl: ""
        type: ""
        value: ""
    - name: Create new host record
      when: ipify_public_ip != dynip.set.value
      route53:
        command: create
        zone: ""
        record: ""
        type: A
        ttl: 600
        value: ""

Running Your Playbook

I named my playbook dyndns.yml, so I run it with this shell command:

ansible-playbook -vv dyndns.yml

The -vv increases the verbosity so you can see what’s going on.

The Next Step

Next, I need to convince this script to run every time my laptop’s network comes back online. I’m sure there’s a good way to do that, but I haven’t spent much time looking into it.