Librem 5, WireGuard and MMS

I have a Librem 5 phone, running PureOS. It's always connected to my home VPN using WireGuard. Everything works smooth and dandy but there's a problem. I route all the traffic to my VPN and use my own DNS server.

In that configuration, it is impossible to receive an MMS from T-Mobile because the needed servers are on a private subnet that is only accessible through the mobile interface. Their IP addresses also change, and their names can only be resolved from that interface.

So I went looking for a solution to work around this problem. WireGuard uses a firewall mark and a special routing table to handle the "redirect all traffic" feature. The trick is to make a certain part of the traffic use the main routing table directly.

The solution can be reduced to basically:

- Find the needed servers;
- Write a script to modify the hosts file and the routing policy;
- Plug this into NetworkManager so it can call it based on the WireGuard status.

Find the needed servers

This is the tedious part. In order to get all of them, I first disconnected from the VPN, then asked someone to send me some MMS. Reading the mmsd-tng daemon logs (journalctl --user -fu mmsd-tng), I was able to find the following needed servers:

10.177.0.34 (DNS)

mms.msg.eng.t-mobile.com (mms gateway)

mp.t-mobile.com (?)

me.t-mobile.com (?)

mt.t-mobile.com (?)

Once you have confirmed which servers are used and that you can receive MMS, it is time to script something up.

Write a tool to prepare the network

In order to be sure I would not use outdated IPs, I wrote a little script to do all the work.

Let's create that file in /usr/local/bin/wgmms.sh:

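#!/bin/bash

# Carrier DNS server, only reachable through the mobile interface
DNS=10.177.0.34
# Servers needed to receive an MMS
HOSTS=(
	mms.msg.eng.t-mobile.com
	mp.t-mobile.com
	me.t-mobile.com
	mt.t-mobile.com
)

# Print the IPv4 addresses the carrier DNS returns for host $1.
# Lines mentioning the DNS server itself (dig error messages) are dropped.
function resolve() {
	dig "$1" "@$DNS" +short | grep --line-buffered -E '^([0-9]{1,3}\.){3}[0-9]{1,3}$' | grep --line-buffered -vF "$DNS"
}

# Delete every /etc/hosts line mentioning host $1 (a .bak copy is kept)
function remove_host() {
	local hname=$1
	if grep -q "$hname" /etc/hosts; then
		sed -i".bak" "/$hname/d" /etc/hosts
	fi
}

# Append "ip hostname" to /etc/hosts unless the host is already listed
function add_host() {
	local ip=$1 hname=$2
	if ! grep -q "$hname" /etc/hosts; then
		echo "$ip $hname" >> /etc/hosts
	fi
}

# Start from a clean state: drop the old hosts entries...
for host in "${HOSTS[@]}"; do
	remove_host "$host"
done

# ...and every rule at preference 30 (ip rule del removes one rule per call)
while ip rule del pref 30 2>/dev/null; do
	:
done

[[ $1 == "clean" ]] && exit 0

# Send traffic for the carrier DNS and the MMS servers to the main routing
# table, ahead of the WireGuard rules
ip rule add from all to "$DNS" lookup main pref 30
for host in "${HOSTS[@]}"; do
	# A host may resolve to several addresses, or to none at all
	for ip in $(resolve "$host"); do
		add_host "$ip" "$host"
		ip rule add from all to "$ip" lookup main pref 30
	done
done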

Now change the owner and mode:

chmod 755 /usr/local/bin/wgmms.sh
chown root:root /usr/local/bin/wgmms.sh

It's important that this file is owned by root for security reasons: it will get called by NetworkManager, which runs dispatcher scripts as root, and you don't want a random account to be able to change it.

Plug that in NetworkManager

The last thing to do is to make NetworkManager run this script when the WireGuard interface gets activated or deactivated.

To do so, just add a script in /etc/NetworkManager/dispatcher.d/99-wgmms:

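#!/bin/bash

# NetworkManager passes the interface name and the event as arguments
iface=$1
event=$2

# Only react to the WireGuard interface
[[ $iface != "wg0" ]] && exit 0

case $event in
        up) /usr/local/bin/wgmms.sh ;;          # add hosts entries and rules
        down) /usr/local/bin/wgmms.sh clean ;;  # remove them again
esac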

Change owner and mode:

chmod 755 /etc/NetworkManager/dispatcher.d/99-wgmms
chown root:root /etc/NetworkManager/dispatcher.d/99-wgmms

Again, this is very important to chown to root. NetworkManager will simply ignore the script if it's not owned by root.

Check that everything is fine

Activate your WireGuard connection and then check the hosts file:

$ cat /etc/hosts
127.0.0.1       librem-5   localhost
10.168.127.18 mms.msg.eng.t-mobile.com
10.175.198.137 mp.t-mobile.com
10.168.121.87 me.t-mobile.com

And check the rules:

$ ip rule list
0:      from all lookup local
30:     from all to 10.177.0.34 lookup main
30:     from all to 10.168.127.18 lookup main
30:     from all to 10.175.198.137 lookup main
30:     from all to 10.168.121.87 lookup main
31296:  from all lookup main suppress_prefixlength 0
31297:  not from all fwmark 0xcbb8 lookup 52152
32766:  from all lookup main
32767:  from all lookup default

MMS should work. If you disable the WireGuard interface, everything should be cleaned up.
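
The preference-30 rules are built from whatever the carrier DNS answers, and every address they name bypasses the VPN. As an added example (not part of the original post), this POSIX shell check reads "ip rule list" output and reports any bypass destination outside RFC 1918 space. It assumes the MMS servers stay on private addresses, as described above; the function names and the 203.0.113.7 sample entry are constructed for illustration.

```shell
#!/bin/sh
# Added example, not part of the original post. Function names are made up.

# Succeed only if $1 is a dotted-quad IPv4 address in RFC 1918 space.
is_private_ipv4() {
	case $1 in *[!0-9.]*|*..*|.*|*.) return 1 ;; esac
	old_ifs=$IFS; IFS=.
	set -- $1
	IFS=$old_ifs
	[ $# -eq 4 ] || return 1
	for octet in "$@"; do
		[ ${#octet} -le 3 ] && [ "$octet" -le 255 ] || return 1
	done
	case $1 in
		10) return 0 ;;
		172) [ "$2" -ge 16 ] && [ "$2" -le 31 ] ;;
		192) [ "$2" -eq 168 ] ;;
		*) return 1 ;;
	esac
}

# Read "ip rule list" output on stdin and print the destination of every rule
# at priority $1 that is not a single private address. Returns 1 if any exist.
audit_bypass_rules() {
	pref=$1; bad=0
	while read -r prio f1 f2 word dest rest; do
		[ "$prio" = "$pref:" ] && [ "$word" = "to" ] || continue
		if ! is_private_ipv4 "$dest"; then
			echo "$dest"
			bad=1
		fi
	done
	return $bad
}

# Constructed sample: rules from the listing above plus one constructed entry
# (203.0.113.7, a documentation address) standing in for an unexpected answer.
sample_rules() {
	cat <<'EOF'
0:      from all lookup local
30:     from all to 10.177.0.34 lookup main
30:     from all to 10.168.127.18 lookup main
30:     from all to 203.0.113.7 lookup main
31296:  from all lookup main suppress_prefixlength 0
EOF
}

# On the phone: ip rule list | audit_bypass_rules 30
sample_rules | audit_bypass_rules 30 || echo "bypass rule outside private space" >&2
```

The same is_private_ipv4 test can be applied to each resolved address before the rule is added, so an unexpected answer never becomes a bypass route.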

Enjoy.