You are not logged in.
- Topics: Active | Unanswered
#1 2020-05-26 08:57:22
- schard
- Forum Moderator
- From: Hannover
- Registered: 2016-05-06
- Posts: 1,986
- Website
[SOLVED] systemd-networkd: WireGuard interface without peers
I have a use case in which I want to use WireGuard on a server as VPN server and connect several (~1000) clients to it.
The server uses systemd-networkd for network configuration of its ethernet interface as well as another WireGuard network with a smaller, static amount of peers.
I am now trying to set up a WireGuard interface for the former WireGuard network, also using systemd-networkd, but without any peers statically configured.
The actual peers will be added (and removed) dynamically using the wg utility.
This, however, results in a non-configured WireGuard interface:
$ cat /etc/systemd/network/terminals.netdev
[NetDev]
Name = terminals
Kind = wireguard
Description = terminals network
[WireGuard]
ListenPort = 51820
PrivateKey = REDACTEDStatus after reboot:
interface: terminals
listening port: 37845As you can see, without peers configured, the netdev configuration seems to be skipped entirely.
Neither the port is correct, nor is a public key being derived from the set private key.
If I add a dummy peer, this issue goes away:
$ cat /etc/systemd/network/terminals.netdev
[NetDev]
Name = terminals
Kind = wireguard
Description = terminals network
[WireGuard]
ListenPort = 51820
PrivateKey = REDACTED
[WireGuardPeer]
PublicKey = XZAicNiHxLTcHpZC8ABWW6nxq4E9Am+Le8K8SmKSbDc=And after a reboot:
interface: terminals
public key: iDL6YJGyFBMIsOT7U0vCbGC98l1YpIpzTJ1knihEZjo=
private key: (hidden)
listening port: 51820I do not understand as to why WireGuard systemd won't let me configure an interface without initial peers.
Other options I considered:
1) Not using systemd-network, but using e.g. the wg-quick stuff has proven to be unreliable and a bitch and a half to configure. Since my corresponding *.network file uses some systemd-network magic, I'd like to let systemd-netoworkd to configure the entire interface.
2) Just working with the dummy peer feels like a dirty hack. Amongst the vast amount of peers to be added, having a dummy client amongst them, is prone to cause confusion in the future.
So, how can I setup a WireGuard interface using systemd-networkd which is having no initial peers?
Last edited by schard (2020-05-26 09:57:14)
macro_rules! yolo { { $($tokens:tt)* } => { unsafe { $($tokens)* } }; }
Offline
#2 2020-05-26 09:37:02
- progandy
- Member
- Registered: 2012-05-17
- Posts: 5,193
Re: [SOLVED] systemd-networkd: WireGuard interface without peers
It is impossible for now, that would need changes in systemd-networkd. For a reason I do not understand the creation of the wireguard interface is inside a loop that only runs when peers are configured.
Edit: That loop may be there to allow splitting up large amounts of peers into multiple netlink packages.
https://github.com/systemd/systemd/blob … ard.c#L243
Related bug report: https://github.com/systemd/systemd/issues/15786
Last edited by progandy (2020-05-26 09:47:13)
| alias CUTF='LANG=en_XX.UTF-8@POSIX ' |
Offline
#3 2020-05-26 09:57:02
- schard
- Forum Moderator
- From: Hannover
- Registered: 2016-05-06
- Posts: 1,986
- Website
Re: [SOLVED] systemd-networkd: WireGuard interface without peers
Thanks. I actually searched the systemd issues tracker but must have overlooked this.
I'll go for the dummy peer solution for the time being then.
macro_rules! yolo { { $($tokens:tt)* } => { unsafe { $($tokens)* } }; }
Offline