
#1 2020-01-11 14:08:24

jonnybarnes
Member
From: Manchester, UK
Registered: 2011-05-11
Posts: 129

WireGuard using systemd-networkd issues

I have a server running arch linux, and I’m trying to get my iPhone setup and it doesn’t work. The iPhone seems to think it’s connected to a vpn successfully, but it can’t actually connect to any websites, which makes me suspect I’m running into a DNS issue.

However, here’s my setup:

/etc/systemd/network/wireguard.netdev:

[NetDev]
Name=wg0
Kind=wireguard
Description=WireGuard VPN

[WireGuard]
PrivateKeyFile=/etc/wireguard/server-privatekey
ListenPort=51820

[WireGuardPeer]
PublicKey=rNDlI...=
AllowedIPs=10.10.10.2/24
PersistentKeepalive=25

/etc/systemd/network/wireguard.network:

[Match]
Name=wg0

[Network]
Address=10.10.10.1/24

And here’s my mobile config that I copied to my iOS device’s wireguard app by way of a QR code:

[Interface]
PrivateKey=eNWIEVSEAMkuJfJ5Qlz283OUHBXF3Q1m7+w7ETtkvUM=
Address=10.10.10.2/24

[Peer]
PublicKey=uiUQtQ6TTwdYMl+LQZQApMTzOv0GpBrih2te8pUGhXY=
Endpoint=51.15.8.12:51820
AllowedIPs=0.0.0.0/0

Anyone any ideas how to get this working?


#2 2020-01-11 15:22:22

firecat53
Member
From: Lake Stevens, WA, USA
Registered: 2007-05-14
Posts: 1,542

Re: WireGuard using systemd-networkd issues

So...I hope someone comes along and proves me wrong but here's what I _think_ I discovered when trying to get a Wireguard VPN 'server' setup.

In order to create the iptables masquerading rules in the server config that allow your client to browse the internet from the server (and not just tunnel address) you have to set IPMasquerade=true in your systemd-networkd files. However, when setting this, I was still unable to browse regular addresses because the correct iptables rules/routes were still not being set. I found this systemd bug that seems to be the culprit if I understand it correctly. Like you, I also thought initially it was a DNS problem and beat my head against it for a couple of weeks.

Ultimately I just setup the /etc/wireguard/wg0.conf file per the wiki with the added iptables PostUp and PostDown rules and enabled the tunnel using wg-quick@wg0.service.

If someone has a working systemd-networkd wireguard VPN server setup without manually adding the correct iptables rules, I'd love to hear about it!!


#3 2020-01-11 15:33:53

graysky
Wiki Maintainer
From: :wq
Registered: 2008-12-01
Posts: 10,595

Re: WireGuard using systemd-networkd issues

I too am using the service file per the wiki rather than systemd-networkd's native functions.  Recommend OP tries that to rule out systemd config issues.

CPU-optimized Linux-ck packages @ Repo-ck • AUR packages • Zsh and other configs


#4 2020-01-11 17:17:10

jonnybarnes
Member
From: Manchester, UK
Registered: 2011-05-11
Posts: 129

Re: WireGuard using systemd-networkd issues

I knew there was something I forgot to add, I’m using nftables, with this table:

table ip router {
	chain prerouting {
		type nat hook prerouting priority filter; policy accept;
	}

	chain postrouting {
		type nat hook postrouting priority srcnat; policy accept;
		oifname "enp0s20" ip saddr 10.10.10.0/24 masquerade
	}
}


#5 2020-01-11 17:35:19

firecat53
Member
From: Lake Stevens, WA, USA
Registered: 2007-05-14
Posts: 1,542

Re: WireGuard using systemd-networkd issues

It wasn't just the masquerade setting, but how the routes were setup, if I recall. Look at the difference in routing tables between setup using wg0.conf and setup using systemd-networkd.


#6 2020-01-11 17:56:07

jonnybarnes
Member
From: Manchester, UK
Registered: 2011-05-11
Posts: 129

Re: WireGuard using systemd-networkd issues

This is the routing I have with the current setup:

$ ip -4 route
default via 51.15.8.1 dev enp0s20 proto static
10.10.10.0/24 dev wg0 proto kernel scope link src 10.10.10.1
51.15.8.0/24 dev enp0s20 proto kernel scope link src 51.15.8.12

Do you think it’ll be different doing it the other way?

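A consistency check over the pieces posted in this thread (the server's [WireGuardPeer] AllowedIPs, the phone's [Interface]/[Peer] settings, the nftables masquerade rule and the `ip -4 route` output), added here as an example; it is not code from anyone in the thread. The public destination address (TEST-NET-2) and the CLIENT_DNS placeholder are assumptions, and the script does not look at net.ipv4.ip_forward or the live ruleset.

```python
import ipaddress
import re

# Inputs constructed from the configs and route table posted in this thread.
SERVER_PEER_ALLOWED = "10.10.10.2/24"   # [WireGuardPeer] AllowedIPs on the server
CLIENT_ADDRESS = "10.10.10.2/24"        # [Interface] Address on the phone
CLIENT_ALLOWED = "0.0.0.0/0"            # [Peer] AllowedIPs on the phone
CLIENT_DNS = None                       # assumption: the phone config has no DNS= line
ROUTES = """\
default via 51.15.8.1 dev enp0s20 proto static
10.10.10.0/24 dev wg0 proto kernel scope link src 10.10.10.1
51.15.8.0/24 dev enp0s20 proto kernel scope link src 51.15.8.12
"""
NFT_RULE = 'oifname "enp0s20" ip saddr 10.10.10.0/24 masquerade'
PUBLIC_DST = "198.51.100.7"             # constructed (TEST-NET-2) internet destination

def parse_routes(text):
    """Return (network, dev) pairs from `ip -4 route` output; 'default' is 0.0.0.0/0."""
    routes = []
    for line in text.splitlines():
        dst, rest = line.split(None, 1)
        net = ipaddress.ip_network("0.0.0.0/0" if dst == "default" else dst)
        routes.append((net, re.search(r"\bdev (\S+)", rest).group(1)))
    return routes

def egress_dev(routes, dst):
    """Longest-prefix match, the same choice the kernel makes."""
    ip = ipaddress.ip_address(dst)
    return max((r for r in routes if ip in r[0]), key=lambda r: r[0].prefixlen)[1]

def audit():
    findings = []
    client_ip = ipaddress.ip_interface(CLIENT_ADDRESS).ip
    peer = ipaddress.ip_network(SERVER_PEER_ALLOWED, strict=False)
    if client_ip not in peer:
        findings.append("server AllowedIPs does not cover the client address")
    elif peer.prefixlen != 32:
        # AllowedIPs is also the source filter: a /24 lets this peer send from any
        # address in the subnet, and routes the whole subnet to it.
        findings.append(f"server AllowedIPs {peer} is a whole subnet; use {client_ip}/32 for one peer")
    # Client traffic to the internet must leave via the interface the masquerade rule names,
    # and the rule's saddr must include the client's tunnel address.
    out_dev = egress_dev(parse_routes(ROUTES), PUBLIC_DST)
    m = re.match(r'oifname "(\S+)" ip saddr (\S+) masquerade', NFT_RULE)
    if m is None or out_dev != m.group(1) or client_ip not in ipaddress.ip_network(m.group(2)):
        findings.append(f"nft masquerade rule does not match client traffic leaving via {out_dev}")
    if ipaddress.ip_network(CLIENT_ALLOWED).prefixlen == 0 and CLIENT_DNS is None:
        findings.append("client tunnels everything (0.0.0.0/0) but sets no DNS=; lookups go to the phone's existing resolver through the tunnel")
    return findings

if __name__ == "__main__":
    for finding in audit():
        print("-", finding)
```

For this thread's inputs the masquerade rule and routes line up, so the only findings are the /24 peer AllowedIPs and the missing DNS= on the full-tunnel client.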

#7 2020-01-11 18:18:35

firecat53
Member
From: Lake Stevens, WA, USA
Registered: 2007-05-14
Posts: 1,542

Re: WireGuard using systemd-networkd issues

Considering it's not working for you, I think it's worth a try! Like I said, I may be way off base. I'm going from memory because I didn't document adequately as I was trying different things...

Last edited by firecat53 (2020-01-11 18:18:56)
