I have a use case in which I want to use WireGuard on a server as VPN server and connect several (~1000) clients to it.
The server uses systemd-networkd for network configuration of its ethernet interface as well as another WireGuard network with a smaller, static amount of peers.
I am now trying to set up a WireGuard interface for the former WireGuard network, also using systemd-networkd, but without any peers statically configured.
The actual peers will be added (and removed) dynamically using the wg utility.
This, however, results in a non-configured WireGuard interface:
$ cat /etc/systemd/network/terminals.netdev
[NetDev]
Name = terminals
Kind = wireguard
Description = terminals network
[WireGuard]
ListenPort = 51820
PrivateKey = REDACTED
Status after reboot:
interface: terminals
listening port: 37845
As you can see, without peers configured, the netdev configuration seems to be skipped entirely.
Neither is the port correct, nor is a public key derived from the configured private key.
If I add a dummy peer, this issue goes away:
$ cat /etc/systemd/network/terminals.netdev
[NetDev]
Name = terminals
Kind = wireguard
Description = terminals network
[WireGuard]
ListenPort = 51820
PrivateKey = REDACTED
[WireGuardPeer]
PublicKey = XZAicNiHxLTcHpZC8ABWW6nxq4E9Am+Le8K8SmKSbDc=
And after a reboot:
interface: terminals
public key: iDL6YJGyFBMIsOT7U0vCbGC98l1YpIpzTJ1knihEZjo=
private key: (hidden)
listening port: 51820
I do not understand why systemd-networkd won't let me configure a WireGuard interface without initial peers.
Other options I considered:
1) Not using systemd-networkd, but using e.g. the wg-quick stuff, has proven to be unreliable and a bitch and a half to configure. Since my corresponding *.network file uses some systemd-networkd magic, I'd like to let systemd-networkd configure the entire interface.
2) Just working with the dummy peer feels like a dirty hack. Amongst the vast number of peers to be added, having a dummy client is prone to cause confusion in the future.
So, how can I set up a WireGuard interface with no initial peers using systemd-networkd?
Last edited by schard (2020-05-26 09:57:14)
Inofficial first vice president of the Rust Evangelism Strike Force
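As an added example (not part of the original post, and not systemd or WireGuard project code), the following POSIX shell script does two things a practitioner in this situation would want: it checks whether an interface brought up by systemd-networkd actually applied its [WireGuard] section, using the exact symptom described above (no public key shown and a random listening port instead of 51820), and it builds the `wg set` commands used to add and remove peers at runtime. The interface name `terminals` and port 51820 are taken from the post; the two `wg show` outputs embedded below are constructed for the example, not captured from a real host. The live check at the end only runs if `wg` is installed and the interface exists.

```shell
#!/bin/sh
# Added example, not from the forum thread. Verifies that a WireGuard
# interface managed by systemd-networkd actually picked up its [WireGuard]
# section (the symptom in the post: random listening port, no public key),
# and builds the `wg set` commands used to add/remove peers at runtime.
# Interface name "terminals" and port 51820 come from the post; the sample
# `wg show` outputs below are constructed, not captured from a real host.

EXPECTED_PORT=51820

# Constructed `wg show terminals` output for the broken case (no peers in .netdev).
BROKEN_OUTPUT='interface: terminals
  listening port: 37845'

# Constructed output for the working case (dummy peer present in .netdev).
OK_OUTPUT='interface: terminals
  public key: iDL6YJGyFBMIsOT7U0vCbGC98l1YpIpzTJ1knihEZjo=
  private key: (hidden)
  listening port: 51820

peer: XZAicNiHxLTcHpZC8ABWW6nxq4E9Am+Le8K8SmKSbDc='

# wg_configured OUTPUT EXPECTED_PORT
# Returns 0 if the interface section shows a public key and the expected
# listening port; 1 otherwise. Only the lines before the first "peer:" are
# inspected, so the number of peers does not matter.
wg_configured() {
    out=$1
    port=$2
    iface_block=$(printf '%s\n' "$out" | sed '/^peer:/,$d')
    pubkey=$(printf '%s\n' "$iface_block" | awk -F': ' '/^ *public key:/ {print $2}')
    lport=$(printf '%s\n' "$iface_block" | awk -F': ' '/^ *listening port:/ {print $2}')
    [ -n "$pubkey" ] && [ "$lport" = "$port" ]
}

# peer_add_cmd IFACE PUBKEY ALLOWED_IPS
# Prints the wg command that adds (or updates) a peer. allowed-ips is the
# cryptokey routing entry: decrypted packets from the peer are dropped unless
# their source address is listed, so never add a peer without it.
peer_add_cmd() {
    printf 'wg set %s peer %s allowed-ips %s\n' "$1" "$2" "$3"
}

# peer_remove_cmd IFACE PUBKEY
# Prints the wg command that removes a peer again.
peer_remove_cmd() {
    printf 'wg set %s peer %s remove\n' "$1" "$2"
}

# Live check against the real interface, only if wg and the interface exist.
# Adding peers to an interface that never got its private key would hand
# clients a public key that does not match the server's .netdev at all.
if command -v wg >/dev/null 2>&1 && wg show terminals >/dev/null 2>&1; then
    if wg_configured "$(wg show terminals)" "$EXPECTED_PORT"; then
        echo "terminals: [WireGuard] section applied, safe to add peers"
    else
        echo "terminals: [WireGuard] section NOT applied (no public key or wrong port)" >&2
    fi
fi
```

Running `wg_configured` against the real `wg show` output before the first `wg set ... peer ...` call is the cheap safeguard here: if systemd-networkd skipped the [WireGuard] section, the interface is listening on a random port with a key nobody distributed, and every peer added to it is dead weight.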
It is impossible for now; that would need changes in systemd-networkd. For a reason I do not understand, the creation of the WireGuard interface is inside a loop that only runs when peers are configured.
Edit: That loop may be there to allow splitting up large amounts of peers into multiple netlink packets.
https://github.com/systemd/systemd/blob … ard.c#L243
Related bug report: https://github.com/systemd/systemd/issues/15786
Last edited by progandy (2020-05-26 09:47:13)
| alias CUTF='LANG=en_XX.UTF-8@POSIX ' |
Thanks. I actually searched the systemd issue tracker but must have overlooked this.
I'll go for the dummy peer solution for the time being then.
Inofficial first vice president of the Rust Evangelism Strike Force