While I got Wireguard to work nicely, an issue remains with having the service start automatically at bootup (I run Arch on a laptop).
The service is enabled via
sudo systemctl enable wg-quick@ARCH.service
After a reboot,
sudo systemctl status wg-quick@ARCH.service
returns
wg-quick@ARCH.service - WireGuard via wg-quick(8) for ARCH
Loaded: loaded (/usr/lib/systemd/system/wg-quick@.service; enabled; vendor preset: disabled)
Active: failed (Result: exit-code) since Sun 2020-12-27 08:56:25 CET; 18s ago
Docs: man:wg-quick(8)
man:wg(8)
https://www.wireguard.com/
https://www.wireguard.com/quickstart/
https://git.zx2c4.com/wireguard-tools/about/src/man/wg-quick.8
https://git.zx2c4.com/wireguard-tools/about/src/man/wg.8
Process: 1108 ExecStart=/usr/bin/wg-quick up ARCH (code=exited, status=1/FAILURE)
Main PID: 1108 (code=exited, status=1/FAILURE)
Dez 27 08:56:24 arch systemd[1]: Starting WireGuard via wg-quick(8) for ARCH...
Dez 27 08:56:24 arch wg-quick[1108]: [#] ip link add ARCH type wireguard
Dez 27 08:56:25 arch wg-quick[1108]: [#] wg setconf ARCH /dev/fd/63
Dez 27 08:56:25 arch wg-quick[1130]: Name or service not known: `[URL:port]' #EDITED
Dez 27 08:56:25 arch wg-quick[1130]: Configuration parsing error
Dez 27 08:56:25 arch wg-quick[1108]: [#] ip link delete dev ARCH
The last 3 lines led me to assume that Wireguard was trying to connect while the network was still down. So I checked in the respective config file in folder /etc/systemd/system/multi-user.target.wants/:
[Unit]
Description=WireGuard via wg-quick(8) for %I
Wants=network-online.target nss-lookup.target
After=network-online.target nss-lookup.target
PartOf=wg-quick.target
Documentation=man:wg-quick(8)
Documentation=man:wg(8)
Documentation=https://www.wireguard.com/
Documentation=https://www.wireguard.com/quickstart/
Documentation=https://git.zx2c4.com/wireguard-tools/about/src/man/wg-quick.8
Documentation=https://git.zx2c4.com/wireguard-tools/about/src/man/wg.8
[Service]
Type=oneshot
RemainAfterExit=yes
ExecStart=/usr/bin/wg-quick up %i
ExecStop=/usr/bin/wg-quick down %i
ExecReload=/bin/bash -c 'exec /usr/bin/wg syncconf %i <(exec /usr/bin/wg-quick strip %i)'
Environment=WG_ENDPOINT_RESOLUTION_RETRIES=infinity
[Install]
WantedBy=multi-user.target
I would have assumed that these lines
Wants=network-online.target nss-lookup.target
After=network-online.target nss-lookup.target
would let Wireguard wait for the network (wifi in my case) to be up, but it doesn't seem to work. What am I missing?
Offline
Well, you edited out the source of the error:
Dez 27 08:56:25 arch wg-quick[1130]: Name or service not known: `[URL:port]' #EDITED
Dez 27 08:56:25 arch wg-quick[1130]: Configuration parsing error
Please post the respective configuration file, so that we can see any possible error.
In any case, Name or service not known indicates that DNS resolution is not (yet) available.
Requires=network-online.target nss-lookup.target
Might solve that.
How do you connect to the internet anyways? systemd-networkd, netctl, dhcpcd, NetworkManager, ...?
Last edited by schard (2020-12-28 12:07:53)
Inofficial first vice president of the Rust Evangelism Strike Force
Offline
Well, you edited out the source of the error:
Dez 27 08:56:25 arch wg-quick[1130]: Name or service not known: `[URL:port]' #EDITED
Dez 27 08:56:25 arch wg-quick[1130]: Configuration parsing error
Please post the respective configuration file, so that we can see any possible error.
Thanks for your input. I only edited out my IP and port which are correct, as I can connect with this config file just fine otherwise.
In any case, Name or service not known indicates that DNS resolution is not (yet) available.
Requires=network-online.target nss-lookup.target
Might solve that.
How do you connect to the internet anyways? systemd-networkd, netctl, dhcpcd, NetworkManager, ...?
I will give that a try, do I replace
Wants=network-online.target nss-lookup.target
with your suggestion?
I haven't bothered with the network connection in over a month after installation, I think it is NetworkManager as I have a config file for the service.
Last edited by Der Chefkoch (2020-12-28 12:23:44)
Offline
I will give that a try, do I replace
Wants=network-online.target nss-lookup.target
with your suggestion?
Exactly.
I haven't bothered with the network connection in over a month after installation, I think it is NetworkManager as I have a config file for the service.
systemctl list-unit-files --state enabled
Will give you an (incomplete) idea of what it might be.
Inofficial first vice president of the Rust Evangelism Strike Force
Offline
UNIT FILE STATE VENDOR PRESET
bluetooth.service enabled disabled
getty@.service enabled enabled
lightdm.service enabled disabled
NetworkManager-dispatcher.service enabled disabled
NetworkManager-wait-online.service enabled disabled
NetworkManager.service enabled disabled
systemd-resolved.service enabled enabled
systemd-timesyncd.service enabled enabled
tlp.service enabled disabled
cups.socket enabled disabled
remote-fs.target enabled enabled
fstrim.timer enabled disabled
Yup, NetworkManager.
Unfortunately, the suggested change to the service file did not resolve the issue (below the edit).
[Unit]
Description=WireGuard via wg-quick(8) for %I
Requires=network-online.target nss-lookup.target
After=network-online.target nss-lookup.target
PartOf=wg-quick.target
Offline
If I read the manual correctly, then you must not add the "Requires" line, only "After" for nss-lookup
https://www.freedesktop.org/software/sy … ecial.html
nss-lookup.target
A target that should be used as synchronization point for all host/network name service lookups. Note that this is independent of UNIX user/group name lookups for which nss-user-lookup.target should be used. All services for which the availability of full host/network name resolution is essential should be ordered after this target, but not pull it in. systemd automatically adds dependencies of type After= for this target unit to all SysV init script service units with an LSB header referring to the "$named" facility.
Last edited by progandy (2020-12-28 12:46:44)
| alias CUTF='LANG=en_XX.UTF-8@POSIX ' |
Offline
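The rule in the manual text quoted above (order after nss-lookup.target, but do not pull it in) can be checked mechanically. The following is an added example, not part of the original posts: it reports whether a unit lists a target in After= and which directives that start their listed units (Requires=, Wants=, BindsTo=) also name it. The function name and output format are assumptions; the sample input is the [Unit] section posted after the Requires= edit.

```shell
#!/bin/sh
# Added example (not from the thread): report how a unit refers to a
# synchronization target such as nss-lookup.target.

# Sample input: the [Unit] lines posted after the Requires= edit.
EDITED_UNIT='[Unit]
Description=WireGuard via wg-quick(8) for %I
Requires=network-online.target nss-lookup.target
After=network-online.target nss-lookup.target
PartOf=wg-quick.target'

# check_sync_target TARGET < unit-file
# Prints "ordered_after=yes|no pulled_in_by=<directives|none>".
check_sync_target() {
    awk -v tgt="$1" '
        /^[[:space:]]*[#;]/ { next }          # comment lines
        {
            eq = index($0, "=")
            if (eq == 0) next                 # section headers, blank lines
            key = substr($0, 1, eq - 1)
            gsub(/[[:space:]]/, "", key)
            # Dependency directives take a space-separated list of units.
            n = split(substr($0, eq + 1), vals, /[[:space:]]+/)
            for (i = 1; i <= n; i++) {
                if (vals[i] != tgt) continue
                if (key == "After") ordered = 1
                else if (key ~ /^(Requires|Wants|BindsTo)$/)
                    pulls = pulls (pulls ? "," : "") key
            }
        }
        END {
            printf "ordered_after=%s pulled_in_by=%s\n",
                   (ordered ? "yes" : "no"), (pulls ? pulls : "none")
        }'
}

# Run against the sample when executed directly.
printf '%s\n' "$EDITED_UNIT" | check_sync_target nss-lookup.target
```

To check the installed unit together with any drop-ins, pipe the output of `systemctl cat wg-quick@ARCH.service` into the function.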
As @progandy noted, undo the last change and add:
After=NetworkManager-wait-online.service
Requires=NetworkManager-wait-online.service
to the dependencies.
Last edited by schard (2020-12-28 12:53:53)
Inofficial first vice president of the Rust Evangelism Strike Force
Offline
I enabled the suggested service via
sudo systemctl enable NetworkManager-wait-online.service
Changed the config file
[Unit]
Description=WireGuard via wg-quick(8) for %I
Wants=network-online.target nss-lookup.target
After=network-online.target nss-lookup.target
After=NetworkManager-wait-online.service
Requires=NetworkManager-wait-online.service
PartOf=wg-quick.target
Documentation=man:wg-quick(8)
Documentation=man:wg(8)
Documentation=https://www.wireguard.com/
Documentation=https://www.wireguard.com/quickstart/
Documentation=https://git.zx2c4.com/wireguard-tools/about/src/man/wg-quick.8
Documentation=https://git.zx2c4.com/wireguard-tools/about/src/man/wg.8
[Service]
Type=oneshot
RemainAfterExit=yes
ExecStart=/usr/bin/wg-quick up %i
ExecStop=/usr/bin/wg-quick down %i
ExecReload=/bin/bash -c 'exec /usr/bin/wg syncconf %i <(exec /usr/bin/wg-quick strip %i)'
Environment=WG_ENDPOINT_RESOLUTION_RETRIES=infinity
[Install]
WantedBy=multi-user.target
Unfortunately, did not work.
Offline
maybe try
sudo systemctl enable wg-quick@wg0.service
I think "%i" is the bit in between the "@" and the ".service" and in this case it's supposed to be WireGuard's tunnel interface (maybe you named your interface "ARCH"?).
From https://blog.fruxlabs.com/setting-up-wireguard-vpn/
To start WireGuard automatically on system startup
systemctl enable wg-quick@wg0
Offline
Hi!
I've hit the same problem. I find it odd, but in my case, it appears to be a race condition. On random (re)boots, the wg-quick service fails. What's also odd is that a restart of the service doesn't make it work either, considering it should be having at that point what we suspect here to be the problem (Network Manager). Rebooting obviously fixes it, but I'm not sure why restarting of the service doesn't. Anyway, does anyone have any ideas how to troubleshoot this? Is it perhaps something that needs to be modified in the service file and reported upstream?
Personal spot :: https://www.smirky.net/ :: Try not to get lost!
Offline
I just found my cause for wireguard to fail at boot in random boots. As per:
Jan 07 21:03:10 archy systemd[1]: Stopping WireGuard via wg-quick(8) for wg0...
Jan 07 21:03:10 archy wg-quick[451985]: [#] ip link delete dev wg0
Jan 07 21:03:11 archy wg-quick[451985]: [#] iptables -D FORWARD -i wg0 -j ACCEPT; iptables -t nat -D POSTROUTING -o enp0s31f6 -j MASQUERADE
Jan 07 21:03:11 archy wg-quick[452171]: Another app is currently holding the xtables lock. Perhaps you want to use the -w option?
Jan 07 21:03:11 archy systemd[1]: wg-quick@wg0.service: Control process exited, code=exited, status=4/NOPERMISSION
Jan 07 21:03:11 archy systemd[1]: wg-quick@wg0.service: Failed with result 'exit-code'.
Jan 07 21:03:11 archy systemd[1]: Stopped WireGuard via wg-quick(8) for wg0.
The important message is xtables lock being obtained and obviously WireGuard needs it. So I searched a little bit and found that perhaps something that manages iptables can be causing this.
Immediately, I thought of fail2ban and that was exactly the problem. After stopping fail2ban, wg-quick@wg0.service started just fine and of course I started fail2ban afterwards without a problem, but manually.
Question now is, how to prevent this from happening in the most clean way or perhaps I shouldn't and this could be a bug?
Last edited by smirky (2021-02-05 07:09:19)
Personal spot :: https://www.smirky.net/ :: Try not to get lost!
Offline
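The journal excerpt above shows the stop hook's iptables call exiting because another process held the xtables lock, and the message itself points at the -w option. As an added example, not part of the original posts: a filter that adds -w to the iptables and ip6tables calls in a wg-quick config's hook lines, so they wait for the lock instead of failing. The sample config is constructed; its PostDown line is the command from the log, while the PostUp line and the address are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread). Constructed wg-quick config: the
# PostDown line is the command visible in the journal excerpt, the PostUp
# line and the address are assumed for illustration.
SAMPLE_CONF='[Interface]
Address = 10.0.0.1/24
PostUp = iptables -A FORWARD -i wg0 -j ACCEPT; iptables -t nat -A POSTROUTING -o enp0s31f6 -j MASQUERADE
PostDown = iptables -D FORWARD -i wg0 -j ACCEPT; iptables -t nat -D POSTROUTING -o enp0s31f6 -j MASQUERADE'

# add_xtables_wait < config > new-config
# Adds "-w" (wait for the xtables lock) to every iptables/ip6tables call in
# PreUp/PostUp/PreDown/PostDown lines. Other lines, comments, commands such
# as iptables-restore, and calls that already carry -w or --wait are left
# as they are, so running the filter twice changes nothing further.
add_xtables_wait() {
    sed -E '/^[[:space:]]*(PreUp|PostUp|PreDown|PostDown)[[:space:]]*=/ {
        s/(^|[^[:alnum:]_-])(ip6?tables)[[:space:]]+/\1\2 -w /g
        s/(ip6?tables) -w (-w|--wait)([[:space:]]|$)/\1 \2\3/g
    }'
}

# Show the rewritten sample when executed directly.
printf '%s\n' "$SAMPLE_CONF" | add_xtables_wait
```

Hook keys are matched in the capitalisation shown here; review the output before replacing the file under /etc/wireguard/.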