
#1 2021-05-24 10:51:46

eNV25
Member
Registered: 2020-09-15
Posts: 11

[SOLVED] WireGuard endpoint using DNS and wg-quick service on system...

I decided to try using a WireGuard VPN on my home computer to see how the experience was. I am using Cloudflare's WARP service, and using wgcf to generate WireGuard profiles compatible with wg-quick. This is the profile that could be generated:

[Interface]
PrivateKey = xxx
Address = xxx
Address = xxx
DNS = 1.1.1.1
MTU = 1280
[Peer]
PublicKey = xxx
AllowedIPs = 0.0.0.0/0
AllowedIPs = ::/0
Endpoint = engage.cloudflareclient.com:2408

As you can see, DNS is needed to resolve the endpoint.

I use the following commands to connect to the VPN. This works perfectly.

# ln -s ~/wgcf-profile.conf /etc/wireguard/WARP.conf
# wg-quick up WARP  # or
# systemctl start wg-quick@WARP.service

But the service fails with the following error message after being enabled. This happens only on startup, but everything is fine when I restart the service afterwards.

systemd[1]: Starting WireGuard via wg-quick(8) for WARP...
wg-quick[496]: [#] ip link add WARP type wireguard
wg-quick[496]: [#] wg setconf WARP /dev/fd/63
wg-quick[523]: Name or service not known: `engage.cloudflareclient.com:2408'
wg-quick[523]: Configuration parsing error
wg-quick[496]: [#] ip link delete dev WARP
systemd[1]: wg-quick@WARP.service: Main process exited, code=exited, status=1/FAILURE
systemd[1]: wg-quick@WARP.service: Failed with result 'exit-code'.
systemd[1]: Failed to start WireGuard via wg-quick(8) for WARP.

I suspect this is because wg-quick starts before the DNS service. A solution would involve making sure the DNS service starts before the wg-quick service.

I use systemd-resolved for DNS with NetworkManager. This is the service file that comes with wg-quick:

% systemctl cat wg-quick@.service
# /usr/lib/systemd/system/wg-quick@.service
[Unit]
Description=WireGuard via wg-quick(8) for %I
After=network-online.target nss-lookup.target
Wants=network-online.target nss-lookup.target
PartOf=wg-quick.target
Documentation=man:wg-quick(8)
Documentation=man:wg(8)
Documentation=https://www.wireguard.com/
Documentation=https://www.wireguard.com/quickstart/
Documentation=https://git.zx2c4.com/wireguard-tools/about/src/man/wg-quick.8
Documentation=https://git.zx2c4.com/wireguard-tools/about/src/man/wg.8

[Service]
Type=oneshot
RemainAfterExit=yes
ExecStart=/usr/bin/wg-quick up %i
ExecStop=/usr/bin/wg-quick down %i
ExecReload=/bin/bash -c 'exec /usr/bin/wg syncconf %i <(exec /usr/bin/wg-quick strip %i)'
Environment=WG_ENDPOINT_RESOLUTION_RETRIES=infinity

[Install]
WantedBy=multi-user.target

The service already has "network-online.target nss-lookup.target" in the "After=" and "Wants=" lines. I'm not sure what else I can add.

Last edited by eNV25 (2021-07-06 11:24:19)


#2 2021-05-24 11:24:04

progandy
Member
Registered: 2012-05-17
Posts: 5,184

Re: [SOLVED] WireGuard endpoint using DNS and wg-quick service on system...

If you use systemd-networkd, then you should probably enable systemd-networkd-wait-online.service. You could also resolve the hostname and replace it with the IP.

Last edited by progandy (2021-05-24 11:24:38)


#3 2021-05-24 15:29:22

eNV25
Member
Registered: 2020-09-15
Posts: 11

Re: [SOLVED] WireGuard endpoint using DNS and wg-quick service on system...

progandy wrote:

If you use systemd-networkd, then you should probably enable systemd-networkd-wait-online.service. You could also resolve the hostname and replace it with the IP.

I already enabled NetworkManager-wait-online.service.


#4 2021-05-24 20:22:43

eNV25
Member
Registered: 2020-09-15
Posts: 11

Re: [SOLVED] WireGuard endpoint using DNS and wg-quick service on system...

I tried adding "systemd-resolved" to the "Before=" and "After=" fields. It didn't work.

# /etc/systemd/system/wg-quick@.service.d/override.conf
[Unit]
After=systemd-resolved.service
Wants=systemd-resolved.service


#5 2021-07-06 11:17:49

eNV25
Member
Registered: 2020-09-15
Posts: 11

Re: [SOLVED] WireGuard endpoint using DNS and wg-quick service on system...

In the end I ended up using this:

# /etc/systemd/system/wg-quick@.service.d/override.conf
[Service]
ExecStartPre=/bin/bash -c '{ exec {sleep}<> <(:); while ! : >/dev/udp/engage.cloudflareclient.com/2408; do read -t 1 -u $sleep; done } 2>/dev/null; exit 0'

It's a pure bash solution that sleeps until it can make a UDP connection.

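A bounded variant of the ExecStartPre gate from the post above, added here as an example and not taken from the thread or from wireguard-tools. The one-liner in the post loops forever if the name never resolves, and because the unit is Type=oneshot (whose start timeout defaults to infinity) that can stall boot indefinitely. The retry mechanism already in the unit (WG_ENDPOINT_RESOLUTION_RETRIES=infinity) does not cover this case: wg(8) treats "Name or service not known" (EAI_NONAME) as a permanent failure and only retries transient resolver errors, which is why the shipped unit still failed. The script below probes the resolver the same way wg does (getaddrinfo, via getent ahosts) and gives up after a deadline so the unit fails visibly instead of hanging. It is POSIX sh and assumes getent(1) from glibc; the install path /usr/local/lib/wg-wait-endpoint and the 60-second default are the example's own choices.

```shell
#!/bin/sh
# Added example (not from the thread): wait, with a deadline, until a
# WireGuard endpoint's hostname resolves through the system resolver,
# for use as ExecStartPre= in a wg-quick@.service drop-in.

# Split "host:port" or "[v6-literal]:port" into "host port" on stdout.
# WireGuard requires brackets for IPv6 literals, so a bare "a::b:port"
# form is not handled. Returns 1 when no port is present.
split_endpoint() {
    ep=$1
    case $ep in
        \[*\]:*) host=${ep#\[}; host=${host%%\]:*}; port=${ep##*\]:} ;;
        *:*)     host=${ep%:*};  port=${ep##*:} ;;
        *)       return 1 ;;
    esac
    printf '%s %s\n' "$host" "$port"
}

# Probe: does the name resolve via getaddrinfo (what wg(8) itself calls)?
# getent ahosts also accepts IP literals, so a numeric Endpoint passes.
endpoint_resolvable() {
    getent ahosts "$1" >/dev/null 2>&1
}

# Run "$@" once per second until it succeeds or $1 seconds have elapsed.
# Returns 0 on success, 1 on deadline.
wait_until() {
    deadline=$1; shift
    elapsed=0
    while ! "$@"; do
        if [ "$elapsed" -ge "$deadline" ]; then
            return 1
        fi
        sleep 1
        elapsed=$((elapsed + 1))
    done
    return 0
}

# Gate: wait_for_endpoint "engage.cloudflareclient.com:2408" [deadline]
# Exit 0 when the host resolves, 1 on deadline, 2 on a malformed endpoint.
wait_for_endpoint() {
    ep=$1; deadline=${2:-60}
    parsed=$(split_endpoint "$ep") || return 2
    host=${parsed%% *}
    wait_until "$deadline" endpoint_resolvable "$host"
}

# Run as a script (arguments given); when sourced or run bare, only define.
if [ "$#" -gt 0 ]; then
    wait_for_endpoint "$@"
    exit $?
fi

# Suggested wiring (hypothetical path), replacing the bash one-liner:
#   # /etc/systemd/system/wg-quick@.service.d/override.conf
#   [Service]
#   ExecStartPre=/usr/local/lib/wg-wait-endpoint engage.cloudflareclient.com:2408 60
```

With a finite deadline the unit fails cleanly when the resolver never comes up, so `systemctl status wg-quick@WARP` shows the real cause instead of a service stuck in "activating". The deadline could equally be enforced from systemd's side with `TimeoutStartSec=` in the same drop-in.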
