Wireguard persistent configuration with Netctl

the · 2021-10-05 16:34:16

I followed the wiki page to setup wireguard with Netctl: https://wiki.archlinux.org/title/WireGuard#Netctl
In general, this works fine. Wireguard runs on my server and I can connect from a peer.

The problem I'm facing is less a problem and more an annoyance.
Netctl can start the tunnel correctly, but claims to fail when starting with systemd. Also I cannot stop the tunnel afterwards via systemd.

I have the following setup:

# cat /etc/netctl/wg0
Description="WireGuard tunnel on peer A"
Interface=wg0
Connection=wireguard
WGConfigFile=/etc/wireguard/peer_A.conf

IP=static
Address=('10.0.0.1/24')
Routes=('10.0.0.0/24 dev wg0')

# cat /etc/wireguard/peer_A.conf
[Interface]
ListenPort = 51871
PrivateKey = (redacted)

[Peer]
PublicKey = (redacted)
PresharedKey = (redacted)
AllowedIPs = 10.0.0.2/32

And I can start the interface but it claims to fail:

# systemctl start netctl@wg0
# systemctl status netctl@wg0
× netctl@wg0.service - WireGuard tunnel on peer A
     Loaded: loaded (/usr/lib/systemd/system/netctl@.service; enabled; vendor preset: disabled)
    Drop-In: /etc/systemd/system/netctl@wg0.service.d
             └─profile.conf
     Active: failed (Result: exit-code) since Tue 2021-10-05 18:07:58 CEST; 11min ago
       Docs: man:netctl.profile(5)
    Process: 489059 ExecStart=/usr/lib/netctl/network start wg0 (code=exited, status=1/FAILURE)
   Main PID: 489059 (code=exited, status=1/FAILURE)
        CPU: 20ms

Oct 05 18:07:58 saudose systemd[1]: Starting WireGuard tunnel on peer A...
Oct 05 18:07:58 saudose network[489059]: Starting network profile 'wg0'...
Oct 05 18:07:58 saudose systemd[1]: Started WireGuard tunnel on peer A.
Oct 05 18:07:58 saudose network[489073]: RTNETLINK answers: File exists
Oct 05 18:07:58 saudose network[489059]: Could not add route '10.0.0.0/24 dev wg0' to interface 'wg0'
Oct 05 18:07:58 saudose network[489059]: Failed to bring the network up for profile 'wg0'
Oct 05 18:07:58 saudose systemd[1]: netctl@wg0.service: Main process exited, code=exited, status=1/FAILURE
Oct 05 18:07:58 saudose systemd[1]: netctl@wg0.service: Failed with result 'exit-code'.

Although the interface has been created correctly:

# ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
... # shortened
18: wg0: <POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1420 qdisc noqueue state UNKNOWN group default qlen 1000
    link/none
    inet 10.0.0.1/24 brd 10.0.0.255 scope global wg0
       valid_lft forever preferred_lft forever

# wg
interface: wg0
  public key: (redacted)
  private key: (hidden)
  listening port: 51871

peer: (redacted)
  preshared key: (hidden)
  endpoint: 109.43.50.123:8809
  allowed ips: 10.0.0.2/32
  latest handshake: 3 seconds ago
  transfer: 180 B received, 92 B sent

Now neither of those commands remove the interface again:

systemctl stop netctl@wg0
netctl stop wg0

Does anyone know how to setup netctl with wireguard and being able to control it with systemd?

Morta · 2021-10-05 17:42:10

Have you tried as root user with systemd?

Will fail with normal system user....

the · 2021-10-05 19:13:10

Yes, everything was executed as root.

Lone_Wolf · 2021-10-06 10:33:27

Oct 05 18:07:58 saudose network[489073]: RTNETLINK answers: File exists

I've encountered that/similar message from netctl with realtek & broadcom chipsets before (never on intel or atheros chipsets though)

It doesn't happen every boot, but if it does, try running netctl stop-all , wait until it returns and run netctl start desired-profile .

Last edited by Lone_Wolf (2021-10-06 10:33:56)

Arch Linux

#1 2021-10-05 16:34:16

Wireguard persistent configuration with Netctl

#2 2021-10-05 17:42:10

Re: Wireguard persistent configuration with Netctl

#3 2021-10-05 19:13:10

Re: Wireguard persistent configuration with Netctl

#4 2021-10-06 10:33:27

Re: Wireguard persistent configuration with Netctl

Board footer