
#1 2021-10-05 16:34:16

the
Member
Registered: 2016-05-31
Posts: 8

Wireguard persistent configuration with Netctl

I followed the wiki page to set up WireGuard with Netctl: https://wiki.archlinux.org/title/WireGuard#Netctl
In general, this works fine. Wireguard runs on my server and I can connect from a peer.

The problem I'm facing is less a problem and more an annoyance.
Netctl can start the tunnel correctly, but claims to fail when starting with systemd. Also I cannot stop the tunnel afterwards via systemd.

I have the following setup:

# cat /etc/netctl/wg0
Description="WireGuard tunnel on peer A"
Interface=wg0
Connection=wireguard
WGConfigFile=/etc/wireguard/peer_A.conf

IP=static
Address=('10.0.0.1/24')
Routes=('10.0.0.0/24 dev wg0')

# cat /etc/wireguard/peer_A.conf
[Interface]
ListenPort = 51871
PrivateKey = (redacted)

[Peer]
PublicKey = (redacted)
PresharedKey = (redacted)
AllowedIPs = 10.0.0.2/32

And I can start the interface but it claims to fail:

# systemctl start netctl@wg0
# systemctl status netctl@wg0
× netctl@wg0.service - WireGuard tunnel on peer A
     Loaded: loaded (/usr/lib/systemd/system/netctl@.service; enabled; vendor preset: disabled)
    Drop-In: /etc/systemd/system/netctl@wg0.service.d
             └─profile.conf
     Active: failed (Result: exit-code) since Tue 2021-10-05 18:07:58 CEST; 11min ago
       Docs: man:netctl.profile(5)
    Process: 489059 ExecStart=/usr/lib/netctl/network start wg0 (code=exited, status=1/FAILURE)
   Main PID: 489059 (code=exited, status=1/FAILURE)
        CPU: 20ms

Oct 05 18:07:58 saudose systemd[1]: Starting WireGuard tunnel on peer A...
Oct 05 18:07:58 saudose network[489059]: Starting network profile 'wg0'...
Oct 05 18:07:58 saudose systemd[1]: Started WireGuard tunnel on peer A.
Oct 05 18:07:58 saudose network[489073]: RTNETLINK answers: File exists
Oct 05 18:07:58 saudose network[489059]: Could not add route '10.0.0.0/24 dev wg0' to interface 'wg0'
Oct 05 18:07:58 saudose network[489059]: Failed to bring the network up for profile 'wg0'
Oct 05 18:07:58 saudose systemd[1]: netctl@wg0.service: Main process exited, code=exited, status=1/FAILURE
Oct 05 18:07:58 saudose systemd[1]: netctl@wg0.service: Failed with result 'exit-code'.

Although the interface has been created correctly:

# ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
... # shortened
18: wg0: <POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1420 qdisc noqueue state UNKNOWN group default qlen 1000
    link/none
    inet 10.0.0.1/24 brd 10.0.0.255 scope global wg0
       valid_lft forever preferred_lft forever
# wg
interface: wg0
  public key: (redacted)
  private key: (hidden)
  listening port: 51871

peer: (redacted)
  preshared key: (hidden)
  endpoint: 109.43.50.123:8809
  allowed ips: 10.0.0.2/32
  latest handshake: 3 seconds ago
  transfer: 180 B received, 92 B sent

Now neither of these commands removes the interface again:

systemctl stop netctl@wg0
netctl stop wg0

Does anyone know how to set up netctl with WireGuard and be able to control it with systemd?

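As an added example (not from the thread), a check a practitioner can run over a netctl profile before handing it to systemd: it parses the wg0 profile posted above and flags any Routes= entry whose destination is exactly the connected route the kernel already installs when Address= is assigned, which is the situation in which ip route add answers "RTNETLINK answers: File exists". SAMPLE_PROFILE is the posted profile embedded inline; parse_profile, connected_routes and redundant_routes are names chosen here.

```python
import ipaddress
import re
import shlex

# Constructed sample: the wg0 profile as posted in the thread.
SAMPLE_PROFILE = """\
Description="WireGuard tunnel on peer A"
Interface=wg0
Connection=wireguard
WGConfigFile=/etc/wireguard/peer_A.conf
IP=static
Address=('10.0.0.1/24')
Routes=('10.0.0.0/24 dev wg0')
"""

_ASSIGN = re.compile(r"^\s*([A-Za-z_]\w*)=(.*?)\s*$")


def parse_profile(text):
    """Parse a netctl profile (a bash fragment) into {key: [values]}.
    Scalars are KEY=value, arrays KEY=('a' 'b'); shlex handles the quoting."""
    profile = {}
    for line in text.splitlines():
        m = _ASSIGN.match(line)
        if not m or line.lstrip().startswith("#"):
            continue
        value = m.group(2)
        if value.startswith("(") and value.endswith(")"):
            value = value[1:-1]
        profile[m.group(1)] = shlex.split(value)
    return profile


def connected_routes(profile):
    """Networks the kernel routes by itself once each Address= is assigned."""
    nets = set()
    for addr in profile.get("Address", []):
        net = ipaddress.ip_interface(addr).network
        if net.prefixlen < net.max_prefixlen:  # /32 and /128 add no connected route
            nets.add(net)
    return nets


def redundant_routes(profile):
    """Routes= entries whose destination exactly duplicates a connected route;
    `ip route add` rejects those with "RTNETLINK answers: File exists"."""
    connected = connected_routes(profile)
    return [spec for spec in profile.get("Routes", [])
            if spec.split()[0] != "default"
            and ipaddress.ip_network(spec.split()[0], strict=False) in connected]
```

Running redundant_routes(parse_profile(SAMPLE_PROFILE)) on the posted profile reports the '10.0.0.0/24 dev wg0' entry; a route to a different prefix, or a default route, is not flagged.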

#2 2021-10-05 17:42:10

Morta
Member
Registered: 2019-07-07
Posts: 655

Re: Wireguard persistent configuration with Netctl

Have you tried it as the root user with systemd?

It will fail with a normal system user...


#3 2021-10-05 19:13:10

the
Member
Registered: 2016-05-31
Posts: 8

Re: Wireguard persistent configuration with Netctl

Yes, everything was executed as root.


#4 2021-10-06 10:33:27

Lone_Wolf
Member
From: Netherlands, Europe
Registered: 2005-10-04
Posts: 11,868

Re: Wireguard persistent configuration with Netctl

Oct 05 18:07:58 saudose network[489073]: RTNETLINK answers: File exists

I've encountered that or a similar message from netctl with Realtek & Broadcom chipsets before (never on Intel or Atheros chipsets, though).

It doesn't happen every boot, but if it does, try running netctl stop-all, wait until it returns and run netctl start desired-profile.

Last edited by Lone_Wolf (2021-10-06 10:33:56)


Disliking systemd intensely, but not satisfied with alternatives so focusing on taming systemd.


(A works at time B)  && (time C > time B ) ≠  (A works at time C)
