I autostart my browser when I start my WM, which is right after login on tty1 (using a conditional in my bash profile). I want my Wireguard VPN to be up before the browser. Using the default wg-quick@.service it is not (tested with `ip l && librewolf`).
Currently I fix this with an override to the provided wg-quick@.service, shown below. While this does work, it takes 12 seconds during boot, with the message "A start job is running for Wait for Network to be Online" (always 12 seconds). I'd like to reduce the additional boot time.
```
# /usr/lib/systemd/system/wg-quick@.service
[Unit]
Description=WireGuard via wg-quick(8) for %I
After=network-online.target nss-lookup.target
Wants=network-online.target nss-lookup.target
PartOf=wg-quick.target
...
[Service]
Type=oneshot
RemainAfterExit=yes
ExecStart=/usr/bin/wg-quick up %i
ExecStop=/usr/bin/wg-quick down %i
ExecReload=/bin/bash -c 'exec /usr/bin/wg syncconf %i <(exec /usr/bin/wg-quick strip %i)'
Environment=WG_ENDPOINT_RESOLUTION_RETRIES=infinity
[Install]
WantedBy=multi-user.target
```
```
# /etc/systemd/system/wg-quick@wg0.service.d/override.conf
[Unit]
Before=getty@tty1.service
```
To fix wireguard not running when the browser is started, I added the above override.
The start job waits for network to be online, which isn't part of my override, but it doesn't happen if I remove the override.
`systemd-analyze blame` seems to suggest it's not the wg-quick service itself causing the 12 second delay:
```
285ms wg-quick@wg0.service
```
Does anyone have any idea why my override causes boot to take 12 seconds extra?
What do you mean, why? By depending on network-online target, the service is only considered up once you actually have an established internet connection and can technically connect to the internet. If it takes that long to finalize connecting to the net, there's little inherent way around this; might want to share some details of how you establish the actual connection (wifi/LAN, which network daemon, do you have control of the router, is that potentially configured suboptimally...).
Additionally: If you have an IPv4/IPv6 dual-stack, the mandatory IPv6 duplicate address detection (DAD - for choosing the interface ID) takes around 8 seconds and AFAIK cannot be reduced.
> I want my Wireguard VPN to be up before the browser.
Do you mean to delay this specific browser instance autostart until wireguard VPN is up, or prevent any browser run if VPN is not up, or don't allow any user's process to access internet bypassing VPN?
@V1del sorry, I guess I didn't quite connect the dots in my head. Of course if I specify a service that requires internet to start before getty, getty will wait for internet.
I use ethernet, systemd networkd and resolved, and no, I don't have control of the router, though I could potentially look into its configuration (it's not something I've ever thought about before).
I didn't realise it takes that long to establish an internet connection, I'll try searching online in the browser as soon as it opens after a reboot to see.
@-thc OK, good to know. More to learn about.
I'm a noob at this, as y'all can doubtless tell.
@dimich currently it's just the one specific browser instance, but I want it more generally in the case that I autostart other programs that connect to the internet automatically at whatever point in the future.
> @dimich currently it's just the one specific browser instance, but I want it more generally in the case that I autostart other programs that connect to the internet automatically at whatever point in the future.
I don't know a ready-made solution, unfortunately. However, consider the following: create system service X which runs as your user (User=...) and depends on wireguard (starts after wireguard service). Service X starts user service Y with "systemd-run --user ...". Service Y launches browser in user's session.
You could also overwrite whatever sequence you are currently using to autostart your browser to do the online check that this service does and only then launch the browser. Because with systemd-networkd, there's simply a binary (... called systemd-networkd-wait-online, might also want to consider what -thc mentions and you could set up an override for the systemd-networkd-wait-online.service and add the flag for --ipv4 so it doesn't wait for v6 if that's an option) that you can also just invoke yourself -- at any time. Maybe, though I don't have much experience here, there are also some wireguard toolings that can be queried on whether the VPN is already established and block if not.
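One way to gate the autostart on the VPN instead of ordering the unit before getty, as an added example that is not from any poster in this thread: it polls the `wg-quick@wg0.service` unit from the first post and refuses to launch the program if the tunnel never comes up. The function names, the 30-second timeout and the use from a WM autostart are assumptions.

```bash
#!/bin/bash
# Added example, not code from the thread. Function names are hypothetical.

# wg-quick@.service is Type=oneshot with RemainAfterExit=yes, so systemd
# reports it "active" only after `wg-quick up` has exited successfully
# (interface, addresses and routes are configured). It does not prove that
# a handshake with the peer has completed.
vpn_unit_active() {
    systemctl is-active --quiet "$1"
}

# Poll until the unit is active. Returns 0 when active, 1 on timeout or
# as soon as the unit is reported failed.
wait_for_vpn() {
    local unit="$1" timeout="${2:-30}" interval="${3:-1}" waited=0
    until vpn_unit_active "$unit"; do
        # A failed unit will not recover by itself; stop waiting.
        if systemctl is-failed --quiet "$unit"; then return 1; fi
        [ "$waited" -ge "$timeout" ] && return 1
        sleep "$interval"
        waited=$((waited + interval))
    done
    return 0
}

# Fail closed: run the command only if the VPN unit came up in time, so the
# autostarted program never talks to the network outside the tunnel.
run_behind_vpn() {
    local unit="$1" timeout="$2"
    shift 2
    if wait_for_vpn "$unit" "$timeout"; then
        "$@"
    else
        echo "$unit not active after ${timeout}s; not starting $1" >&2
        return 1
    fi
}

# Usage in the WM autostart (unit and browser names taken from the thread):
#   run_behind_vpn wg-quick@wg0.service 30 librewolf &
```

With this in place the `Before=getty@tty1.service` override is no longer needed, so login is not held back by network-online.target; only the gated program waits.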