Development discussion of WireGuard
* Newbie - WireGuard per systemd on Debian Buster
@ 2020-04-16 16:23 Hans Kraus
  2020-05-04 13:33 ` Alex Xu (Hello71)
                   ` (2 more replies)
  0 siblings, 3 replies; 5+ messages in thread
From: Hans Kraus @ 2020-04-16 16:23 UTC (permalink / raw)
  To: WireGuard mailing list

I'm a newbie to wireguard and trying to install a working environment,
starting with one server and one client. First I used the example in
<https://github.com/pirate/wireguard-docs/tree/master/example-simple-client-to-server>
and got it working.

To get a more persistent installation I followed the example in
<https://wiki.debian.org/Wireguard>, with one server and one client,
"Step 2 - Alternative C - systemd". My server has a fixed ip4 address,
my client(s) get their addresses via DHCP (home network and road
warrior). My two "/etc/systemd/network" files on my server are:

/etc/systemd/network/wg0.netdev
---------------------------------------------
[NetDev]
Name=wg0
Kind=wireguard
Description=Wireguard kraush

[WireGuard]
PrivateKey=<private key server>
ListenPort=#####

[WireGuardPeer]
PublicKey=<public key client>
AllowedIPs=<free range>.0/24
---------------------------------------------

/etc/systemd/network/wg0.network
---------------------------------------------
[Match]
Name=wg0

[Network]
Address=<free range>.1/24
---------------------------------------------
I omitted the "Endpoint=<remote IP or hostname>:<remote port>" part
because I don't know (at least at server startup) the IP address of my
client(s).

That doesn't work. wg0 is up, ip addr show shows an address bound to the
interface. But it seems that the server doesn't recognize the peer
because "wg show wg0 peers" gives an empty list back.

Any help appreciated,
Hans



^ permalink raw reply	[flat|nested] 5+ messages in thread

* Re: Newbie - WireGuard per systemd on Debian Buster
  2020-04-16 16:23 Newbie - WireGuard per systemd on Debian Buster Hans Kraus
@ 2020-05-04 13:33 ` Alex Xu (Hello71)
  2020-05-05  7:28   ` Félix Baylac
  2020-05-04 14:50 ` inrin
  2020-05-07 10:43 ` Jonas Kalderstam
  2 siblings, 1 reply; 5+ messages in thread
From: Alex Xu (Hello71) @ 2020-05-04 13:33 UTC (permalink / raw)
  To: Hans Kraus, wireguard

Excerpts from Hans Kraus's message of April 16, 2020 12:23 pm:
> I'm a newbie to wireguard and trying to install a working environment,
> starting with one server and one client. First I used the example in
> <https://github.com/pirate/wireguard-docs/tree/master/example-simple-client-to-server>
> and got it working.
> 
> To get a more persistent installation I followed the example in
> <https://wiki.debian.org/Wireguard>, with one server and one client,
> "Step 2 - Alternative C - systemd". My server has a fixed ip4 address,
> my client(s) get their addresses via DHCP (home network and road
> warrior). My two "/etc/systemd/network" files on my server are:
> 
> /etc/systemd/network/wg0.netdev
> ---------------------------------------------
> [NetDev]
> Name=wg0
> Kind=wireguard
> Description=Wireguard kraush
> 
> [WireGuard]
> PrivateKey=<private key server>
> ListenPort=#####
> 
> [WireGuardPeer]
> PublicKey=<public key client>
> AllowedIPs=<free range>.0/24
> ---------------------------------------------
> 
> /etc/systemd/network/wg0.network
> ---------------------------------------------
> [Match]
> Name=wg0
> 
> [Network]
> Address=<free range>.1/24
> ---------------------------------------------
> I omitted the "Endpoint=<remote IP or hostname>:<remote port>" part
> because I don't know (at least at server startup) the IP address of my
> client(s).
> 
> That doesn't work. wg0 is up, ip addr show shows an address bound to the
> interface. But it seems that the server doesn't recognize the peer
> because "wg show wg0 peers" gives an empty list back.
> 
> Any help appreciated,
> Hans
> 
> 
> 

It could be that your public key is in the wrong format. Check journal 
to see if systemd-networkd outputs any information.

^ permalink raw reply	[flat|nested] 5+ messages in thread

* Re: Newbie - WireGuard per systemd on Debian Buster
  2020-04-16 16:23 Newbie - WireGuard per systemd on Debian Buster Hans Kraus
  2020-05-04 13:33 ` Alex Xu (Hello71)
@ 2020-05-04 14:50 ` inrin
  2020-05-07 10:43 ` Jonas Kalderstam
  2 siblings, 0 replies; 5+ messages in thread
From: inrin @ 2020-05-04 14:50 UTC (permalink / raw)
  To: WireGuard mailing list

Hi
On Thu, Apr 16, 2020 at 06:23:01PM +0200, Hans Kraus wrote:
>I'm a newbie to wireguard and trying to install a working environment,
>starting with one server and one client. First I used the example in
><https://github.com/pirate/wireguard-docs/tree/master/example-simple-client-to-server>
>and got it working.
>
>To get a more persistent installation I followed the example in
><https://wiki.debian.org/Wireguard>, with one server and one client,
>"Step 2 - Alternative C - systemd". My server has a fixed ip4 address,
>my client(s) get their addresses via DHCP (home network and road
>warrior). My two "/etc/systemd/network" files on my server are:
>
>/etc/systemd/network/wg0.netdev
>---------------------------------------------
>[NetDev]
>Name=wg0
>Kind=wireguard
>Description=Wireguard kraush
>
>[WireGuard]
>PrivateKey=<private key server>
At least on current systemd (245.5) it is called ``PrivateKeyFile''.
Please note the "File" part.

Please look up under ``man systemd.netdev'' if it is also ``PrivateKeyFile''.
Btw. you could use the wg-quick service with a normal WG config.

Greetings
Inrin

^ permalink raw reply	[flat|nested] 5+ messages in thread

* Re: Newbie - WireGuard per systemd on Debian Buster
  2020-05-04 13:33 ` Alex Xu (Hello71)
@ 2020-05-05  7:28   ` Félix Baylac
  0 siblings, 0 replies; 5+ messages in thread
From: Félix Baylac @ 2020-05-05  7:28 UTC (permalink / raw)
  To: Hans Kraus; +Cc: wireguard

Hi,

You also probably want to add:

[Service]
Environment=SYSTEMD_LOG_LEVEL=debug

to your /etc/systemd/system/systemd-networkd.service.d/01-log-level-debug.conf

Networkd is not really chatty by default, the config parser will
silently ignore the syntax errors unless you enable the debug logging :/

Note: remember to disable this once your problem gets fixed.

^ permalink raw reply	[flat|nested] 5+ messages in thread
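
An added example, not part of any message in this thread: because networkd can skip a bad line without a visible error, and a malformed key is one suspected cause above, a small offline lint of the .netdev text can catch both before a restart. The accepted key names are an assumption taken from systemd.netdev(5) and vary by systemd version; the sample file, its port number and the all-zero key are constructed.

```python
import base64, binascii

# Assumed key names (from systemd.netdev(5)); the set differs between systemd
# versions, so compare it with the man page of the installed release.
KNOWN = {
    "WireGuard": {"PrivateKey", "PrivateKeyFile", "ListenPort", "FwMark", "FirewallMark"},
    "WireGuardPeer": {"PublicKey", "PresharedKey", "PresharedKeyFile",
                      "AllowedIPs", "Endpoint", "PersistentKeepalive"},
}
KEY_FIELDS = {"PrivateKey", "PublicKey", "PresharedKey"}

def is_wg_key(value):
    """A WireGuard key is 32 bytes, written as 44 base64 characters."""
    try:
        return len(base64.b64decode(value, validate=True)) == 32
    except (binascii.Error, ValueError):
        return False

def lint_netdev(text):
    """Return (line_no, message) findings for the WireGuard sections."""
    findings, section, peers = [], None, 0
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
            peers += section == "WireGuardPeer"
            continue
        key, _, value = (part.strip() for part in line.partition("="))
        if section in KNOWN and key not in KNOWN[section]:
            findings.append((no, f"unknown key {key!r} in [{section}]"))
        elif section in KNOWN and key in KEY_FIELDS and not is_wg_key(value):
            findings.append((no, f"{key} is not a base64-encoded 32-byte key"))
    if peers == 0:
        findings.append((0, "no [WireGuardPeer] section"))
    return findings

# Constructed sample: misspelled ListenPort and a placeholder left as the key.
GOOD = base64.b64encode(bytes(32)).decode()   # all-zero key, for the demo only
SAMPLE = f"""[NetDev]
Kind=wireguard
[WireGuard]
PrivateKey={GOOD}
ListnPort=51820
[WireGuardPeer]
PublicKey=<public key client>
AllowedIPs=192.168.2.5/32
"""
print(lint_netdev(SAMPLE))
```

A clean result only means the file parses under the assumed key list; "wg show wg0 peers" on the running interface remains the real check.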

* Re: Newbie - WireGuard per systemd on Debian Buster
  2020-04-16 16:23 Newbie - WireGuard per systemd on Debian Buster Hans Kraus
  2020-05-04 13:33 ` Alex Xu (Hello71)
  2020-05-04 14:50 ` inrin
@ 2020-05-07 10:43 ` Jonas Kalderstam
  2 siblings, 0 replies; 5+ messages in thread
From: Jonas Kalderstam @ 2020-05-07 10:43 UTC (permalink / raw)
  To: wireguard


I've been running wireguard with systemd in Debian for some time now.

On 2020-04-16 Thu 18:23, Hans Kraus <hans@hanswkraus.com> wrote:
> /etc/systemd/network/wg0.netdev
> ---------------------------------------------
> [NetDev]
> Name=wg0
> Kind=wireguard
> Description=Wireguard kraush
>
> [WireGuard]
> PrivateKey=<private key server>
> ListenPort=#####
>
> [WireGuardPeer]
> PublicKey=<public key client>
> AllowedIPs=<free range>.0/24
> ---------------------------------------------

The only thing I can think of here is that your AllowedIPs ends with a
zero - on the server you have to specify the exact IP address. It's on
the client side where you let the AllowedIPs be a wildcard.

Examples:

server-side:
---
[WireGuardPeer]
# Client1 address
AllowedIPs=192.168.2.5

[WireGuardPeer]
# Client2 address
AllowedIPs=192.168.2.6
---


client-side:
---
[WireGuardPeer]
# Entire wireguard range
AllowedIPs=192.168.2.0/24
---

> /etc/systemd/network/wg0.network
> ---------------------------------------------
> [Match]
> Name=wg0
>
> [Network]
> Address=<free range>.1/24
> ---------------------------------------------

You might want to consider adding

 IPForward=yes

for the server's .network file, and

 FwMark=1234

to client's .netdev file, to be sure you can do proper road warrioring
down the line.

I'm also a bit paranoid and have added the following to my client
.network files:

client.network:
---
[Route]
Address=192.168.2.0/24
---


Hopefully the peer address fix solves your issues.

--
Jonas Kalderstam
PGP key: 987C54AB0D4451ED

^ permalink raw reply	[flat|nested] 5+ messages in thread
