Development discussion of WireGuard
* Newbie - WireGuard per systemd on Debian Buster
@ 2020-04-16 16:12 hans
  2020-05-04 13:33 ` alex_y_xu
                   ` (2 more replies)
  0 siblings, 3 replies; 5+ messages in thread
From: hans @ 2020-04-16 16:12 UTC (permalink / raw)


I'm a newbie to wireguard and trying to install a working environment,
starting with one server and one client. First I used the example in
<https://github.com/pirate/wireguard-docs/tree/master/example-simple-client-to-server>
and got it working.

To get a more persistent installation I followed the example in
<https://wiki.debian.org/Wireguard>, with one server and one client,
"Step 2 - Alternative C - systemd". My server has a fixed ip4 address,
my client(s) get their addresses via DHCP (home network and road
warrior). My two "/etc/systemd/network" files on my server are:

/etc/systemd/network/wg0.netdev
---------------------------------------------
[NetDev]
Name=wg0
Kind=wireguard
Description=Wireguard kraush

[WireGuard]
PrivateKey=<private key server>
ListenPort=#####

[WireGuardPeer]
PublicKey=<public key client>
AllowedIPs=<free range>.0/24
---------------------------------------------

/etc/systemd/network/wg0.network
---------------------------------------------
[Match]
Name=wg0

[Network]
Address=<free range>.1/24
---------------------------------------------
I omitted the "Endpoint=<remote IP or hostname>:<remote port>" part
because I don't know (at least at server startup) the IP address of my
client(s).

That doesn't work. wg0 is up, ip addr show shows an address bound to the
interface. But it seems that the server doesn't recognize the peer
because "wg show wg0 peers" gives an empty list back.

Any help appreciated,
Hans


* Newbie - WireGuard per systemd on Debian Buster
  2020-04-16 16:12 Newbie - WireGuard per systemd on Debian Buster hans
@ 2020-05-04 13:33 ` alex_y_xu
  2020-05-05  7:28   ` 
  2020-05-04 14:50 ` inrin
  2020-05-07 10:43 ` Jonas Kalderstam
  2 siblings, 1 reply; 5+ messages in thread
From: alex_y_xu @ 2020-05-04 13:33 UTC (permalink / raw)


Excerpts from Hans Kraus's message of April 16, 2020 12:23 pm:
> I'm a newbie to wireguard and trying to install a working environment,
> starting with one server and one client. First I used the example in
> <https://github.com/pirate/wireguard-docs/tree/master/example-simple-client-to-server>
> and got it working.
> 
> To get a more persistent installation I followed the example in
> <https://wiki.debian.org/Wireguard>, with one server and one client,
> "Step 2 - Alternative C - systemd". My server has a fixed ip4 address,
> my client(s) get their addresses via DHCP (home network and road
> warrior). My two "/etc/systemd/network" files on my server are:
> 
> /etc/systemd/network/wg0.netdev
> ---------------------------------------------
> [NetDev]
> Name=wg0
> Kind=wireguard
> Description=Wireguard kraush
> 
> [WireGuard]
> PrivateKey=<private key server>
> ListenPort=#####
> 
> [WireGuardPeer]
> PublicKey=<public key client>
> AllowedIPs=<free range>.0/24
> ---------------------------------------------
> 
> /etc/systemd/network/wg0.network
> ---------------------------------------------
> [Match]
> Name=wg0
> 
> [Network]
> Address=<free range>.1/24
> ---------------------------------------------
> I omitted the "Endpoint=<remote IP or hostname>:<remote port>" part
> because I don't know (at least at server startup) the IP address of my
> client(s).
> 
> That doesn't work. wg0 is up, ip addr show shows an address bound to the
> interface. But it seems that the server doesn't recognize the peer
> because "wg show wg0 peers" gives an empty list back.
> 
> Any help appreciated,
> Hans
> 

It could be that your public key is in the wrong format. Check journal 
to see if systemd-networkd outputs any information.



* Newbie - WireGuard per systemd on Debian Buster
  2020-04-16 16:12 Newbie - WireGuard per systemd on Debian Buster hans
  2020-05-04 13:33 ` alex_y_xu
@ 2020-05-04 14:50 ` inrin
  2020-05-07 10:43 ` Jonas Kalderstam
  2 siblings, 0 replies; 5+ messages in thread
From: inrin @ 2020-05-04 14:50 UTC (permalink / raw)


Hi
On Thu, Apr 16, 2020 at 06:23:01PM +0200, Hans Kraus wrote:
>I'm a newbie to wireguard and trying to install a working environment,
>starting with one server and one client. First I used the example in
><https://github.com/pirate/wireguard-docs/tree/master/example-simple-client-to-server>
>and got it working.
>
>To get a more persistent installation I followed the example in
><https://wiki.debian.org/Wireguard>, with one server and one client,
>"Step 2 - Alternative C - systemd". My server has a fixed ip4 address,
>my client(s) get their addresses via DHCP (home network and road
>warrior). My two "/etc/systemd/network" files on my server are:
>
>/etc/systemd/network/wg0.netdev
>---------------------------------------------
>[NetDev]
>Name=wg0
>Kind=wireguard
>Description=Wireguard kraush
>
>[WireGuard]
>PrivateKey=<private key server>
At least on current systemd (245.5) it is called ``PrivateKeyFile''.
Please note the "File" part.

Please look up under ``man systemd.netdev'' if it is also ``PrivateKeyFile''.
Btw., you could use the wg-quick service with a normal WG config.

Greetings
Inrin



* Newbie - WireGuard per systemd on Debian Buster
  2020-05-04 13:33 ` alex_y_xu
@ 2020-05-05  7:28   ` 
  0 siblings, 0 replies; 5+ messages in thread
From:  @ 2020-05-05  7:28 UTC (permalink / raw)


Hi,

You also probably want to add:

[Service]
Environment=SYSTEMD_LOG_LEVEL=debug

to your /etc/systemd/system/systemd-networkd.service.d/01-log-level-debug.conf

Networkd is not really chatty by default, the config parser will
silently ignore the syntax errors unless you enable the debug logging :/

Note: remember to disable this once your problem gets fixed.



* Re: Newbie - WireGuard per systemd on Debian Buster
  2020-04-16 16:12 Newbie - WireGuard per systemd on Debian Buster hans
  2020-05-04 13:33 ` alex_y_xu
  2020-05-04 14:50 ` inrin
@ 2020-05-07 10:43 ` Jonas Kalderstam
  2 siblings, 0 replies; 5+ messages in thread
From: Jonas Kalderstam @ 2020-05-07 10:43 UTC (permalink / raw)
  To: wireguard



I've been running wireguard with systemd in Debian for some time now.

On 2020-04-16 Thu 18:23, Hans Kraus <hans@hanswkraus.com> wrote:
> /etc/systemd/network/wg0.netdev
> ---------------------------------------------
> [NetDev]
> Name=wg0
> Kind=wireguard
> Description=Wireguard kraush
>
> [WireGuard]
> PrivateKey=<private key server>
> ListenPort=#####
>
> [WireGuardPeer]
> PublicKey=<public key client>
> AllowedIPs=<free range>.0/24
> ---------------------------------------------

The only thing I can think of here is that your AllowedIPs ends with a
zero - on the server you have to specify the exact IP address. It's on
the client side where you let the AllowedIPs be a wildcard.

Examples:

server-side:
---
[WireGuardPeer]
# Client1 address
AllowedIPs=192.168.2.5

[WireGuardPeer]
# Client2 address
AllowedIPs=192.168.2.6
---


client-side:
---
[WireGuardPeer]
# Entire wireguard range
AllowedIPs=192.168.2.0/24
---

> /etc/systemd/network/wg0.network
> ---------------------------------------------
> [Match]
> Name=wg0
>
> [Network]
> Address=<free range>.1/24
> ---------------------------------------------

You might want to consider adding

 IPForward=yes

for the server's .network file, and

 FwMark=1234

to client's .netdev file, to be sure you can do proper road warrioring
down the line.

I'm also a bit paranoid and have added the following to my client
.network files:

client.network:
---
[Route]
Address=192.168.2.0/24
---


Hopefully the peer address fix solves your issues.

--
Jonas Kalderstam
PGP key: 987C54AB0D4451ED
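
An added example, not part of the thread or of any poster's code: a small Python lint for a server-side .netdev that checks the two things raised in the replies above, whether each peer's PublicKey is a well-formed key and whether each peer's AllowedIPs is a single client address. The function names and both sample configs are constructed for illustration; the 192.168.2.x addresses follow the examples in the message above, and a literal placeholder stands in for a malformed key.

```python
import base64
import ipaddress

def parse_netdev(text):
    """Parse .netdev text into [(section, {key: value})], keeping repeated sections."""
    sections = []
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            sections.append((line[1:-1], {}))
        elif "=" in line and sections and line[0] not in "#;":
            key, value = line.split("=", 1)
            sections[-1][1][key.strip()] = value.strip()
    return sections

def valid_key(value):
    """A WireGuard key is 32 bytes, written as 44 base64 characters."""
    try:
        return len(base64.b64decode(value, validate=True)) == 32
    except ValueError:  # binascii.Error is a ValueError subclass
        return False

def lint_server_peers(text):
    """Return findings for the [WireGuardPeer] sections of a server-side .netdev."""
    findings, seen = [], []
    for name, opts in parse_netdev(text):
        if name != "WireGuardPeer":
            continue
        if not valid_key(opts.get("PublicKey", "")):
            findings.append("PublicKey is not a base64-encoded 32-byte key")
        for item in filter(None, (s.strip() for s in opts.get("AllowedIPs", "").split(","))):
            try:
                net = ipaddress.ip_network(item, strict=False)
            except ValueError:
                findings.append(f"AllowedIPs entry {item!r} is not an IP address or prefix")
                continue
            if net.num_addresses > 1:
                findings.append(f"AllowedIPs {net} covers a range, not a single client address")
            for other in seen:
                if net.version == other.version and net.overlaps(other):
                    findings.append(f"AllowedIPs {net} overlaps {other} listed earlier")
            seen.append(net)
    return findings

# Constructed samples: 32 counting bytes as a stand-in key, not a real one.
SAMPLE_KEY = base64.b64encode(bytes(range(32))).decode()
AS_POSTED = "[WireGuardPeer]\nPublicKey=<public key client>\nAllowedIPs=192.168.2.0/24\n"
PER_CLIENT = (f"[WireGuardPeer]\nPublicKey={SAMPLE_KEY}\nAllowedIPs=192.168.2.5\n"
              f"[WireGuardPeer]\nPublicKey={SAMPLE_KEY}\nAllowedIPs=192.168.2.6\n")
```

`lint_server_peers(AS_POSTED)` reports the malformed key and the /24 range, while `lint_server_peers(PER_CLIENT)` returns an empty list.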
