I'm a newbie to wireguard and trying to install a working environment,
starting with one server and one client. First I used the example in
<https://github.com/pirate/wireguard-docs/tree/master/example-simple-client-to-server>
and got it working.

To get a more persistent installation I followed the example in
<https://wiki.debian.org/Wireguard>, with one server and one client,
"Step 2 - Alternative C - systemd". My server has a fixed ip4 address,
my client(s) get their addresses via DHCP (home network and road
warrior). My two "/etc/systemd/network" files on my server are:

/etc/systemd/network/wg0.netdev
---------------------------------------------
[NetDev]
Name=wg0
Kind=wireguard
Description=Wireguard kraush

[WireGuard]
PrivateKey=<private key server>
ListenPort=#####

[WireGuardPeer]
PublicKey=<public key client>
AllowedIPs=<free range>.0/24
---------------------------------------------

/etc/systemd/network/wg0.network
---------------------------------------------
[Match]
Name=wg0

[Network]
Address=<free range>.1/24
---------------------------------------------
I omitted the "Endpoint=<remote IP or hostname>:<remote port>" part
because I don't know (at least at server startup) the IP address of my
client(s).

That doesn't work. wg0 is up, ip addr show shows an address bound to the
interface. But it seems that the server doesn't recognize the peer
because "wg show wg0 peers" gives an empty list back.

Any help appreciated,
Hans

Excerpts from Hans Kraus's message of April 16, 2020 12:23 pm:
> I'm a newbie to wireguard and trying to install a working environment,
> starting with one server and one client. First I used the example in
> <https://github.com/pirate/wireguard-docs/tree/master/example-simple-client-to-server>
> and got it working.
>
> To get a more persistent installation I followed the example in
> <https://wiki.debian.org/Wireguard>, with one server and one client,
> "Step 2 - Alternative C - systemd". My server has a fixed ip4 address,
> my client(s) get their addresses via DHCP (home network and road
> warrior). My two "/etc/systemd/network" files on my server are:
>
> /etc/systemd/network/wg0.netdev
> ---------------------------------------------
> [NetDev]
> Name=wg0
> Kind=wireguard
> Description=Wireguard kraush
>
> [WireGuard]
> PrivateKey=<private key server>
> ListenPort=#####
>
> [WireGuardPeer]
> PublicKey=<public key client>
> AllowedIPs=<free range>.0/24
> ---------------------------------------------
>
> /etc/systemd/network/wg0.network
> ---------------------------------------------
> [Match]
> Name=wg0
>
> [Network]
> Address=<free range>.1/24
> ---------------------------------------------
> I omitted the "Endpoint=<remote IP or hostname>:<remote port>" part
> because I don't know (at least at server startup) the IP address of my
> client(s).
>
> That doesn't work. wg0 is up, ip addr show shows an address bound to the
> interface. But it seems that the server doesn't recognize the peer
> because "wg show wg0 peers" gives an empty list back.
>
> Any help appreciated,
> Hans
It could be that your public key is in the wrong format. Check the journal
to see if systemd-networkd outputs any information.

Hi
On Thu, Apr 16, 2020 at 06:23:01PM +0200, Hans Kraus wrote:
>I'm a newbie to wireguard and trying to install a working environment,
>starting with one server and one client. First I used the example in
><https://github.com/pirate/wireguard-docs/tree/master/example-simple-client-to-server>
>and got it working.
>
>To get a more persistent installation I followed the example in
><https://wiki.debian.org/Wireguard>, with one server and one client,
>"Step 2 - Alternative C - systemd". My server has a fixed ip4 address,
>my client(s) get their addresses via DHCP (home network and road
>warrior). My two "/etc/systemd/network" files on my server are:
>
>/etc/systemd/network/wg0.netdev
>---------------------------------------------
>[NetDev]
>Name=wg0
>Kind=wireguard
>Description=Wireguard kraush
>
>[WireGuard]
>PrivateKey=<private key server>
At least on current systemd (245.5) it is called ``PrivateKeyFile''.
Please note the "File" part.
Please look up under ``man systemd.netdev'' if it is also ``PrivateKeyFile''.
Btw., you could use the wg-quick service with a normal WG config.
Greetings
Inrin

Hi,

You also probably want to add:

[Service]
Environment=SYSTEMD_LOG_LEVEL=debug

to your /etc/systemd/system/systemd-networkd.service.d/01-log-level-debug.conf

Networkd is not really chatty by default, the config parser will
silently ignore the syntax errors unless you enable the debug logging :/

Note: remember to disable this once your problem gets fixed.

I've been running wireguard with systemd in Debian for some time now.

On 2020-04-16 Thu 18:23, Hans Kraus <hans@hanswkraus.com> wrote:
> /etc/systemd/network/wg0.netdev
> ---------------------------------------------
> [NetDev]
> Name=wg0
> Kind=wireguard
> Description=Wireguard kraush
>
> [WireGuard]
> PrivateKey=<private key server>
> ListenPort=#####
>
> [WireGuardPeer]
> PublicKey=<public key client>
> AllowedIPs=<free range>.0/24
> ---------------------------------------------

The only thing I can think of here is that your AllowedIPs ends with a
zero - on the server you have to specify the exact IP address. It's on
the client side where you let the AllowedIPs be a wildcard. Examples:

server-side:
---
[WireGuardPeer]
# Client1 address
AllowedIPs=192.168.2.5

[WireGuardPeer]
# Client2 address
AllowedIPs=192.168.2.6
---

client-side:
---
[WireGuardPeer]
# Entire wireguard range
AllowedIPs=192.168.2.0/24
---

> /etc/systemd/network/wg0.network
> ---------------------------------------------
> [Match]
> Name=wg0
>
> [Network]
> Address=<free range>.1/24
> ---------------------------------------------

You might want to consider adding IPForward=yes for the server's
.network file, and FwMark=1234 to client's .netdev file, to be sure you
can do proper road warrioring down the line.

I'm also a bit paranoid and have added the following to my client
.network files:

client.network:
---
[Route]
Destination=192.168.2.0/24
---

Hopefully the peer address fix solves your issues.

--
Jonas Kalderstam
PGP key: 987C54AB0D4451ED
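
The replies above point at three things networkd will not report by default: a key in the wrong format, a misspelled setting that the parser skips, and AllowedIPs ranges that collide between peers. The following offline check for a `.netdev` file is an added example, not code from any poster in this thread; the name `lint_netdev`, the key table (a subset, to be extended from `man systemd.netdev`) and the sample input are assumptions. Overlapping AllowedIPs are reported for review, not as a hard error.

```python
import base64, binascii, ipaddress
# Assumed subset of settings per section; extend from `man systemd.netdev`.
KNOWN = {
    "WireGuard": {"PrivateKey", "PrivateKeyFile", "ListenPort", "FirewallMark"},
    "WireGuardPeer": {"PublicKey", "PresharedKey", "PresharedKeyFile",
                      "AllowedIPs", "Endpoint", "PersistentKeepalive"},
}
KEY_FIELDS = {"PrivateKey", "PublicKey", "PresharedKey"}

def lint_netdev(text):
    """Return (line_number, message) findings for the text of a .netdev file."""
    findings, section, claimed = [], None, []
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("["):
            section = line.strip("[]")
            continue
        key, sep, value = (p.strip() for p in line.partition("="))
        if not sep:
            findings.append((no, "not a Key=Value line"))
            continue
        if section in KNOWN and key not in KNOWN[section]:
            findings.append((no, f"unknown key {key!r} in [{section}]"))
        if key in KEY_FIELDS:
            try:  # WireGuard keys are 32 bytes, base64-encoded
                ok = len(base64.b64decode(value, validate=True)) == 32
            except (binascii.Error, ValueError):
                ok = False
            if not ok:
                findings.append((no, f"{key} is not base64 of a 32-byte key"))
        if section == "WireGuardPeer" and key == "AllowedIPs":
            for item in value.split(","):
                try:
                    net = ipaddress.ip_network(item.strip(), strict=False)
                except ValueError:
                    findings.append((no, f"bad AllowedIPs entry {item.strip()!r}"))
                    continue
                for other_no, other in claimed:  # compare with earlier entries
                    if net.version == other.version and net.overlaps(other):
                        findings.append((no, f"{net} overlaps {other} (line {other_no})"))
                claimed.append((no, net))
    return findings

GOOD_KEY = base64.b64encode(bytes(32)).decode()  # constructed placeholder key
SAMPLE = "\n".join([  # constructed input modelled on the thread's wg0.netdev
    "[WireGuard]", f"PrivateKey={GOOD_KEY}", "ListenPrt=51820",
    "[WireGuardPeer]", "PublicKey=<public key client>", "AllowedIPs=192.168.2.5",
    "[WireGuardPeer]", f"PublicKey={GOOD_KEY}", "AllowedIPs=192.168.2.0/24"])
```

Calling `lint_netdev(SAMPLE)` reports the misspelled `ListenPrt`, the placeholder left in `PublicKey`, and the /24 that overlaps the first peer's address.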