[PATCH] tools: add wireguard@.service

[PATCH] tools: add wireguard@.service

[Florian Klink]

If you simply want to create wireguard interfaces and configure them,
wg-quick might be too much, as it also configures Addresses, MTU and
adds routes. This unit file can be used in cases where you want to use
wg(8) to configure the wireguard interface, but do regular network
configuration on top of the link by something else (possibly not knowing
wireguard, like systemd-networkd or NetworkManager.

Signed-off-by: Florian Klink <flokli@flokli.de>
---
 src/tools/Makefile           |  3 ++-
 src/tools/wireguard@.service | 19 +++++++++++++++++++
 2 files changed, 21 insertions(+), 1 deletion(-)
 create mode 100644 src/tools/wireguard@.service

diff --git a/src/tools/Makefile b/src/tools/Makefile
index 2dd7f6a..5206832 100644
--- a/src/tools/Makefile
+++ b/src/tools/Makefile
@@ -51,6 +51,7 @@ clean:
 install: wg
 	@install -v -d "$(DESTDIR)$(BINDIR)" && install -m 0755 -v wg "$(DESTDIR)$(BINDIR)/wg"
 	@install -v -d "$(DESTDIR)$(MANDIR)/man8" && install -m 0644 -v wg.8 "$(DESTDIR)$(MANDIR)/man8/wg.8"
+	[ "$(WITH_SYSTEMDUNITS)" = "yes" ] && install -v -d "$(DESTDIR)$(SYSTEMDUNITDIR)" && install -m 0644 -v wireguard@.service "$(DESTDIR)$(SYSTEMDUNITDIR)/wireguard@.service"
 	@[ "$(WITH_BASHCOMPLETION)" = "yes" ] || exit 0; \
 	install -v -d "$(DESTDIR)$(BASHCOMPDIR)" && install -m 0644 -v completion/wg.bash-completion "$(DESTDIR)$(BASHCOMPDIR)/wg"
 	@[ "$(WITH_WGQUICK)" = "yes" ] || exit 0; \
@@ -60,7 +61,7 @@ install: wg
 	@[ "$(WITH_WGQUICK)" = "yes" -a "$(WITH_BASHCOMPLETION)" = "yes" ] || exit 0; \
 	install -m 0644 -v completion/wg-quick.bash-completion "$(DESTDIR)$(BASHCOMPDIR)/wg-quick"
 	@[ "$(WITH_WGQUICK)" = "yes" -a "$(WITH_SYSTEMDUNITS)" = "yes" ] || exit 0; \
-	install -v -d "$(DESTDIR)$(SYSTEMDUNITDIR)" && install -m 0644 -v wg-quick@.service "$(DESTDIR)$(SYSTEMDUNITDIR)/wg-quick@.service"
+	install -m 0644 -v wg-quick@.service "$(DESTDIR)$(SYSTEMDUNITDIR)/wg-quick@.service"
 
 check: clean
 	CFLAGS=-g scan-build --view --keep-going $(MAKE) wg
diff --git a/src/tools/wireguard@.service b/src/tools/wireguard@.service
new file mode 100644
index 0000000..b6d53bf
--- /dev/null
+++ b/src/tools/wireguard@.service
@@ -0,0 +1,19 @@
+[Unit]
+Description=WireGuard via wg(8) for %I
+After=network-online.target
+Wants=network-online.target
+Documentation=man:wg(8)
+Documentation=https://www.wireguard.io/
+Documentation=https://www.wireguard.io/quickstart/
+Documentation=https://git.zx2c4.com/WireGuard/about/src/tools/wg.8
+
+[Service]
+Type=oneshot
+RemainAfterExit=yes
+ExecStartPre=/sbin/ip link add dev %i type wireguard
+ExecStart=/usr/bin/wg setconf %i /etc/wireguard/%i.conf
+ExecStop=/sbin/ip link del %i
+ExecReload=/usr/bin/wg setconf %i /etc/wireguard/%i.conf
+
+[Install]
+WantedBy=multi-user.target
-- 
2.13.0

Re: [PATCH] tools: add wireguard@.service

[Daniel Kahn Gillmor]

[-- Attachment #1: Type: text/plain, Size: 1581 bytes --]

Hi Florian--

On Fri 2017-05-26 10:44:23 +0200, Florian Klink wrote:
> If you simply want to create wireguard interfaces and configure them,
> wg-quick might be too much, as it also configures Addresses, MTU and
> adds routes. This unit file can be used in cases where you want to use
> wg(8) to configure the wireguard interface, but do regular network
> configuration on top of the link by something else (possibly not knowing
> wireguard, like systemd-networkd or NetworkManager.

I like this suggestion, but i see it as a stopgap until there is real
integration with systemd-networkd -- this would ideally be a .network
unit just like every other network interface, right?

A couple thoughts on the .service file:

> diff --git a/src/tools/wireguard@.service b/src/tools/wireguard@.service
> new file mode 100644
> index 0000000..b6d53bf
> --- /dev/null
> +++ b/src/tools/wireguard@.service
> @@ -0,0 +1,19 @@
> +[Unit]
> +Description=WireGuard via wg(8) for %I
> +After=network-online.target
> +Wants=network-online.target

This implies that the network is online *before* the interface comes up.
That means that other tools which depend on the wireguard link being
established can no longer depend on network-online.target, right?

> +Documentation=man:wg(8)
> +Documentation=https://www.wireguard.io/
> +Documentation=https://www.wireguard.io/quickstart/
> +Documentation=https://git.zx2c4.com/WireGuard/about/src/tools/wg.8

I think given the use of the conf file, the [Unit] section should also
have:

ConditionFileNotEmpty=/etc/wireguard/%i.conf

Regards,

        --dkg

[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 832 bytes --]

Re: [PATCH] tools: add wireguard@.service

[Florian Klink]

[-- Attachment #1: Type: text/plain, Size: 3356 bytes --]

Hey dkg,

Once upon a time, Daniel Kahn Gillmor wrote:
>Hi Florian--
>
>On Fri 2017-05-26 10:44:23 +0200, Florian Klink wrote:
>> If you simply want to create wireguard interfaces and configure them,
>> wg-quick might be too much, as it also configures Addresses, MTU and
>> adds routes. This unit file can be used in cases where you want to use
>> wg(8) to configure the wireguard interface, but do regular network
>> configuration on top of the link by something else (possibly not knowing
>> wireguard, like systemd-networkd or NetworkManager.
>
>I like this suggestion, but i see it as a stopgap until there is real
>integration with systemd-networkd -- this would ideally be a .network
>unit just like every other network interface, right?

There is already a pull request to allow systemd-networkd to create
wireguard interfaces and configure wireguard-specific settings on them:
https://github.com/systemd/systemd/pull/4191

This will allow `*.netdev` files with `Kind=wireguard` to be created,
with all the wireguard-specific settings currently defined in
`/etc/wireguard/*.conf` and understood by plain `wg setconf`.

However, this PR will need to wait until wireguard is considered stable:
https://github.com/systemd/systemd/pull/4191#issuecomment-252923968

What currently already works in systemd-networkd is the whole
IP, Route etc. configuration, which is independent of the underlying
wireguard config and done in `*.network` files (man systemd.network).

wg-quick, which already brings systemd unit files, is too much, as it
also adds addresses and routes (in my case, it gets in my way, as I'd
like to set  AllowedIPs to `::/0 and 0.0.0.0/0` but not default route),
but there may also be other cases where you don't need or want the whole
wg-quick.

So as long as support for configuring the underlying wireguard netdev
interface entirely inside systemd-networkd is missing, I'd really favor
a unit file to only configure wireguard-specific parameters. 

>
>A couple thoughts on the .service file:
>
>> diff --git a/src/tools/wireguard@.service b/src/tools/wireguard@.service
>> new file mode 100644
>> index 0000000..b6d53bf
>> --- /dev/null
>> +++ b/src/tools/wireguard@.service
>> @@ -0,0 +1,19 @@
>> +[Unit]
>> +Description=WireGuard via wg(8) for %I
>> +After=network-online.target
>> +Wants=network-online.target
>
>This implies that the network is online *before* the interface comes up.
>That means that other tools which depend on the wireguard link being
>established can no longer depend on network-online.target, right?

Right. This was simply copied from wg-quick@.service. ;-)

These two lines
could probably be replaced by

After=network-pre.target
Wants=network.target

but I'm open to other suggestions :-)

>
>> +Documentation=man:wg(8)
>> +Documentation=https://www.wireguard.io/
>> +Documentation=https://www.wireguard.io/quickstart/
>> +Documentation=https://git.zx2c4.com/WireGuard/about/src/tools/wg.8
>
>I think given the use of the conf file, the [Unit] section should also
>have:
>
>ConditionFileNotEmpty=/etc/wireguard/%i.conf

Yes, this might make sense. Not sure if `wg setconf` will fail anyhow,
but failing before creating the interface might be a good idea, thanks :-)

Regards,
flokli

>
>Regards,
>
>        --dkg

[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 488 bytes --]

Re: [PATCH] tools: add wireguard@.service

[Jörg Thalheim]

On 2017-05-26 16:30, Daniel Kahn Gillmor wrote:
>> diff --git a/src/tools/wireguard@.service b/src/tools/wireguard@.service
>> new file mode 100644
>> index 0000000..b6d53bf
>> --- /dev/null
>> +++ b/src/tools/wireguard@.service
>> @@ -0,0 +1,19 @@
>> +[Unit]
>> +Description=WireGuard via wg(8) for %I
>> +After=network-online.target
>> +Wants=network-online.target

My guess is that network-online.target was chosen for wg-quick because DNS resolving of endpoints might be required.
For this target to become effective this requires either systemd-networkd or a recent version NetworkManager to be running
(or any other service, which makes its connection state a dependency of |network-online.target|).

Once wireguard becomes integrated into systemd-networkd, networkd will just retry forever to resolve endpoints with exponential back-off.