names in wireguard.conf & bringing interface up

Development discussion of WireGuard
 help / color / mirror / Atom feed

* names in wireguard.conf & bringing interface up
@ 2021-08-01  8:37 Michael Tokarev
  0 siblings, 0 replies; only message in thread
From: Michael Tokarev @ 2021-08-01  8:37 UTC (permalink / raw)
  To: wireguard

Hello.

We're having fun issue with wireguard at boot.

The thing is that there are a few "Endpoint" settings
in wg.conf which are names, not IP addresses - names
which are being resolved over DNS.

The problem is that DNS startup is scheduled AFTER the
interfaces are up, but in order to bring interfaces up,
we're waiting for DNS.

For the wg interface to be up there's no need to resolve
names. Yet `wg setconf' insists on resovling everything.

As the result, system waits (deadwaits) for quite some
time and does not bring wg interfaces up, resulting in
network being !up.

Like this:
...
ifup[952]: Temporary failure in name resolution: `wg.corpit.ru:51820'. Trying again in 7.43 seconds...
ifup[952]: Temporary failure in name resolution: `wg.corpit.ru:51820'. Trying again in 8.92 seconds...
ifup[952]: Temporary failure in name resolution: `wg.corpit.ru:51820'. Trying again in 10.70 seconds...
ifup[952]: Temporary failure in name resolution: `wg.corpit.ru:51820'. Trying again in 12.84 seconds...
ifup[952]: Temporary failure in name resolution: `wg.corpit.ru:51820'
ifup[952]: Configuration parsing error
ifup[530]: ifup: failed to bring up wgtls

We used tinc before trying out wireguard. In tinc, we had
an asyncronous DNS resolution which continued as long as
the daemon is running (and since the daemon must run all
the time the tunnel is up, it were always running - unlike
wg). So the DNS resolution has always worked.

Now I wonder how I can solve this.  Maybe I can configure
the basic interface parameters (local IP address/netmask,
routes, etc), and try to actually set all the info about
remotes in the background somehow?

But this still looks quite fragile - we should not fail to
bring whole thing up even if we can't connect to just one
endpoint, - this way we also can't connect TO the server to
fix things if the tunnel is the only way to log in.  All
local config does not require any DNS or other remote info,
only the few "connect to this remote" require it.

Please note that we can't connect TO this server from the outside
even if I put process of configuring the peer into background,
until everything is working.

I also tried to split configuration into two parts, one which
require some network access and one which doesn't, but this
way commands like syncconf does not work anymore, obviously -
we can't change configuration at runtime and reload it.

Comments?

Thanks,

/mjt

^ permalink raw reply	[flat|nested] only message in thread

only message in thread, other threads:[~2021-08-01  8:38 UTC | newest]

Thread overview: (only message) (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2021-08-01  8:37 names in wireguard.conf & bringing interface up Michael Tokarev

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).