* [WireGuard] Comments on wgserver.service
@ 2016-07-06 12:04 Bruno Wolff III
  2016-07-06 14:33 ` Jason A. Donenfeld
  0 siblings, 1 reply; 7+ messages in thread
From: Bruno Wolff III @ 2016-07-06 12:04 UTC (permalink / raw)
  To: WireGuard

While wgserver.service is going to need some customization for each 
instance, there are a couple of things you might want to change in the 
example.

If for whatever reason wgserver is left setup, starting and restarting 
the service will fail until the device is manually removed.
Adding the following as the first ExecStart will help:
ExecStart=-/bin/ip link del dev wgserver
That will attempt to clean up any left over device as part of the 
startup process. Which will keep:
ExecStartPre=/usr/sbin/ip link add dev wg0 type wireguard
from failing (exit status 2 if the device already exists) and aborting 
the service startup.

Also according to the systemd documentation, ExecStopPost commands are 
supposed to be run when starting fails. It doesn't seem to actually work 
this way on Fedora and I have filed a bug about it. But it may still 
be better to change:
ExecStop=/bin/ip link del dev wgserver
To:
ExecStopPost=/bin/ip link del dev wgserver

Another note, that I'm not sure there is a standard fix for, but might 
be worth throwing in something for, is that if your config has a host 
name in it, you need functioning DNS when the service starts. And hence 
one may want to add Requires= and After= for a DNS service in some cases.

The example was helpful to me in figuring out the service files I am 
actually using on my two endpoints.
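As an added illustration, not the wgserver.service shipped in the WireGuard tree (whose exact contents are not quoted in this thread), here is a unit with all three suggestions above applied: the best-effort cleanup before the link is created, ExecStopPost= in place of ExecStop=, and an explicit dependency on a resolver for configs that contain host names. The address, config path, binary paths and the resolver unit name are assumptions, and the leading-"-" behaviour is documented systemd semantics (the message is still written to the journal, as Bruno observes later in the thread).

```ini
# Added example, not the original wgserver.service: the interface name, address,
# paths and resolver unit below are assumptions for illustration.
[Unit]
Description=WireGuard server interface wgserver
# Only needed when /etc/wireguard/wgserver.conf names peers by host name rather
# than IP address; "systemd-resolved.service" stands in for whatever resolver
# the host actually runs. Requires= makes the unit fail early if the resolver
# cannot start, instead of failing later inside wg setconf.
Requires=systemd-resolved.service
After=network.target systemd-resolved.service

[Service]
Type=oneshot
RemainAfterExit=yes
# Change 1: remove any device left over from an earlier run before creating it.
# The leading "-" makes a non-zero exit status non-fatal, so a missing device
# does not abort startup. It does NOT silence ip's 'Cannot find device' message;
# that still reaches journald. This has to be an ExecStartPre= line, because all
# ExecStartPre= commands run before the first ExecStart=, and the cleanup must
# precede the "ip link add" below.
ExecStartPre=-/usr/sbin/ip link del dev wgserver
ExecStartPre=/usr/sbin/ip link add dev wgserver type wireguard
ExecStartPre=/usr/sbin/ip address add 10.0.0.1/24 dev wgserver
ExecStart=/usr/bin/wg setconf wgserver /etc/wireguard/wgserver.conf
ExecStartPost=/usr/sbin/ip link set up dev wgserver
# Change 2: ExecStopPost= instead of ExecStop=. systemd documents ExecStopPost=
# as running both after a normal stop and after a failed start, so a half-built
# device is torn down either way (the thread notes this did not yet work as
# documented on Fedora at the time; the cleanup in ExecStartPre= covers that gap).
ExecStopPost=/usr/sbin/ip link del dev wgserver

[Install]
WantedBy=multi-user.target
```

After editing the unit, `systemctl daemon-reload` picks up the change; a deliberate `ip link add dev wgserver type wireguard` left behind before `systemctl start wgserver.service` is a quick way to confirm the cleanup path now succeeds instead of failing with exit status 2.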


* Re: [WireGuard] Comments on wgserver.service
  2016-07-06 12:04 [WireGuard] Comments on wgserver.service Bruno Wolff III
@ 2016-07-06 14:33 ` Jason A. Donenfeld
  2016-07-06 15:19   ` Bruno Wolff III
  2016-07-06 15:28   ` Daniel Kahn Gillmor
  0 siblings, 2 replies; 7+ messages in thread
From: Jason A. Donenfeld @ 2016-07-06 14:33 UTC (permalink / raw)
  To: Bruno Wolff III; +Cc: WireGuard mailing list

Hi Bruno,

Thanks for your feedback on this. That's a good idea to call ip-link
del first. I get that the - will make the error non-fatal, but will it
also suppress writing the error message into journald?

Please feel free to make wgserver.service into a more robust unit file
and send patches (git-send-email), or make a few different unit files
showcasing different types of configurations. I'm not a huge systemd
guy, so I just sort of threw that together haphazardly. It'd be nice
also to see this integrated into systemd-networkd and the .network
units. Are you involved with upstream at all? Interested in taking
this integration work on?

Jason

On Wed, Jul 6, 2016 at 2:04 PM, Bruno Wolff III <bruno@wolff.to> wrote:
> While wgserver.service is going to need some customization for each
> instance, there are a couple of things you might want to change in the
> example.
>
> If for whatever reason wgserver is left setup, starting and restarting the
> service will fail until the device is manually removed.
> Adding the following as the first ExecStart will help:
> ExecStart=-/bin/ip link del dev wgserver
> That will attempt to clean up any left over device as part of the startup
> process. Which will keep:
> ExecStartPre=/usr/sbin/ip link add dev wg0 type wireguard
> from failing (exit status 2 if the device already exists) and aborting the
> service startup.
>
> Also according to the systemd documentation, ExecStopPost commands are
> supposed to be run when starting fails. It doesn't seem to actually work
> this way on Fedora and I have filed a bug about it. But it may still be
> better to change:
> ExecStop=/bin/ip link del dev wgserver
> To:
> ExecStopPost=/bin/ip link del dev wgserver
>
> Another note, that I'm not sure there is a standard fix for, but might be
> worth throwing in something for, is that if your config has a host name in
> it, you need functioning DNS when the service starts. And hence one may want
> to add Requires= and After= for a DNS service in some cases.
>
> The example was helpful to me in figuring out the service files I am
> actually using on my two endpoints.
> _______________________________________________
> WireGuard mailing list
> WireGuard@lists.zx2c4.com
> http://lists.zx2c4.com/mailman/listinfo/wireguard


* Re: [WireGuard] Comments on wgserver.service
  2016-07-06 14:33 ` Jason A. Donenfeld
@ 2016-07-06 15:19   ` Bruno Wolff III
  2016-07-06 15:22     ` Jason A. Donenfeld
  2016-07-06 15:28   ` Daniel Kahn Gillmor
  1 sibling, 1 reply; 7+ messages in thread
From: Bruno Wolff III @ 2016-07-06 15:19 UTC (permalink / raw)
  To: Jason A. Donenfeld; +Cc: WireGuard mailing list

On Wed, Jul 06, 2016 at 16:33:02 +0200,
  "Jason A. Donenfeld" <Jason@zx2c4.com> wrote:
>
>Thanks for your feedback on this. That's a good idea to call ip-link
>del first. I get that the - will make the error non-fatal, but will it
>also suppress writing the error message into journald?

I don't think so. I see 'Cannot find device "wg0"' that looks like it 
comes from that command. It doesn't show up in systemctl status output 
though.

>Please feel free to make wgserver.service into a more robust unit file
>and send patches (git-send-email), or make a few different unit files
>showcasing different types of configurations. I'm not a huge systemd
>guy, so I just sort of threw that together haphazardly. It'd be nice
>also to see this integrated into systemd-networkd and the .network
>units. Are you involved with upstream at all? Interested in taking
>this integration work on?

After I hear back about the systemd bug, I'll submit a simple change 
for robustness.

Some of the other stuff seems situational and I'm not sure makes for 
great examples. If I figure out a standard way to make sure dns is 
available, I'll include something for that, since that would be 
reasonable to do by default. But that is beyond my current systemd 
knowledge.

I don't know systemd well at all. Based on your example and some reading, 
I know significantly more today than I did yesterday morning. I do some 
stuff for Fedora and once in a while I'll do a bisect to try to narrow 
down a problem I'm having with a kernel on my hardware. I'm not a kernel 
developer at all.

Wireguard caught my eye because of the timing. I was looking at trying to 
set up an ipsec tunnel in preparation for having my work desktop switching 
to a non-routable IP address. Working with wireguard looked easier than 
trying to figure out ipsec, even with having to build wireguard from source. 
Potentially I could get involved with packing wg on Fedora, but there isn't 
much point until the kernel part is upstream.


* Re: [WireGuard] Comments on wgserver.service
  2016-07-06 15:19   ` Bruno Wolff III
@ 2016-07-06 15:22     ` Jason A. Donenfeld
  2016-07-06 15:47       ` Bruno Wolff III
  0 siblings, 1 reply; 7+ messages in thread
From: Jason A. Donenfeld @ 2016-07-06 15:22 UTC (permalink / raw)
  To: Bruno Wolff III; +Cc: WireGuard mailing list

On Wed, Jul 6, 2016 at 5:19 PM, Bruno Wolff III <bruno@wolff.to> wrote:
> Potentially I could get involved with packing wg on Fedora, but there isn't
> much point until the kernel part is upstream.

Actually Fedora has quite a few modules in packages that aren't
upstream. They use dkms or akmod.


* Re: [WireGuard] Comments on wgserver.service
  2016-07-06 14:33 ` Jason A. Donenfeld
  2016-07-06 15:19   ` Bruno Wolff III
@ 2016-07-06 15:28   ` Daniel Kahn Gillmor
  1 sibling, 0 replies; 7+ messages in thread
From: Daniel Kahn Gillmor @ 2016-07-06 15:28 UTC (permalink / raw)
  To: Jason A. Donenfeld, Bruno Wolff III; +Cc: WireGuard mailing list

On Wed 2016-07-06 10:33:02 -0400, Jason A. Donenfeld wrote:
> Please feel free to make wgserver.service into a more robust unit file
> and send patches (git-send-email), or make a few different unit files
> showcasing different types of configurations. I'm not a huge systemd
> guy, so I just sort of threw that together haphazardly. It'd be nice
> also to see this integrated into systemd-networkd and the .network
> units.

I agree with this integration.  The current wireguard configuration is
actually pretty close to a .network unit, but not exactly aligned.

Arguably, it'd be more in-scope for a .netdev unit (see systemd.netdev(5))
than a .network unit, though.

If we could coax the wireguard config format to use config sections
identical to .netdev units, it'd probably be easier to approach
systemd-networkd about integration.  If none of the standard netdev
sections (aside from the descriptive [Netdev] section and the
conditional [Match] section) seem like they should be reusable for
wireguard ([Tunnel] doesn't seem to match exactly), maybe it's worth
defining the sections as [Wireguard] (currently [Interface]) and
[WireguardPeer] (currently [Peer]).

            --dkg


* Re: [WireGuard] Comments on wgserver.service
  2016-07-06 15:22     ` Jason A. Donenfeld
@ 2016-07-06 15:47       ` Bruno Wolff III
  2016-07-06 15:58         ` Jason A. Donenfeld
  0 siblings, 1 reply; 7+ messages in thread
From: Bruno Wolff III @ 2016-07-06 15:47 UTC (permalink / raw)
  To: Jason A. Donenfeld; +Cc: WireGuard mailing list

On Wed, Jul 06, 2016 at 17:22:57 +0200,
  "Jason A. Donenfeld" <Jason@zx2c4.com> wrote:
>On Wed, Jul 6, 2016 at 5:19 PM, Bruno Wolff III <bruno@wolff.to> wrote:
>> Potentially I could get involved with packing wg on Fedora, but there isn't
>> much point until the kernel part is upstream.
>
>Actually Fedora has quite a few modules in packages that aren't
>upstream. They use dkms or akmod.

I thought those usually end up in rpmfusion, copr or other external repos, 
rather than Fedora proper.

I'd still like to see if it is going to land upstream. Even if it ends up 
in 4.9, it'd probably be simpler to just wait and package the wg part 
when the kernel part is included with the Fedora kernel. If upstream declines 
merging it, then things would be different as we'd need to use dkms or akmod 
to make the packages easy to use.


* Re: [WireGuard] Comments on wgserver.service
  2016-07-06 15:47       ` Bruno Wolff III
@ 2016-07-06 15:58         ` Jason A. Donenfeld
  0 siblings, 0 replies; 7+ messages in thread
From: Jason A. Donenfeld @ 2016-07-06 15:58 UTC (permalink / raw)
  To: Bruno Wolff III; +Cc: WireGuard mailing list


On Jul 6, 2016 5:47 PM, "Bruno Wolff III" <bruno@wolff.to> wrote:
> I thought those usually end up in rpmfusion, copr or other external
repos, rather than Fedora proper.

Nope, not the case.

>
> I'd still like to see if it is going to land upstream. Even if it ends up
in 4.9, it'd probably be simpler to just wait and package the wg part when
the kernel part is included with the Fedora kernel. If upstream declines
merging it, then things would be different as we'd need to use dkms or
akmod to make the packages easy to use.

It's going to be after 4.9 for sure. We've got a road to go. I'd really
recommend not waiting.

