FYI: systemd's networkd (v242) incorrectly setting listen-port on wg interface

FYI: systemd's networkd (v242) incorrectly setting listen-port on wg interface

[David Anderson]

Posting here for posterity, in case someone else encounters this problem.

In systemd v242, networkd has a bug
(https://github.com/systemd/systemd/issues/12377), in which it ignores
the `ListenPort` directive in its config files for wireguard
interfaces. The results is that even if you specify ListenPort=51820,
when you restart networkd it'll assign a random listening port to the
wg interface.

This can lead to some frustrating debugging where your VPN
mysteriously doesn't come up, and it turns out to be because your
wireguard server is listening on entirely the wrong port. You fix it
with `wg set wg0 listen-port 51820` after networkd has started.

Because of systemd's "no patch releases" release cycle, this seems to
have been broken since 11 Apr for any distro using an unmodified v242
systemd. I discovered this on Debian Buster (the newest "stable").
Looks like the fix was pulled into at least NixOS and Gentoo, not sure
about other distros. v243 has the fix, and should be releasing Any
Time Now.

I'm going to file a Debian bug to request a backport of this patch,
since I'm guessing they're not going to be upgrading systemd routinely
on the stable track. Hopefully it won't bite too many people though,
since networkd isn't the default for network configuration on Buster
(I'm just an enthusiastic early adopter).

- Dave
_______________________________________________
WireGuard mailing list
WireGuard@lists.zx2c4.com
https://lists.zx2c4.com/mailman/listinfo/wireguard

Re: FYI: systemd's networkd (v242) incorrectly setting listen-port on wg interface

[David Anderson]

Seems to be known to Debian:
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=936198 . I'm not
super familiar with Debian's development process, but I _think_, from
that bug + the systemd debian repo's state, that the fix is now
submitted and pending upload to unstable, after which it should flow
backwards over time into Buster.

- Dave

On Mon, Sep 2, 2019 at 12:26 PM David Anderson <dave@natulte.net> wrote:
>
> Posting here for posterity, in case someone else encounters this problem.
>
> In systemd v242, networkd has a bug
> (https://github.com/systemd/systemd/issues/12377), in which it ignores
> the `ListenPort` directive in its config files for wireguard
> interfaces. The results is that even if you specify ListenPort=51820,
> when you restart networkd it'll assign a random listening port to the
> wg interface.
>
> This can lead to some frustrating debugging where your VPN
> mysteriously doesn't come up, and it turns out to be because your
> wireguard server is listening on entirely the wrong port. You fix it
> with `wg set wg0 listen-port 51820` after networkd has started.
>
> Because of systemd's "no patch releases" release cycle, this seems to
> have been broken since 11 Apr for any distro using an unmodified v242
> systemd. I discovered this on Debian Buster (the newest "stable").
> Looks like the fix was pulled into at least NixOS and Gentoo, not sure
> about other distros. v243 has the fix, and should be releasing Any
> Time Now.
>
> I'm going to file a Debian bug to request a backport of this patch,
> since I'm guessing they're not going to be upgrading systemd routinely
> on the stable track. Hopefully it won't bite too many people though,
> since networkd isn't the default for network configuration on Buster
> (I'm just an enthusiastic early adopter).
>
> - Dave
_______________________________________________
WireGuard mailing list
WireGuard@lists.zx2c4.com
https://lists.zx2c4.com/mailman/listinfo/wireguard

Re: FYI: systemd's networkd (v242) incorrectly setting listen-port on wg interface

[Georg Faerber]

Hi,

On 19-09-02 12:42:00, David Anderson wrote:
> Seems to be known to Debian:
> https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=936198 . I'm not
> super familiar with Debian's development process, but I _think_, from
> that bug + the systemd debian repo's state, that the fix is now
> submitted and pending upload to unstable, after which it should flow
> backwards over time into Buster.

That's only partially correct, and maybe the following is nitpicking,
but at least wanted to ensure this is known:

The fix is pending upload to unstable, and will hit testing soon after.
Expect this for the upcoming days. However, as buster is stable, it will
not "automatically" flow into buster. This needs proposing an targeted
update to the Stable Release Managers and an ACK by them -- which would
probably be granted due to the severity. If you want this to happen,
it's probably a good idea to tell the maintainer, so he knows people
would be happy if this gets fixed in buster as well.

Cheers,
Georg
_______________________________________________
WireGuard mailing list
WireGuard@lists.zx2c4.com
https://lists.zx2c4.com/mailman/listinfo/wireguard

Re: FYI: systemd's networkd (v242) incorrectly setting listen-port on wg interface

[David Anderson]

On Mon, Sep 2, 2019 at 3:42 PM Georg Faerber <georg@riseup.net> wrote:
>
> Hi,
>
> On 19-09-02 12:42:00, David Anderson wrote:
> > Seems to be known to Debian:
> > https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=936198 . I'm not
> > super familiar with Debian's development process, but I _think_, from
> > that bug + the systemd debian repo's state, that the fix is now
> > submitted and pending upload to unstable, after which it should flow
> > backwards over time into Buster.
>
> That's only partially correct, and maybe the following is nitpicking,
> but at least wanted to ensure this is known:
>
> The fix is pending upload to unstable, and will hit testing soon after.
> Expect this for the upcoming days. However, as buster is stable, it will
> not "automatically" flow into buster. This needs proposing an targeted
> update to the Stable Release Managers and an ACK by them -- which would
> probably be granted due to the severity. If you want this to happen,
> it's probably a good idea to tell the maintainer, so he knows people
> would be happy if this gets fixed in buster as well.

Thanks for the correction! I tried to figure out how stuff gets into
stable, but my quick research didn't reveal an obvious standard
method.

So the way to go about this is to ping the maintainer of the systemd
package out of band? Or file a bug on Debian's bugtracker? I'm still
not sure how to kick off this process.

Cheers,
- Dave

>
> Cheers,
> Georg
> _______________________________________________
> WireGuard mailing list
> WireGuard@lists.zx2c4.com
> https://lists.zx2c4.com/mailman/listinfo/wireguard
_______________________________________________
WireGuard mailing list
WireGuard@lists.zx2c4.com
https://lists.zx2c4.com/mailman/listinfo/wireguard

Re: FYI: systemd's networkd (v242) incorrectly setting listen-port on wg interface

[Georg Faerber]

(Please don't Cc: me.)

Hi,

On 19-09-02 15:46:24, David Anderson wrote:
> Thanks for the correction!

Glad it was useful.

> I tried to figure out how stuff gets into stable, but my quick
> research didn't reveal an obvious standard method.

There is some more information at [1].

> So the way to go about this is to ping the maintainer of the systemd
> package out of band? Or file a bug on Debian's bugtracker? I'm still
> not sure how to kick off this process.

Yes, and: both is fine in my opinion. One advantage of using the bug
tracker is that this then gets public, allowing other people to keep
track (or to learn about it), etc. Just responding to the already
existing bug makes sense, I guess.

Cheers,
Georg


[1] https://wiki.debian.org/StableProposedUpdates
_______________________________________________
WireGuard mailing list
WireGuard@lists.zx2c4.com
https://lists.zx2c4.com/mailman/listinfo/wireguard

Re: FYI: systemd's networkd (v242) incorrectly setting listen-port on wg interface

[David Anderson]

One more correction: this only affects Debian testing and unstable.
Buster was released with systemd v241, which does not have the
regression. I got confused because I got one of my machines into a
borked state that's halfway between stable and testing, and it
included systemd v242.

- Dave

On Mon, Sep 2, 2019 at 12:42 PM David Anderson <dave@natulte.net> wrote:
>
> Seems to be known to Debian:
> https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=936198 . I'm not
> super familiar with Debian's development process, but I _think_, from
> that bug + the systemd debian repo's state, that the fix is now
> submitted and pending upload to unstable, after which it should flow
> backwards over time into Buster.
>
> - Dave
>
> On Mon, Sep 2, 2019 at 12:26 PM David Anderson <dave@natulte.net> wrote:
> >
> > Posting here for posterity, in case someone else encounters this problem.
> >
> > In systemd v242, networkd has a bug
> > (https://github.com/systemd/systemd/issues/12377), in which it ignores
> > the `ListenPort` directive in its config files for wireguard
> > interfaces. The results is that even if you specify ListenPort=51820,
> > when you restart networkd it'll assign a random listening port to the
> > wg interface.
> >
> > This can lead to some frustrating debugging where your VPN
> > mysteriously doesn't come up, and it turns out to be because your
> > wireguard server is listening on entirely the wrong port. You fix it
> > with `wg set wg0 listen-port 51820` after networkd has started.
> >
> > Because of systemd's "no patch releases" release cycle, this seems to
> > have been broken since 11 Apr for any distro using an unmodified v242
> > systemd. I discovered this on Debian Buster (the newest "stable").
> > Looks like the fix was pulled into at least NixOS and Gentoo, not sure
> > about other distros. v243 has the fix, and should be releasing Any
> > Time Now.
> >
> > I'm going to file a Debian bug to request a backport of this patch,
> > since I'm guessing they're not going to be upgrading systemd routinely
> > on the stable track. Hopefully it won't bite too many people though,
> > since networkd isn't the default for network configuration on Buster
> > (I'm just an enthusiastic early adopter).
> >
> > - Dave
_______________________________________________
WireGuard mailing list
WireGuard@lists.zx2c4.com
https://lists.zx2c4.com/mailman/listinfo/wireguard