* [PATCH] tools: add wireguard@.service @ 2017-05-26 8:44 Florian Klink 2017-05-26 15:30 ` Daniel Kahn Gillmor 0 siblings, 1 reply; 4+ messages in thread From: Florian Klink @ 2017-05-26 8:44 UTC (permalink / raw) To: wireguard If you simply want to create wireguard interfaces and configure them, wg-quick might be too much, as it also configures Addresses, MTU and adds routes. This unit file can be used in cases where you want to use wg(8) to configure the wireguard interface, but do regular network configuration on top of the link by something else (possibly not knowing wireguard, like systemd-networkd or NetworkManager. Signed-off-by: Florian Klink <flokli@flokli.de> --- src/tools/Makefile | 3 ++- src/tools/wireguard@.service | 19 +++++++++++++++++++ 2 files changed, 21 insertions(+), 1 deletion(-) create mode 100644 src/tools/wireguard@.service diff --git a/src/tools/Makefile b/src/tools/Makefile index 2dd7f6a..5206832 100644 --- a/src/tools/Makefile +++ b/src/tools/Makefile @@ -51,6 +51,7 @@ clean: install: wg @install -v -d "$(DESTDIR)$(BINDIR)" && install -m 0755 -v wg "$(DESTDIR)$(BINDIR)/wg" @install -v -d "$(DESTDIR)$(MANDIR)/man8" && install -m 0644 -v wg.8 "$(DESTDIR)$(MANDIR)/man8/wg.8" + [ "$(WITH_SYSTEMDUNITS)" = "yes" ] && install -v -d "$(DESTDIR)$(SYSTEMDUNITDIR)" && install -m 0644 -v wireguard@.service "$(DESTDIR)$(SYSTEMDUNITDIR)/wireguard@.service" @[ "$(WITH_BASHCOMPLETION)" = "yes" ] || exit 0; \ install -v -d "$(DESTDIR)$(BASHCOMPDIR)" && install -m 0644 -v completion/wg.bash-completion "$(DESTDIR)$(BASHCOMPDIR)/wg" @[ "$(WITH_WGQUICK)" = "yes" ] || exit 0; \ 
@@ -60,7 +61,7 @@ install: wg @[ "$(WITH_WGQUICK)" = "yes" -a "$(WITH_BASHCOMPLETION)" = "yes" ] || exit 0; \ install -m 0644 -v completion/wg-quick.bash-completion "$(DESTDIR)$(BASHCOMPDIR)/wg-quick" @[ "$(WITH_WGQUICK)" = "yes" -a "$(WITH_SYSTEMDUNITS)" = "yes" ] || exit 0; \ - install -v -d "$(DESTDIR)$(SYSTEMDUNITDIR)" && install -m 0644 -v wg-quick@.service "$(DESTDIR)$(SYSTEMDUNITDIR)/wg-quick@.service" + install -m 0644 -v wg-quick@.service "$(DESTDIR)$(SYSTEMDUNITDIR)/wg-quick@.service" check: clean CFLAGS=-g scan-build --view --keep-going $(MAKE) wg diff --git a/src/tools/wireguard@.service b/src/tools/wireguard@.service new file mode 100644 index 0000000..b6d53bf --- /dev/null +++ b/src/tools/wireguard@.service @@ -0,0 +1,19 @@ +[Unit] +Description=WireGuard via wg(8) for %I +After=network-online.target +Wants=network-online.target +Documentation=man:wg(8) +Documentation=https://www.wireguard.io/ +Documentation=https://www.wireguard.io/quickstart/ +Documentation=https://git.zx2c4.com/WireGuard/about/src/tools/wg.8 + +[Service] +Type=oneshot +RemainAfterExit=yes +ExecStartPre=/sbin/ip link add dev %i type wireguard +ExecStart=/usr/bin/wg setconf %i /etc/wireguard/%i.conf +ExecStop=/sbin/ip link del %i +ExecReload=/usr/bin/wg setconf %i /etc/wireguard/%i.conf + +[Install] +WantedBy=multi-user.target -- 2.13.0 ^ permalink raw reply related [flat|nested] 4+ messages in thread
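Review bot: the recipe line added in the first Makefile hunk (`[ "$(WITH_SYSTEMDUNITS)" = "yes" ] && install ...`) exits non-zero whenever WITH_SYSTEMDUNITS is not "yes", so make aborts the install target before the bash-completion and wg-quick steps run. Use the same guard as the neighbouring lines, `@[ "$(WITH_SYSTEMDUNITS)" = "yes" ] || exit 0; \` followed by the install commands. The leading `@` also keeps the command from being echoed, like the rest of the recipe.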
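Review bot: in the second Makefile hunk, dropping `install -v -d "$(DESTDIR)$(SYSTEMDUNITDIR)"` from the wg-quick@.service step makes that step depend on the wireguard@.service line earlier in the recipe having already created the directory. `install -d` is idempotent, so keeping it here costs nothing and leaves the wg-quick step correct if the earlier line is later reworked or reordered.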
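Review bot: in the [Service] section of wireguard@.service, the link is created in ExecStartPre= but only removed in ExecStop=, and systemd runs ExecStop= only after a successful start. If `wg setconf %i /etc/wireguard/%i.conf` fails, the unconfigured interface is left behind and the next start fails at `ip link add`. Consider doing the cleanup in ExecStopPost= (with a `-` prefix so a missing link is not an error), which also runs after a failed start.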
* Re: [PATCH] tools: add wireguard@.service 2017-05-26 8:44 [PATCH] tools: add wireguard@.service Florian Klink @ 2017-05-26 15:30 ` Daniel Kahn Gillmor 2017-05-26 17:01 ` Florian Klink 2017-05-26 21:09 ` Jörg Thalheim 0 siblings, 2 replies; 4+ messages in thread From: Daniel Kahn Gillmor @ 2017-05-26 15:30 UTC (permalink / raw) To: Florian Klink, wireguard [-- Attachment #1: Type: text/plain, Size: 1581 bytes --] Hi Florian-- On Fri 2017-05-26 10:44:23 +0200, Florian Klink wrote: > If you simply want to create wireguard interfaces and configure them, > wg-quick might be too much, as it also configures Addresses, MTU and > adds routes. This unit file can be used in cases where you want to use > wg(8) to configure the wireguard interface, but do regular network > configuration on top of the link by something else (possibly not knowing > wireguard, like systemd-networkd or NetworkManager. I like this suggestion, but i see it as a stopgap until there is real integration with systemd-networkd -- this would ideally be a .network unit just like every other network interface, right? A couple thoughts on the .service file: > diff --git a/src/tools/wireguard@.service b/src/tools/wireguard@.service > new file mode 100644 > index 0000000..b6d53bf > --- /dev/null > +++ b/src/tools/wireguard@.service 
> @@ -0,0 +1,19 @@ > +[Unit] > +Description=WireGuard via wg(8) for %I > +After=network-online.target > +Wants=network-online.target This implies that the network is online *before* the interface comes up. That means that other tools which depend on the wireguard link being established can no longer depend on network-online.target, right? > +Documentation=man:wg(8) > +Documentation=https://www.wireguard.io/ > +Documentation=https://www.wireguard.io/quickstart/ > +Documentation=https://git.zx2c4.com/WireGuard/about/src/tools/wg.8 I think given the use of the conf file, the [Unit] section should also have: ConditionFileNotEmpty=/etc/wireguard/%i.conf Regards, --dkg [-- Attachment #2: signature.asc --] [-- Type: application/pgp-signature, Size: 832 bytes --] ^ permalink raw reply [flat|nested] 4+ messages in thread
* Re: [PATCH] tools: add wireguard@.service 2017-05-26 15:30 ` Daniel Kahn Gillmor @ 2017-05-26 17:01 ` Florian Klink 2017-05-26 21:09 ` Jörg Thalheim 1 sibling, 0 replies; 4+ messages in thread 
From: Florian Klink @ 2017-05-26 17:01 UTC (permalink / raw)
To: Daniel Kahn Gillmor; +Cc: wireguard

[-- Attachment #1: Type: text/plain, Size: 3356 bytes --]

Hey dkg,

Once upon a time, Daniel Kahn Gillmor wrote:
>Hi Florian--
>
>On Fri 2017-05-26 10:44:23 +0200, Florian Klink wrote:
>> If you simply want to create wireguard interfaces and configure them,
>> wg-quick might be too much, as it also configures Addresses, MTU and
>> adds routes. This unit file can be used in cases where you want to use
>> wg(8) to configure the wireguard interface, but do regular network
>> configuration on top of the link by something else (possibly not knowing
>> wireguard, like systemd-networkd or NetworkManager.
>
>I like this suggestion, but i see it as a stopgap until there is real
>integration with systemd-networkd -- this would ideally be a .network
>unit just like every other network interface, right?

There is already a pull request to allow systemd-networkd to create
wireguard interfaces and configure wireguard-specific settings on them:

https://github.com/systemd/systemd/pull/4191

This will allow `*.netdev` files with `Kind=wireguard` to be created,
with all the wireguard-specific settings currently defined in
`/etc/wireguard/*.conf` and understood by plain `wg setconf`.

However, this PR will need to wait until wireguard is considered stable:

https://github.com/systemd/systemd/pull/4191#issuecomment-252923968

What currently already works in systemd-networkd is the whole IP, Route
etc. configuration, which is independent of the underlying wireguard
config and done in `*.network` files (man systemd.network).

wg-quick, which already brings systemd unit files, is too much, as it
also adds addresses and routes (in my case, it gets in my way, as I'd
like to set AllowedIPs to `::/0 and 0.0.0.0/0` but not default route),
but there may also be other cases where you don't need or want the whole
wg-quick.

So as long as support for configuring the underlying wireguard netdev interface entirely inside systemd-networkd is missing, I'd really favor a unit file to only configure wireguard-specific parameters. > >A couple thoughts on the .service file: > >> diff --git a/src/tools/wireguard@.service b/src/tools/wireguard@.service >> new file mode 100644 >> index 0000000..b6d53bf >> --- /dev/null >> +++ b/src/tools/wireguard@.service >> @@ -0,0 +1,19 @@ >> +[Unit] >> +Description=WireGuard via wg(8) for %I >> +After=network-online.target >> +Wants=network-online.target > >This implies that the network is online *before* the interface comes up. >That means that other tools which depend on the wireguard link being >established can no longer depend on network-online.target, right? Right. This was simply copied from wg-quick@.service. ;-) These two lines could probably be replaced by After=network-pre.target Wants=network.target but I'm open to other suggestions :-) > >> +Documentation=man:wg(8) >> +Documentation=https://www.wireguard.io/ >> +Documentation=https://www.wireguard.io/quickstart/ >> +Documentation=https://git.zx2c4.com/WireGuard/about/src/tools/wg.8 > >I think given the use of the conf file, the [Unit] section should also >have: > >ConditionFileNotEmpty=/etc/wireguard/%i.conf Yes, this might make sense. Not sure if `wg setconf` will fail anyhow, but failing before creating the interface might be a good idea, thanks :-) Regards, flokli > >Regards, > > --dkg [-- Attachment #2: signature.asc --] [-- Type: application/pgp-signature, Size: 488 bytes --] ^ permalink raw reply [flat|nested] 4+ messages in thread
* Re: [PATCH] tools: add wireguard@.service 2017-05-26 15:30 ` Daniel Kahn Gillmor 2017-05-26 17:01 ` Florian Klink @ 2017-05-26 21:09 ` Jörg Thalheim 1 sibling, 0 replies; 4+ messages in thread From: Jörg Thalheim @ 2017-05-26 21:09 UTC (permalink / raw) To: wireguard On 2017-05-26 16:30, Daniel Kahn Gillmor wrote: >> diff --git a/src/tools/wireguard@.service b/src/tools/wireguard@.service >> new file mode 100644 >> index 0000000..b6d53bf >> --- /dev/null >> +++ b/src/tools/wireguard@.service >> @@ -0,0 +1,19 @@ >> +[Unit] >> +Description=WireGuard via wg(8) for %I >> +After=network-online.target >> +Wants=network-online.target My guess is that network-online.target was chosen for wg-quick because DNS resolving of endpoints might be required. For this target to become effective this requires either systemd-networkd or a recent version of NetworkManager to be running (or any other service, which makes its connection state a dependency of |network-online.target|). Once wireguard becomes integrated into systemd-networkd, networkd will just retry forever to resolve endpoints with exponential back-off. ^ permalink raw reply [flat|nested] 4+ messages in thread