[PATCH] tools: add wireguard@.service

Florian Klink flokli at flokli.de
Fri May 26 19:01:35 CEST 2017


Hey dkg,

Once upon a time, Daniel Kahn Gillmor wrote:
>Hi Florian--
>
>On Fri 2017-05-26 10:44:23 +0200, Florian Klink wrote:
>> If you simply want to create wireguard interfaces and configure them,
>> wg-quick might be too much, as it also configures Addresses, MTU and
>> adds routes. This unit file can be used in cases where you want to use
>> wg(8) to configure the wireguard interface, but do regular network
>> configuration on top of the link by something else (possibly not knowing
>> wireguard, like systemd-networkd or NetworkManager).
>
>I like this suggestion, but i see it as a stopgap until there is real
>integration with systemd-networkd -- this would ideally be a .network
>unit just like every other network interface, right?

There is already a pull request to allow systemd-networkd to create
wireguard interfaces and configure wireguard-specific settings on them:
https://github.com/systemd/systemd/pull/4191

This will allow `*.netdev` files with `Kind=wireguard` to be created,
with all the wireguard-specific settings currently defined in
`/etc/wireguard/*.conf` and understood by plain `wg setconf`.

However, this PR will need to wait until wireguard is considered stable:
https://github.com/systemd/systemd/pull/4191#issuecomment-252923968

What currently already works in systemd-networkd is the whole
IP, Route etc. configuration, which is independent of the underlying
wireguard config and done in `*.network` files (man systemd.network).

wg-quick, which already brings systemd unit files, is too much, as it
also adds addresses and routes (in my case, it gets in my way, as I'd
like to set AllowedIPs to `::/0` and `0.0.0.0/0` but not a default route),
but there may also be other cases where you don't need or want the whole
wg-quick.

So as long as support for configuring the underlying wireguard netdev
interface entirely inside systemd-networkd is missing, I'd really favor
a unit file to only configure wireguard-specific parameters.

>
>A couple thoughts on the .service file:
>
>> diff --git a/src/tools/wireguard at .service b/src/tools/wireguard at .service
>> new file mode 100644
>> index 0000000..b6d53bf
>> --- /dev/null
>> +++ b/src/tools/wireguard at .service
>> @@ -0,0 +1,19 @@
>> +[Unit]
>> +Description=WireGuard via wg(8) for %I
>> +After=network-online.target
>> +Wants=network-online.target
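Review bot: `After=network-online.target` / `Wants=network-online.target` orders this unit after the network has been declared online, so a unit that needs the %i link cannot itself wait on network-online.target, and the tools that are meant to configure addresses on top of the link (systemd-networkd, NetworkManager) get no ordering guarantee that the link already exists. Consider `After=network-pre.target`, `Before=network.target` and `Wants=network.target` instead, so the interface is created before the generic network configuration runs.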
>
>This implies that the network is online *before* the interface comes up.
>That means that other tools which depend on the wireguard link being
>established can no longer depend on network-online.target, right?

Right. This was simply copied from wg-quick@.service. ;-)

These two lines could probably be replaced by

After=network-pre.target
Wants=network.target

but I'm open to other suggestions :-)

>
>> +Documentation=man:wg(8)
>> +Documentation=https://www.wireguard.io/
>> +Documentation=https://www.wireguard.io/quickstart/
>> +Documentation=https://git.zx2c4.com/WireGuard/about/src/tools/wg.8
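Review bot: `Documentation=` accepts a space-separated list of URIs, so these four lines can be collapsed into one. More importantly, since the unit loads `/etc/wireguard/%i.conf` through `wg setconf`, the [Unit] section should carry `ConditionFileNotEmpty=/etc/wireguard/%i.conf`, so a missing or empty config skips the instance cleanly instead of creating an interface that then cannot be configured.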
>
>I think given the use of the conf file, the [Unit] section should also
>have:
>
>ConditionFileNotEmpty=/etc/wireguard/%i.conf

Yes, this might make sense. Not sure if `wg setconf` will fail anyhow,
but failing before creating the interface might be a good idea, thanks :-)

Regards,
flokli

>
>Regards,
>
>        --dkg
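The split this thread describes, as an added example that is not part of the original patch or of the WireGuard project: a wireguard@.service instance that only creates the link and runs wg setconf, with addresses and routes left to a systemd-networkd .network file so AllowedIPs can be `0.0.0.0/0, ::/0` without a default route. The [Service] section, the /sbin/ip and /usr/bin/wg paths, the key placeholders, addresses, endpoint and the 50-wg0.network file name are assumptions; the original patch's [Service] section is not quoted above.

```ini
# --- /etc/systemd/system/wireguard@.service ---
# ([Service] section and binary paths are assumptions of this example)
[Unit]
Description=WireGuard via wg(8) for %I
Documentation=man:wg(8) man:systemd.network(5)
# Create the link before generic network setup, and do not wait for
# network-online.target, so other units may still depend on that target.
After=network-pre.target
Before=network.target
Wants=network.target
# Fail before creating the interface when there is nothing to load.
ConditionFileNotEmpty=/etc/wireguard/%i.conf

[Service]
Type=oneshot
RemainAfterExit=yes
ExecStart=/sbin/ip link add dev %i type wireguard
ExecStart=/usr/bin/wg setconf %i /etc/wireguard/%i.conf
ExecStop=/sbin/ip link delete dev %i

[Install]
WantedBy=multi-user.target

# --- /etc/wireguard/wg0.conf (constructed sample; keys are placeholders) ---
# Only what wg setconf understands: no Address, MTU or route directives.
# Holds the private key, so keep it root-owned with mode 0600.
[Interface]
PrivateKey = <PLACEHOLDER_PRIVATE_KEY>
ListenPort = 51820

[Peer]
PublicKey = <PLACEHOLDER_PEER_PUBLIC_KEY>
Endpoint = vpn.example.org:51820
# Accept any source address from this peer; unlike wg-quick, nothing
# here derives routes from AllowedIPs, so no default route appears.
AllowedIPs = 0.0.0.0/0, ::/0

# --- /etc/systemd/network/50-wg0.network (constructed sample) ---
[Match]
Name=wg0

[Network]
Address=10.0.0.2/24
Address=fd00::2/64

# Route only the remote subnet over the tunnel; no default route.
[Route]
Destination=10.0.1.0/24
```

After `systemctl enable --now wireguard@wg0.service`, `wg show wg0` should list the peer while `ip route` shows only the 10.0.1.0/24 route on wg0.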