FYI: systemd's networkd (v242) incorrectly setting listen-port on wg interface
David Anderson
dave at natulte.net
Mon Sep 2 21:42:00 CEST 2019
Seems to be known to Debian:
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=936198 . I'm not
super familiar with Debian's development process, but I _think_, from
that bug + the systemd debian repo's state, that the fix is now
submitted and pending upload to unstable, after which it should flow
backwards over time into Buster.
- Dave
On Mon, Sep 2, 2019 at 12:26 PM David Anderson <dave at natulte.net> wrote:
>
> Posting here for posterity, in case someone else encounters this problem.
>
> In systemd v242, networkd has a bug
> (https://github.com/systemd/systemd/issues/12377), in which it ignores
> the `ListenPort` directive in its config files for wireguard
> interfaces. The results is that even if you specify ListenPort=51820,
> when you restart networkd it'll assign a random listening port to the
> wg interface.
>
> This can lead to some frustrating debugging where your VPN
> mysteriously doesn't come up, and it turns out to be because your
> wireguard server is listening on entirely the wrong port. You fix it
> with `wg set wg0 listen-port 51820` after networkd has started.
>
> Because of systemd's "no patch releases" release cycle, this seems to
> have been broken since 11 Apr for any distro using an unmodified v242
> systemd. I discovered this on Debian Buster (the newest "stable").
> Looks like the fix was pulled into at least NixOS and Gentoo, not sure
> about other distros. v243 has the fix, and should be releasing Any
> Time Now.
>
> I'm going to file a Debian bug to request a backport of this patch,
> since I'm guessing they're not going to be upgrading systemd routinely
> on the stable track. Hopefully it won't bite too many people though,
> since networkd isn't the default for network configuration on Buster
> (I'm just an enthusiastic early adopter).
>
> - Dave
More information about the WireGuard
mailing list