Has anyone gotten a WireGuard VPN setup to work using systemd's netdev and network files (rather than wg-quick@ template units)?

#AskFedi #Linux #Systemd #Debian #WireGuard #VPN

I mainly need the client side config b/c I'm using a commercial VPN (Proton).

In the netdev, I have the [NetDev] section (Name and Kind), [WireGuard] section (PrivateKey), and [WireGuardPeer] section (PublicKey, AllowedIPs, and Endpoint). In the network, I have the [Match] section (Name), [Network] section (Address, DNS, and Domains=~.), and [Route] section (Gateway, manually added when debugging). Also ActivationPolicy=manual for now.

DNS resolution goes through the VPN, but I think the routing is off (as verified by looking at the routing tables with `ip route show table all` with wg-quick@ and with networkd). Just not sure how to fix it!
@chiraag
in my config, I was using the VPN as a point-to-point connection between households and I gave [Route] configs in the .network file. I think wg-quick by default routes all allowed IPs through the tunnel. Whereas networkd doesn't do any route twiddling unless you explicitly tell it to.
@dlakelan Yeah, exactly. So I need to figure out how to convert the routing changes wg-quick does into directives in the .network file... :/

@chiraag
assuming you want to route everything through the tunnel it should be pretty easy, something like

[Route]
Gateway=...
# lower is preferred!
Metric=1

@dlakelan I tried adding `DefaultRouteOnDevice = true` which makes the routing table look more like what I see from wg-quick, but...then I can't connect to anything? It's so odd...
@chiraag
Oh you know what? Maybe it's trying to route the WireGuard packets over the WireGuard tunnel itself? Set up a route to the Proton server on the Ethernet device so you are able to actually send the container packets.
@dlakelan Hmmm...that's probably what's happening. How would that look in the routing table (e.g. `ip route show table all`)?

@chiraag

nft isn't part of it, unless they're marking the server packets and routing based on rules related to firewall marks or something...

But you should be able to just put something like:

[Route]
Destination=_proton_server_ip/32
Gateway=_your_isp_gateway_

in your eth0.network or whatever the underlying transport is.

If it's on a laptop you might need to do something in NetworkManager somewhere, I don't know.

@dlakelan Yeah, I think it's doing the routing using firewall marks. Let me see if I can at least get it working using your solution though.
@dlakelan Yes, this works! Now...my question is how can I do this such that I can change server IPs dynamically? There must be a way!
@dlakelan I'm writing a script to convert WireGuard config to systemd stuff, and it's already structured data in there, so I can probably ask for the base .network file and modify it in this way.
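As a worked example of the conversion this thread arrives at (one route per AllowedIPs prefix on the WireGuard interface, plus a host route for the VPN server on the underlying transport interface), here is an added script. It is not any participant's code and not Proton's or systemd's. It assumes the units are named `proton0.netdev` / `proton0.network`, that the uplink's unit is named `eth0.network` (so a drop-in under `eth0.network.d/` applies to it), that the uplink gateway is learned by DHCP (networkd's special `Gateway=_dhcp4` / `_ipv6ra` values in `[Route]`), and a constructed sample config with placeholder keys and the documentation address 203.0.113.10 standing in for the VPN server.

```python
"""Turn a wg-quick client config into systemd-networkd .netdev/.network units.

Added example for this thread; unit names and the drop-in path are assumptions.
"""
import ipaddress
from typing import Dict, List, Union

# Constructed sample input. The keys are placeholders, not real WireGuard keys,
# and 203.0.113.10 is a documentation address standing in for the VPN server.
SAMPLE_CONF = """\
[Interface]
PrivateKey = CLIENT_PRIVATE_KEY_PLACEHOLDER=
Address = 10.2.0.2/32
DNS = 10.2.0.1

[Peer]
PublicKey = SERVER_PUBLIC_KEY_PLACEHOLDER=
AllowedIPs = 0.0.0.0/0, ::/0
Endpoint = 203.0.113.10:51820
PersistentKeepalive = 25
"""


def parse_wg_conf(text: str) -> List[dict]:
    """Parse a wg-quick file into a list of {'name': section, key: [values]}.

    configparser is deliberately not used: wg-quick allows several [Peer]
    sections and repeated keys (Address=, AllowedIPs=, DNS=), and values may
    be comma-separated lists, so every key maps to a flat list of values.
    """
    sections: List[dict] = []
    current = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            current = {"name": line[1:-1].strip()}
            sections.append(current)
            continue
        if current is None or "=" not in line:
            raise ValueError(f"unexpected line in WireGuard config: {raw!r}")
        key, value = (part.strip() for part in line.split("=", 1))
        current.setdefault(key, []).extend(v.strip() for v in value.split(",") if v.strip())
    return sections


def endpoint_address(endpoint: str) -> Union[ipaddress.IPv4Address, ipaddress.IPv6Address]:
    """Return the IP literal of 'host:port' or '[v6]:port'.

    The host route on the transport interface needs a literal address. wg-quick
    resolves hostnames at start-up; a static networkd unit cannot, so a
    hostname is rejected here and must be resolved (and the units regenerated)
    whenever the VPN server changes.
    """
    host, _, _port = endpoint.rpartition(":")
    try:
        return ipaddress.ip_address(host.strip("[]"))
    except ValueError as exc:
        raise ValueError(f"Endpoint {endpoint!r} is not an IP literal; resolve it first") from exc


def wg_quick_to_networkd(conf: str, ifname: str, transport: str,
                         transport_gateway: str = "_dhcp4") -> Dict[str, str]:
    """Return {path: contents} for the files networkd needs (assumed layout)."""
    sections = parse_wg_conf(conf)
    iface = next(s for s in sections if s["name"] == "Interface")
    peers = [s for s in sections if s["name"] == "Peer"]
    base = "/etc/systemd/network"
    key_path = f"{base}/{ifname}.key"

    # .netdev: the private key is referenced via PrivateKeyFile= so the .netdev
    # itself never carries the secret; the key file must be root:systemd-network, 0640.
    netdev = ["[NetDev]", f"Name={ifname}", "Kind=wireguard", "",
              "[WireGuard]", f"PrivateKeyFile={key_path}"]
    for peer in peers:
        netdev += ["", "[WireGuardPeer]", f"PublicKey={peer['PublicKey'][0]}"]
        netdev += [f"AllowedIPs={p}" for p in peer.get("AllowedIPs", [])]
        for opt in ("Endpoint", "PersistentKeepalive"):
            if opt in peer:
                netdev.append(f"{opt}={peer[opt][0]}")

    # .network: addresses, DNS, and one route per AllowedIPs prefix. This is the
    # part wg-quick does for you (via fwmark rules) and networkd does not.
    network = ["[Match]", f"Name={ifname}", "", "[Network]"]
    network += [f"Address={a}" for a in iface.get("Address", [])]
    network += [f"DNS={d}" for d in iface.get("DNS", [])]
    if iface.get("DNS"):
        network.append("Domains=~.")  # resolved sends every query to the tunnel DNS
    for peer in peers:
        for prefix in peer.get("AllowedIPs", []):
            # Metric=1 wins over the DHCP default route networkd installs at 1024
            network += ["", "[Route]", f"Destination={prefix}", "Metric=1"]

    # Drop-in for the transport interface: pin the VPN server itself to the real
    # uplink so the encrypted UDP packets are never routed into the tunnel.
    hostroutes: List[str] = []
    for peer in peers:
        if "Endpoint" in peer:
            addr = endpoint_address(peer["Endpoint"][0])
            gateway = transport_gateway
            if gateway == "_dhcp4" and addr.version == 6:
                gateway = "_ipv6ra"  # an IPv6 uplink gateway comes from router advertisements
            hostroutes += ["[Route]", f"Destination={addr}/{addr.max_prefixlen}",
                           f"Gateway={gateway}", ""]

    return {
        key_path: iface["PrivateKey"][0] + "\n",
        f"{base}/{ifname}.netdev": "\n".join(netdev) + "\n",
        f"{base}/{ifname}.network": "\n".join(network) + "\n",
        f"{base}/{transport}.network.d/{ifname}-endpoint.conf": "\n".join(hostroutes),
    }


if __name__ == "__main__":
    for path, body in wg_quick_to_networkd(SAMPLE_CONF, "proton0", "eth0").items():
        print(f"# {path}\n{body}")
```

After writing the files (and setting the key file to root:systemd-network, mode 0640), `networkctl reload` picks up the units. Because the host route needs a literal server address, switching servers means resolving the new endpoint and regenerating the `eth0.network.d/` drop-in, which is the piece that has to change dynamically; the WireGuard interface's own units stay the same apart from the peer block.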