I use Wireguard as my primary VPN (running a server and having several clients connecting to it) - it works fine but I realized today that I do not understand how it is actually managed. It is the following sequence of events which led me to that realization:
- client A and client B are defined in `/etc/wireguard/wg0.conf`. They both connect correctly.
- I added some packages that modified the kernel. This triggered the usual messages about `modprobe` etc. I never really paid attention to those as they were acknowledgements that everything was OK.
- when the step above is done, client A is still connected, client B does not connect anymore. I am trying with a client C and it connects.

I then had a look at `wg show` and it was not showing peer B. Since peer B (= client B) is in `/etc/wireguard/wg0.conf`, something must have gone wrong. Solution: reboot.

After the reboot client A reconnects automatically, client B still does not connect (and is still not visible in `wg show`, even in the disconnected state).

How could it have been connected in the first place at all? (I ask myself.)

Last idea:

```
wg-quick down wg0
wg-quick up wg0
```

and everything is back to normal, client A and client B connect.

This means one thing: the initial (post-boot or post-apt-which-changed-kernel) startup of wireguard must use another configuration file. This is conceivable - client A was set up a long time ago and client B added only recently (to `/etc/wireguard/wg0`), so it may be that I forgot where I set this up.

I had the problem above once in the past, now that I remember it, and fixed it with the two `wg-quick` commands but had no time to debate any further (which would explain how client B managed to connect at all).

My question: in Ubuntu 18.04, what is the service actually starting wireguard (installed from the `wireguard` PPA) and where is the configuration file used by that service?
Wireguard is started via `systemd-networkd`. The installation also creates a new interface `wg0`.

The configuration is done via two files (`somename` can be anything, for instance `wg0` or `wireguard`):

1. `/etc/systemd/network/somename.netdev`

   This file will hold the configuration of the interface and peers. It uses `[WireGuard]` and `[WireGuardPeer]` instead of the usual `[Interface]` and `[Peer]` (see (1)).

2. `/etc/systemd/network/somename.network`

   This file will hold the IP-related configuration of the interface (nothing specifically wireguard-related here).

These configuration files are read upon a `systemctl [re]start systemd-networkd`.

(1) Note that the configuration file referred to in various documentations (`/etc/wireguard/wg0`) is not used with `systemd-networkd`. It would be used if you ran `wg-quick` commands.

This answer is here thanks to @Rinzwind and him pointing to `systemd-networkd` and its configuration files.

I am adding another answer because I ended up using another approach. That one is based on the `wg-quick@.service` template.

I enable (and start, stop, etc.) it via `systemctl enable wg-quick@wg0.service` and the configuration lives in `/etc/wireguard`. It has the classical format of Wireguard.

In order to manage the configuration, I use the excellent Wg Gen Web interface.