@causeless, @jdoefp, can either of you review my SRU template info,
especially the test case section, to make sure it is correct.  I've
reproduced locally but would like to make sure the steps I mentioned are
correct.

** Description changed:

+ [impact]
+ 
+ systemd does not set endpoints for wireguard interfaces correctly.  This
+ makes wireguard unusable.
+ 
+ [test case]
+ 
+ install a disco or eoan system and set up a wireguard interface:
+ 
+ $ sudo add-apt-repository ppa:wireguard/wireguard
+ $ sudo apt install wireguard
+ ...(this does a lot of stuff)...
+ 
+ set up a wireguard server on a separate (pre-disco) system
+ (I used instructions from 
https://www.linode.com/docs/networking/vpn/set-up-wireguard-vpn-on-ubuntu/#configure-wireguard-server)
+ 
+ create a file as below; the private key doesn't matter (can create one
+ with 'wg genkey'), but the WireGuardPeer public key and ip addresses
+ should match what the wireguard server set up above is using:
+ 
+ $ cat /etc/systemd/network/wg0.netdev
+ [NetDev]
+ Name=wg0
+ Kind=wireguard
+ 
+ [WireGuard]
+ PrivateKey=*************
+ ListenPort=51820
+ 
+ [WireGuardPeer]
+ PublicKey=*************
+ AllowedIPs=10.0.0.0/8
+ Endpoint=192.168.1.1:51820
+ 
+ 
+ $ sudo systemctl restart systemd-networkd
+ $ sudo wg show wg0
+ 
+ interface: wg0
+   public key: *****************
+   private key: (hidden)
+   listening port: 51820
+ 
+ peer: *****************
+   allowed ips: 10.0.0.0/8
+ 
+ the last command should print remote endpoint address, e.g.:
+ 
+ peer: *****************
+   endpoint: 192.168.1.1:51820
+   allowed ips: 10.0.0.0/8
+ 
+ [regression potential]
+ 
+ any changes to systemd contain the potential for serious regressions.
+ However, this is cherry picked directly from upstream, with the releases
+ requiring patching (disco and eoan) being at exactly the same version
+ and very close to upstream already.  Additionally, while this does add 2
+ new functions (from upstream commit
+ 
https://github.com/systemd/systemd/pull/11580/commits/abd48ec87f2ac5dd571a99dcb4db88c4affdffc8),
+ they are only used - and code is only changed in - wireguard.c, so any
+ regressions should be limited to wireguard interfaces (unless systemd
+ crashes completely).
+ 
+ [other info]
+ 
+ original description:
+ 
+ ---
+ 
  systemd/disco 240 shipped with Ubuntu 19.04 beta does not set endpoints
  for [WireguradPeer] properly.
  
  This regression was introduced in v241 and merged into v240.
  systemd 241 doesn't set wireguard peer endpoint
  https://github.com/systemd/systemd/issues/11579
  
  Revert of the regression was landed on v240 stable branch
  https://github.com/systemd/systemd-stable/pull/39
  
  1)2) confirmed with,
  
  systemd/disco 240-6ubuntu5 amd64
  
  3)
  put a netdev file /etc/systemd/network/wg0.netdev
  
  ---
  [NetDev]
  Name=wg0
  Kind=wireguard
  
  [WireGuard]
  PrivateKey=**************
  ListenPort=51820
  
  [WireGuardPeer]
  PublicKey=*************
  AllowedIPs=10.0.0.0/8
  Endpoint=192.168.1.1:51820
  ----
  
  and run
  ---
  # systemctl restart systemd-networkd
  # wg show wg0
  
  interface: wg0
-   public key: *****************
-   private key: (hidden)
-   listening port: 51820
+   public key: *****************
+   private key: (hidden)
+   listening port: 51820
  
  peer: *****************
-   allowed ips: 10.0.0.0/8
+   allowed ips: 10.0.0.0/8
  ----
  
- 4) 
+ 4)
  the last command should print remote endpoint address.
  ---
  # wg show wg0
  
  interface: wg0
-   public key: *****************
-   private key: (hidden)
-   listening port: 51820
+   public key: *****************
+   private key: (hidden)
+   listening port: 51820
  
  peer: *****************
-   endpoint: 192.168.1.1:51820
-   allowed ips: 10.0.0.0/8
+   endpoint: 192.168.1.1:51820
+   allowed ips: 10.0.0.0/8
  ----

** Description changed:

  [impact]
  
  systemd does not set endpoints for wireguard interfaces correctly.  This
  makes wireguard unusable.
  
  [test case]
  
  install a disco or eoan system and set up a wireguard interface:
  
  $ sudo add-apt-repository ppa:wireguard/wireguard
  $ sudo apt install wireguard
  ...(this does a lot of stuff)...
  
  set up a wireguard server on a separate (pre-disco) system
  (I used instructions from 
https://www.linode.com/docs/networking/vpn/set-up-wireguard-vpn-on-ubuntu/#configure-wireguard-server)
  
  create a file as below; the private key doesn't matter (can create one
  with 'wg genkey'), but the WireGuardPeer public key and ip addresses
  should match what the wireguard server set up above is using:
  
  $ cat /etc/systemd/network/wg0.netdev
  [NetDev]
  Name=wg0
  Kind=wireguard
  
  [WireGuard]
  PrivateKey=*************
  ListenPort=51820
  
  [WireGuardPeer]
  PublicKey=*************
  AllowedIPs=10.0.0.0/8
  Endpoint=192.168.1.1:51820
  
- 
  $ sudo systemctl restart systemd-networkd
  $ sudo wg show wg0
  
  interface: wg0
    public key: *****************
    private key: (hidden)
    listening port: 51820
  
  peer: *****************
    allowed ips: 10.0.0.0/8
  
  the last command should print remote endpoint address, e.g.:
  
  peer: *****************
    endpoint: 192.168.1.1:51820
    allowed ips: 10.0.0.0/8
  
  [regression potential]
  
  any changes to systemd contain the potential for serious regressions.
  However, this is cherry picked directly from upstream, with the releases
  requiring patching (disco and eoan) being at exactly the same version
  and very close to upstream already.  Additionally, while this does add 2
  new functions (from upstream commit
  
https://github.com/systemd/systemd/pull/11580/commits/abd48ec87f2ac5dd571a99dcb4db88c4affdffc8),
  they are only used - and code is only changed in - wireguard.c, so any
  regressions should be limited to wireguard interfaces (unless systemd
  crashes completely).
  
  [other info]
+ 
+ this bug is not present in cosmic and earlier, and is already fixed in
+ upstream systemd, so this is needed only for disco and eoan.
  
  original description:
  
  ---
  
  systemd/disco 240 shipped with Ubuntu 19.04 beta does not set endpoints
  for [WireguradPeer] properly.
  
  This regression was introduced in v241 and merged into v240.
  systemd 241 doesn't set wireguard peer endpoint
  https://github.com/systemd/systemd/issues/11579
  
  Revert of the regression was landed on v240 stable branch
  https://github.com/systemd/systemd-stable/pull/39
  
  1)2) confirmed with,
  
  systemd/disco 240-6ubuntu5 amd64
  
  3)
  put a netdev file /etc/systemd/network/wg0.netdev
  
  ---
  [NetDev]
  Name=wg0
  Kind=wireguard
  
  [WireGuard]
  PrivateKey=**************
  ListenPort=51820
  
  [WireGuardPeer]
  PublicKey=*************
  AllowedIPs=10.0.0.0/8
  Endpoint=192.168.1.1:51820
  ----
  
  and run
  ---
  # systemctl restart systemd-networkd
  # wg show wg0
  
  interface: wg0
    public key: *****************
    private key: (hidden)
    listening port: 51820
  
  peer: *****************
    allowed ips: 10.0.0.0/8
  ----
  
  4)
  the last command should print remote endpoint address.
  ---
  # wg show wg0
  
  interface: wg0
    public key: *****************
    private key: (hidden)
    listening port: 51820
  
  peer: *****************
    endpoint: 192.168.1.1:51820
    allowed ips: 10.0.0.0/8
  ----

** Tags added: ddstreet-next

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1825378

Title:
  systemd-networkd doesn't set wireguard peer endpoint

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/systemd/+bug/1825378/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

Reply via email to