Wireguard has an apparmor profile. Specifically for the wg binary, we
have:
profile wg /usr/bin/wg flags=(attach_disconnected){
include <abstractions/base>
include <abstractions/nameservice-strict>
capability net_admin,
capability net_bind_service,
# Network access rules
network netlink raw,
network inet dgram,
network inet6 dgram,
network inet stream,
network inet6 stream,
# wireguard configuration and key files
file rw @{etc_rw}/wireguard/{,**},
mr @{exec_path},
# Site-specific additions and overrides. See local/README for details.
include if exists <local/wg>
}
That expects to read the keys and configuration files from /etc/wireguard. Your
command should work if the privatekey file is placed anywhere under
/etc/wireguard/. Can you please try?
If that works, but for some reason you don't want to put the private key
file in /etc/wireguard, then you can add an apparmor snippet file to
/etc/apparmor.d/local/wg with a rule that allows reading your private
key from wherever you placed it.
** Changed in: wireguard (Ubuntu)
Status: New => Triaged
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/2151123
Title:
wireguard front end wg can not open private key file (access denied)
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/wireguard/+bug/2151123/+subscriptions
--
ubuntu-bugs mailing list
[email protected]
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
