Hey dkg,

Once upon a time, Daniel Kahn Gillmor wrote:

Hi Florian--

On Fri 2017-05-26 10:44:23 +0200, Florian Klink wrote:
If you simply want to create wireguard interfaces and configure them, wg-quick might be too much, as it also configures Addresses, MTU and adds routes. This unit file can be used in cases where you want to use wg(8) to configure the wireguard interface, but do regular network configuration on top of the link by something else (possibly not knowing wireguard, like systemd-networkd or NetworkManager).

I like this suggestion, but i see it as a stopgap until there is real integration with systemd-networkd -- this would ideally be a .network unit just like every other network interface, right?

There is already a pull request to allow systemd-networkd to create wireguard interfaces and configure wireguard-specific settings on them:

https://github.com/systemd/systemd/pull/4191

This will allow `*.netdev` files with `Kind=wireguard` to be created, with all the wireguard-specific settings currently defined in `/etc/wireguard/*.conf` and understood by plain `wg setconf`.

However, this PR will need to wait until wireguard is considered stable:

https://github.com/systemd/systemd/pull/4191#issuecomment-252923968

What currently already works in systemd-networkd is the whole IP, Route etc. configuration, which is independent of the underlying wireguard config and done in `*.network` files (man systemd.network).

wg-quick, which already brings systemd unit files, is too much, as it also adds addresses and routes (in my case, it gets in my way, as I'd like to set AllowedIPs to `::/0 and 0.0.0.0/0` but not default route), but there may also be other cases where you don't need or want the whole wg-quick.

So as long as support for configuring the underlying wireguard netdev interface entirely inside systemd-networkd is missing, I'd really favor a unit file to only configure wireguard-specific parameters.

A couple thoughts on the .service file:

diff --git a/src/tools/[email protected] b/src/tools/[email protected] new file mode 100644 index 0000000..b6d53bf --- /dev/null +++ b/src/tools/[email protected] @@ -0,0 +1,19 @@ +[Unit] +Description=WireGuard via wg(8) for %I +After=network-online.target +Wants=network-online.target

This implies that the network is online *before* the interface comes up. That means that other tools which depend on the wireguard link being established can no longer depend on network-online.target, right?

Right. This was simply copied from [email protected]. ;-)

These two lines could probably be replaced by

After=network-pre.target
Wants=network.target

but I'm open to other suggestions :-)

+Documentation=man:wg(8) +Documentation=https://www.wireguard.io/ +Documentation=https://www.wireguard.io/quickstart/ +Documentation=https://git.zx2c4.com/WireGuard/about/src/tools/wg.8

I think given the use of the conf file, the [Unit] section should also have:

ConditionFileNotEmpty=/etc/wireguard/%i.conf

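Review bot: In the [Unit] lines, After=network-online.target together with Wants=network-online.target orders this unit after the network is already reported online, so any unit that must start only once the tunnel exists cannot use network-online.target for that. systemd.special(7) asks network setup services to sit between network-pre.target and network.target; consider After=network-pre.target, Before=network.target and Wants=network.target here. The visible [Unit] lines also carry no condition on the configuration file; ConditionFileNotEmpty=/etc/wireguard/%i.conf would skip the unit cleanly when the file is missing or empty, before any command in the unit runs.
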
Yes, this might make sense. Not sure if `wg setconf` will fail anyhow, but failing before creating the interface might be a good idea, thanks :-)

Regards,
flokli

Regards,
--dkg
