Difference between revisions of "Talk:WireGuard"

From ArchWiki
(Sounds Like an Ad: new section)
(systemd-networkd-wait-online.service needed?: reply)
 
(20 intermediate revisions by 7 users not shown)

Latest revision as of 22:05, 17 November 2018

usage section and vpn server

I took a stab at making the server section a little more verbose. As I read through the article as someone who had just learned about this software, I was initially confused about what was informational and what was needed to get it working. What do others think about reordering the article to

  1. provide some background/introduction
  2. show an example client/server model
  3. show the more shell-like section and optional systemd networking devices

Thoughts? Graysky (talk) 14:51, 13 November 2018 (UTC)

A bit unsure. The peer functionality should work as a background/introduction. Communicating with peers is what wireguard does. Setting up a "server" is a side effect of us tunneling traffic between servers. cli -> wireguard config -> systemd setup works as different ways to configure a wireguard interface. But a VPN server is a use case.
We can rework the sections and try to clear up the confusion, but I don't think reordering the sections would be beneficial.
Foxboron (talk) 15:03, 13 November 2018 (UTC)

I like this setup (which I think is quite how the page is now):
  1. introduction
  2. raw configuration (with ip and wg)
  3. auto tools (like wg-quick and systemd-networkd)
  4. troubleshooting
Thanks for the improvements by the way, Graysky. I recently learned about wireguard myself, and was also confused about some aspects. For example, how to use wireguard with systemd-networkd.
Aude (talk) 11:51, 14 November 2018 (UTC)

client/server

I'm not sure that we should name both peers "client" and "server", as the documentation will mainly talk about "peer".

Bobsaintcool (talk) 17:36, 29 December 2017 (UTC) bobsaintcool

That sounds sane. It was mostly what made sense to me when learning wireguard.
Foxboron (talk) 18:23, 29 December 2017 (UTC)

I've done some modification in that way.
Bobsaintcool (talk) 19:34, 29 December 2017 (UTC)bobsaintcool

Suggest adding advice about IP forwarding

When I set up wireguard it took me a little time to realize I had to enable IP forwarding in the kernel. Once I knew, all I had to do was:

# sysctl net.ipv4.ip_forward=1

So I think that would be good to add to the troubleshooting section or the tips and tricks section. The iptables forwarding rules suggested here won't work with that turned off.

Buffalo (talk) 23:28, 3 February 2018 (UTC)

I do not have this parameter set and wireguard works without any issues on my setup Gregosky (talk) 10:14, 7 February 2018 (UTC)
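Added example for the IP forwarding thread above (not code from the ArchWiki page or the WireGuard project): a POSIX shell helper that checks net.ipv4.ip_forward, makes it persistent through an /etc/sysctl.d drop-in, and prints FORWARD rules scoped to the tunnel interface. Setting ip_forward=1 makes the host route between all of its interfaces, not only the tunnel, so the FORWARD chain should accept only what the tunnel needs and drop the rest. The interface names wg0 and eth0, the tunnel subnet 10.0.0.0/24, the drop-in path and the rule set are assumptions, not the rules the article itself suggests.

```shell
#!/bin/sh
# Added example for the IP forwarding thread; not code from the ArchWiki page
# or the WireGuard project. Interface names (wg0, eth0), the tunnel subnet and
# the sysctl drop-in path are assumptions, overridable by arguments or
# environment variables.

IP_FORWARD_FILE="${IP_FORWARD_FILE:-/proc/sys/net/ipv4/ip_forward}"
SYSCTL_DROPIN="${SYSCTL_DROPIN:-/etc/sysctl.d/99-wireguard-forward.conf}"

# Exit status 0 when forwarding is on, 1 when off, 2 when the knob is
# unreadable (for example inside a container without /proc/sys access).
ip_forward_enabled() {
    [ -r "$IP_FORWARD_FILE" ] || return 2
    [ "$(cat "$IP_FORWARD_FILE")" = "1" ]
}

# Persist the setting for future boots (systemd-sysctl reads /etc/sysctl.d at
# boot) and apply it to the running kernel. Must run as root.
enable_ip_forward() {
    printf 'net.ipv4.ip_forward = 1\n' > "$SYSCTL_DROPIN" || return 1
    sysctl -w net.ipv4.ip_forward=1 > /dev/null || return 1
    ip_forward_enabled
}

# ip_forward=1 turns the host into a router for every interface, so pair it
# with FORWARD rules scoped to the tunnel: only packets arriving from the
# WireGuard interface out of the tunnel subnet, and replies to them, are
# forwarded; everything else hits the DROP policy.
wg_forward_rules() {
    wg_if="${1:-wg0}"
    out_if="${2:-eth0}"
    tunnel_net="${3:-10.0.0.0/24}"
    cat <<EOF
iptables -P FORWARD DROP
iptables -A FORWARD -i $wg_if -s $tunnel_net -o $out_if -j ACCEPT
iptables -A FORWARD -i $out_if -o $wg_if -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
iptables -t nat -A POSTROUTING -s $tunnel_net -o $out_if -j MASQUERADE
EOF
}
```

Source the file and run `ip_forward_enabled || enable_ip_forward` as root, then review the output of `wg_forward_rules wg0 eth0 10.0.0.0/24` before piping it to `sh`. The check function needs no privileges, which makes it a cheap first step when a peer can reach the gateway but nothing beyond it, the symptom Buffalo describes.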

Sounds Like an Ad

Being a blurb from the project's authors is no excuse. The following, unsubstantiated claim sounds like an advertisement:

... it might be regarded as the most secure, easiest to use, and simplest VPN solution in the industry.

—This unsigned comment is by NoSuck (talk) 09:36, 7 February 2018‎ (UTC). Please sign your posts with ~~~~!

systemd-networkd-wait-online.service needed?

wg-quick@.service already contains After=network-online.target. Enabling the wait-online service causes the whole boot process to pause while waiting for a network connection and can dramatically increase boot times. —This unsigned comment is by Smasher816 (talk) 03:54, 3 May 2018‎ (UTC). Please sign your posts with ~~~~!

I suspect the long network wait times might be caused by a lack of entropy rather than the target unit. Recommend rng-tools or haveged. Graysky (talk) 12:09, 17 November 2018 (UTC)

systemd-networkd has a timeout of 2 minutes for systemd-networkd-wait-online. See this GitHub issue: https://github.com/systemd/systemd/issues/6441 (especially this comment: https://github.com/systemd/systemd/issues/6441#issuecomment-418592758). I've had to explicitly tell systemd-networkd to ignore all links on one of my systems (with RequireForOnline=no), because it seems to wait for all devices to be online, not one of them. Aude (talk) 17:40, 17 November 2018 (UTC)

Just a guess based on some delays with a headless box. For some other use cases (wpa_supplicant on a Raspberry Pi), I needed to use an override as well. Graysky (talk) 19:33, 17 November 2018 (UTC)

/etc/systemd/system/systemd-networkd-wait-online.service.d/override.conf
[Service]
ExecStart=
ExecStart=/usr/lib/systemd/systemd-networkd-wait-online --ignore eth0

Yeah, that makes sense. I made an error and replied to your comment, Graysky, but it was supposed to be a reply to the original poster. Sorry for the confusion. Aude (talk) 22:05, 17 November 2018 (UTC)
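Added example for the wait-online thread (not code from the ArchWiki page, systemd or the WireGuard project): shell helpers that render the override drop-in shown above for any number of interfaces, render the RequireForOnline=no alternative as a .network fragment, and audit an existing drop-in for one easy mistake. systemd-networkd-wait-online.service is Type=oneshot, and a oneshot unit runs every ExecStart= line in order, so a drop-in that omits the empty ExecStart= reset line does not replace the original command but appends a second one: the unrestricted wait still runs first and still blocks boot. The binary path and the interface names are assumptions.

```shell
#!/bin/sh
# Added example for the wait-online thread; not code from the ArchWiki page,
# systemd or the WireGuard project. Paths and interface names are assumptions.
# systemd-networkd-wait-online.service is Type=oneshot, and oneshot units run
# every ExecStart= line in turn, so a drop-in without the empty "ExecStart="
# reset line adds a second invocation instead of replacing the first.

WAIT_ONLINE_BIN="${WAIT_ONLINE_BIN:-/usr/lib/systemd/systemd-networkd-wait-online}"

# Print a drop-in that stops waiting on the listed interfaces, one --ignore
# per name (the flag takes a single interface per occurrence).
render_wait_online_override() {
    flags=""
    for ifname in "$@"; do
        flags="$flags --ignore $ifname"
    done
    printf '[Service]\nExecStart=\nExecStart=%s%s\n' "$WAIT_ONLINE_BIN" "$flags"
}

# Print a .network fragment that excludes one interface from the "online"
# decision entirely; the alternative Aude mentions above.
render_require_for_online_no() {
    printf '[Match]\nName=%s\n\n[Link]\nRequireForOnline=no\n' "$1"
}

# Audit an existing drop-in. Exit status: 0 when it resets ExecStart= before
# redefining it, 1 when it only appends a new ExecStart= (original wait still
# runs), 2 when the file is unreadable or never sets ExecStart= at all.
check_wait_online_override() {
    dropin="$1"
    [ -r "$dropin" ] || return 2
    # grep -c prints 0 on no match but exits 1; keep the count, ignore status.
    set_lines=$(grep -c '^ExecStart=.' "$dropin" || true)
    reset_lines=$(grep -c '^ExecStart=[[:space:]]*$' "$dropin" || true)
    [ "$set_lines" -gt 0 ] || return 2
    [ "$reset_lines" -gt 0 ] || return 1
    return 0
}
```

After writing a drop-in, `systemctl daemon-reload` and `systemctl cat systemd-networkd-wait-online.service` show the merged unit; if two non-empty ExecStart= lines appear, the reset line is missing and `check_wait_online_override` on the drop-in returns 1.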

DNS troubleshoot

Until a proper NM plugin is released, weird interactions are going to occur between Wireguard and NM. Typically, if you create a tunnel and NM touches DNS for whatever reason (lease timeout, reconnection, etc.), I lose my connection.

I specifically focused on systemd-resolved because I find the approach much saner than the resolvconf mess. It is also supported by NM and not really "broadly" documented elsewhere. —This unsigned comment is by Gdonval (talk) 10:52, 15 September 2018‎ (UTC). Please sign your posts with ~~~~!

umask

The addition of "umask 077" on all the commands generating keys is a bit redundant. Stricter permissions on the files are a recommendation, but not a necessity. Hence a Note about doing this should be sufficient. Currently we are just duplicating things without any real benefit. SSH keys do require strict permissions, but we don't chmod the resulting key, nor subshell with a umask, on every example on that wiki page. Foxboron (talk) 20:12, 16 November 2018 (UTC)

Good point, please feel free to edit per this observation. Graysky (talk) 20:17, 16 November 2018 (UTC)
Agree. Too complex, was not easy to read. Good edit. Aude (talk) 10:37, 17 November 2018 (UTC)
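Added example for the umask thread (not code from the ArchWiki page or the WireGuard project): what the `(umask 077; ...)` subshell actually changes. With the common umask of 022 a file created by shell redirection is 0644, so `wg genkey > privatekey` leaves the private key readable by every local account until someone chmods it; tightening the umask only inside a subshell creates the file 0600 from the first byte and leaves the caller's umask untouched. A later `chmod 600` closes the hole too, but only after a window in which the key was world-readable, which is the practical argument for the subshell form even if the wiki decides a Note is enough. The key paths and the fallback generator used when wg is not installed are assumptions.

```shell
#!/bin/sh
# Added example for the umask thread; not code from the ArchWiki page or the
# WireGuard project. Key paths and the fallback generator are assumptions.

# Use wg(8) when installed; otherwise write 32 random bytes in base64 so the
# permission behaviour can be shown without it. The fallback exists for this
# demonstration only and must not be used to produce real keys.
gen_private_key() {
    if command -v wg > /dev/null 2>&1; then
        wg genkey
    else
        head -c 32 /dev/urandom | base64
    fi
}

# Print the octal mode of a file (GNU stat, as shipped on Arch).
file_mode() {
    stat -c '%a' "$1"
}

# Default behaviour: the new key file inherits the ambient umask, which for
# the usual 022 means 0644, readable by every local user.
write_key_default() {
    gen_private_key > "$1"
    file_mode "$1"
}

# Hardened behaviour: umask is tightened only inside a subshell, so the
# caller's umask is unchanged and the key is 0600 from creation, never
# briefly world-readable before a later chmod.
write_key_private() {
    ( umask 077; gen_private_key > "$1" )
    file_mode "$1"
}

# Exit 0 if a key file is owner-only (0600 or 0400), 1 otherwise: the check
# to run over keys that were generated without the umask.
key_is_private() {
    case "$(file_mode "$1")" in
        600|400) return 0 ;;
        *) return 1 ;;
    esac
}
```

Running `write_key_default /tmp/k1` and `write_key_private /tmp/k2` under a 022 umask prints 644 and 600 respectively; `key_is_private` is the audit to apply to existing keys in /etc/wireguard.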