Netplan with wireguard

Hi,

I’m following https://netplan.io/reference#properties-for-device-type-tunnels%3A to configure wireguard using netplan, and came up with this yaml file snippet:

network:
  version: 2
  tunnels:
    home0:
      mode: wireguard
      key: /etc/wireguard/laptop-private.key
      port: 51000
      addresses: [10.10.11.2/24]
      peers:
        - keys:
            public: syR+psKigVdJ+PZvpEkacU5niqg9WGYxepDZT/zLGj8=
          endpoint: 10.48.132.39:51000
          allowed-ips: [10.10.11.0/24, 10.10.10.0/24]

After I run netplan apply, however, I only have a route through the home0 interface for the 10.10.11.0/24 network, not the second network 10.10.10.0/24.

# ip route|grep home0
10.10.11.0/24 dev home0 proto kernel scope link src 10.10.11.2

The generated systemd netdev file contains both networks in AllowedIPs:

[NetDev]
Name=home0
Kind=wireguard

[WireGuard]
PrivateKeyFile=/etc/wireguard/laptop-private.key
ListenPort=51000

[WireGuardPeer]
PublicKey=syR+psKigVdJ+PZvpEkacU5niqg9WGYxepDZT/zLGj8=
AllowedIPs=10.10.11.0/24,10.10.10.0/24
Endpoint=10.48.132.39:51000

And the corresponding network file is this:

[Match]
Name=home0

[Network]
LinkLocalAddressing=ipv6
Address=10.10.11.2/24
ConfigureWithoutCarrier=yes

I suspect I only have a route for 10.10.11.0/24 because of the IP I chose for the home0 interface.

Googling around, I found this upstream systemd issue: https://github.com/systemd/systemd/issues/14176

It has a lot of discussion and PRs, but I’m left unclear whether this should work by default, or if more configuration tuning is needed. In any case, this is netplan generating the networkd configuration files, so if some extra tuning is needed, it should be netplan doing it.

The systemd.netdev(5) manpage does say that an extra route will be needed for the networks listed in AllowedIPs:

Note that this only affects routing inside the network interface itself, i.e. the packets that pass through the tunnel itself. To cause packets to be sent via the tunnel in the first place, an appropriate route needs to be added as well — either in the “[Routes]” section on the “.network” matching the wireguard interface, or externally to systemd-networkd.

Is this a bug in netplan?

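The following is an added example, not the original poster's configuration: the same snippet with an explicit route for the second AllowedIPs prefix, which is what the quoted systemd.netdev(5) note asks for. AllowedIPs only governs what the peer is permitted to send and receive inside the tunnel; the kernel routing table decides whether a packet enters the tunnel at all, so without this route traffic for 10.10.10.0/24 simply follows the default route, unencrypted. The next-hop 10.10.11.1 is an assumption (the peer's address inside the tunnel); adjust it to whatever the remote side actually uses.

```yaml
network:
  version: 2
  tunnels:
    home0:
      mode: wireguard
      key: /etc/wireguard/laptop-private.key
      port: 51000
      addresses: [10.10.11.2/24]
      peers:
        - keys:
            public: syR+psKigVdJ+PZvpEkacU5niqg9WGYxepDZT/zLGj8=
          endpoint: 10.48.132.39:51000
          allowed-ips: [10.10.11.0/24, 10.10.10.0/24]
      # Added route: the kernel derives the connected route for
      # 10.10.11.0/24 from the interface address, but nothing creates a
      # route for the second allowed prefix, so it must be stated here.
      routes:
        - to: 10.10.10.0/24
          via: 10.10.11.1   # assumed: the peer's address inside the tunnel
```

After `netplan apply`, `ip route | grep home0` should list a second entry of the form `10.10.10.0/24 via 10.10.11.1 dev home0`; if it is still missing, check the generated `.network` file for a `[Route]` section with `Destination=10.10.10.0/24` to tell a netplan rendering problem apart from a networkd one.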

To be discussed here: https://bugs.launchpad.net/netplan/+bug/1987343
