systemd-networkd doesn't set wireguard peer endpoint

Bug #1825378 reported by Ko-Zu
This bug affects 6 people
Affects            Status        Importance  Assigned to    Milestone
systemd (Ubuntu)   Fix Released  Medium      Dan Streetman
  Cosmic           Invalid       Undecided   Unassigned
  Disco            Fix Released  Medium      Dan Streetman
  Eoan             Fix Released  Medium      Dan Streetman

Bug Description

[impact]

systemd does not set endpoints for wireguard interfaces correctly. This makes wireguard unusable.

[test case]

install a disco or eoan system and set up a wireguard interface:

$ sudo add-apt-repository ppa:wireguard/wireguard
$ sudo apt install wireguard
...(this does a lot of stuff)...

create a file as below. There is no need to set up a remote server to reproduce this issue, but PublicKey/PrivateKey must be valid keys (generated using the instructions at https://www.linode.com/docs/networking/vpn/set-up-wireguard-vpn-on-ubuntu/#configure-wireguard-server):

$ cat /etc/systemd/network/wg0.netdev
[NetDev]
Name=wg0
Kind=wireguard

[WireGuard]
PrivateKey=uMuCbguKYdKanRYMbDSriIdgxGxJR57Us1zEy8wRc1M=
ListenPort=51820

[WireGuardPeer]
PublicKey=ZRyl+kvb6o2/6Da5YLum6GnSrzDj3J002+2kmK5CnS4=
AllowedIPs=10.0.0.0/8
Endpoint=192.168.1.1:51820

$ sudo systemctl restart systemd-networkd
$ sudo wg show wg0

interface: wg0
  public key: BnvFgvPiVb5xURfzZ5liV1P77qeGeJDIX3C1iNquA2k=
  private key: (hidden)
  listening port: 51820

peer: ZRyl+kvb6o2/6Da5YLum6GnSrzDj3J002+2kmK5CnS4=
  allowed ips: 10.0.0.0/8

the last command should print remote endpoint address, e.g.:

peer: ZRyl+kvb6o2/6Da5YLum6GnSrzDj3J002+2kmK5CnS4=
  endpoint: 192.168.1.1:51820
  allowed ips: 10.0.0.0/8
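Because the bug fails silently, a check that compares what the .netdev file asks for with what the kernel actually has is useful during verification. The script below is an added example (not from the bug report or from systemd); the function names are mine, and the sample inputs are constructed from the values in the test case above.

```sh
#!/bin/sh
# Added example, not part of the bug report: check that the Endpoint= from a
# systemd-networkd .netdev file actually reached the kernel, by comparing it
# with `wg show <iface>` output. Only the first [WireGuardPeer] section is
# considered. All sample inputs below are constructed from the test case.

# Print the value of key $1 (Endpoint, PublicKey, ...) from the first
# [WireGuardPeer] section of .netdev text read on stdin.
netdev_peer_value() {
    awk -v k="$1" '
        /^\[/ { inpeer = ($0 == "[WireGuardPeer]"); next }
        inpeer && index($0, k "=") == 1 { sub("^" k "=", ""); print; exit }
    '
}

# Print the endpoint `wg show` reports for peer public key $1 (text on stdin).
wg_peer_endpoint() {
    awk -v key="$1" '
        /^peer: / { inpeer = ($2 == key); next }
        inpeer && $1 == "endpoint:" { print $2; exit }
    '
}

# $1 = .netdev text, $2 = `wg show` text. Returns 0 only if the configured
# endpoint is present on the matching peer; prints a diagnostic otherwise.
check_endpoint() {
    key=$(printf '%s\n' "$1" | netdev_peer_value PublicKey)
    want=$(printf '%s\n' "$1" | netdev_peer_value Endpoint)
    got=$(printf '%s\n' "$2" | wg_peer_endpoint "$key")
    if [ -n "$want" ] && [ "$got" = "$want" ]; then
        echo "ok: endpoint $want applied for peer $key"; return 0
    fi
    echo "MISSING: .netdev wants '$want' but wg show reports '${got:-none}' for peer $key" >&2
    return 1
}

NETDEV='[NetDev]
Name=wg0
Kind=wireguard
[WireGuardPeer]
PublicKey=ZRyl+kvb6o2/6Da5YLum6GnSrzDj3J002+2kmK5CnS4=
AllowedIPs=10.0.0.0/8
Endpoint=192.168.1.1:51820'
WG_BROKEN='peer: ZRyl+kvb6o2/6Da5YLum6GnSrzDj3J002+2kmK5CnS4=
  allowed ips: 10.0.0.0/8'
WG_FIXED='peer: ZRyl+kvb6o2/6Da5YLum6GnSrzDj3J002+2kmK5CnS4=
  endpoint: 192.168.1.1:51820
  allowed ips: 10.0.0.0/8'
check_endpoint "$NETDEV" "$WG_BROKEN" || true   # the bug: endpoint missing
check_endpoint "$NETDEV" "$WG_FIXED"            # after the fix
# Live use: check_endpoint "$(cat /etc/systemd/network/wg0.netdev)" "$(wg show wg0)"
```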

[regression potential]

any change to systemd carries the potential for serious regressions. However, this is cherry-picked directly from upstream, and the releases requiring patching (disco and eoan) are at exactly the same version and already very close to upstream. Additionally, while this does add 2 new functions (from upstream commit https://github.com/systemd/systemd/pull/11580/commits/abd48ec87f2ac5dd571a99dcb4db88c4affdffc8), they are only used in, and code is only changed in, wireguard.c, so any regressions should be limited to wireguard interfaces (unless systemd crashes completely).

[other info]

this bug is not present in cosmic and earlier, and is already fixed in upstream systemd, so this is needed only for disco and eoan.

original description:

---

systemd/disco 240 shipped with Ubuntu 19.04 beta does not set endpoints for [WireGuardPeer] properly.

This regression was introduced in v241 and merged into v240.
systemd 241 doesn't set wireguard peer endpoint
https://github.com/systemd/systemd/issues/11579

Revert of the regression was landed on v240 stable branch
https://github.com/systemd/systemd-stable/pull/39

1)2) confirmed with,

systemd/disco 240-6ubuntu5 amd64

3)
put a netdev file /etc/systemd/network/wg0.netdev

---
[NetDev]
Name=wg0
Kind=wireguard

[WireGuard]
PrivateKey=**************
ListenPort=51820

[WireGuardPeer]
PublicKey=*************
AllowedIPs=10.0.0.0/8
Endpoint=192.168.1.1:51820
----

and run
---
# systemctl restart systemd-networkd
# wg show wg0

interface: wg0
  public key: *****************
  private key: (hidden)
  listening port: 51820

peer: *****************
  allowed ips: 10.0.0.0/8
----

4)
the last command should print remote endpoint address.
---
# wg show wg0

interface: wg0
  public key: *****************
  private key: (hidden)
  listening port: 51820

peer: *****************
  endpoint: 192.168.1.1:51820
  allowed ips: 10.0.0.0/8
----

Ko-Zu (causeless)
tags: added: regression
Revision history for this message
Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in systemd (Ubuntu):
status: New → Confirmed
Revision history for this message
John Doe (jdoefp) wrote :

Hi all, could the package maintainer(s) please take a look at this?

This breaks (almost) any WireGuard endpoint configured by systemd-networkd. Worse, it breaks them silently, which makes for a fun debugging adventure.

The fixed patch (https://github.com/systemd/systemd-stable/pull/39) has been applied upstream since early February, how did the broken one get backported without testing during a release freeze?

Dan Streetman (ddstreet)
Changed in systemd (Ubuntu Eoan):
status: Confirmed → In Progress
Changed in systemd (Ubuntu Disco):
status: New → In Progress
Changed in systemd (Ubuntu Eoan):
importance: Undecided → Medium
Changed in systemd (Ubuntu Disco):
importance: Undecided → Medium
Changed in systemd (Ubuntu Eoan):
assignee: nobody → Dan Streetman (ddstreet)
Changed in systemd (Ubuntu Disco):
assignee: nobody → Dan Streetman (ddstreet)
Revision history for this message
Dan Streetman (ddstreet) wrote :

@causeless, @jdoefp, can either of you review my SRU template info, especially the test case section, to make sure it is correct? I've reproduced locally but would like to make sure the steps I mentioned are correct.

description: updated
description: updated
tags: added: ddstreet-next
Revision history for this message
Ko-Zu (causeless) wrote :

This issue can be reproduced without a remote server. Thanks for the brushup.

description: updated
Revision history for this message
John Doe (jdoefp) wrote :

I don't have access to the affected systems at the moment, but the test case and your summary look correct.

Thanks for taking a look at this.

Dan Streetman (ddstreet)
Changed in systemd (Ubuntu Cosmic):
status: New → Invalid
Revision history for this message
Dan Streetman (ddstreet) wrote :
Changed in systemd (Ubuntu Eoan):
status: In Progress → Fix Committed
tags: added: patch
Dan Streetman (ddstreet)
tags: removed: ddstreet-next
Revision history for this message
Timo Aaltonen (tjaalton) wrote : Please test proposed package

Hello Ko-Zu, or anyone else affected,

Accepted systemd into disco-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/systemd/240-6ubuntu5.1 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested and change the tag from verification-needed-disco to verification-done-disco. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-disco. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping!

N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.

Changed in systemd (Ubuntu Disco):
status: In Progress → Fix Committed
tags: added: verification-needed verification-needed-disco
Revision history for this message
Ko-Zu (causeless) wrote :

Tested with disco-proposed and confirmed this issue has been resolved.

# apt list systemd
Listing... Done
systemd/disco-proposed,now 240-6ubuntu5.1 amd64 [installed]

tags: added: verification-done-disco
removed: verification-needed-disco
Revision history for this message
jrb0001 (jrb0001) wrote :

disco-proposed fixed it for me as well:
- Clean disco installation.
- Create .netdev file.
- reboot
--> Endpoint is not set.
- Update systemd from disco-proposed.
- reboot
--> Endpoint is set.

Dan Streetman (ddstreet)
tags: added: verification-done
removed: verification-needed
Revision history for this message
Dan Streetman (ddstreet) wrote :

autopkgtest failures for this upload analyzed in bug 1825997

Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package systemd - 240-6ubuntu9

---------------
systemd (240-6ubuntu9) eoan; urgency=medium

  * Fix typpo in storage test.
    File: debian/tests/storage
    https://git.launchpad.net/~ubuntu-core-dev/ubuntu/+source/systemd/commit/?id=f28aa5fe4ab175b99b6ea702559c59ca473b4ca8

  * Fix bashism
    File: debian/extra/dhclient-enter-resolved-hook
    https://git.launchpad.net/~ubuntu-core-dev/ubuntu/+source/systemd/commit/?id=0725c1169ddde4f41cacba7af3e546704e2206be

systemd (240-6ubuntu8) eoan; urgency=medium

  * Only restart resolved on changes in dhclient enter hook.
    This prevents spurious restarts of resolved on rebounds when
    the addresses did not change. (LP: #1805183)
    Author: Julian Andres Klode
    File: debian/extra/dhclient-enter-resolved-hook
    https://git.launchpad.net/~ubuntu-core-dev/ubuntu/+source/systemd/commit/?id=258893bae8cbb12670e4807636fe8f7e9fb5407a

  * Wait for cryptsetup unit to start, before stopping.
    Patch from cascardo. Plus small refactor for readability. (LP: #1814373)
    File: debian/tests/storage
    https://git.launchpad.net/~ubuntu-core-dev/ubuntu/+source/systemd/commit/?id=b65aa350be7e61c65927fbc0921a750fcfaa51cd

  * Wait for systemctl is-system-running state.
    File: debian/tests/boot-smoke
    https://git.launchpad.net/~ubuntu-core-dev/ubuntu/+source/systemd/commit/?id=776998f1f55c445b6e385cab69a4219c42d00838

systemd (240-6ubuntu7) eoan; urgency=medium

  * Revert "Add check to switch VTs only between K_XLATE or K_UNICODE"
    This reverts commit 60407728a1a453104e3975ecfdf25a254dd7cc44.
    Files:
    - debian/patches/Add-check-to-switch-VTs-only-between-K_XLATE-or-K_UNICODE.patch
    - debian/patches/Move-verify_vc_kbmode-to-terminal-util.c-as-vt_verify_kbm.patch
    https://git.launchpad.net/~ubuntu-core-dev/ubuntu/+source/systemd/commit/?id=18029ab5ff436bfb3b401f24cd1e3a4cf2a1579c

  * Cherrypick missing systemd-stable patches to unbreak wireguard peer endpoints.
    Signed-off-by: Dimitri John Ledkov <email address hidden> (LP: #1825378)
    Author: Dan Streetman
    Files:
    - debian/patches/network-wireguard-fixes-sending-wireguard-peer-setti.patch
    - debian/patches/network-wireguard-use-sd_netlink_message_append_sock.patch
    - debian/patches/sd-netlink-introduce-sd_netlink_message_append_socka.patch
    - debian/patches/test-network-add-more-checks-in-NetworkdNetDevTests..patch
    https://git.launchpad.net/~ubuntu-core-dev/ubuntu/+source/systemd/commit/?id=4046f515e40c4dc80d18d2303466737f1f451f11

  * Remove expected failure from passing test.
    Signed-off-by: Dimitri John Ledkov <email address hidden> (LP: #1829450)
    Author: Dan Streetman
    File: debian/tests/systemd-fsckd
    https://git.launchpad.net/~ubuntu-core-dev/ubuntu/+source/systemd/commit/?id=c43b12037d08555dc1d26593307726d7c7992df0

  * Fix false negative checking for running jobs after boot.
    Signed-off-by: Dimitri John Ledkov <email address hidden> (LP: #1825997)
    Author: Dan Streetman
    File: debian/tests/boot-smoke
    https://git.launchpad.net/~ubuntu-core-dev/ubuntu/+source/systemd/commit/?id=aeb01631efbaf3fe851dee15d496e0b66b5c347f

  * Cherrypick ask-password: prevent buffer ...


Changed in systemd (Ubuntu Eoan):
status: Fix Committed → Fix Released
Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package systemd - 240-6ubuntu5.1

---------------
systemd (240-6ubuntu5.1) disco; urgency=medium

  * d/p/ask-password-prevent-buffer-overrow-when-reading-fro.patch:
    - prevent buffer overflow when reading keyring (LP: #1814373)
  * d/p/network-wireguard-fixes-sending-wireguard-peer-setti.patch,
    d/p/test-network-add-more-checks-in-NetworkdNetDevTests..patch,
    d/p/sd-netlink-introduce-sd_netlink_message_append_socka.patch,
    d/p/network-wireguard-use-sd_netlink_message_append_sock.patch:
    - systemd doesn't set wireguard peer endpoint (LP: #1825378)
  * d/t/boot-smoke:
    - Fix false negative checking for running jobs after boot
      (LP: #1825997)

 -- Dan Streetman <email address hidden> Thu, 16 May 2019 06:07:49 -0400

Changed in systemd (Ubuntu Disco):
status: Fix Committed → Fix Released
Revision history for this message
Łukasz Zemczak (sil2100) wrote : Update Released

The verification of the Stable Release Update for systemd has completed successfully and the package has now been released to -updates. Subsequently, the Ubuntu Stable Release Updates Team is being unsubscribed and will not receive messages about this bug report. In the event that you encounter a regression using the package from -updates please report a new bug using ubuntu-bug and tag the bug report regression-update so we can easily find any regressions.

Revision history for this message
Jelle de Jong (jelledejong) wrote :

I can confirm this issue with systemd/bionic-updates, now 237-3ubuntu10.39 amd64.
Is there a way to get a bionic update as well?

This is a very annoying bug, as systemd-networkd integrates with systemd-resolve and wg-quick does not.

Revision history for this message
Dan Streetman (ddstreet) wrote :

> I can confirm this issue with systemd/bionic-updates

are you sure? The original cause of this bug isn't present in Bionic so if something isn't working for you, it probably is a new bug, not the same as this one.
