Using a preshared-key in a Wireguard interface

Hi! I’m trying to bring up a Wireguard interface with a peer having a preshared-key (obtained from wg genpsk and run generate wireguard preshared-key). But it seems the psk gets passed as a non-existing file to wg and therefore ends up not working - seems like a bug?:

[edit interfaces wireguard wg0]
vyos@vyos# show
 address x.x.x.x/24
+peer my_peer {
+    allowed-ips x.x.x.x/32
+    preshared-key PRESHARED_KEY...=
+    pubkey PUBKEY=
+}
 port 44509
[edit interfaces wireguard wg0]
vyos@vyos# commit
[ interfaces wireguard wg0 ]
VyOS had an issue completing a command.

We are sorry that you encountered a problem while using VyOS.
There are a few things you can do to help us (and yourself):
- Make sure you are running the latest version of the code available at
  https://downloads.vyos.io/rolling/current/amd64/vyos-rolling-latest.iso
- Consult the forum to see how to handle this issue
  https://forum.vyos.io
- Join our community on slack where our users exchange help and advice
  https://vyos.slack.com

When reporting problems, please include as much information as possible:
- do not obfuscate any data (feel free to contact us privately if your 
  business policy requires it)
- and include all the information presented below

Report Time:      2020-06-21 08:50:22
Image Version:    VyOS 1.3-rolling-202006201113
Release Train:    equuleus

Built by:         autobuild@vyos.net
Built on:         Sat 20 Jun 2020 11:13 UTC
Build UUID:       5e73a01f-a68a-47bd-8fdb-8909ef1d0f51
Build Commit ID:  bda222bba250b1

Traceback (most recent call last):
  File "/usr/libexec/vyos/conf_mode/interfaces-wireguard.py", line 327, in <module>
    apply(c)
  File "/usr/libexec/vyos/conf_mode/interfaces-wireguard.py", line 311, in apply
    w.update()
  File "/usr/lib/python3/dist-packages/vyos/ifconfig/wireguard.py", line 214, in update
    self._cmd(cmd)
  File "/usr/lib/python3/dist-packages/vyos/ifconfig/control.py", line 48, in _cmd
    return cmd(command, self.debug)
  File "/usr/lib/python3/dist-packages/vyos/util.py", line 179, in cmd
    raise OSError(code, feedback)
PermissionError: [Errno 1] failed to run command: wg set wg0 listen-port 44509 fwmark 0 private-key /config/auth/wireguard/default/private.key peer PUBKEY= preshared-key /config/auth/wireguard/psk  allowed-ips x.x.x.x/32 persistent-keepalive 0
returned: 
exit code: 1

noteworthy:
cmd 'wg set wg0 listen-port 44509 fwmark 0 private-key /config/auth/wireguard/default/private.key peer PUBKEY=  preshared-key /config/auth/wireguard/psk  allowed-ips x.x.x.x/32 persistent-keepalive 0'
returned (out):

returned (err):
fopen: No such file or directory

[[interfaces wireguard wg0]] failed
Commit failed
[edit interfaces wireguard wg0]

Hi,

I can’r reproduce the issue on the same image locally:

vyos@vyos# show interfaces wireguard
 wireguard wg0 {
     address 192.0.2.0/31
     peer tmp {
         allowed-ips 0.0.0.0/0
         preshared-key e+SIIUcrnrSDHhbTtpjwKhSlSdUALA5ZvoCjfQXcvmA=
         pubkey /qQGAQ2HfLSZBSCpdgps04r9wRlK7bSFraCH9+MScmw=
     }
     port 22222
 }

It looks like you wan’t to set a filename for the keys which is not supported. Please also check https://docs.vyos.io/en/latest/vpn/wireguard.html

1 Like

Thanks for the quick reply! I was setting the preshared-key to be a proper key value as yours (which I removed on the example config above). It seems it is being passed as /config/auth/wireguard/psk for some reason to wg, despite it being passed as a key string on the config, but I can’t get it to reproduce reliably.

It seems to happen mostly when updating an existing interface and adding a new peer, sometimes commit works, sometimes it fails there. It works when setting a new config from scratch but not all times when updating it. In some cases adding a new peer to a config that already has one with a set preshared-key seems to trigger it too. Here’s something on top of your example:

 wireguard wg9 {
     address 192.0.2.0/31
     peer tmp {
         allowed-ips 0.0.0.0/0
         persistent-keepalive 35
         preshared-key 2NicnHfa+sWUvF27gSDrVF0W9NYRO06Azz0AbpyXBFo=
         pubkey /qQGAQ2HfLSZBSCpdgps04r9wRlK7bSFraCH9+MScmw=
     }
     port 22222
 }
[edit interfaces]
vyos@vyos# set wireguard  wg9 peer tmp2 pubkey qCAOggioo7QlnSmoQ1t1ohd+LJjTVzxlByRupkhr3U8=
[edit interfaces]
vyos@vyos# set wireguard  wg9 peer tmp2 allowed-ips 10.33.33.0/24
[edit interfaces]
vyos@vyos# commit
[ interfaces wireguard wg9 ]
VyOS had an issue completing a command.

We are sorry that you encountered a problem while using VyOS.
There are a few things you can do to help us (and yourself):
- Make sure you are running the latest version of the code available at
  https://downloads.vyos.io/rolling/current/amd64/vyos-rolling-latest.iso
- Consult the forum to see how to handle this issue
  https://forum.vyos.io
- Join our community on slack where our users exchange help and advice
  https://vyos.slack.com

When reporting problems, please include as much information as possible:
- do not obfuscate any data (feel free to contact us privately if your 
  business policy requires it)
- and include all the information presented below

Report Time:      2020-06-22 08:26:25
Image Version:    VyOS 1.3-rolling-202006201113
Release Train:    equuleus
Built by:         autobuild@vyos.net
Built on:         Sat 20 Jun 2020 11:13 UTC
Build UUID:       5e73a01f-a68a-47bd-8fdb-8909ef1d0f51
Build Commit ID:  bda222bba250b1

Architecture:     x86_64
Boot via:         installed image
System type:      KVM guest

Hardware vendor:  QEMU
Hardware model:   Standard PC (Q35 + ICH9, 2009)
Hardware S/N:     
Hardware UUID:    3882df9c-5a40-4f22-8c6c-12d5e6097c00

Traceback (most recent call last):
  File "/usr/libexec/vyos/conf_mode/interfaces-wireguard.py", line 327, in <module>
    apply(c)
  File "/usr/libexec/vyos/conf_mode/interfaces-wireguard.py", line 311, in apply
    w.update()
  File "/usr/lib/python3/dist-packages/vyos/ifconfig/wireguard.py", line 214, in update
    self._cmd(cmd)
  File "/usr/lib/python3/dist-packages/vyos/ifconfig/control.py", line 48, in _cmd
    return cmd(command, self.debug)
  File "/usr/lib/python3/dist-packages/vyos/util.py", line 179, in cmd
    raise OSError(code, feedback)
PermissionError: [Errno 1] failed to run command: wg set wg9 listen-port 22222 fwmark 0 private-key /config/auth/wireguard/default/private.key peer qCAOggioo7QlnSmoQ1t1ohd+LJjTVzxlByRupkhr3U8=  preshared-key /config/auth/wireguard/psk  allowed-ips 10.33.33.0/24 persistent-keepalive 35
returned: 
exit code: 1

noteworthy:
cmd 'wg set wg9 listen-port 22222 fwmark 0 private-key /config/auth/wireguard/default/private.key peer qCAOggioo7QlnSmoQ1t1ohd+LJjTVzxlByRupkhr3U8=  preshared-key /config/auth/wireguard/psk  allowed-ips 10.33.33.0/24 persistent-keepalive 35'
returned (out):

returned (err):
fopen: No such file or directory

Happy to help if there’s somewhere else I can gather to debug this (not sure if there’s any internal state or any other debug log I can gather?)

@SteamedHams So it looks like PSKs are required for both peers to work not only one. This behavior was working in 1.2.

Progress tracked via: https://phabricator.vyos.net/T2632

This topic was automatically closed 2 days after the last reply. New replies are no longer allowed.