Hi! I’m trying to bring up a WireGuard interface with a peer that has a preshared-key (obtained from wg genpsk and run generate wireguard preshared-key). But it seems the PSK gets passed to wg as a non-existent file and therefore ends up not working - seems like a bug?
[edit interfaces wireguard wg0]
vyos@vyos# show
address x.x.x.x/24
+peer my_peer {
+ allowed-ips x.x.x.x/32
+ preshared-key PRESHARED_KEY...=
+ pubkey PUBKEY=
+}
port 44509
[edit interfaces wireguard wg0]
vyos@vyos# commit
[ interfaces wireguard wg0 ]
VyOS had an issue completing a command.
We are sorry that you encountered a problem while using VyOS.
There are a few things you can do to help us (and yourself):
- Make sure you are running the latest version of the code available at
https://downloads.vyos.io/rolling/current/amd64/vyos-rolling-latest.iso
- Consult the forum to see how to handle this issue
https://forum.vyos.io
- Join our community on slack where our users exchange help and advice
https://vyos.slack.com
When reporting problems, please include as much information as possible:
- do not obfuscate any data (feel free to contact us privately if your
business policy requires it)
- and include all the information presented below
Report Time: 2020-06-21 08:50:22
Image Version: VyOS 1.3-rolling-202006201113
Release Train: equuleus
Built by: autobuild@vyos.net
Built on: Sat 20 Jun 2020 11:13 UTC
Build UUID: 5e73a01f-a68a-47bd-8fdb-8909ef1d0f51
Build Commit ID: bda222bba250b1
Traceback (most recent call last):
File "/usr/libexec/vyos/conf_mode/interfaces-wireguard.py", line 327, in <module>
apply(c)
File "/usr/libexec/vyos/conf_mode/interfaces-wireguard.py", line 311, in apply
w.update()
File "/usr/lib/python3/dist-packages/vyos/ifconfig/wireguard.py", line 214, in update
self._cmd(cmd)
File "/usr/lib/python3/dist-packages/vyos/ifconfig/control.py", line 48, in _cmd
return cmd(command, self.debug)
File "/usr/lib/python3/dist-packages/vyos/util.py", line 179, in cmd
raise OSError(code, feedback)
PermissionError: [Errno 1] failed to run command: wg set wg0 listen-port 44509 fwmark 0 private-key /config/auth/wireguard/default/private.key peer PUBKEY= preshared-key /config/auth/wireguard/psk allowed-ips x.x.x.x/32 persistent-keepalive 0
returned:
exit code: 1
noteworthy:
cmd 'wg set wg0 listen-port 44509 fwmark 0 private-key /config/auth/wireguard/default/private.key peer PUBKEY= preshared-key /config/auth/wireguard/psk allowed-ips x.x.x.x/32 persistent-keepalive 0'
returned (out):
returned (err):
fopen: No such file or directory
[[interfaces wireguard wg0]] failed
Commit failed
[edit interfaces wireguard wg0]
Thanks for the quick reply! I was setting the preshared-key to a proper key value like yours (which I removed in the example config above). It seems it is being passed to wg as /config/auth/wireguard/psk for some reason, despite being given as a key string in the config, but I can’t get it to reproduce reliably.
It seems to happen mostly when updating an existing interface and adding a new peer; sometimes commit works, sometimes it fails there. It works when setting a new config from scratch, but not every time when updating it. In some cases adding a new peer to a config that already has one with a set preshared-key seems to trigger it too. Here’s something on top of your example:
wireguard wg9 {
address 192.0.2.0/31
peer tmp {
allowed-ips 0.0.0.0/0
persistent-keepalive 35
preshared-key 2NicnHfa+sWUvF27gSDrVF0W9NYRO06Azz0AbpyXBFo=
pubkey /qQGAQ2HfLSZBSCpdgps04r9wRlK7bSFraCH9+MScmw=
}
port 22222
}
[edit interfaces]
vyos@vyos# set wireguard wg9 peer tmp2 pubkey qCAOggioo7QlnSmoQ1t1ohd+LJjTVzxlByRupkhr3U8=
[edit interfaces]
vyos@vyos# set wireguard wg9 peer tmp2 allowed-ips 10.33.33.0/24
[edit interfaces]
vyos@vyos# commit
[ interfaces wireguard wg9 ]
VyOS had an issue completing a command.
We are sorry that you encountered a problem while using VyOS.
There are a few things you can do to help us (and yourself):
- Make sure you are running the latest version of the code available at
https://downloads.vyos.io/rolling/current/amd64/vyos-rolling-latest.iso
- Consult the forum to see how to handle this issue
https://forum.vyos.io
- Join our community on slack where our users exchange help and advice
https://vyos.slack.com
When reporting problems, please include as much information as possible:
- do not obfuscate any data (feel free to contact us privately if your
business policy requires it)
- and include all the information presented below
Report Time: 2020-06-22 08:26:25
Image Version: VyOS 1.3-rolling-202006201113
Release Train: equuleus
Built by: autobuild@vyos.net
Built on: Sat 20 Jun 2020 11:13 UTC
Build UUID: 5e73a01f-a68a-47bd-8fdb-8909ef1d0f51
Build Commit ID: bda222bba250b1
Architecture: x86_64
Boot via: installed image
System type: KVM guest
Hardware vendor: QEMU
Hardware model: Standard PC (Q35 + ICH9, 2009)
Hardware S/N:
Hardware UUID: 3882df9c-5a40-4f22-8c6c-12d5e6097c00
Traceback (most recent call last):
File "/usr/libexec/vyos/conf_mode/interfaces-wireguard.py", line 327, in <module>
apply(c)
File "/usr/libexec/vyos/conf_mode/interfaces-wireguard.py", line 311, in apply
w.update()
File "/usr/lib/python3/dist-packages/vyos/ifconfig/wireguard.py", line 214, in update
self._cmd(cmd)
File "/usr/lib/python3/dist-packages/vyos/ifconfig/control.py", line 48, in _cmd
return cmd(command, self.debug)
File "/usr/lib/python3/dist-packages/vyos/util.py", line 179, in cmd
raise OSError(code, feedback)
PermissionError: [Errno 1] failed to run command: wg set wg9 listen-port 22222 fwmark 0 private-key /config/auth/wireguard/default/private.key peer qCAOggioo7QlnSmoQ1t1ohd+LJjTVzxlByRupkhr3U8= preshared-key /config/auth/wireguard/psk allowed-ips 10.33.33.0/24 persistent-keepalive 35
returned:
exit code: 1
noteworthy:
cmd 'wg set wg9 listen-port 22222 fwmark 0 private-key /config/auth/wireguard/default/private.key peer qCAOggioo7QlnSmoQ1t1ohd+LJjTVzxlByRupkhr3U8= preshared-key /config/auth/wireguard/psk allowed-ips 10.33.33.0/24 persistent-keepalive 35'
returned (out):
returned (err):
fopen: No such file or directory
Happy to help if there’s anything else I can gather to debug this (not sure if there’s any internal state or any other debug log I can gather?)
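As the failing command in both tracebacks shows, `wg set ... preshared-key` takes a file path rather than the key string, so the file has to exist for the duration of the call. The following is an added example, not VyOS code and not part of the posts above: one way a wrapper can hand a PSK to `wg` through a private per-call temp file. All function names are hypothetical, and the `run` parameter is an assumption added so the logic can be exercised without a WireGuard interface.

```python
import base64
import os
import subprocess
import tempfile
from contextlib import contextmanager


def validate_wg_key(key: str) -> str:
    """WireGuard keys are 32 bytes, base64-encoded."""
    try:
        raw = base64.b64decode(key, validate=True)
    except ValueError as exc:  # binascii.Error is a ValueError subclass
        raise ValueError("key is not valid base64") from exc
    if len(raw) != 32:
        raise ValueError("key must decode to 32 bytes")
    return key


@contextmanager
def psk_file(psk: str, directory: str = None):
    """Write the PSK to a unique 0600 file that lives for the whole wg call."""
    validate_wg_key(psk)
    fd, path = tempfile.mkstemp(prefix="wg-psk-", dir=directory)  # mode 0600
    try:
        with os.fdopen(fd, "w") as f:
            f.write(psk + "\n")
        yield path
    finally:
        os.unlink(path)  # do not leave key material behind


def build_peer_cmd(ifname, pubkey, allowed_ips, psk_path=None):
    """Build the argv list; refuse a PSK path that wg could not fopen()."""
    cmd = ["wg", "set", ifname, "peer", validate_wg_key(pubkey)]
    if psk_path is not None:
        if not os.path.isfile(psk_path):
            raise FileNotFoundError(psk_path)
        cmd += ["preshared-key", psk_path]
    return cmd + ["allowed-ips", allowed_ips]


def set_peer(ifname, pubkey, allowed_ips, psk=None, run=subprocess.run):
    """Apply one peer; the PSK file exists only while `run` executes."""
    if psk is None:
        return run(build_peer_cmd(ifname, pubkey, allowed_ips), check=True)
    with psk_file(psk) as path:
        return run(build_peer_cmd(ifname, pubkey, allowed_ips, path), check=True)
```

Passing the command as an argv list also keeps key and peer values out of shell parsing.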