Setting up Wireguard on Fedora 39 Silverblue

I’d like to set up wireguard with wg-quick as a systemctl service.

I followed the instructions at Chapter 8. Setting up a WireGuard VPN Red Hat Enterprise Linux 9 | Red Hat Customer Portal (as well as those at Build a virtual private network with Wireguard - Fedora Magazine) and when I tried bringing the service up, I got

Dec 03 12:11:28 pi wg-quick[124827]: wg-quick: `/etc/wireguard/wg0.conf' does not exist
Dec 03 12:11:28 pi systemd[1]: wg-quick@wg0.service: Main process exited, code=exited, status=1/FAILURE
Dec 03 12:11:28 pi systemd[1]: wg-quick@wg0.service: Failed with result 'exit-code'.
Dec 03 12:11:28 pi systemd[1]: Failed to start wg-quick@wg0.service - WireGuard via wg-quick(8) for wg0.
# ll /etc/wireguard/wg0.conf
-rw-r--r--. 1 root root 233 Dec  3 12:05 /etc/wireguard/wg0.conf
# ll $(which wg-quick)
-rwxr-xr-x. 3 root root 13464 Jan  1  1970 /usr/bin/wg-quick

Feels like I’m missing something obvious here…

Solution: start firewalld and bring up the wireguard interface before trying to enable the service :person_shrugging:

systemctl start firewalld
wg-quick up wg0
systemctl enable wg-quick@wg0

Unsolving: the above command completed, but the service still doesn’t start

# systemctl status wg-quick@wg0.service
× wg-quick@wg0.service - WireGuard via wg-quick(8) for wg0
     Loaded: loaded (/usr/lib/systemd/system/wg-quick@.service; enabled; preset: disabled)
    Drop-In: /usr/lib/systemd/system/service.d
             └─10-timeout-abort.conf
     Active: failed (Result: exit-code) since Sun 2023-12-03 15:33:44 IST; 18s ago
       Docs: man:wg-quick(8)
             man:wg(8)
             https://www.wireguard.com/
             https://www.wireguard.com/quickstart/
             https://git.zx2c4.com/wireguard-tools/about/src/man/wg-quick.8
             https://git.zx2c4.com/wireguard-tools/about/src/man/wg.8
    Process: 411182 ExecStart=/usr/bin/wg-quick up wg0 (code=exited, status=1/FAILURE)
   Main PID: 411182 (code=exited, status=1/FAILURE)
        CPU: 21ms

Dec 03 15:33:44 pi systemd[1]: Starting wg-quick@wg0.service - WireGuard via wg-quick(8) for wg0...
Dec 03 15:33:44 pi wg-quick[411182]: wg-quick: `/etc/wireguard/wg0.conf' does not exist
Dec 03 15:33:44 pi systemd[1]: wg-quick@wg0.service: Main process exited, code=exited, status=1/FAILURE
Dec 03 15:33:44 pi systemd[1]: wg-quick@wg0.service: Failed with result 'exit-code'.
Dec 03 15:33:44 pi systemd[1]: Failed to start wg-quick@wg0.service - WireGuard via wg-quick(8) for wg0.

This looks like the problem, but you showed the file exists. Could you share the contents of the file?

Perhaps SELinux is in the way? What does ls -lZ /etc/wireguard/wg0.conf say? Or what does sudo ausearch -m avc report?

❯ sudo ls -lZ /etc/wireguard/wg0.conf
-rw-r--r--. 1 root root unconfined_u:object_r:etc_t:s0 499 Dec  3 15:25 /etc/wireguard/wg0.conf
❯ sudo ausearch -m avc
time->Wed Nov 29 02:00:25 2023
type=AVC msg=audit(1701216025.796:132): avc:  denied  { dac_override } for  pid=1179 comm="wg-quick" capability=1  scontext=system_u:system_r:wireguard_t:s0 tcontext=system_u:system_r:wireguard_t:s0 tclass=capability permissive=0
root@pi:/etc/wireguard# semanage fcontext -a -t wireguard_t '/etc/wireguard(/.*)?'

ValueError: Type wireguard_t is invalid, must be a file or device type

SELinux strikes again! I would recommend filing a bug with Fedora SELinux folks about this denial - Log in to Red Hat Bugzilla

On my F39 host, I only have two wireguard specific SELinux file contexts:

$ sudo semanage fcontext -l | grep wireguard
/usr/bin/wg-quick                                  regular file       system_u:object_r:wireguard_exec_t:s0 
/usr/lib/systemd/system/wg-quick@\.service         regular file       system_u:object_r:wireguard_unit_file_t:s0 

Neither seem appropriate for a config file in /etc/wireguard.

I do have a /etc/wireguard directory, though. Perhaps etc_t is a better type for /etc/wireguard/wg0.conf?

$ sudo ls -alZ /etc/wireguard/
total 12
drwx------.   2 root root system_u:object_r:etc_t:s0    6 Dec  2 11:51 .
drwxr-xr-x. 138 root root system_u:object_r:etc_t:s0 8192 Dec  2 11:53 ..

(Or not…I’m a bit out of my SELinux comfort zone)

Hmm I have etc_t on that file as well, though, right?

/usr/bin/wg-quick is just a shell script using [[ -e $CONFIG_FILE ]].

Are you tab-completing the path to wg0.conf? Is it possible that there’s something like a non-printable character hidden in there? Slipping a ZWNJ (U+200C) into the filename yields the results you’re seeing.

No Unicode tricks,I checked

Oops, I missed that.

As a workaround, you could try using audit2allow to generate a SELinux policy modification. I grabbed the denial message and used it locally:

$ cat audit.log 
type=AVC msg=audit(1701216025.796:132): avc:  denied  { dac_override } for  pid=1179 comm="wg-quick" capability=1  scontext=system_u:system_r:wireguard_t:s0 tcontext=system_u:system_r:wireguard_t:s0 tclass=capability permissive=0
$ audit2allow -i audit.log -m local > local.te
$ cat local.te 

module local 1.0;

require {
        type wireguard_t;
        class capability dac_override;
}

#============= wireguard_t ==============
allow wireguard_t self:capability dac_override;
$ checkmodule -M -m -o local.mod local.te
$ semodule_package -o local.pp -m local.mod
$ semodule -i local.pp

See the man page for audit2allow for more details.

I would strongly encourage you to file that selinux-policy issue…there could be something we are missing here.

WireGuard works fine for me using NetworkManager and systemd-networkd.

https://bugzilla.redhat.com/show_bug.cgi?id=2252895

1 Like

that’s fine but i’d like to follow the official howto

From that BZ, it looks like the permissions on /etc/wireguard were incorrect:

# ls -ld / /etc /etc/wireguard/
drwxr-xr-x. 1 root root  158 Dec  5 08:33 /
drwxr-xr-x. 1 root root 4112 Nov 29 02:00 /etc
d-w-------. 1 root root   84 Dec  5 09:18 /etc/wireguard/

The suggested workaround was to run rpm --restore wireguard-tools, but that’s not going to work on an Silverblue system:

$ sudo rpm --restore wireguard-tools
error: can't create transaction lock on /usr/share/rpm/.rpm.lock (Read-only file system)

I think it should be possible to just sudo chmod u+r /etc/wireguard and that would fix the permissions correctly. YMMV.

For Silverblue, one can check /usr/etc:

ls -ld /usr/etc/wireguard

The correct permission appears to be 0700.