This repository has been archived by the owner on Jun 4, 2021. It is now read-only.

wg0-client.conf Wireguard script fails with Ubuntu 16.10 *client* #557

Closed
fghorow opened this issue Mar 29, 2017 · 15 comments · Fixed by EggieCode/wireguard-ppa#12
Labels: area/wireguard, kind/client, status/blocked/dep (for items blocked on an external dependency, often Ansible)

Comments


fghorow commented Mar 29, 2017

A newly re-installed Ubuntu 16.04 Streisand server supplies a wg0-client.conf file for wireguard that fails under an Ubuntu 16.10 client.

The line:
PostUp = echo nameserver 10.192.122.1 | resolvconf -a %i -m 0 -x
adds a file /run/resolvconf/interfaces/wg0-client (N.B. no '.wg-quick' or somesuch postfix as suggested by resolvconf doco) containing the appropriate nameserver line. However, the info in that file is not propagated into /run/resolvconf/resolv.conf (which, in turn, is symlinked to by the traditional /etc/resolv.conf file).

Additionally, when the interface wg0-client is showing in ifconfig with address 10.192.122.2, pinging 10.192.122.1 fails with Destination Host Unreachable. The routing table shows nothing related to the 10.192.122.0/24 subnet.

Now, my setup is admittedly a little off (I'm running dnsmasq on my Ubuntu 16.10 box), but I'm unsure if that has anything to do with the problems above.

Also, the -m 0 -x options to resolvconf are not documented in any of the manpage, the resolvconf script itself, or the Ubuntu README file, as far as I can tell. Where the heck is the doco for those options???

Any hints on configuration would be greatly appreciated!

Contributor

zx2c4 commented Mar 30, 2017

> Also, the -m 0 -x options to resolvconf are not documented in any of the manpage, the resolvconf script itself, or the Ubuntu README file, as far as I can tell. Where the heck is the doco for those options???

Documentation on resolvconf -m 0 -x: http://manpages.ubuntu.com/manpages/xenial/man8/resolvconf.8.html .

     -m metric
             Set the metric of the interface when adding it, default of 0.
             Lower metrics take precedence.  This affects the default order of
             interfaces when listed.

     -x      Mark the interface resolv.conf as exclusive when adding,
             otherwise only use the latest exclusive interface.

> Now, my setup is admittedly a little off (I'm running dnsmasq on my Ubuntu 16.10 box), but I'm unsure if that has anything to do with the problems above.

If you've got something explicitly directing your nameservers to localhost for use with dnsmasq, then indeed this is your problem.

Author

fghorow commented Mar 30, 2017

Thanks for that. Evidently my manpage for resolvconf (8) is obsolete...

Author

fghorow commented Mar 30, 2017

Nope. It wasn't obsolete. There are 2 packages in Ubuntu providing resolvconf. The one you want is openresolv. I originally had resolvconf -- which I'm guessing is installed by default on 16.10 since I don't recall specifying one or the other... That fixes the DNS issue, now to muck around with the routing...

fghorow closed this as completed Mar 30, 2017
fghorow reopened this Mar 30, 2017

Contributor

zx2c4 commented Mar 30, 2017

@EggieCode @cryptofuture - I don't know how to analyze this discovery. In your opinion, should the Ubuntu WireGuard package explicitly depend on openresolv? Or is this just some random guy's misconfiguration? Can you look into the interaction between these different elements on Ubuntu?

@cryptofuture

Most of the time you don't need to use resolvconf or openresolv with wireguard at all.
Moreover, resolvconf is the default in Ubuntu, and openresolv conflicts with the resolvconf package. And most software presumes the resolvconf package is installed.
I have no idea how far openresolv and resolvconf are compatible with each other (both provide a resolvconf binary), but it would not be right to add openresolv with the package, since it's always better to stay with the default, in my opinion.
Could you provide your full config, @fghorow?

Author

fghorow commented Mar 30, 2017

I just experimented a bit with openresolv installed instead of resolvconf on Ubuntu 16.10. I'd recommend against making that the default, since it left the DNS situation being served by dnsmasq in an unusable state prior to any invocation of wg-quick.

@cryptofuture ? Do you mean the config state of my wg0-client.conf script? It's what is supplied by Streisand as the config for a remote client. (It contains keys, and endpoint IP numbers, so I'm not going to post it publicly...) What other details do you want?

Contributor

zx2c4 commented Mar 30, 2017

> I just experimented a bit with openresolv installed instead of resolvconf on Ubuntu 16.10. I'd recommend against making that the default, since it left the DNS situation being served by dnsmasq in an unusable state prior to any invocation of wg-quick.

Sounds like uninformed FUD. The reason you're having issues is that you haven't configured it properly for use with dnsmasq.

Author

fghorow commented Mar 30, 2017

> Sounds like uninformed FUD.

@zx2c4? Can we please try to remain civil? I'm 100% certain that I want to try your code. I admit to struggling a bit. Your advice on checking my dnsmasq configuration will be followed when I have a chance.

As far as I can tell, Streisand aspires to making all of its config straightforward. I am simply reporting my struggles with config as I go along.

Please don't alienate your testers.

Contributor

zx2c4 commented Mar 30, 2017

Fair enough. I assume if you're using dnsmasq, then you want your /etc/resolv.conf to always say 127.0.0.1. Probably you can get this by populating the name_servers field in /etc/resolvconf.conf.


cryptofuture commented Mar 30, 2017

> It's what is supplied by Streisand as the config for a remote client.

Found it
I'll try to check configs in 16.10.x.


cryptofuture commented Mar 31, 2017

I found the problem. Basically, wg* interfaces are not in the resolvconf scope, while the resolvconf package is commonly used in Debian/Ubuntu.

:/etc/resolvconf/interface-order
# interface-order(5)
lo.inet6
lo.inet
lo.@(dnsmasq|pdnsd)
lo.!(pdns|pdns-recursor)
lo
+wg*
tun*
tap*
hso*
em+([0-9])?(_+([0-9]))*
p+([0-9])p+([0-9])?(_+([0-9]))*
@(br|eth)*([^.]).inet6
@(br|eth)*([^.]).ip6.@(dhclient|dhcpcd|pump|udhcpc)
@(br|eth)*([^.]).inet
@(br|eth)*([^.]).@(dhclient|dhcpcd|pump|udhcpc)
@(br|eth)*
@(ath|wifi|wlan)*([^.]).inet6
@(ath|wifi|wlan)*([^.]).ip6.@(dhclient|dhcpcd|pump|udhcpc)
@(ath|wifi|wlan)*([^.]).inet
@(ath|wifi|wlan)*([^.]).@(dhclient|dhcpcd|pump|udhcpc)
@(ath|wifi|wlan)*
ppp*
*

Helps.
Not sure it will be easy to move wg* naming upstream. However, I can hack interface-order in the package, or we could just switch to tunwg naming, but that could be misleading for users.

Note: Sure, it's possible to edit interface-order in the PPA, but such things are surely prohibited by Debian upstream policy. And as for the package, we are not providing any sample configs right now, and even what we removed had the resolvconf line commented out. So it may be enough just to add a note to the quick start on the wireguard website.
Also, there is no -m -x in the original resolvconf, so it could be misleading too. At the same time, it just ignores extra params, so only the resolvconf -a interface part matters.
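
Added example (not part of the thread and not resolvconf's own code): a simplified model of the first-matching-pattern ordering that interface-order describes, showing where the `wg0-client` record lands with and without the `wg*` line from the comment above. The function name `resolv_order`, the plain-glob subset of the pattern file, and the two LAN resolver addresses are assumptions constructed for illustration; only 10.192.122.1 comes from the issue.

```shell
#!/bin/sh
# Simplified model: each record is placed by the FIRST interface-order pattern
# it matches, so earlier lines take precedence in the resulting nameserver list.
# Constructed subset of the file above, plain globs only (the real file also
# uses extended globs such as @(br|eth)*, which plain sh cannot match).
ORDER_HEAD='# interface-order(5)
lo.inet6
lo.inet
lo'
ORDER_TAIL='tun*
tap*
eth*
wlan*
ppp*
*'
ORDER_STOCK="$ORDER_HEAD
$ORDER_TAIL"
ORDER_PATCHED="$ORDER_HEAD
wg*
$ORDER_TAIL"

# resolv_order PATTERNS NAME=NAMESERVER...
# Prints the nameservers in the order the pattern list assigns to the records.
resolv_order() (
    patterns=$1; shift
    placed=" "; out=""
    while IFS= read -r pat; do
        case $pat in ''|'#'*) continue ;; esac            # skip blanks, comments
        for rec in "$@"; do
            name=${rec%%=*}; ns=${rec#*=}
            case $placed in *" $name "*) continue ;; esac  # already listed
            case $name in
                $pat) placed="$placed$name "; out="$out$ns " ;;
            esac
        done
    done <<EOF
$patterns
EOF
    printf '%s\n' "${out% }"
)

# Constructed records, named as "resolvconf -a <name>" would store them.
RECORDS="eth0.dhclient=192.168.1.1 wlan0.dhclient=192.168.43.1 wg0-client=10.192.122.1"
echo "stock:   $(resolv_order "$ORDER_STOCK" $RECORDS)"
echo "patched: $(resolv_order "$ORDER_PATCHED" $RECORDS)"
```

In the stock ordering the tunnel's resolver only matches the catch-all `*` and sorts behind the LAN resolvers; with `wg*` placed ahead of `tun*` it is listed first.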

Collaborator

cpu commented Apr 7, 2017

@cryptofuture I agree this seems like something worth pursuing with upstream of your resolvconf package. Have you opened a bug with them?

cpu added the status/blocked/dep label Apr 7, 2017

Contributor

zx2c4 commented Apr 7, 2017

@cryptofuture Debian's resolvconf is limited and bad. What people actually want is openresolv, which "provides" resolvconf. So, just make the Ubuntu package depend on openresolv, and it should transparently replace resolvconf.


cryptofuture commented Apr 7, 2017

> So, just make the Ubuntu package depend on openresolv, and it should transparently replace resolvconf.

k, I'll change to openresolv for now.
Does anyone know where the real resolvconf upstream is? I'll try to create a bug in Debian/Ubuntu today.
UPD (vote it): https://bugs.launchpad.net/ubuntu/+source/resolvconf/+bug/1680811
Sent to Debian too, but didn't see a mail rejection or updates on the bug page.

Contributor

zx2c4 commented Apr 15, 2017

This appears to have been fixed with EggieCode/wireguard-ppa#12. I believe you can now close this ticket, unless @fghorow wants to confirm.
