Creating wireguard connection on network manager snap

Hi,

I am working with wireguard and network manager. When I tested it on Ubuntu Server with the network manager apt package, it works fine.

I run

    sudo nmcli c add type wireguard ifname nm-tur con-name nm-tur

My goal is to get it to work on Ubuntu Core. So, I used the network manager snap. But I am not able to add any wireguard interface connection using the snap package. I keep getting

"failure adding connection: keyfile writer produces an invalid connection: cannot access file: No such file or directory"

I have seen a bug report relating to this issue: https://www.mail-archive.com/ubuntu-bugs@lists.ubuntu.com/msg6001597.html

Is the snap package out of sync with the apt package?

Can someone help me with this?

Thanks in advance

Can I create a pull request to the network manager snap?

One of the main issues with wireguard and the network-manager snap is that, when wireguard creates a new connection using "wg-quick up", it creates a YAML file in /etc/netplan.

The generated config file is in the wrong format. Since the network manager snap works with netplan YAML files, upon reboot it fails to convert these YAML files in /etc/netplan to key files. So, it removes all of its connections from the /etc/netplan folder. So, when I reboot I am left with no wifi connections or ethernet connections.

This is the netplan generated by wireguard:

  network:
    version: 2
    tunnels:
      nm-name:
        renderer: NetworkManager
        addresses:
        - "<address>"
        ipv6-address-generation: "stable-privacy"
        networkmanager:
          uuid: "<uuid>"
          name: "<name>"
          passthrough:
            connection.type: "wireguard"
            connection.autoconnect: "false"
            connection.permissions: ""
            connection.timestamp: "1647848473"
            wireguard.listen-port: "59015"
            wireguard-peer.<peer-id>.endpoint: ""
            ipv4.dns-priority: "100"
            ipv4.dns-search: ""
            ipv6.dns-priority: "100"
            ipv6.dns-search: ""
            ipv6.method: "ignore"
            proxy._: ""

When I try running netplan generate, it says that the mode and keys fields are missing. Even when I do add them, it doesn’t work.

cc @abeato who may be able to answer questions about the network-manager snap for you

@rahul-tt just today we released a new network-manager snap (1.22.10-11) that includes some netplan fixes, could you please try that one?

Also, which ubuntu server version are you using?

And of course you can create PRs for the snap :slight_smile:. This is the repo: lp:~snappy-hwe-team/snappy-hwe-snaps/+git/network-manager : Git : Code : snappy-hwe-snaps

cc @slyon

Yes, this sounds a lot like LP: #1962297, which should be fixed in Jammy and Focal. So I’m wondering which version of Ubuntu Server (and which version of netplan.io) is being used here?

(Impish to be fixed soon via LP: #1964481)

Hi @abeato ,

I am using Ubuntu server 20.04 and Ubuntu core 20.

Hi @slyon @abeato,
I did try it with the latest release of network manager 1.22.10.-11, but I still get the same error after I create a wireguard interface, and when I run netplan generate I get:

Error in network definition: nm-name: missing ‘mode’ property for tunnel renderer: NetworkManager

@rahul-tt could you please check your netplan version using apt list *netplan* to check if you’re on >= 0.103-0ubuntu5~20.04.6 already? Phased updates could potentially have delayed this update, as it’s still pretty fresh.

Hi, yeah, I am in that revision

netplan.io/focal-updates,now 0.103-0ubuntu5~20.04.6 arm64 [installed,automatic]

Hmm… interesting. And are you sure this broken YAML file was actually produced by netplan 0.103-0ubuntu5~20.04.6? Or could it be that this was generated during some earlier testing and is a left-over in /etc/netplan/?

As with the fix/changes from https://github.com/canonical/netplan/pull/247 this version of netplan should not create any tunnel: definitions anymore using the NM snap, but instead put it into a nm-devices: section.

Can you try deleting the broken YAML file from /etc/netplan/ (or clear all of /etc/netplan/*.yaml) and try again? If that doesn’t work, could you please report a bug with all the details and steps how to reproduce at https://bugs.launchpad.net/ubuntu/+source/netplan.io/+filebug so I can try to reproduce once I find some time?
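A pre-reboot check for the failure mode discussed in this thread, as an added example that is not part of any post or of netplan itself: it flags `tunnels:` entries that lack the `mode` property that `netplan generate` complains about. The sample YAML is constructed from the file quoted earlier, the function and script names are hypothetical, and the scan is a simplified indentation-based reader, not a full YAML parser.

```python
import re
import sys

# Constructed sample modelled on the YAML quoted earlier in the thread.
BROKEN = """\
network:
  version: 2
  tunnels:
    nm-name:
      renderer: NetworkManager
      addresses:
      - "10.0.0.5/32"
      networkmanager:
        uuid: "00000000-0000-0000-0000-000000000000"
        passthrough:
          connection.type: "wireguard"
"""
# Constructed: the same entry under nm-devices:, as the fixed netplan writes it.
FIXED = BROKEN.replace("  tunnels:", "  nm-devices:")

# A "key:" line in block-style YAML; list items and comments do not match.
KEY_LINE = re.compile(r"^( *)([^\s#:-][^:]*):(?:\s.*)?$")

def tunnels_missing_mode(yaml_text):
    """Return names under network.tunnels that have no `mode` key."""
    stack = []    # (indent, key) pairs from the root to the current line
    tunnels = {}  # tunnel name -> True once its `mode` key has been seen
    for line in yaml_text.splitlines():
        m = KEY_LINE.match(line)
        if not m:
            continue
        indent, key = len(m.group(1)), m.group(2).strip()
        while stack and stack[-1][0] >= indent:
            stack.pop()
        stack.append((indent, key))
        path = [k for _, k in stack]
        if path[:2] == ["network", "tunnels"]:
            if len(path) == 3:
                tunnels.setdefault(key, False)
            elif len(path) == 4 and key == "mode":
                tunnels[path[2]] = True
    return sorted(name for name, seen in tunnels.items() if not seen)

if __name__ == "__main__":
    # Usage (hypothetical script name): python3 check_tunnels.py /etc/netplan/*.yaml
    for path in sys.argv[1:]:
        with open(path, encoding="utf-8") as fh:
            for name in tunnels_missing_mode(fh.read()):
                print(f"{path}: tunnel '{name}' has no 'mode' property")
```

Running it over /etc/netplan/*.yaml before a reboot shows whether any file would still trip the error that leaves the system without its wifi and ethernet connections.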

Hi, The way this netplan is generated is using wireguard, using:

wg-quick up file.conf

This basically does:

ip link add dev type wireguard

…and some more steps

This creates a netplan yaml, which is shown above. I have deleted all the netplan in /etc/netplan folder and tried it again. But it keeps generating the same netplan. :frowning:

The NM snap I am using is on arm64 CM4; is that an issue?

I will send you a setup file with which you can reproduce the issue I have and I will report a bug.

Hi @slyon;

Here are the steps to recreate the issue I have:

- Install network manager snap:
    sudo snap install network-manager

- Remove network manager that is installed as apt package (if any):
    sudo apt remove network-manager

- Install wireguard and wireguard tools:
    sudo apt install wireguard wireguard-tools

- Create a wireguard conf file in /etc/wireguard in the format:
    Ref: https://www.wireguard.com/quickstart/
    #########
    [Interface]
    Address = 10.0.0.5/32
    PrivateKey = <private key>


    [Peer]
    PublicKey = <public key>
    AllowedIPs = 10.0.0.0/24
    Endpoint = < end point>
    PersistentKeepalive = 20
    ##########

- Bring up this connection:
    sudo wg-quick up <conf file name>

    This would perform the following steps:
    [#] ip link add <conf file name> type wireguard
    [#] wg setconf <conf file name> /dev/fd/63
    [#] ip -4 address add 10.0.0.5/32 dev <conf file name>
    [#] ip link set mtu 1420 up dev <conf file name>
    [#] ip -4 route add 10.0.0.0/24 dev <conf file name>


- This creates a NM snap connection which would be active and also creates a netplan in /etc/netplan:

- Run netplan generate, this would fail because the netplan generated is in wrong format:
    sudo netplan generate

- Reboot the system:

- Upon reboot you will observe that the wifi is down:
    nmcli d
    nmcli c

- To recover, remove the files related to wireguard at /etc/netplan:
    sudo wg-quick down <conf file name>

- Reload NM connections:
    sudo nmcli c reload

I have created a bug report too

I hope this issue gets resolved fast :slight_smile:

1 Like

Thank you very much for the detailed information in LP: #1966047 @rahul-tt this is much appreciated!

I have been thinking about this a lot as I cannot understand how it would still create a tunnels: stanza on the latest version of netplan. But I think I found an explanation now:

The NM snap is not actually using the netplan version installed on your Focal Server system, but rather the netplan version in the “core20” base snap (which lags behind focal-updates a bit). netplan v0.103-0ubuntu5~20.04.6 already landed in focal-updates, but not yet in core20’s latest/stable channel.

Could you please try to refresh your “core20” base snap to version “20220318” that is currently in the “latest/candidate” channel and try to reproduce again? This should fix the issue IMO!

Hi @slyon,

I moved core20 to the candidate channel and now it creates the right netplan with nm-devices. Thanks for the help. :slight_smile: Do you know when this would be pushed into stable?

1 Like

Sweet! I cannot say for sure when it is being pushed into the stable channel. AFAIK this is a manual process. It apparently just moved to candidate today, so I assume they’re running a bunch of tests and it should land in stable within the next 1-2 weeks.

Hi @slyon,

I encountered a new issue yet again :rofl: When wireguard creates a new interface, the netplan.io creates a new netplan with a new uuid, right?

But when it creates the same interface again, shouldn’t the netplan.io say that it already exists, and not create a new connection?

But it creates a new network-manager connection every time. So the /etc/netplan is piled up with netplans. Do you know how this can be fixed?

This is my “nmcli c” output:

    NAME                UUID                                  TYPE       DEVICE
    Turf Tank Dev       f2030c26-2bc2-4ba7-a20c-03a3766c56c1  wifi       wlan0
    nm-bLjAroHd         b2134dd5-c51e-4200-afb5-6350b1bda893  wireguard  nm-bLjAroHd
    nm-turftank         c3f9ff2f-cc3f-407d-b564-2dc4cfcd0e7b  wireguard  nm-turftank
    Wired connection 1  0da86665-c11b-39a2-95c7-0d638b64b62c  ethernet   --
    nm-bLjAroHd         eac018d7-9acc-429e-87df-dc1488aaa3ec  wireguard  --
    nm-bLjAroHd         aae1a1a5-b800-4934-98d2-994f008dcb1a  wireguard  --
    nm-bLjAroHd         a823f35a-25ed-4675-b213-97c7bca36cb0  wireguard  --
    nm-turftank         ff4937f3-28f3-46f5-bb7f-1529b5510a66  wireguard  --

Also, when the wireguard interfaces are deleted the netplans in the /etc/netplan folders are not removed. This is also one of the reasons for the piling up of netplans.

@rahul-tt I think what you’re seeing might actually be described here: https://bugs.launchpad.net/netplan/+bug/1998207 and we’ve fixed it recently via https://github.com/snapcore/network-manager-snap/pull/15 (The fix should soon be included in the 22/edge channel of the network-manager snap).

Could you give the exact steps/commands of how to reproduce this (i.e. how to instruct WireGuard to create those new interfaces)? So I can try to reproduce.