Environment
This is an Ubuntu 22.04.5 VPS server. Wireguard uses tuntap instead of the kernel module.
Script
/etc/wireguard/gw0.sh can start wireguard correctly when run from the command line:
#!/bin/bash
# cleanup: remove any interface and NAT rule left over from a previous run
# (errors such as "Cannot find device" are expected on a clean boot)
echo "$(date) - cleanup"
/usr/sbin/ip link del gw0 2>&1
/usr/sbin/iptables -t nat -D POSTROUTING -s 10.0.0.0/24 -o venet0 -j MASQUERADE 2>&1
# setup: wireguard-go creates the tun device itself and then forks into the background
echo "$(date) - setup"
#/usr/sbin/ip tuntap add dev gw0 mode tun
/usr/bin/wireguard gw0 2>&1
/usr/sbin/ip a add 10.0.0.1/24 dev gw0
/usr/bin/wg set gw0 listen-port 12345
/usr/bin/wg set gw0 private-key /etc/wireguard/gw0.key
# wg0
/usr/bin/wg set gw0 peer <wg0 key> allowed-ips 10.0.0.2/32
# wg1
/usr/bin/wg set gw0 peer <wg1 key> allowed-ips 10.0.0.3/32
# start: bring the interface up and NAT the tunnel subnet out of venet0
echo "$(date) - start"
/usr/sbin/ip link set gw0 up 2>&1
/usr/sbin/iptables -t nat -A POSTROUTING -s 10.0.0.0/24 -o venet0 -j MASQUERADE 2>&1
# end
echo "$(date) - end"
exit 0
Output:
# /etc/wireguard/gw0.sh
Thu Dec 5 10:03:32 EST 2024 - cleanup
Cannot find device "gw0"
Thu Dec 5 10:03:32 EST 2024 - setup
┌──────────────────────────────────────────────────────┐
│ │
│ Running wireguard-go is not required because this │
│ kernel has first class support for WireGuard. For │
│ information on installing the kernel module, │
│ please visit: │
│ https://www.wireguard.com/install/ │
│ │
└──────────────────────────────────────────────────────┘
Thu Dec 5 10:03:32 EST 2024 - start
Thu Dec 5 10:03:33 EST 2024 - end
Systemd service
/etc/systemd/system/gw0.service:
[Unit]
Description = Start Wireguard gw0
After = network-online.target
Wants = network-online.target
[Service]
Type = oneshot
ExecStart = /usr/bin/bash -c "/etc/wireguard/gw0.sh >> /tmp/gw0.log"
[Install]
WantedBy=multi-user.target
Starting the service always results in a timeout error and no wireguard process:
# systemctl start gw0.service
Job for gw0.service failed because a timeout was exceeded.
See "systemctl status gw0.service" and "journalctl -xeu gw0.service" for details.
# systemctl status gw0.service
× gw0.service - Start Wireguard gw0
Loaded: loaded (/etc/systemd/system/gw0.service; disabled; vendor preset: enabled)
Active: failed (Result: timeout) since Thu 2024-12-05 10:12:07 EST; 34s ago
Process: 95515 ExecStart=/usr/bin/bash -c /etc/wireguard/gw0.sh >> /tmp/gw0.log (code=exited, status=0/SUCCESS)
Main PID: 95515 (code=exited, status=0/SUCCESS)
Dec 05 10:10:37 mybox systemd[1]: Starting Start Wireguard gw0...
Dec 05 10:12:07 mybox systemd[1]: gw0.service: State 'stop-sigterm' timed out. Killing.
Dec 05 10:12:07 mybox systemd[1]: gw0.service: Failed with result 'timeout'.
Dec 05 10:12:07 mybox systemd[1]: Failed to start Start Wireguard gw0.
# journalctl -xeu gw0.service
Dec 05 10:10:37 mybox systemd[1]: Starting Start Wireguard gw0...
░░ Subject: A start job for unit gw0.service has begun execution
░░ Defined-By: systemd
░░ Support: http://www.ubuntu.com/support
░░
░░ A start job for unit gw0.service has begun execution.
░░
░░ The job identifier is 2611.
Dec 05 10:12:07 mybox systemd[1]: gw0.service: State 'stop-sigterm' timed out. Killing.
Dec 05 10:12:07 mybox systemd[1]: gw0.service: Failed with result 'timeout'.
░░ Subject: Unit failed
░░ Defined-By: systemd
░░ Support: http://www.ubuntu.com/support
░░
░░ The unit gw0.service has entered the 'failed' state with result 'timeout'.
Dec 05 10:12:07 mybox systemd[1]: Failed to start Start Wireguard gw0.
░░ Subject: A start job for unit gw0.service has failed
░░ Defined-By: systemd
░░ Support: http://www.ubuntu.com/support
░░
░░ A start job for unit gw0.service has finished with a failure.
░░
░░ The job identifier is 2611 and the job result is failed.
However, /tmp/gw0.log shows the script completing:
Thu Dec 5 10:10:37 EST 2024 - cleanup
Thu Dec 5 10:10:37 EST 2024 - setup
┌──────────────────────────────────────────────────────┐
│ │
│ Running wireguard-go is not required because this │
│ kernel has first class support for WireGuard. For │
│ information on installing the kernel module, │
│ please visit: │
│ https://www.wireguard.com/install/ │
│ │
└──────────────────────────────────────────────────────┘
Thu Dec 5 10:10:37 EST 2024 - start
Thu Dec 5 10:10:37 EST 2024 - end
Question
Does anyone have an idea how to make gw0.service work?
Don't make this a Type=oneshot service. The purpose of Type=oneshot services is to run short tasks, where 100% of the task is done in the "start" phase and no process (no daemon or anything else) remains afterwards. Such services are only considered "started" once their main process exits, i.e. once it has finished its job.

For example, wg-quick or wg setconf (when using the kernel module) or iptables -A would use Type=oneshot because they just configure some kernel resource and exit, leaving no process behind. But since you're using "tuntap", you have a persistent daemon process (the wireguard-go daemon needs to stay running the whole time), so Type=oneshot is not suitable, because it would deliberately wait forever for the daemon to exit.

For wireguard-go, use one of the other types, such as Type=forking (probably the closest to how your script behaves), or notify (if wireguard-go supports that type), or simple/exec.
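As an added illustration of the answer above (this unit is not from the question or the answer, and the ExecStop lines, journal logging and the 30-second timeout are my own choices), here is gw0.service rewritten around Type=forking. The script itself is unchanged: wireguard-go forks into the background, the script's own shell exits, and systemd is told to expect exactly that.

```ini
[Unit]
Description=Start Wireguard gw0
After=network-online.target
Wants=network-online.target

[Service]
# wireguard-go daemonizes itself (unless run with -f / WG_PROCESS_FOREGROUND=1),
# so the script exits while the daemon lives on: that is the Type=forking contract.
# With no PIDFile=, systemd's default GuessMainPID=yes picks the one process
# left in the cgroup, which here is wireguard-go.
Type=forking
ExecStart=/usr/bin/bash /etc/wireguard/gw0.sh
# Teardown mirrors the cleanup section of gw0.sh; deleting the tun device
# takes the tunnel down, and anything still in the cgroup is then killed
# by the default KillMode=control-group.
ExecStop=/usr/sbin/iptables -t nat -D POSTROUTING -s 10.0.0.0/24 -o venet0 -j MASQUERADE
ExecStop=/usr/sbin/ip link del gw0
# Send the script's output to the journal instead of a root-owned file in /tmp
StandardOutput=journal
StandardError=journal
# Assumed value: the script above finishes in about a second, so a short
# start timeout turns a hung daemon into a fast, visible failure.
TimeoutStartSec=30

[Install]
WantedBy=multi-user.target
```

After `systemctl daemon-reload && systemctl start gw0`, `systemctl status gw0` should show wireguard-go as the main PID and `wg show gw0` should list both peers; `journalctl -u gw0` then carries the script's cleanup/setup/start/end lines next to systemd's own messages. Two caveats. First, if you would rather use Type=simple, run the daemon in the foreground (`wireguard-go -f gw0`); but then the `ip` and `wg set` commands that follow it in gw0.sh never run, because the script blocks on the daemon, so they have to move to ExecStartPost= lines. Second, logging via the journal rather than `>> /tmp/gw0.log` removes a root service appending to a predictable path in a world-writable directory, which is the kind of thing PrivateTmp= and symlink-protection exist to mitigate; if you keep a file log, put it under /var/log.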