Systemd-networkd-wait-online[934764]: Timeout occurred while waiting for network connectivity

Hello guys! I’m trying to set up WireGuard but I’m getting the following error message:

    × systemd-networkd-wait-online.service - Wait for Network to be Configured
         Loaded: loaded (/etc/systemd/system/systemd-networkd-wait-online.service; enabled; preset: enabled)
        Drop-In: /nix/store/8j8c4r234r5j735k1j27z1jf0zk2k2qa-system-units/systemd-networkd-wait-online.service.d
                 └─overrides.conf
         Active: failed (Result: exit-code) since Fri 2023-09-29 20:39:22 CEST; 89ms ago
           Docs: man:systemd-networkd-wait-online.service(8)
        Process: 934764 ExecStart=/nix/store/1zmmnm0r0bdga398rl7fc7s4hkyqxjk4-systemd-254.3/lib/systemd/systemd-networkd-wait-online --timeout=120 (code=exited, status=1/FAILURE)
       Main PID: 934764 (code=exited, status=1/FAILURE)
             IP: 0B in, 0B out
            CPU: 10ms

    Sep 29 20:37:22 pc systemd[1]: Starting Wait for Network to be Configured...
    Sep 29 20:39:22 pc systemd-networkd-wait-online[934764]: Timeout occurred while waiting for network connectivity.
    Sep 29 20:39:22 pc systemd[1]: systemd-networkd-wait-online.service: Main process exited, code=exited, status=1/FAILURE
    Sep 29 20:39:22 pc systemd[1]: systemd-networkd-wait-online.service: Failed with result 'exit-code'.
    Sep 29 20:39:22 pc systemd[1]: Failed to start Wait for Network to be Configured.

I’m using nix-flakes to configure my system.
This is in my flake.nix:

    systemd.network = {
      enable = true;
      netdevs.wireguard = {
        enable = true;
        netdevConfig = {
          Kind = "wireguard";
          Name = "wg0";
        };
        wireguardConfig = {
          PrivateKeyFile = config.age.secrets.wireguard.file;
          ListenPort = 51820;
        };
        wireguardPeers = [
          {
            wireguardPeerConfig = {
              PublicKey = "ZsQgSN9hiz+fPnRu3sZGxzQy0SanhGrxGq57Fl/xjX0=";
              AllowedIPs = [ "10.100.0.2" ];
            };
          }
        ];
      };

      networks.wg0 = {
        matchConfig.Name = "wg0";
        address = [ "10.100.0.1/24" ];
        networkConfig = {
          IPMasquerade = "ipv4";
          IPForward = true;
        };
      };
    };

I basically followed “Setting up WireGuard with systemd-networkd” but it doesn’t work on my system as you can see…

What do you get from networkctl status wg0 and just networkctl?

That error message is just the overzealous systemd unit checking if any devices fail. It doesn’t help debug anything.

This is what I’m getting from networkctl status wg0:

    Interface "wg0" not found.

and this from networkctl:

    IDX LINK   TYPE     OPERATIONAL SETUP
      1 lo     loopback carrier     unmanaged
      2 enp6s0 ether    routable    unmanaged

    2 links listed.

Ok, after taking a look into journalctl -fe I found this line:

    pc systemd-networkd[12795]: /nix/store/v9fh7i1v3f74bgc90r9zlblxqfdfh6yq-source/secrets/wireguard.age has 0444 mode that is too permissive, please adjust the ownership and access mode.

Looks like the symlink from agenix is a problem.

I updated the permission from my wireguard.age to 600 but now after removing this error, I’m still getting the timeout.

ok… nvm… after setting the following in my nix-config:

    age.secrets.wireguard = {
      file = ./wireguard.age;
      mode = "600";
      owner = "tornax";
      group = "wheel";
    };

the linked file still has 0444 permissions…

Ok, I found the culprit for this: I chose the wrong attribute… So the permission stuff is fixed; however, systemd-networkd-wait-online still gets a timeout error.

Ok, so according to systemd.network.wait-online.enable:

systemd-networkd-wait-online can timeout and fail if there are no network interfaces available for it to manage. When systemd-networkd is enabled but a different service is responsible for managing the system’s internet connection (for example, NetworkManager or connman are used to manage WiFi connections), this service is unnecessary and can be disabled.

I set systemd.network.wait-online.enable = false and my system build succeeds, but networkctl still doesn’t show me the wg0 interface.

Ah, you misunderstand; yes, that is an error, but by that time the build has already succeeded and nix switched to the new generation. Your build has always worked, just systemd decided to tell you that it’s failing to manage your network interfaces, and nix will display the errors of units that fail while you are switching to the new configuration. I believe it even does so if the unit failed previously and simply has not been successfully restarted yet.

Another solution is to set this option, so it will only complain if no interfaces have internet: NixOS Search

Or you can add specific interfaces you don’t want to check for internet connection because they aren’t intended to get one before the system is fully up (like wg0) with this option: NixOS Search

Personally, I use a networkd setting to mark the wg0 interface as not required for online: tlaternet-server/wireguard.nix at master - tlaternet-server - Forgejo: Beyond coding. We Forge.

This is the real problem here; why is systemd-networkd not creating the interface? You can see the logs of systemd-networkd with:

    journalctl -xe --unit systemd-networkd

If you add --boot to that it will also be restricted to the current boot.

That should give us more information to work from.

Pretty sure -f and -e are incompatible on journalctl by the way, since -f disables the pager, meaning -e has no end to scroll to.

@TornaxO7 I had the same and it was a permission problem. It appears systemd.networkd runs as a specific user so if you adjust the secret’s permissions accordingly it works. In my (sops-nix) case:

    sops.secrets = sopsInitSecretsPerms "wireguard" config.users.users.systemd-network.name config.users.users.systemd-network.group "440" [
      "private" "psk"
    ];

where the init function is just a convenience utility to save boilerplate:

    sopsInitSecretsPerms = prefix: owner: group: mode: secretNames:
      lib.genAttrs (map (n: "${prefix}/${n}") secretNames) (a: {
        owner = owner;
        group = group;
        mode = mode;
      });
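
The pieces discussed in this thread, combined into one module as an added example (not code from any poster). It assumes the "wrong attribute" was agenix's `.file`, which is the encrypted source in the world-readable Nix store, where `.path` is the decrypted secret; the `systemd-network` owner is carried over from the sops-nix reply above, and `RequiredForOnline = "no"` is one way to express the "not required for online" setting mentioned earlier.

```nix
{ config, ... }:
{
  # agenix decrypts this at activation time. `.file` is the encrypted .age
  # source (store path, mode 0444); `.path` is the decrypted secret.
  age.secrets.wireguard = {
    file = ./wireguard.age;
    # Assumption taken from the sops-nix reply: networkd reads the key as
    # its own user, so that user owns the secret and nobody else can read it.
    owner = "systemd-network";
    group = "systemd-network";
    mode = "0400";
  };

  systemd.network = {
    enable = true;

    netdevs.wireguard = {
      netdevConfig = {
        Kind = "wireguard";
        Name = "wg0";
      };
      wireguardConfig = {
        # Before: config.age.secrets.wireguard.file
        # (the path networkd reported as "0444 mode that is too permissive")
        PrivateKeyFile = config.age.secrets.wireguard.path;
        ListenPort = 51820;
      };
      wireguardPeers = [
        {
          wireguardPeerConfig = {
            PublicKey = "ZsQgSN9hiz+fPnRu3sZGxzQy0SanhGrxGq57Fl/xjX0=";
            AllowedIPs = [ "10.100.0.2" ];
          };
        }
      ];
    };

    networks.wg0 = {
      matchConfig.Name = "wg0";
      address = [ "10.100.0.1/24" ];
      # Keep systemd-networkd-wait-online from blocking on the tunnel
      # instead of disabling the wait-online unit globally.
      linkConfig.RequiredForOnline = "no";
    };
  };
}
```

After switching, `networkctl status wg0` and `journalctl -xe --unit systemd-networkd --boot` show whether the interface was created and whether the key file warning is gone.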