Wg0: Failed to read private key

spalf · August 8, 2023, 8:14pm

Hi,

I am using a very similar configuration to what is told on
https://nixos.wiki/wiki/WireGuard#Setting_up_WireGuard_with_systemd-networkd

I used nixos-infect on a system, so it uses the old networking.interfaces etc for the network configuration, but I added networking.useNetworkd = true; to get it working system working with systemd-networkd.

My wireguard config is:

wireguardConfig = {
          PrivateKeyFile = "/run/keys/wireguard-privkey";
          ListenPort = 51820;
        };

And I set up the keyfiles exactly as described in man systemd.netdev
so:

> ll /run/keys/wireguard-privkey
-rw-r----- 1 root systemd-network 45 Aug  8 19:51 /run/keys/wireguard-privkey

I generated the keys in the standard way:
wg genkey > /run/keys/wireguard-privkey

I see the kernel module is loaded:

lsmod | grep wire
wireguard              98304  0
curve25519_x86_64      36864  1 wireguard
libchacha20poly1305    16384  1 wireguard
libcurve25519_generic    49152  2 curve25519_x86_64,wireguard
ip6_udp_tunnel         16384  1 wireguard
udp_tunnel             20480  1 wireguard

But no matter what I do I always get:

...
Starting Network Configuration...
Aug 08 20:03:59 spalf systemd-networkd[27228]: wg0: Failed to read private key from /run/keys/wireguard-privkey. Ignoring network device.
Aug 08 20:03:59 spalf systemd-networkd[27228]: lo: Link UP
...

When restarting systemd-networkd
I can see the error must be coming from here:
https://git.progress-linux.org/packages/fuchur-backports/systemd/tree/src/network/netdev/wireguard.c?h=upstream/251_rc2&id=7dcba4b07ba9120262c2359248409dc459efb054#n1133

But does anyone have any clue what could be causing this?

adamcstephens · August 8, 2023, 8:27pm

Have you tried giving ownership of the key file to the systemd-networkd user?

spalf · August 8, 2023, 8:29pm

Yes, I’ve also just tried chmod 777 with no avail

adamcstephens · August 8, 2023, 8:38pm

What are the permissions of /run/keys ?

spalf · August 8, 2023, 9:10pm

ll /run | grep keys
drwxr-x---  2 root keys    0 Aug  8 19:46 keys

spalf · August 8, 2023, 9:24pm

ah so yes, it seemed to be the parent directory.
next problem is my server seems to be unreachable after wireguard properly running xD

adamcstephens · August 9, 2023, 11:15pm

A user needs execute bit on a directory in order to access files inside of it.

denisrosca · September 14, 2023, 3:26pm

@spalf I’m having the same problems with the key.
Could you explain exactly what the permissions need to be on the file/parent-directory?

Thank you.

denisrosca · September 14, 2023, 3:35pm

Ok, looks like

chown root:systemd-network /run/keys

fixed it.

I’m a bit of a newbie, hope nothing else breaks

adamcstephens · September 16, 2023, 10:40pm

This is the correct fix. The systemd-networkd user needs access to the key.