[SOLVED] Run Wireguard Client on Proxmox Host

[turborierer]

Dear all,

I'm trying to run a Wireguard client on one of my cluster nodes that I can access the WebGUI from home and actually it worked more or less in the passt like this. The problem was always that from time to time the connection got lost or it needed 1-2 minutes to load the web GUI via WG. So I found some posts that "resolvconf" would probably not work together with other network managers. So this time I setup the complete cluster from the scratch and I would like to do it better this time. So far I did install wireguard and crated a /etc/wireguard/wg0.conf file with the working credentials in it.

At this point I tried to start the service but got the following error:

root@cluster01-hp-proliant-gen9:/# systemctl status wg-quick@wg0.service
● wg-quick@wg0.service - WireGuard via wg-quick(8) for wg0
     Loaded: loaded (/lib/systemd/system/wg-quick@.service; disabled; vendor preset: enabled)
     Active: failed (Result: exit-code) since Sat 2022-12-17 01:08:11 CET; 1min 12s ago
       Docs: man:wg-quick(8)
             man:wg(8)
             https://www.wireguard.com/
             https://www.wireguard.com/quickstart/
             https://git.zx2c4.com/wireguard-tools/about/src/man/wg-quick.8
             https://git.zx2c4.com/wireguard-tools/about/src/man/wg.8
    Process: 21055 ExecStart=/usr/bin/wg-quick up wg0 (code=exited, status=127)
   Main PID: 21055 (code=exited, status=127)
        CPU: 69ms

Dec 17 01:08:11 cluster01-hp-proliant-gen9 wg-quick[21055]: [#] wg setconf wg0 /dev/fd/63
Dec 17 01:08:11 cluster01-hp-proliant-gen9 wg-quick[21055]: [#] ip -4 address add 10.66.66.13/32 dev wg0
Dec 17 01:08:11 cluster01-hp-proliant-gen9 wg-quick[21055]: [#] ip -6 address add fd42:42:42::13/128 dev wg0
Dec 17 01:08:11 cluster01-hp-proliant-gen9 wg-quick[21055]: [#] ip link set mtu 1420 up dev wg0
Dec 17 01:08:11 cluster01-hp-proliant-gen9 wg-quick[21086]: [#] resolvconf -a wg0 -m 0 -x
Dec 17 01:08:11 cluster01-hp-proliant-gen9 wg-quick[21088]: /usr/bin/wg-quick: line 32: resolvconf: command not found
Dec 17 01:08:11 cluster01-hp-proliant-gen9 wg-quick[21055]: [#] ip link delete dev wg0
Dec 17 01:08:11 cluster01-hp-proliant-gen9 systemd[1]: wg-quick@wg0.service: Main process exited, code=exited, status=127/n/a
Dec 17 01:08:11 cluster01-hp-proliant-gen9 systemd[1]: wg-quick@wg0.service: Failed with result 'exit-code'.
Dec 17 01:08:11 cluster01-hp-proliant-gen9 systemd[1]: Failed to start WireGuard via wg-quick(8) for wg0.

Now is my question what should I install? resolvconf, or something different? Is there anything else to think about when running WG on a Proxmox system itself?

 

[Nomis]

I try the same thing at the moment as well, installing openresolve turned out to be sufficient and does not break DNS.

 

[leesteken]

Running Wireguard in a unpriviledged Debian container also works, if the kernel module is loaded on the host.

 

[Nomis]

I found a cleaner way without messing up the PVE standard installation:
1.) do not install resolvconf or openresolv, if already installed, remove them
2.) tidy up your /etc/resolv.conf
3.) link /usr/bin/resolvectl to /usr/sbin/resolvconf
4.) remove the DNS entries from your wgX.conf
5.) optional: if you want to have a specific DNS for this tunnel, follow the section "override dns for specific domains" in this article.

This works for the following scenario:
You have a PVE running somewhere and want it to connect as a client to a wireguard "server" at another place (e.g. your admin's homeoffice).

If you want your PVE to reconnect to a wg server with a dynamic ip, then add a cron job to call this script in intervals as needed.

 

[turborierer]

I found a cleaner way whithout messing up the PVE standard installation:
1.) do not install resolvconf or openresolv, if already installed, remove them
2.) tidy up your /etc/resolv.conf
3.) link /usr/bin/resolvectl to /usr/sbin/resolvconf
4.) remove the DNS entries from your wgX.conf
5.) optional: if you want to have a specific DNS for this tunnel, follow the section "override dns for specific domains" in this article.

This works for the following scenario:
You have a PVE running somewhere and want it to connect as a client to a wireguard "server" at another place (e.g. your admin's homeoffice).

If you want your PVE to reconnect to a wg server with a dynamic ip, then add a cron job to call this script in intervals as needed.

Great! Thank you for this explanation.

1 and 2 is clear.
3) Which link do you mean? A symbolic link from this resolvectl (seems to be a binary) to the other folder where currently no "resolvconf" is present, instead tell the system to use the "resolvectl", right? Sorry for the noob explanation. So I would do now:

ln -s /usr/bin/resolvectl  /usr/sbin/resolvconf

Please correct me if I'm wrong.

4. is clear, 5 not needed.

Thank you so much!

 

[turborierer]

Great! Thank you for this explanation.

1 and 2 is clear.
3) Which link do you mean? A symbolic link from this resolvectl (seems to be a binary) to the other folder where currently no "resolvconf" is present, instead tell the system to use the "resolvectl", right? Sorry for the noob explanation. So I would do now:

ln -s /usr/bin/resolvectl  /usr/sbin/resolvconf

Please correct me if I'm wrong.

4. is clear, 5 not needed.

Thank you so much!

BAAAM!! @Nomis You made my day. Its just working 1 year of broken connections and infinite loading times are over now.
Thank you so much.

 

[Nomis]

3) Which link do you mean? A symbolic link from this resolvectl (seems to be a binary) to the other folder where currently no "resolvconf" is present, instead tell the system to use the "resolvectl", right? Sorry for the noob explanation. So I would do now:

ln -s /usr/bin/resolvectl  /usr/sbin/resolvconf

Please correct me if I'm wrong.

Correct! I guess you figured out yourself while I was asleep

 

[ale.ttone]

Hi, I'm trying to setup proxmox as a client of an existing Wireguard's server in order to connect from outside my home network.
I followed this guide
https://www.server-world.info/en/note?os=Debian_11&p=wireguard&f=2

and then running

systemctl enable wg-quick@wg0.service
systemctl start wg-quick@wg0.service

but the status is Active: active (exited) and I never see any connection on the server side.

This is what I get after installing and configuring:

root@algo:~# systemctl status wg-quick@wg0.service
● wg-quick@wg0.service - WireGuard via wg-quick(8) for wg0
     Loaded: loaded (/lib/systemd/system/wg-quick@.service; enabled; preset: enabled)
     Active: active (exited) since Wed 2023-10-25 12:58:25 CEST; 5min ago
       Docs: man:wg-quick(8)
             man:wg(8)
             https://www.wireguard.com/
             https://www.wireguard.com/quickstart/
             https://git.zx2c4.com/wireguard-tools/about/src/man/wg-quick.8
             https://git.zx2c4.com/wireguard-tools/about/src/man/wg.8
    Process: 777 ExecStart=/usr/bin/wg-quick up wg0 (code=exited, status=0/SUCCESS)
   Main PID: 777 (code=exited, status=0/SUCCESS)
        CPU: 25ms

Oct 25 12:58:25 algo systemd[1]: Starting wg-quick@wg0.service - WireGuard via wg-quick(8) for wg0...
Oct 25 12:58:25 algo wg-quick[777]: [#] ip link add wg0 type wireguard
Oct 25 12:58:25 algo wg-quick[777]: [#] wg setconf wg0 /dev/fd/63
Oct 25 12:58:25 algo wg-quick[777]: [#] ip -4 address add 12.187.257.16 dev wg0
Oct 25 12:58:25 algo wg-quick[777]: [#] ip link set mtu 1420 up dev wg0
Oct 25 12:58:25 algo wg-quick[777]: [#] ip -6 route add ::/1 dev wg0
Oct 25 12:58:25 algo wg-quick[777]: [#] ip -6 route add 8000::/1 dev wg0
Oct 25 12:58:25 algo wg-quick[777]: [#] ip -4 route add 128.0.0.0/1 dev wg0
Oct 25 12:58:25 algo wg-quick[777]: [#] ip -4 route add 0.0.0.0/1 dev wg0
Oct 25 12:58:25 algo systemd[1]: Finished wg-quick@wg0.service - WireGuard via wg-quick(8) for wg0.
root@algo:~#

Do you have any idea?
Thanks!

 

[ale.ttone]

I've edited my original post with more details following a different installation guide (not via an LXC container).
Thank you!