
Bug#968683: wireguard-tools: missing dependency in wireguard-tools resolvconf - wg-quick up


Carlos Henrique Lima Melara

Aug 19, 2020, 3:40:03 PM

Package: wireguard-tools
Version: 1.0.20200513-1
Severity: normal
X-Debbugs-Cc: charle...@outlook.com

Hi,

I've installed wireguard and when I used wg-quick up an error occurred (see
below).

[#] ip link add charlao type wireguard
[#] wg setconf charlao /dev/fd/63
[#] ip -4 address add 10.6.0.2/24 dev charlao
[#] ip link set mtu 1420 up dev charlao
[#] resolvconf -a charlao -m 0 -x
/usr/bin/wg-quick: line 32: resolvconf: command not found
[#] ip link delete dev charlao

So it may be related to the fact that resolvectl doesn't resolve names
in my system. I get this error:

google.com: resolve call failed: Unit dbus-org.freedesktop.resolve1.service not found.

Or maybe it's really a dependency problem. Btw installing resolvconf solved
the problem.

If you need more information, feel free to contact me.

Cheers,
Charles

-- System Information:
Debian Release: bullseye/sid
APT prefers testing
APT policy: (500, 'testing')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 5.7.0-2-amd64 (SMP w/4 CPU threads)
Locale: LANG=pt_BR.UTF-8, LC_CTYPE=pt_BR.UTF-8 (charmap=UTF-8), LANGUAGE=en_US:en
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages wireguard-tools depends on:
ii libc6 2.31-3

Versions of packages wireguard-tools recommends:
ii iptables 1.8.5-2
ii linux-image-amd64 [wireguard-modules] 5.7.10-1

Versions of packages wireguard-tools suggests:
ii resolvconf 1.82

Mathias Behrle

Oct 12, 2023, 5:20:05 AM

Package: wireguard-tools
Version: 1.0.20210914-1+b1
Followup-For: Bug #968683

Dear Maintainer,

I also ran into this problem, a resolvconf command is required for wg-quick

wg-quick[2798751]: [#] resolvconf -a tun.wg0 -m 0 -x

Please promote the Suggests for the resolvers to at least Recommends.

Thanks
Mathias

-- System Information:
Debian Release: trixie/sid
APT prefers testing
APT policy: (800, 'testing'), (700, 'unstable'), (600, 'experimental'), (500, 'oldoldstable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 6.5.0-1-amd64 (SMP w/4 CPU threads; PREEMPT)
Kernel taint flags: TAINT_OOT_MODULE, TAINT_UNSIGNED_MODULE
Locale: LANG=de_DE.utf8, LC_CTYPE=de_DE.utf8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages wireguard-tools depends on:
ii libc6 2.37-12

Versions of packages wireguard-tools recommends:
ii iptables 1.8.9-2
ii linux-image-amd64 [wireguard-modules] 6.5.3-1

Versions of packages wireguard-tools suggests:
ii systemd-resolved [resolvconf] 254.5-1

-- no debconf information

--

Mathias Behrle
PGP/GnuPG key available from any keyserver, ID: 0xD6D09BE48405BBF6
AC29 7E5C 46B9 D0B6 1C71 7681 D6D0 9BE4 8405 BBF6

Daniel Gröber

Oct 12, 2023, 6:20:06 AM

Hi Mathias,

On Thu, Oct 12, 2023 at 11:14:58AM +0200, Mathias Behrle wrote:
> I also ran into this problem, a resolvconf command is required for
> wg-quick

Saying that resolvconf is _required_ for wg-quick is a bit of a stretch,
it's only needed when a DNS= line is present in the config.

> Please promote the Suggests for the resolvers to at least Recommends.

The problem I see with a recommends is that wireguard is frequently used on
servers/routers but openresolv/resolvconf have various problems on such
systems.

I've personally had problems with them breaking an unbound server, but
#761050 "openresolv sets local bind to always forward requests, even when
local bind is authoritative" discusses a similar problem with BIND.

What is your exact use-case? I assume it's for a desktop VPN, in which case
adding systemd-resolved support to wg-quick might be less
problematic.

--Daniel

Mathias Behrle

Oct 16, 2023, 3:40:05 AM

On Thu, 12 Oct 2023 12:12:18 +0200 Daniel Gröber
<dx...@darkboxed.org> wrote:

Hi Daniel,
Yes, indeed my use case is a desktop VPN.

FWIW both resolvconf and systemd-resolved broke immediately my DNS, while
openresolv worked.

I don't know for which reasons Recommends for the resolve tools were dropped to
Suggests. The issue for me is that

1) First the description in control

This package contains command-line tools to interact with the
WireGuard kernel module. Currently, it provides only a single tool:
.
wg: set and retrieve configuration of WireGuard interfaces

is no more appropriate. It ships now wg-quick, too.


2) The decision to downgrade resolve tools to Suggests may perhaps date back to
a time where wg was indeed the only binary shipped in the package?
At least with wg-quick included things are different.

Let me depict the example that led me here:

Not a wireguard user so far I got a sample wireguard config _with DNS entry_
included. Now wg-quick failed from the beginning which is a major annoyance and
a really bad user experience. I think it could be a very common use case to use
wireguard configurations with DNS entries. Thus the package should work
out-of-the-box in a default Debian installation.


3) FWIW I tried with the three commonly suggested resolvconf tools.

- systemd-resolved and resolvconf immediately broke my DNS.
- Only openresolv worked out of the box.

So for me the state as in
https://salsa.debian.org/debian/wireguard/-/blob/debian/master/debian/control
with Suggests: openresolv | resolvconf
is the right one, only that for my use case they should be rather in
Recommends, just like nftables|iptables in
https://salsa.debian.org/debian/wireguard/-/commit/3c3c505a8e4008bffa78f6649854ffe4b1712557


As a thought: if it makes substantial problems to install by default a resolv
conf tool on servers would it perhaps improve things a little bit, if wg-quick
would be phased out into a separate package?

Finally, if that all is yet not applicable for you then please document the
current situation in README.Debian where my next source of information for the
package is when I run into problems. It would have helped me a lot ;)

Thanks,
Mathias

Daniel Gröber

Oct 17, 2023, 12:00:05 PM

Hi Mathias,

On Mon, Oct 16, 2023 at 09:33:14AM +0200, Mathias Behrle wrote:
> > What is your exact use-case? I assume it's for a desktop VPN, in which case
> > adding systemd-resolved support to wg-quick might be less
> > problematic.
>
> Yes, indeed my use case is a desktop VPN.
>
> FWIW both resolvconf and systemd-resolved broke immediately my DNS, while
> openresolv worked.

Right, so there's the real root-cause. I think we should take the time to
debug and fix your systemd-resolved problem instead of bypassing it.

In case you're not aware systemd-resolved has a resolvconf compatibility
interface[1] now, so this will actually fix your wg-quick problem too. We
should likely do a push to get all openresolv|resolvconf dependencies
updated to add systemd-resolved across Debian.

[1]: https://github.com/systemd/systemd/issues/7202

Unlike openresolv/resolvconf systemd-resolved actually has a data/config
model that has the potential to work for all use-cases I'm aware of without
hacks, so as much as I lament relying on yet another thing from under the
systemd umbrella it's the only reasonably modern solution capable of being
the default I'm aware of.

> I don't know for which reasons Recommends for the resolve tools were
> dropped to Suggests.

Unit 193, any explanation?

commit 324d375b79fab138f0c83af022bbe9e795d5e696
Author: Unit 193 <uni...@unit193.net>
Date: Fri May 15 18:32:09 2020 -0400

d/control: Lower 'openresolv | resolvconf' to suggests.

diff --git a/debian/control b/debian/control
index 09513a2..9093d4b 100644
--- a/debian/control
+++ b/debian/control
@@ -40,8 +40,8 @@ Depends:
${shlibs:Depends},
Recommends:
nftables | iptables,
- openresolv | resolvconf,
wireguard-modules (>= 0.0.20171001) | wireguard-dkms (>= 0.0.20191219),
+Suggests: openresolv | resolvconf,
Description: fast, modern, secure kernel VPN tunnel (userland utilities)
WireGuard is a novel VPN that runs inside the Linux Kernel and uses
state-of-the-art cryptography (the "Noise" protocol). It aims to be

> The issue for me is that
>
> 1) First the description in control
>
> This package contains command-line tools to interact with the
> WireGuard kernel module. Currently, it provides only a single tool:
> .
> wg: set and retrieve configuration of WireGuard interfaces
>
> is no more appropriate. It ships now wg-quick, too.

That's unrelated, open a separate bug for that please.

> 2) The decision to downgrade resolve tools to Suggests may perhaps date back to
> a time where wg was indeed the only binary shipped in the package?

I doubt it, wg-quick has existed for a good long while. My guess is the
recommends was demoted because of DNS problems with openresolv/resolvconf ;)

> Now wg-quick failed from the beginning which is a major annoyance and a
> really bad user experience.

Right, but you have to admit that by using a commandline tool you're
already well into poweruser territory so IMO you (or anyone doing that) is
expected to be able to debug this.

See I would expect most desktop users to deploy their wg VPN tunnels using
NetworkManager integration or some such. If DNS is broken in that case I'd
consider that a big problem as, say, my mum can't be expected to debug
this, haha.

> I think it could be a very common use case to use wireguard
> configurations with DNS entries. Thus the package should work
> out-of-the-box in a default Debian installation.

It's just not that clear-cut due to the brokenness of the
openresolv/resolvconf approach. I would agree if there were no known
downsides to installing them but alas..

> As a thought: if it makes substantial problems to install by default a resolv
> conf tool on servers would it perhaps improve things a little bit, if wg-quick
> would be phased out into a separate package?

Unfortunately the firewall functionality of wg-quick is still important on
servers. There just aren't any easy solutions here. To move things forward
we have to do the (hard) work of debugging why systemd-resolved is broken in
your case and fixing it. I'm happy to help with that tho.

> Finally, if that all is yet not applicable for you then please document the
> current situation in README.Debian where my next source of information for the
> package is when I run into problems. It would have helped me a lot ;)

Was there not a reasonable error message pointing at the missing
resolvconf? If so I think we may want to patch wg-quick to make the problem
a bit more verbose.

--Daniel
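
The point made in this thread, that wg-quick only needs a resolvconf command when the config carries a DNS= line, can be checked before bringing a tunnel up. The script below is an added example, not part of the original messages or of wireguard-tools: its parser is a simplified approximation of wg-quick's config handling, and the function names, the resolver-override argument and the sample config are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: preflight check to run before `wg-quick up`.

# Constructed sample config (addresses and names are made up).
sample_conf() {
cat <<'EOF'
[Interface]
Address = 10.6.0.2/24
DNS = 10.6.0.1, example.lan   # resolver and search domain

[Peer]
# DNS = 192.0.2.53   (commented out, must be ignored)
AllowedIPs = 0.0.0.0/0
EOF
}

# Print each DNS= value from the [Interface] section, one per line.
wg_conf_dns() {
    section=""
    while IFS= read -r line || [ -n "$line" ]; do
        line=${line%%\#*}                                  # drop comments
        line=$(printf '%s' "$line" | tr -d ' \t\r')        # drop whitespace
        case "$line" in
            \[*\]) section=$(printf '%s' "$line" | tr 'A-Z' 'a-z') ;;
            [Dd][Nn][Ss]=?*)
                if [ "$section" = "[interface]" ]; then
                    printf '%s\n' "${line#*=}" | tr ',' '\n'
                fi ;;
        esac
    done < "$1"
}

# Return 0 if the config can be brought up as far as DNS handling goes.
# $2 overrides the resolver command name (hypothetical knob, for testing).
wg_preflight() {
    resolver=${2:-resolvconf}
    dns=$(wg_conf_dns "$1")
    if [ -z "$dns" ]; then
        echo "ok: no DNS= in [Interface], $resolver is not needed"
    elif command -v "$resolver" >/dev/null 2>&1; then
        echo "ok: DNS= is set and $resolver is $(command -v "$resolver")"
    else
        echo "error: DNS= is set ($(echo $dns)) but no '$resolver' command;" \
             "install a resolvconf provider or drop the DNS= line" >&2
        return 1
    fi
}

# Check the file given as $1, or the constructed sample when run bare.
conf=${1:-$(mktemp)}; [ -n "${1:-}" ] || sample_conf > "$conf"
wg_preflight "$conf" || echo "preflight failed for $conf"
```

Run it with the path of a wg-quick config as the only argument; a non-zero status from wg_preflight means wg-quick would stop at its resolvconf call.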