Public bug reported:

Hi,

there are two different methods to get WireGuard tunnels up:

- wg-quick and the systemd service template for it

- as a systemd netdev device (see man systemd.netdev)


The latter has some advantages, e.g. better integration into systemd and the
ability to read the secret key from a file instead of directly entering the key
into the file. And, since systemd version 256 (unfortunately, Ubuntu 24.04
comes with 255), it can have the secret encrypted and decrypted by systemd,
optionally using the TPM.

But the systemd method requires both the /etc/wireguard directory and
the key files (usually in this directory) to be readable for the
systemd-network.


Therefore, /etc/wireguard should be set to group systemd-network and
mode 2750 (setgid, to automatically make files readable for networkd)
_if_, and I do stress, _if_ it is supposed to work with systemd.netdev
under Ubuntu. Opening file permissions can always weaken security.

ProblemType: Bug
DistroRelease: Ubuntu 24.04
Package: wireguard 1.0.20210914-1ubuntu4
ProcVersionSignature: Ubuntu 6.8.0-50.51-generic 6.8.12
Uname: Linux 6.8.0-50-generic x86_64
ApportVersion: 2.28.1-0ubuntu3.3
Architecture: amd64
CasperMD5CheckResult: unknown
CloudArchitecture: x86_64
CloudID: hetzner
CloudName: hetzner
CloudPlatform: hetzner
CloudSubPlatform: metadata (http://169.254.169.254/hetzner/v1/metadata)
Date: Wed Dec 18 01:51:07 2024
PackageArchitecture: all
SourcePackage: wireguard
UpgradeStatus: No upgrade log present (probably fresh install)

** Affects: wireguard (Ubuntu)
     Importance: Undecided
         Status: New


** Tags: amd64 apport-bug noble

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/2091987

Title:
  group and mode of /etc/wireguard incompatible with systemd

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/wireguard/+bug/2091987/+subscriptions


-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
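
The layout proposed in the report, as an added example that is not part of the original report or of the Ubuntu package: it applies group ownership and mode 2750 to the directory and audits the result. The function names, the `*.key` naming and the use of GNU `stat` are assumptions; note that setgid only makes new files inherit the directory's group, so a key created under a restrictive umask still needs its mode set.

```shell
#!/bin/sh
# Added example. Assumes GNU stat and key files named *.key (hypothetical).
# GROUP may be a name (systemd-network) or a numeric GID.

# Apply the layout from the report: DIR group-owned, mode 2750.
apply_wg_perms() {
    dir=$1; group=$2
    chgrp "$group" "$dir" && chmod 2750 "$dir" || return 1
    # setgid makes new files inherit the group only; their mode still comes
    # from the creator's umask, so key files are set to 0640 explicitly.
    for f in "$dir"/*.key; do
        [ -f "$f" ] || continue
        chgrp "$group" "$f" && chmod 0640 "$f" || return 1
    done
}

# Succeeds if FILE's group is GROUP (by name or GID).
has_group() {
    [ "$(stat -c %G "$1")" = "$2" ] || [ "$(stat -c %g "$1")" = "$2" ]
}

# Return 0 only if DIR is 2750 and every key is 0640 or 0440, all with GROUP.
audit_wg_perms() {
    dir=$1; group=$2; rc=0
    mode=$(stat -c %a "$dir")
    if [ "$mode" != 2750 ] || ! has_group "$dir" "$group"; then
        echo "BAD dir $dir (mode $mode)"; rc=1
    fi
    for f in "$dir"/*.key; do
        [ -f "$f" ] || continue
        mode=$(stat -c %a "$f")
        case $mode in 640|440) has_group "$f" "$group" && continue ;; esac
        echo "BAD key $f (mode $mode)"; rc=1
    done
    return "$rc"
}

# Usage: script.sh /etc/wireguard systemd-network   (as root)
if [ "$#" -eq 2 ]; then
    apply_wg_perms "$1" "$2" && audit_wg_perms "$1" "$2"
fi
```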
