setup-wireguard
Setup but It's not able to connect to wireguard
I created a .conf file. Now, using that .conf file, I am trying to set up a WireGuard connection in GitHub.
- name: Set up WireGuard
  uses: egor-tensin/setup-wireguard@v1
  with:
    endpoint: 18.124.82.43:54321
    endpoint_public_key: 9WrjQWqKx0w72RzIsdffjQwjPOpsffRjHMDD4=
    ips: 10.50.0.16/32
    allowed_ips: 0.0.0.0/0, ::/0
    private_key: MMB38wvXwLh0UIU5qjrE6vXwOBQnUSciBgq2xBkG=
    preshared_key: kZJdGX8iZNSTY4eUp2cm21wihUGoOyuJhf56xsBzHf=
The step completes, but when I try to access a URL that can only be reached while connected to the VPN, it is not accessible.
Link to the workflow run please?
The input parameters seem OK, which is why I'm asking for the workflow's run output.
@egor-tensin Thanks for the help. It's a private repo so the workflow link won't work. Here are the whole logs for the VPN step.
set -o errexit -o pipefail -o nounset

readonly endpoint='18.124.82.43:54321'
readonly endpoint_public_key='9WrjQWqKx0w72RzIsdffjQwjPOpsffRjHMDD4='
readonly ips='10.50.0.16/32'
readonly allowed_ips='0.0.0.0/0'
readonly private_key='MMB38wvXwLh0UIU5qjrE6vXwOBQnUSciBgq2xBkG='
readonly preshared_key='kZJdGX8iZNSTY4eUp2cm21wihUGoOyuJhf56xsBzHf='

readonly minport=51000
readonly maxport=51999

ifname="wg$( openssl rand -hex 4 )"
readonly ifname
port="$( shuf "--input-range=$minport-$maxport" --head-count=1 )"
readonly port

via_systemd() {
    local netdev_path
    netdev_path="/etc/systemd/network/$ifname.netdev"
    local network_path
    network_path="/etc/systemd/network/$ifname.network"

    local netdev_contents
    netdev_contents="
[NetDev]
Name=$ifname
Kind=wireguard
Description=WireGuard tunnel $ifname

[WireGuard]
ListenPort=$port
PrivateKey=$private_key

[WireGuardPeer]
Endpoint=$endpoint
PublicKey=$endpoint_public_key
AllowedIPs = $allowed_ips"

    if [ -n "$preshared_key" ]; then
        netdev_contents="$netdev_contents
PresharedKey=$preshared_key"
    fi

    local network_contents
    network_contents="
[Match]
Name=$ifname

[Network]"

    local delim=,
    local ip
    while IFS= read -d "$delim" -r ip; do
        network_contents="$network_contents
Address=$ip"
    done < <( printf -- "%s$delim\\0" "$ips" )

    sudo touch -- "$netdev_path"
    sudo chown -- root:systemd-network "$netdev_path"
    sudo chmod -- 0640 "$netdev_path"
    sudo touch -- "$network_path"

    echo "$netdev_contents" | sudo tee -- "$netdev_path" > /dev/null
    echo "$network_contents" | sudo tee -- "$network_path" > /dev/null

    sudo systemctl restart systemd-networkd
    sudo systemctl status systemd-networkd
}

install_wg_tools() {
    sudo apt-get update
    sudo DEBIAN_FRONTEND=noninteractive apt-get install -yq --no-install-recommends wireguard-tools
}

readonly private_key_path=/tmp/private.key
readonly preshared_key_path=/tmp/preshared.key

wg_tools_cleanup() {
    rm -f -- "$private_key_path"
    rm -f -- "$preshared_key_path"
}

via_wg_tools() {
    install_wg_tools
    trap wg_tools_cleanup EXIT

    (
        set -o errexit -o nounset -o pipefail
        umask 0077
        echo "$private_key" > "$private_key_path"
        if [ -n "$preshared_key" ]; then
            echo "$preshared_key" > "$preshared_key_path"
        fi
    )

    sudo ip link add dev "$ifname" type wireguard

    local delim=,
    local ip
    while IFS= read -d "$delim" -r ip; do
        sudo ip addr add "$ip" dev "$ifname"
    done < <( printf -- "%s$delim\\0" "$ips" )

    sudo wg set "$ifname" \
        listen-port "$port" \
        private-key "$private_key_path"

    if [ -z "$preshared_key" ]; then
        sudo wg set "$ifname" \
            peer "$endpoint_public_key" \
            endpoint "$endpoint" \
            allowed-ips "$allowed_ips"
    else
        sudo wg set "$ifname" \
            peer "$endpoint_public_key" \
            preshared-key "$preshared_key_path" \
            endpoint "$endpoint" \
            allowed-ips "$allowed_ips"
    fi

    sudo ip link set "$ifname" up
}

# systemd-networkd greets me with 'Temporary failure in name
# resolution' on Bionic when using a hostname instead of an IP address
# for endpoint. God knows why!
#via_systemd
via_wg_tools
shell: /usr/bin/bash --noprofile --norc -e -o pipefail {0}
Hit:1 http://azure.archive.ubuntu.com/ubuntu focal InRelease
Get:2 http://azure.archive.ubuntu.com/ubuntu focal-updates InRelease [114 kB]
Get:3 http://azure.archive.ubuntu.com/ubuntu focal-backports InRelease [108 kB]
Get:4 https://packages.microsoft.com/ubuntu/20.04/prod focal InRelease [10.5 kB]
Get:5 http://security.ubuntu.com/ubuntu focal-security InRelease [114 kB]
Hit:6 http://ppa.launchpad.net/ubuntu-toolchain-r/test/ubuntu focal InRelease
Get:7 http://azure.archive.ubuntu.com/ubuntu focal-updates/main amd64 Packages [1509 kB]
Get:8 http://azure.archive.ubuntu.com/ubuntu focal-updates/main Translation-en [296 kB]
Get:9 http://azure.archive.ubuntu.com/ubuntu focal-updates/main amd64 c-n-f Metadata [14.7 kB]
Get:10 http://azure.archive.ubuntu.com/ubuntu focal-updates/restricted amd64 Packages [736 kB]
Get:11 http://azure.archive.ubuntu.com/ubuntu focal-updates/restricted Translation-en [105 kB]
Get:12 http://azure.archive.ubuntu.com/ubuntu focal-updates/universe amd64 Packages [893 kB]
Get:13 http://azure.archive.ubuntu.com/ubuntu focal-updates/universe Translation-en [196 kB]
Get:14 http://azure.archive.ubuntu.com/ubuntu focal-updates/universe amd64 c-n-f Metadata [20.0 kB]
Get:15 https://packages.microsoft.com/ubuntu/20.04/prod focal/main amd64 Packages [122 kB]
Get:16 http://security.ubuntu.com/ubuntu focal-security/main amd64 Packages [1177 kB]
Get:17 http://security.ubuntu.com/ubuntu focal-security/main Translation-en [210 kB]
Get:18 http://security.ubuntu.com/ubuntu focal-security/main amd64 c-n-f Metadata [9100 B]
Get:19 http://security.ubuntu.com/ubuntu focal-security/restricted amd64 Packages [686 kB]
Get:20 http://security.ubuntu.com/ubuntu focal-security/restricted Translation-en [97.9 kB]
Get:21 http://security.ubuntu.com/ubuntu focal-security/universe amd64 Packages [675 kB]
Get:22 http://security.ubuntu.com/ubuntu focal-security/universe amd64 c-n-f Metadata [13.0 kB]
Fetched 7106 kB in 2s (3490 kB/s)
Reading package lists...
Reading package lists...
Building dependency tree...
Reading state information...
Suggested packages:
openresolv | resolvconf
The following NEW packages will be installed:
wireguard-tools
0 upgraded, 1 newly installed, 0 to remove and 40 not upgraded.
Need to get 83.3 kB of archives.
After this operation, 327 kB of additional disk space will be used.
Get:1 http://azure.archive.ubuntu.com/ubuntu focal-updates/universe amd64 wireguard-tools amd64 1.0.20200513-1~20.04.2 [83.3 kB]
Fetched 83.3 kB in 0s (1758 kB/s)
Selecting previously unselected package wireguard-tools.
(Reading database ...
(Reading database ... 5%
(Reading database ... 10%
(Reading database ... 15%
(Reading database ... 20%
(Reading database ... 25%
(Reading database ... 30%
(Reading database ... 35%
(Reading database ... 40%
(Reading database ... 45%
(Reading database ... 50%
(Reading database ... 55%
(Reading database ... 60%
(Reading database ... 65%
(Reading database ... 70%
(Reading database ... 75%
(Reading database ... 80%
(Reading database ... 85%
(Reading database ... 90%
(Reading database ... 95%
(Reading database ... 100%
(Reading database ... 235035 files and directories currently installed.)
Preparing to unpack .../wireguard-tools_1.0.20200513-1~20.04.2_amd64.deb ...
Unpacking wireguard-tools (1.0.20200513-1~20.04.2) ...
Setting up wireguard-tools (1.0.20200513-1~20.04.2) ...
wg-quick.target is a disabled or a static unit, not starting it.
Processing triggers for man-db (2.9.1-1) ...
That's weird, it seems OK. Please try removing the space between allowed-ips. If it's a bug, I will fix it in the action. If that's not it, you must have the public key of the GitHub runner not added to the list of allowed-ips on the server.
@egor-tensin I thought this was an issue:
wg-quick.target is a disabled or a static unit, not starting it.
Regarding this:
you must have the public key of the GitHub runner not added to the list of allowed-ips on the server: Allowed IPs on the server is 0.0.0.0/0.
I used this project to set up my wireguard on AWS(I used all default values) https://github.com/isystem-io/wireguard-aws
@egor-tensin Any updates? I couldn't make it work.
@genieai-vikas I ran into the same issue and it turns out that this Action doesn't add IP routes on its own, which is resolved in PR #3.
cc: @egor-tensin Would you consider merging that PR? Routes not being added by default caught me by surprise
For now I've added this temporary workaround in my workflow that runs after this action, which fully resolved the issue:
- name: Add WG route
  run: |
    ifname=$(ls /sys/class/net/ | grep '^wg')
    sudo ip route add ${{ secrets.WG_ALLOWED_IPS }} dev $ifname
The only pitfall with this is that it only works with a single IP in WG_ALLOWED_IPS; it would need to run in a loop if you're providing multiple Allowed IPs.
As a side note, "wg-quick.target is a disabled or a static unit, not starting it." seems to be an unrelated warning and not an error.
After some further investigation, it's worth noting that this issue only occurs when a /32 address is used for the wireguard interface in the ips option.
Offending line seems to be: https://github.com/egor-tensin/setup-wireguard/blob/master/action.yml#L128
The ip utility doesn't automatically create a routing table entry when assigning a /32 address to an interface, which causes connectivity issues unless a route is added manually.
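The single-route workaround above, generalized to a comma-separated allowed IPs list as an added example (this is not the action's code nor anything posted in the thread). The function names, the `WG_ROUTE_APPLY` switch and the sample lists are assumptions made for the example; the script only prints the `ip route` commands unless `WG_ROUTE_APPLY=1` is set, so it can be checked before it touches the runner's routing table:

```shell
#!/bin/sh
# Added example, not the action's or the thread's code: add one route per
# entry of a comma-separated allowed_ips list on the interface the action
# created. Function names, WG_ROUTE_APPLY and the sample lists are assumptions.
set -eu

# Split a comma-separated CIDR list (the format of the action's allowed_ips
# input, e.g. "10.50.0.0/24, 192.168.1.0/24") into one entry per line,
# trimming whitespace and dropping empty entries.
split_allowed_ips() {
    list="$1"
    while [ -n "$list" ]; do
        case $list in
            *,*) entry="${list%%,*}"; list="${list#*,}" ;;
            *)   entry="$list";       list="" ;;
        esac
        entry="${entry#"${entry%%[![:space:]]*}"}"   # strip leading whitespace
        entry="${entry%"${entry##*[![:space:]]}"}"   # strip trailing whitespace
        if [ -n "$entry" ]; then
            printf '%s\n' "$entry"
        fi
    done
}

# Name of the interface the action created ("wg" followed by 8 hex chars).
# Prints the first match and fails if there is none.
find_wg_ifname() {
    for path in /sys/class/net/wg*; do
        if [ -e "$path" ]; then
            basename -- "$path"
            return 0
        fi
    done
    return 1
}

# Add one route per CIDR on the given interface. By default this only prints
# the commands (dry run); set WG_ROUTE_APPLY=1 to execute them with sudo.
# Default routes are skipped: a plain `ip route add 0.0.0.0/0` collides with
# the runner's existing default route, and a full tunnel needs the policy
# routing (fwmark plus a separate table) that wg-quick sets up.
add_wg_routes() {
    ifname="$1"
    split_allowed_ips "$2" | while IFS= read -r cidr; do
        case $cidr in
            0.0.0.0/0|::/0)
                printf 'skipping %s: default routes need wg-quick-style policy routing\n' "$cidr" >&2
                continue ;;
        esac
        if [ "${WG_ROUTE_APPLY:-0}" = 1 ]; then
            sudo ip route add "$cidr" dev "$ifname"
        else
            printf 'ip route add %s dev %s\n' "$cidr" "$ifname"
        fi
    done
}

# Usage in a workflow step that runs after the action (dry run unless
# WG_ROUTE_APPLY=1 is exported):
#   add_wg_routes "$(find_wg_ifname)" "${{ secrets.WG_ALLOWED_IPS }}"
```

After applying, `ip route show dev "$ifname"` should list one entry per CIDR; with a /32 address in `ips` and no routes added, that listing is empty, which is exactly the symptom described in the thread.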
Was struggling with the same issue; used @recursiveGecko's solution, thanks!
Would be good to see the PR for this get merged.
Your solution works like a charm, @recursiveGecko, thank you! @egor-tensin Could you please merge PR #3, so that the setup doesn't use the extra step after use of your cool action anymore? Would be much appreciated, thanks!
Sorry, I was in no fit state to deal with my GitHub Actions for the past year. I'll try to keep up in the future.
PR #3 has been merged, so I'm closing this issue.