Closed. Tatsujin closed this 3 months ago.
Also, I appear to be having trouble with using systemd-networkd to setup the Wireguard tunnel, is there anything obvious I am doing wrong?
```
# cat /etc/issue
Ubuntu 24.04 LTS \n \l
```

```
# cat /etc/systemd/network/wgpia0.netdev /etc/systemd/network/wgpia0.network
[NetDev]
Name=wgpia0
Kind=wireguard

[WireGuard]
PrivateKey=PRIVATEKEY

[WireGuardPeer]
PublicKey=PUBLICKEY
AllowedIPs=0.0.0.0/0
Endpoint=212.102.35.31:1337
PersistentKeepalive=25

[Match]
Name=wgpia0
Type=wireguard

[Network]
Address=10.1.249.42/32
DNS=10.0.0.243%wgpia0
DNS=10.0.0.242%wgpia0

[Route]
Destination=0.0.0.0/0
Gateway=10.1.128.1
GatewayOnLink=yes

[Route]
Destination=10.1.128.1/32
Scope=link

[Route]
Destination=10.0.0.243/32
Gateway=10.1.128.1

[Route]
Destination=10.0.0.242/32
Gateway=10.1.128.1
```
Before bringing the tunnel up:

```
# ip r
default via GATEWAY dev enp0s3 proto dhcp src IP metric 100
DNS2 via 192.168.1.1 dev enp0s3 proto dhcp src IP metric 100
NETWORK/CIDR dev enp0s3 proto kernel scope link src IP metric 100
GATEWAY dev enp0s3 proto dhcp scope link src IP metric 100
DNS1 dev enp0s3 proto dhcp scope link src IP metric 100
# ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host noprefixroute
       valid_lft forever preferred_lft forever
2: enp0s3: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
    link/ether 08:00:27:70:9d:08 brd ff:ff:ff:ff:ff:ff
    inet IP/CIDR metric 100 brd BROADCAST scope global dynamic enp0s3
       valid_lft 86112sec preferred_lft 86112sec
    inet6 fe80::a00:27ff:fe70:9d08/64 scope link
       valid_lft forever preferred_lft forever
# resolvectl status
Global
         Protocols: -LLMNR -mDNS -DNSOverTLS DNSSEC=no/unsupported
  resolv.conf mode: stub

Link 2 (enp0s3)
    Current Scopes: DNS
         Protocols: +DefaultRoute -LLMNR -mDNS -DNSOverTLS DNSSEC=no/unsupported
Current DNS Server: DNS1
       DNS Servers: DNS1 DNS2
        DNS Domain: DOMAIN
# curl -4 icanhazip.com
PUBLIC_IP
# resolvectl query google.com
google.com: 2607:f8b0:4009:802::200e -- link: enp0s3
            142.250.190.14 -- link: enp0s3

-- Information acquired via protocol DNS in 31.6ms.
-- Data is authenticated: no; Data was acquired via local or encrypted transport: no
-- Data from: network
```
After reloading and restarting systemd-networkd:

```
# systemctl daemon-reload
# systemctl restart systemd-networkd
# ip r
default via 10.1.128.1 dev wgpia0 proto static onlink
default via GATEWAY dev enp0s3 proto dhcp src IP metric 100
DNS1 via GATEWAY dev enp0s3 proto dhcp src IP metric 100
10.0.0.243 via 10.1.128.1 dev wgpia0 proto static
10.0.0.242 via 10.1.128.1 dev wgpia0 proto static
10.1.128.1 dev wgpia0 proto static scope link
NETWORK/CIDR dev enp0s3 proto kernel scope link src IP metric 100
GATEWAY dev enp0s3 proto dhcp scope link src IP metric 100
DNS2 dev enp0s3 proto dhcp scope link src IP metric 100
# ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host noprefixroute
       valid_lft forever preferred_lft forever
2: enp0s3: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
    link/ether 08:00:27:70:9d:08 brd ff:ff:ff:ff:ff:ff
    inet IP/CIDR metric 100 brd BROADCAST scope global dynamic enp0s3
       valid_lft 86322sec preferred_lft 86322sec
    inet6 fe80::a00:27ff:fe70:9d08/64 scope link
       valid_lft forever preferred_lft forever
3: wgpia0: <POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1420 qdisc noqueue state UNKNOWN group default qlen 1000
    link/none
    inet 10.1.249.42/32 scope global wgpia0
       valid_lft forever preferred_lft forever
# resolvectl status
Global
         Protocols: -LLMNR -mDNS -DNSOverTLS DNSSEC=no/unsupported
  resolv.conf mode: stub

Link 2 (enp0s3)
    Current Scopes: DNS
         Protocols: +DefaultRoute -LLMNR -mDNS -DNSOverTLS DNSSEC=no/unsupported
       DNS Servers: DNS1 DNS2
        DNS Domain: DOMAIN

Link 3 (wgpia0)
    Current Scopes: DNS
         Protocols: +DefaultRoute -LLMNR -mDNS -DNSOverTLS DNSSEC=no/unsupported
       DNS Servers: 10.0.0.243 10.0.0.242
# curl -4 icanhazip.com
curl: (28) Failed to connect to icanhazip.com port 80 after 268850 ms: Couldn't connect to server
# resolvectl query google.com
google.com: 2607:f8b0:4009:802::200e -- link: enp0s3
            142.250.190.142 -- link: enp0s3

-- Information acquired via protocol DNS in 31.2ms.
-- Data is authenticated: no; Data was acquired via local or encrypted transport: no
-- Data from: network
```
I was able to resolve the connection issue by converting a wg config from an old working host with wg2nd and updating the template where appropriate. Also, I had to disconnect that older host from the VPN before the new one would start working.
I'm probably not going to change ping packages, as this one is simple and works fine. The sysctl you mention is there to limit which users can do things like what pia-listregions does. If certain distros have defaults that require root, the admin can change it if they want using sysctl or setcap, i.e. all is working as intended. I can add something in the readme, though, to point folks who stumble on the issue as you did in the right direction.
Greetings,
Thanks again for this repository. I was testing it on Ubuntu 24.04 LTS and ran into an issue where pia-listregions was returning 'N/A' for all regions, so the pia-setup-tunnel command would pick a random endpoint and fail to set up the tunnel. I did some research and confirmed the reason is that a recent Linux OS packet capture change (getcap/setcap) no longer allows unprivileged pings to be sent. This is addressed in pro-bing:
https://github.com/prometheus-community/pro-bing?tab=readme-ov-file#linux
For now, I have made the required sysctl change. If possible, please update the code to use pro-bing instead of go-ping as a dependency. pro-bing is a Prometheus community module (commonly used for monitoring/metrics gathering). The link above explains the recommended workarounds to give the binary full access to send ICMP packets, but if that is not possible, the end-user can use sysctl themselves.
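The two permission paths discussed in this thread (the `net.ipv4.ping_group_range` sysctl versus `setcap cap_net_raw` on the binary) can be checked before running anything, which makes the 'N/A' symptom easy to tell apart from a network problem. This is an added diagnostic script, not code from this repository or from pro-bing; it assumes the tool binary is `pia-listregions` on `$PATH` and that the kernel exposes the usual `/proc/sys/net/ipv4/ping_group_range` file.

```shell
#!/bin/sh
# Added diagnostic (not part of the pia-* repository): explain why an
# unprivileged process cannot send ICMP echo requests on Linux.
#
# Linux lets an unprivileged process open an ICMP datagram socket only when
# its group id lies inside net.ipv4.ping_group_range, a "LO HI" pair whose
# default "1 0" is an empty range. Otherwise the binary needs CAP_NET_RAW.

# gid_in_ping_range GID "LO HI"  -> exit 0 if GID is inside the range.
# The /proc file separates LO and HI with a tab, so split on whitespace.
gid_in_ping_range() {
    gid=$1
    set -- $2
    lo=$1; hi=$2
    [ "$lo" -le "$hi" ] && [ "$gid" -ge "$lo" ] && [ "$gid" -le "$hi" ]
}

# binary_has_net_raw PATH  -> exit 0 if getcap reports cap_net_raw on PATH.
binary_has_net_raw() {
    command -v getcap >/dev/null 2>&1 || return 1
    getcap "$1" 2>/dev/null | grep -q 'cap_net_raw'
}

# diagnose_icmp [BINARY]  -> 0 if unprivileged ICMP will work, 1 if not,
# 2 if this is not a Linux host with the sysctl exposed.
diagnose_icmp() {
    bin=${1:-$(command -v pia-listregions)}   # assumed binary name
    range_file=/proc/sys/net/ipv4/ping_group_range
    [ -r "$range_file" ] || { echo "no $range_file; not Linux?"; return 2; }
    range=$(cat "$range_file")
    if gid_in_ping_range "$(id -g)" "$range"; then
        echo "ok: gid $(id -g) is inside ping_group_range ($range)"
        return 0
    fi
    if [ -n "$bin" ] && binary_has_net_raw "$bin"; then
        echo "ok: $bin carries cap_net_raw"
        return 0
    fi
    echo "unprivileged ICMP blocked: ping_group_range is '$range' and" \
         "${bin:-the binary} lacks cap_net_raw"
    echo "fix (either): sysctl -w net.ipv4.ping_group_range='0 2147483647'"
    echo "          or: setcap cap_net_raw=+ep ${bin:-/path/to/binary}"
    return 1
}
```

Run `diagnose_icmp` as the same unprivileged user that will invoke pia-listregions, since the group check is per caller, while the capability check is per binary.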