Wireguard installation failure, causing openHAB to be unreachable

  • Platform information:
    • Hardware:Pi4b 1GB RAM, USB SSD for influxdb data.
    • OS: openhabian 1.6.3 zram enabled
    • Java Runtime Environment: default
    • openHAB version: 3 stable, static IP

TL;DR Has anyone successfully setup wireguard via openhabian?

  • Issue of the topic: After setting up a new openHAB3 installation on a new Pi4b and new 16GB card I thought I would try the wireguard VPN. I ran through the process which seemed to run fine and added the config to the client using the QR code. I tried to connect but it failed. I then realised openHAB and SSH/putty were not responding. The green activity light was still flashing and the network activity light was still flashing but I couldn’t access file shares, openHAB or SSH. I don’t currently have a monitor connection so tried a power cycle.

This didn’t go well as the Pi failed to boot. I used the SD card that I’d setup for mirror backup and booted into that. Copied back the system to the original 16GB card and booted. Tried the setup again and afterwards, took the following code details.

2021-03-21_10:32:41_GMT [openHABian] Checking for root privileges... OK
2021-03-21_10:32:42_GMT [openHABian] Loading configuration file '/etc/openhabian.conf'... OK
2021-03-21_10:32:42_GMT [openHABian] openHABian configuration tool version: [openHAB3]patchday-20210316-1251(9334918)
2021-03-21_10:32:42_GMT [openHABian] Checking for changes in origin branch openHAB3... OK
2021-03-21_10:32:47_GMT [openHABian] Switching to branch openHAB3... OK
2021-03-21_10:32:57_GMT [openHABian] Updating Linux package information... OK
2021-03-21_10:32:57_GMT [openHABian] Installing Wireguard and enabling VPN remote access... net.ipv4.ip_forward = 1
net.ipv6.conf.all.forwarding = 1
Created symlink /etc/systemd/system/multi-user.target.wants/wg-quick@wg0.service → /lib/systemd/system/wg-quick@.service.
Job for wg-quick@wg0.service failed because the control process exited with error code.
See "systemctl status wg-quick@wg0.service" and "journalctl -xe" for details.
2021-03-21_10:36:32_GMT [openHABian] Generating QR to load config on the client side (download Wireguard app from PlayStore or AppStore)...

So I ran systemctl status wg-quick@wg0.service

enhabian@openhabian:~ $ systemctl status wg-quick@wg0.service
● wg-quick@wg0.service - WireGuard via wg-quick(8) for wg0
   Loaded: loaded (/lib/systemd/system/wg-quick@.service; enabled; vendor preset: enabled)
   Active: failed (Result: exit-code) since Sun 2021-03-21 10:34:53 GMT; 9min ago
     Docs: man:wg-quick(8)
           man:wg(8)
           https://www.wireguard.com/
           https://www.wireguard.com/quickstart/
           https://git.zx2c4.com/wireguard-tools/about/src/man/wg-quick.8
           https://git.zx2c4.com/wireguard-tools/about/src/man/wg.8
  Process: 27047 ExecStart=/usr/bin/wg-quick up wg0 (code=exited, status=1/FAILURE)
 Main PID: 27047 (code=exited, status=1/FAILURE)

Mar 21 10:34:53 openhabian systemd[1]: Starting WireGuard via wg-quick(8) for wg0...
Mar 21 10:34:53 openhabian wg-quick[27047]: wg-quick: `/etc/wireguard/wg0.conf' does not exist
Mar 21 10:34:53 openhabian systemd[1]: wg-quick@wg0.service: Main process exited, code=exited, status=1/FAILURE
Mar 21 10:34:53 openhabian systemd[1]: wg-quick@wg0.service: Failed with result 'exit-code'.
Mar 21 10:34:53 openhabian systemd[1]: Failed to start WireGuard via wg-quick(8) for wg0.

I then tried systemctl start wg-quick@wg0.service incase that might help and openHAB was not reachable again.

I left it running for 15mins and again all activity lights seemed to indicate the system was fine but openHAB was unreachable. A network scan didn’t show any other devices on the network indicating that the IP address had changed and openhabian:8080 didn’t connect either. Due to me pulling the power to try a restart, I’d possibly caused issues with the original and backup cards, so I coudn’t get either to boot. I ended up starting with a fresh install of openhabian 1.6.4 on a new 16GB card and reloading my backed up .item/.thing etc text files. I’m holding off trying wireguard again through fear of more issues.

Is it a Java program that requires a different version?
Perhaps it requires packages not present in the openHABian image.

The openHABian developers are rather clear that they designed the image for systems running only openHAB.

Wireguard is an installation option from within openhabian-config. In theory all requirements are dealt with by openhabian?

1 Like

Sorry, I was not aware of that. The developers should be along shortly.

I would assume that the mentioned conf file is required to setup wireguard as keys are required to define the secure connection.

In a rush to get my system back up, I stupidly only did a quick check of the files while the SD card plugged in to a Windows computer. The wireguard directory was there at /etc/wireguard and I’m sure the config file was there but I didn’t go any further to look at the contents of the /etc/wireguard/wg0.conf file.

I checked the removed, non booting SD card this morning in my windows computer and can see the files in /etc/wireguard, so they were definitely created. I’ll look to get an adaptor soon so I can plug a monitor in and see what shows at boot.

I can post the contents of /etc/wireguard/wg0.conf if needed?

I have now connected a monitor and can see the Pi is booting and openHAB/openhabian is loading, bringing up the login and loading the fireMOTD info. ifconfig -a shows the eth0 IP as the static IP I was expecting but I can’t get any access to SSH, webUI, tail logging etc.

I think I had setup wireguard incorrectly and had set the 3 octal IP address to 192.168.1. Maybe this had locked up the network? Don’t know. Anyway, I edited the wg0.conf file to 192.168.66 and restarted the Pi. (I am now running the previously setup SD card from my Pi 4 in a Pi 3 so I can play around without effecting my main openhabian system).

I can now access all parts of openhabian via its IP address but I can’t re-add or remove wireguard via the openhabian-config. I think the script is trying to stop the service but systemctl status wg-quick@wg0.service reports the service can’t be found.

I think I’m just going to start with a fresh installation of openhabian and try the wireguard setup again using a diffent IP range. Unless anyone can suggest anything else to test?

Just to close this thread, I removed the wireguard service and wireguard-tools using SSH connection and deleted the wireguard directory.

After a reboot I set up wireguard using openhabian-config again but used 192.168.66 for the VPN IP address instead of 192.168.1. I had the same failure as per the original post saying that it failed to start, but I still had SSH access.

After another reboot, the wireguard system says it has now started and I am able to connect to the VPN.

I can’t seem to get any traffic to flow and I had to manually set net.ipv4.ip_forward = 1 from GitHub - adrianmihalko/raspberrypiwireguard: Install and configure WireGuard on Raspberry Pi (and others) but wireguard does install.

That should not have been needed: