Bug 1981025 - Wireguard with Pre-shared key not working
Summary: Wireguard with Pre-shared key not working
Status: NEW
Alias: None
Product: Fedora
Classification: Fedora
Component: network-manager-applet
Version: 34
Hardware: Unspecified
OS: Unspecified
Target Milestone: ---
Assignee: Lubomir Rintel
QA Contact: Fedora Extras Quality Assurance
Reported: 2021-07-10 16:23 UTC by Afox
Modified: 2021-08-06 15:42 UTC

Type: Bug

Attachments
networkmanager logs (2.61 MB, text/plain)
2021-07-15 01:12 UTC, fabian.quintanar.crx

Description Afox 2021-07-10 16:23:10 UTC
Description of problem: When trying to establish a wireguard connection including a pre-shared key, the connection will not be enabled.

Version-Release number of selected component (if applicable): nmcli 1.30.4-1.fc34

Steps to Reproduce:
1. Open a terminal window as unprivileged user and type "nm-connection-editor"
2. Add a new wireguard connection wg0 including a pre-shared key choosing only to save the Pre-shared key and the Private key for the current user.
3. Bring the connection up using "nmcli connection up wg0"

Actual results: The connection will not become active.

Expected results: The connection should become active.

Comment 1 Thomas Haller 2021-07-11 14:51:37 UTC
Please provide a level=TRACE log.

Read https://gitlab.freedesktop.org/NetworkManager/NetworkManager/-/blob/main/contrib/fedora/rpm/NetworkManager.conf#L27 for hints about logging and about how to get logs. Note also the comments about private sensitive data in the logs and take care of that.

Comment 2 Afox 2021-07-12 09:06:21 UTC
The PSK doesn't get saved to the GNOME-keyring. preshared-key-flags=1 is set in the config file. That's all I can provide at the moment.

Comment 3 Thomas Haller 2021-07-12 15:09:02 UTC
Without looking deeper into this:

gnome-shell does not support WireGuard yet ([1]). So it would be expected that it is unable to store the WireGuard secret.

[1] https://gitlab.gnome.org/GNOME/gnome-shell/-/issues/2989

Comment 4 Afox 2021-07-12 16:53:37 UTC
The private key gets stored in the GNOME-keyring though.

Comment 5 fabian.quintanar.crx 2021-07-15 01:12:57 UTC
Created attachment 1801697
networkmanager logs

I can reproduce the issue in Fedora 34 KDE and changed the log level to trace and attached it.

Comment 6 Beniamino Galvani 2021-08-03 08:38:30 UTC
(In reply to Afox from comment #4)
> The private key gets stored in the GNOME-keyring though.

The private key is a standard property, while the preshared-key is a key in an array of dictionaries (the peers) and must be handled specially by secret agents (GNOME Applet, GNOME Shell or KDE Applet).

This adds support to the GNOME Applet: 


Comment 7 Afox 2021-08-05 13:01:11 UTC
Will this fix find its way to Fedora 34? Thank you

Comment 8 Beniamino Galvani 2021-08-06 15:19:06 UTC
Yes, probably when there is the next upstream release. But from what I understood you are using GNOME-Shell while that fix was for the nm-applet, so it doesn't affect you.

Comment 9 Afox 2021-08-06 15:35:13 UTC
If I understood correctly there currently is no wireguard implementation in GNOME-Shell so if using "nm-connection-editor" means using the nm-applet it affects and fixes it for me. Best regards

Comment 10 Beniamino Galvani 2021-08-06 15:42:04 UTC
> so if using "nm-connection-editor" means using the nm-applet 

While "nm-connection-editor" and "nm-applet" are part of the same project, they are different binaries. Probably you can run "nm-applet" from GNOME, but the applet icon will not appear anywhere; however it should be able to fetch secrets from the keyring.
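
The distinction drawn in comment 6, as an added example that is not part of the bug report or of NetworkManager's code: it reads a NetworkManager keyfile and reports which WireGuard secrets are agent-owned (flag bit 1, the `preshared-key-flags=1` mentioned in comment 2) and which of those live in a per-peer section and so depend on a secret agent that handles peers. The sample profile, the placeholder public key and the function names are constructed for illustration.

```python
import configparser

# NMSettingSecretFlags bit values; 0 means NetworkManager stores the secret itself.
FLAGS = {1: "agent-owned", 2: "not-saved", 4: "not-required"}

# Constructed sample profile: no key material, public key is a placeholder.
SAMPLE_KEYFILE = """\
[connection]
id=wg0
type=wireguard

[wireguard]
private-key-flags=1

[wireguard-peer.PLACEHOLDER_PEER_PUBLIC_KEY=]
endpoint=vpn.example.com:51820
preshared-key-flags=1
allowed-ips=0.0.0.0/0;
"""

def decode_flags(value):
    """Turn a secret-flags integer into a list of flag names."""
    names = [name for bit, name in FLAGS.items() if value & bit]
    return names or ["system-stored"]

def wireguard_secrets(keyfile_text):
    """List each WireGuard secret slot in the profile with its storage flags."""
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    cp.read_string(keyfile_text)
    report = []
    for section in cp.sections():
        if section == "wireguard":
            secret, scope = "private-key", "setting"      # plain property
        elif section.startswith("wireguard-peer."):
            secret, scope = "preshared-key", "peer"       # one entry per peer
        else:
            continue
        flags = int(cp[section].get(secret + "-flags", "0"))
        report.append({
            "section": section, "secret": secret, "scope": scope,
            "flags": decode_flags(flags),
            # Agent-owned per-peer secrets need an agent that handles peers.
            "needs_peer_aware_agent": scope == "peer" and bool(flags & 1),
        })
    return report

if __name__ == "__main__":
    for row in wireguard_secrets(SAMPLE_KEYFILE):
        print(row)
```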
