Rc.local file does not exist error setting up wg-quick

Hello,
So I’m setting up a VPN VM using the walkthrough provided by the folks at Mullvad.

It’s all set up, everything works right, wg-quick connects and networking is flawless. I’m feeling pretty proud of my damn self except this one thing. The script will not auto run when the VM starts.

Here’s a little info about my build. I’m on the 4.2.0 rc1, and I’m using the fedora-38 template.
After searching the forums I put a little echo test > /home/user/log line into the rc.local that runs just fine and writes to the home directory np, but when the VM boots wg-quick fails saying the conf file does not exist.

Jun 16 23:57:20 MullvadVPN systemd[1]: Starting qubes-misc-post.service - Qubes misc post-boot actions...
Jun 16 23:57:21 MullvadVPN misc-post.sh[621]: wg-quick: `/home/user/se-sto-wg-008.conf' does not exist
Jun 16 23:57:21 MullvadVPN systemd[1]: qubes-misc-post.service: Main process exited, code=exited, status=1/FAILURE
Jun 16 23:57:21 MullvadVPN systemd[1]: qubes-misc-post.service: Failed with result 'exit-code'.
Jun 16 23:57:21 MullvadVPN systemd[1]: Failed to start qubes-misc-post.service - Qubes misc post-boot actions.

My rc.local looks like:

#!/bin/sh

# This script will be executed at every VM startup, you can place your own
# custom commands here. This includes overriding some configuration in /etc,
# starting services etc.

# Example for overriding the whole CUPS configuration:
#  rm -rf /etc/cups
#  ln -s /rw/config/cups /etc/cups
#  systemctl --no-block restart cups
wg-quick up /home/user/se-sto-wg-008.conf

I’ve tried pointing the command to /rw/home/user/se-sto-wg-008.conf and tried several other conf files with no positive result. But as soon as boot is complete the command will launch the wg tunnel right away.
I feel like I’m missing something super simple. If rc.local can write to the /home/user dir, then wtf can’t it seem to read the files present there?
Any help would be appreciated.

EDIT: interesting to note… I made a launcher on the DOM0 desktop that runs:

qvm-run MullvadVPN sudo wg-quick up /home/user/se-sto-wg-008.conf

Which launches the qube and connects wg without ANY issue.

You can save the output from stdout and errout to a file; it might give you a better idea of why it doesn’t work.

Thanks for your reply… I gave that a spin hoping perhaps I could get a little more info, so I edited the command in rc.local to:

wg-quick up /home/user/se-sto-wg-008.conf &>> /home/user/wgerrlog

Unfortunately rebooting the qube gives me the following output in the target file:

wg-quick: `/home/user/se-sto-wg-008.conf' does not exist

But …

[user@MullvadVPN ~]$ ls /home/user
Desktop    Public              se-sto-wg-002.conf  se-sto-wg-007.conf
Documents  QubesIncoming       se-sto-wg-003.conf  se-sto-wg-008.conf
Downloads  Templates           se-sto-wg-004.conf  se-sto-wg-009.conf
Music      Videos              se-sto-wg-005.conf  wgerrlog
Pictures   se-sto-wg-001.conf  se-sto-wg-006.conf
[user@MullvadVPN ~]$ 

So I am still scratching my head here… this SHOULD be working, right?

Maybe SELinux is blocking access to the file?

Maybe some process started by wg-quick doesn’t have permissions to read /home/user; you could try moving the file to a directory with global access and see if you get the same error.

I hadn’t considered that, but I had originally assumed a permissions issue (isn’t it almost always a permissions issue) but I had dismissed that because permissions usually respond with an access denied error. I’m going to have to dig into SELinux a bit, I don’t know much about how it operates tbh. Thanks for the tip.

So wg-quick is installed in the template as part of the wireguard-tools package. The file is running from /usr/bin.
The conf file is usually just run from the user’s home folder, and under every circumstance it’s running fine, EXCEPT when called from rc.local.

Could you recommend another location in the AppVM that is persistent that would fit the bill… I’m down to try anything really. Do you think there would be a benefit from placing the conf file into the template?

Maybe try to place it in /rw/config.

You sir are BRILLIANT!!!
FIXED… wg tunnel connects automatically on boot now!
THANK YOU!

So weird that /rw/config worked but pointing to /rw/home/user did not…
Maybe this was a permissions issue after all.

Putting the configuration file in /rw/config didn’t work for me, it just spits out permission errors (despite having permission). Below is what finally worked for me:

setenforce 0
wg-quick up /home/user/wg.conf
setenforce 1

This temporarily sets SELinux to passive mode and then back to enforcing mode, so I suppose it has some security implications.

This method worked for me. I wish someone like @unman with security impact knowledge would weigh in on this approach. And recommend a better solution if this is a security compromise.
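The setenforce 0 / setenforce 1 workaround posted above, rewritten so that enforcing mode is put back and verified even when wg-quick fails or the script is signalled, and so that a qube that was not enforcing to begin with is never switched. This is an added example, not code from the thread; wg_up_bounded and the *_CMD variables are hypothetical names, and it assumes it runs as root from rc.local.

```shell
#!/bin/sh
# Added example (not from the thread). Assumption: wg_up_bounded and the
# *_CMD variables are hypothetical names; the defaults are the real tools.
# Note: SELinux is still permissive system-wide while wg-quick runs; this
# only keeps that window as short as possible and guarantees it closes.
GETENFORCE_CMD="${GETENFORCE_CMD:-getenforce}"
SETENFORCE_CMD="${SETENFORCE_CMD:-setenforce}"
WG_QUICK_CMD="${WG_QUICK_CMD:-wg-quick}"

wg_up_bounded() {
    conf="$1"

    # Record the current mode; bail out if SELinux tooling is unavailable.
    mode="$("$GETENFORCE_CMD")" || return 3

    if [ "$mode" != "Enforcing" ]; then
        # Already Permissive/Disabled: change nothing, and do not
        # "restore" a mode that was never active.
        "$WG_QUICK_CMD" up "$conf"
        return $?
    fi

    # Put enforcing back even if the script receives a signal mid-run.
    trap '"$SETENFORCE_CMD" 1' HUP INT TERM
    "$SETENFORCE_CMD" 0 || { trap - HUP INT TERM; return 3; }

    "$WG_QUICK_CMD" up "$conf"
    rc=$?

    # Restore regardless of wg-quick's exit status, then verify it took.
    "$SETENFORCE_CMD" 1
    trap - HUP INT TERM
    if [ "$("$GETENFORCE_CMD")" != "Enforcing" ]; then
        echo "wg_up_bounded: SELinux was NOT restored to Enforcing" >&2
        return 4
    fi
    return "$rc"
}

# In /rw/config/rc.local, paste the function above and end the file with:
#   wg_up_bounded /home/user/wg.conf
```

Return code 4 means the qube was left in a non-enforcing state and should be treated as a failed boot step rather than ignored.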