Hello,
So I'm setting up a VPN VM using the walkthrough provided by the folks at Mullvad.
It's all set up, everything works right, wg-quick connects and networking is flawless. I'm feeling pretty proud of my damn self except for this one thing. The script will not auto-run when the VM starts.
Here's a little info about my build. I'm on 4.2.0 rc1 and I'm using the fedora-38 template.
After searching the forums I put a little echo test > /home/user/log line into the rc.local that runs just fine and writes to the home directory np, but when the VM boots wg-quick fails saying the conf file does not exist.
Jun 16 23:57:20 MullvadVPN systemd[1]: Starting qubes-misc-post.service - Qubes misc post-boot actions...
Jun 16 23:57:21 MullvadVPN misc-post.sh[621]: wg-quick: `/home/user/se-sto-wg-008.conf' does not exist
Jun 16 23:57:21 MullvadVPN systemd[1]: qubes-misc-post.service: Main process exited, code=exited, status=1/FAILURE
Jun 16 23:57:21 MullvadVPN systemd[1]: qubes-misc-post.service: Failed with result 'exit-code'.
Jun 16 23:57:21 MullvadVPN systemd[1]: Failed to start qubes-misc-post.service - Qubes misc post-boot actions.
My rc.local looks like:
#!/bin/sh
# This script will be executed at every VM startup, you can place your own
# custom commands here. This includes overriding some configuration in /etc,
# starting services etc.
# Example for overriding the whole CUPS configuration:
# rm -rf /etc/cups
# ln -s /rw/config/cups /etc/cups
# systemctl --no-block restart cups
wg-quick up /home/user/se-sto-wg-008.conf
I've tried pointing the command to /rw/home/user/se-sto-wg-008.conf and tried several other conf files with no positive result. But as soon as boot is complete the command will launch the wg tunnel right away.
I feel like I'm missing something super simple. If rc.local can write to the /home/user dir, then wtf can't it seem to read the files present there?
Any help would be appreciated.
EDIT: interesting to note… I made a launcher on the DOM0 desktop that runs:
qvm-run MullvadVPN sudo wg-quick up /home/user/se-sto-wg-008.conf
Which launches the qube and connects wg without ANY issue.
Maybe some process started by wg-quick doesn't have permission to read /home/user. You could try moving the file to a directory with global access and see if you get the same error.
I hadn't considered that. I had originally assumed a permissions issue (isn't it almost always a permissions issue?) but had dismissed that because permission problems usually respond with an access denied error. I'm going to have to dig into SELinux a bit, I don't know much about how it operates tbh. Thanks for the tip.
So wg-quick is installed in the template as part of the wireguard-tools package. The file is running from /usr/bin.
The conf file is usually just run from the user's home folder, and under every circumstance it's running fine, EXCEPT when called from rc.local.
Could you recommend another location in the AppVM that is persistent that would fit the bill… I’m down to try anything really. Do you think there would be a benefit from placing the conf file into the template?
Putting the configuration file in /rw/config didn’t work for me, it just spits out permission errors (despite having permission). Below is what finally worked for me:
setenforce 0
wg-quick up /home/user/wg.conf
setenforce 1
This temporarily sets SELinux to passive mode and then back to enforcing mode, so I suppose it has some security implications.
This method worked for me. I wish someone like @unman with security impact knowledge would weigh in on this approach. And recommend a better solution if this is a security compromise.
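An added example, not code from any of the posts above: a replacement for the single `wg-quick up` line in /rw/config/rc.local that does not toggle setenforce. It assumes, as the symptoms in this thread suggest but do not prove, that the boot-time "does not exist" error is SELinux denying the service access to a config file that carries the label of the user's home directory; the persistent directory /rw/config/wireguard and the interface name se-sto-wg-008 are assumptions chosen for illustration. Instead of disabling enforcement, the script copies the persistent config into /etc/wireguard (where wg-quick looks up an interface by name), re-applies the default SELinux label with restorecon, brings the tunnel up by interface name, and prints recent AVC denials when something fails so the real cause shows up in the journal rather than being masked.

```shell
#!/bin/sh
# Added example for /rw/config/rc.local in a Qubes WireGuard qube.
# Not from the thread; assumptions are marked below.
set -eu

# Assumed locations: the config lives persistently under /rw/config
# (kept across AppVM reboots) and is staged into /etc/wireguard at boot.
PERSIST_DIR="${PERSIST_DIR:-/rw/config/wireguard}"
WG_DIR="${WG_DIR:-/etc/wireguard}"
IFACE="${IFACE:-se-sto-wg-008}"   # assumed interface name from the thread

# Return 0 if the file exists and has the minimum a wg-quick config needs:
# an [Interface] section with a PrivateKey line.
looks_like_wg_conf() {
    f="$1"
    [ -f "$f" ] || return 1
    grep -q '^\[Interface\]' "$f" && grep -q '^PrivateKey *=' "$f"
}

# Stage the config where wg-quick expects it, owner-only readable, and
# reapply the default SELinux label for that path (etc_t on Fedora) rather
# than running with setenforce 0.
install_wg_conf() {
    src="$1"
    dst="$2"
    install -m 0600 "$src" "$dst"
    if command -v restorecon >/dev/null 2>&1; then
        restorecon "$dst"
    fi
}

# Show AVC denials since boot so a failure can be diagnosed from the
# journal instead of being hidden by a permissive switch.
show_avc_denials() {
    if command -v ausearch >/dev/null 2>&1; then
        ausearch -m avc -ts boot 2>/dev/null || true
    fi
}

bring_up_tunnel() {
    src="$PERSIST_DIR/$IFACE.conf"
    dst="$WG_DIR/$IFACE.conf"
    if ! looks_like_wg_conf "$src"; then
        echo "rc.local: $src missing or not a WireGuard config" >&2
        show_avc_denials
        return 1
    fi
    mkdir -p "$WG_DIR"
    install_wg_conf "$src" "$dst"
    # wg-quick resolves a bare name to /etc/wireguard/<name>.conf
    if ! wg-quick up "$IFACE"; then
        echo "rc.local: wg-quick failed; recent SELinux denials:" >&2
        show_avc_denials
        return 1
    fi
}

# Only act inside a Qubes qube (where /rw/config exists); elsewhere the
# functions are merely defined so the file can be sourced for testing.
if [ -d /rw/config ]; then
    bring_up_tunnel
fi
```

After a reboot, `journalctl -u qubes-misc-post.service` shows whether the tunnel came up; if it did not, the AVC lines printed by the script (or `ausearch -m avc -ts boot` run by hand) say which file and label SELinux objected to, which is the information needed to fix the label or policy instead of disabling enforcement.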