dowerx/www
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
a34bfa758b
www/docs/projects/posts/systemd-networkd.md

5.2 KiB
Raw Blame History

date tags
created
2024-12-06
systemd
networking
linux
vpn
wireguard
openvpn

How to configure systemd-networkd

These are some tipps I learned while setting up networking for my desktop and some VMs.

!!! info "Sadly, I don't know about any extensions or manager software for WiFi and systemd-networkd, so these only apply to wired connections. You could set up your links using networkd but then you would neet to use wpa_supplicant or something similar to connect to any networks."

1. Install it

apt install systemd-networkd systemd-resolved
systemctl enable --now systemd-networkd systemd-resolved

!!! warning "DNS resolution won't work until we configure networkd. Make sure you don't need it until then!"

2. Disable NetworkManager

By default, desktop installs of Debian use NetworkManager, we won't be needing it. 🫡

systemctl disable NetworkManager
systemctl stop NetworkManager

3. Configure the physical interface

3.1. Link

We will change the name of the interface so we can reference it later.

# /etc/systemd/network/10-lan0.link
[Match]
MACAddress=40:b0:76:7b:62:59

[Link]
Name=lan0
WakeOnLan=magic

!!! note "WakeOnLan is used to turn on the device remotely with a magic packet if it is in standby and connected to the network."

3.2. Bridge network

Later on we will create a bridge interface for running VMs. We need to tell the physical interface which bridge to forward traffic to.

# /etc/systemd/network/20-lan0.network
[Match]
Name=lan0

[Network]
Bridge=br0

4. Configure a bridge interface

4.1. The device

We first define the bridge:

# /etc/systemd/network/30-br.netdev
[NetDev]
Name=br0
Kind=bridge
MACAddress=none

!!! note "We set MACAddress to none so that the interface copies the MAC of it's first slace interface (in this case lan0's)."

4.2. Bridge Link

We need this for the MAC configuration.

# /etc/systemd/network/40-br0.link
[Match]
OriginalName=br0

[Link]
MACAddressPolicy=none

4.3. Bridge network

We can choose to configure a static IP or use DHCP. For servers I recommend going with static IPs.

4.3.1. Static IP

# /etc/systemd/network/50-br0.network
[Match]
Name=br0

[Network]
Address=192.168.11.128/24
Gateway=192.168.11.1
DNS=1.1.1.3#family.cloudflare-dns.com
DNS=1.0.0.3#family.cloudflare-dns.com
DNSOverTLS=yes

!!! note "I configured it to use DNSOverTLS so my DNS querys are encrypted. You don't need to do this but it is more secure. If you choose regular DNS leave out the #family.cloudflare-dns.com part and set DNSOverTLS to no"

4.3.2. DHCP

# /etc/systemd/network/50-br0.network
[Match]
Name=br0

[Network]
DHCP=yes

4.3.3. Custom static routes

You may need to configure static routes. You can do this by adding a [Route] section to your bridge's network configuration.

# /etc/systemd/network/50-br0.network
...
[Route]
Gateway=192.168.11.232
Destination=192.168.50.0/24
GatewayOnLink=yes
...

5. Wireguard

Wireguard is an opensource VPN protocol running in a kernel module. Here is how you can configure a client peer for it.

5.1. Install Wireguard

apt install wireguard

5.2. Place your keys

Place your preshared key in /etc/systemd/network/wg0.key and your private key in /etc/systemd/network/wg0.privkey

You need to make sure these keys are not readable by anybody but the root user.

chown root:systemd-network /etc/systemd/network/wg0.*
chmod 640 /etc/systemd/network/wg0.*

5.3. Wireguard NetDev

# /etc/systemd/network/60-wg0.netdev
[NetDev]
Name=wg0
Kind=wireguard

[WireGuard]
PrivateKeyFile=/etc/systemd/network/wg0.privkey

[WireGuardPeer]
PublicKey=eeno6ac4thicaixeeceibee5Phoh9Eetheimapa9boo=
PresharedKeyFile=/etc/systemd/network/wg0.key
Endpoint=example.org:51820
AllowedIPs=192.168.24.0/24
PersistentKeepalive=10

5.4. Wireguard network

# /etc/systemd/network/60-wg0.netdev
[Match]
Name=wg0

[Network]
Unmanaged=yes
Address=192.168.24.3/24
DNS=192.168.24.1

[Route]
Gateway=192.168.24.1
Destination=192.168.24.0/24
GatewayOnLink=yes

6. OpenVPN

OpenVPN is another VPN protocol. It sadly can't be configured with networkd but can run as a systemd service, the second best thing.

6.1. Install OpenVPN

apt install openvpn

6.2. Place config

Move your configuration files to /etc/openvpn/client. Change the extension of the .ovpn file to .conf.

6.3. Start the service

systemctl start openvpn-client@${CONFIG_NAME}

Replace ${CONFIG_NAME} with the name of your .conf file without the extension.

You can disconnect by stopping it.

systemctl start openvpn-client@${CONFIG_NAME}

!!! note "You can configure this service to start at boot by enabeling it. #!sh systemctl enable openvpn-client@${CONFIG_NAME}"

!!! warning "OpenVPN pulls its routes from the server, even if they conflict with you local network. This means that you may loose connection to your local gateway because OpenVPN tries to route your LAN traffic through the VPN. You can drop a specific route from the pulled list by setting a pull filter in you .conf file: pull-filter ignore "route 192.168.11.""