systemd-networkd

NOTE: available with vpn-server-node >= 3.2.0

NOTE: see Compatibility if you are not running on Debian >= 13, or Enterprise Linux >= 10.

By default wg-quick is used to manage the WireGuard network interface on the VPN node(s). It is possible to switch to systemd-networkd. This is useful in case you are already using systemd-networkd to manage your other network interfaces, or want to switch to it.

Debian >= 12 and Ubuntu use systemd-networkd in their cloud images through Netplan.

An additional benefit is that with systemd-networkd you can let the VPN server software manage your interface, but at the same time override (part of) the configuration depending on your local situation. An example of where this is useful is given in the Policy Routing documentation.

Switching

Make sure you have systemd-networkd installed, activated on boot, and running:

On Debian and Ubuntu:

$ sudo apt -y install systemd-networkd
$ sudo systemctl enable --now systemd-networkd

On Fedora and Enterprise Linux:

$ sudo dnf -y install systemd-networkd
$ sudo systemctl enable --now systemd-networkd

Modify /etc/vpn-server-node/config.php and add (or set) the networkBackend configuration option with value systemd-networkd, i.e.:

<?php

return [

    // existing configuration...

    'networkBackend' => 'systemd-networkd',
];

Then “Apply Changes” to disable wg-quick and enable systemd-networkd:

$ sudo vpn-maint-apply-changes

You can verify the wg0 interface is now managed by systemd-networkd using the networkctl command:

$ networkctl 
IDX LINK   TYPE      OPERATIONAL SETUP     
  1 lo     loopback  carrier     unmanaged
  2 enp1s0 ether     routable    configured
  4 wg0    wireguard routable    configured

3 links listed.

Other Interfaces

You can also switch your other interface(s) to be managed by systemd-networkd. For example, if the interface enp1s0 is the interface connecting to the Internet, you can create the file /etc/systemd/network/50-enp1s0.network with the following content:

[Match]
Name = enp1s0

[Network]
Address = 192.0.2.5/24
Address = 2001:db8::5/64
Gateway = 192.0.2.1
Gateway = 2001:db8::1
IPv6AcceptRA = no
IPv4Forwarding = yes
IPv6Forwarding = yes
DNS = 9.9.9.9
DNS = 2620:fe::fe

Make sure you update the Address and Gateway for your situation. You may also want to install (and enable) systemd-resolved for local DNS resolving.

If you are on Debian (or Ubuntu), converted your interface(s) to systemd-networkd and were using ifupdown, you can remove /etc/network/interfaces and any files in /etc/network/interfaces.d.

If you were using NetworkManager on Fedora or Enterprise Linux, you may want to delete the files in /etc/NetworkManager/system-connections for the interfaces that you migrated.

Apply the changes:

$ sudo networkctl reload
$ sudo networkctl reconfigure enp1s0

You can check the output of networkctl status and make sure everything is correct.

The VPN server deploy script created the file /etc/sysctl.d/70-vpn.conf that enabled IPv4 and IPv6 forwarding for all interfaces. With systemd-networkd and the configuration above, the forwarding is enabled per interface, so the global configuration is no longer needed, which means you can delete /etc/sysctl.d/70-vpn.conf.

Make sure you reboot your system and verify that everything comes back as expected.

Compatibility

There is a (minor) compatibility issue with systemd-networkd. We target systemd version >= 256. If you run an older version of systemd, read on for the details.

OS                   systemd version  OK?
Debian 12            252              No
Debian 13            257              Yes
Ubuntu 22.04         249              No
Ubuntu 24.04         255              No
Enterprise Linux 9   252              No
Enterprise Linux 10  257              Yes

In systemd-networkd version 256 the “IP Forwarding” configuration changed. The global IPForward option got replaced by the per interface IPv4Forwarding and IPv6Forwarding options, which we use.

On a version of systemd-networkd that does not yet support these options, they are ignored. This means that when all your interfaces are managed by systemd-networkd, you either have to use the global IPForward option in networkd.conf, or keep the /etc/sysctl.d/70-vpn.conf file instead of removing it as suggested in the previous section.
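Before deleting /etc/sysctl.d/70-vpn.conf, and again after the reboot, you can check both conditions from a script. The following is an added example, not part of the VPN server software: the function names are made up here, the interface names enp1s0 and wg0 are the ones used on this page, and it assumes the first line of `systemctl --version` has the form `systemd <number> (...)`.

```sh
#!/bin/sh
# Added example: decide whether /etc/sysctl.d/70-vpn.conf may be removed and
# verify that per-interface forwarding is really enabled.

# Extract the major version from the first line of `systemctl --version`,
# e.g. "systemd 257 (257.5-2)" -> 257. Prints nothing if the line is unparsable.
systemd_major() {
    printf '%s\n' "$1" | sed -n '1s/^systemd \([0-9][0-9]*\).*/\1/p'
}

# Return 0 if this systemd honours IPv4Forwarding=/IPv6Forwarding= (>= 256).
# An unparsable version counts as "not supported" so the sysctl file is kept.
supports_per_interface_forwarding() {
    major=$(systemd_major "$1")
    [ -n "$major" ] && [ "$major" -ge 256 ]
}

# Print "<interface>/<family>" for every forwarding sysctl that is not 1.
# $1 = root prefix ("" on a live system, a scratch directory when testing)
# remaining arguments = interface names
forwarding_disabled_on() {
    root=$1; shift
    for ifname in "$@"; do
        for fam in ipv4 ipv6; do
            f="$root/proc/sys/net/$fam/conf/$ifname/forwarding"
            [ "$(cat "$f" 2>/dev/null)" = "1" ] || printf '%s/%s\n' "$ifname" "$fam"
        done
    done
}

report() {
    ver=$(systemctl --version | head -n 1)
    if supports_per_interface_forwarding "$ver"; then
        echo "OK: '$ver' supports per-interface forwarding"
    else
        echo "KEEP /etc/sysctl.d/70-vpn.conf: '$ver' ignores IPv4Forwarding/IPv6Forwarding"
    fi
    bad=$(forwarding_disabled_on "" "$@")
    [ -z "$bad" ] || { echo "forwarding NOT enabled on:"; echo "$bad"; return 1; }
}

# Run the report only when interface names are given, e.g.:
#   sh check-forwarding.sh enp1s0 wg0
if [ "$#" -gt 0 ]; then report "$@"; fi
```

A non-empty "forwarding NOT enabled on" list after removing the sysctl file means VPN client traffic will not be routed through that interface.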