I'm running wg-quick.service on system startup to establish a VPN tunnel:

root@db ~ # cat /usr/lib/systemd/system/wg-quick@.service
[Unit]
Description=WireGuard via wg-quick(8) for %I
After=network-online.target nss-lookup.target
Wants=network-online.target nss-lookup.target
PartOf=wg-quick.target
Documentation=man:wg-quick(8)
Documentation=man:wg(8)
Documentation=https://www.wireguard.com/
Documentation=https://www.wireguard.com/quickstart/
Documentation=https://git.zx2c4.com/wireguard-tools/about/src/man/wg-quick.8
Documentation=https://git.zx2c4.com/wireguard-tools/about/src/man/wg.8

[Service]
Type=oneshot
RemainAfterExit=yes
ExecStart=/usr/bin/wg-quick up %i
ExecStop=/usr/bin/wg-quick down %i
Environment=WG_ENDPOINT_RESOLUTION_RETRIES=infinity

[Install]
WantedBy=multi-user.target

I want postgresql to listen on the wireguard address, 10.100.0.107:

root@db ~ # cat /etc/postgresql/13/main/conf.d/db1.conf | grep listen
listen_addresses = '127.0.0.1,10.100.0.107' # what IP address(es) to listen on;

After reboot I got the following errors in my postgresql log:

2021-06-23 19:44:26.389 UTC [831] LOG:  starting PostgreSQL 13.3 (Ubuntu 13.3-1.pgdg20.04+1) on x86_64-pc-linux-gnu, compiled by gcc (Ubuntu 9.3.0-17ubuntu1~20.04) 9.3.0, 64-bit
2021-06-23 19:44:26.389 UTC [831] LOG:  listening on IPv4 address "127.0.0.1", port 5432
2021-06-23 19:44:26.395 UTC [831] LOG:  could not bind IPv4 address "10.100.0.107": Cannot assign requested address
2021-06-23 19:44:26.395 UTC [831] HINT:  Is another postmaster already running on port 5432? If not, wait a few seconds and retry.
2021-06-23 19:44:26.395 UTC [831] WARNING:  could not create listen socket for "10.100.0.107"
2021-06-23 19:44:26.395 UTC [831] LOG:  listening on Unix socket "/var/run/postgresql/.s.PGSQL.5432"
2021-06-23 19:44:26.411 UTC [880] LOG:  database system was shut down at 2021-06-23 19:43:14 UTC
2021-06-23 19:44:26.422 UTC [831] LOG:  database system is ready to accept connections

Sadly, postgresql does not accept connections at 10.100.0.107.

Restarting postgresql after the server reboot helps. Setting listen_addresses='*' helps too.

But I would like to accept connections to only the specified addresses: 127.0.0.1, 10.100.0.107. How can I start a postgresql service after successfully initializing the wg-quick service?

Thanks!

  • Modify the database service to start After=wg-quick.target. Commented Jun 24, 2021 at 14:30
  • @Panki I did that. The problem remains. Commented Jun 24, 2021 at 14:32

1 Answer

There is a race condition between the postgresql service start and the configuration of your wireguard tunnel device.

There are a few ways to deal with this issue:

  1. Add a drop-in After=/Wants= dependency to your postgres service.
  2. Bind Postgres to any IP address (i.e. by adding 0.0.0.0 or :: or * to listen_addresses) and rely only on your firewall/packet filter to restrict Postgres access to your wireguard address/interface (and localhost).
  3. Enable nonlocal binds.

Configuring systemd dependencies is tedious and error-prone for this use case, and it also depends on your distribution/systemd version. In the end one can't even be sure whether a wireguard-related service reliably signals being started only after the wireguard device has its IP address assigned.

Unfortunately, Postgres doesn't seem to support a bind-retry feature, i.e. simply retrying the bind to a specified address after a few minutes in case the interface is only temporarily gone.

Linux nonlocal bind support is disabled by default, but it can be enabled with a sysctl, e.g.:

sysctl net.ipv4.ip_nonlocal_bind=1

(cf. /etc/sysctl.d/ for a persistent configuration)

After that, Postgres bind operations during startup always succeed, even when the wireguard device isn't configured yet.

To test:

networkctl down wg0
ip -o a
systemctl restart postgresql.service
networkctl up wg0
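The log line in the question is the ordinary bind(2) failure EADDRNOTAVAIL ("Cannot assign requested address"), which is a different error from the EADDRINUSE case that PostgreSQL's "another postmaster" hint talks about. The following script is an added example, not code from the question or the answer: it reproduces the failure with a plain socket bind, reports the current value of net.ipv4.ip_nonlocal_bind, and, going one step beyond the answer, polls until an address becomes bindable, which is the retry PostgreSQL itself lacks. The addresses, the TEST-NET address 192.0.2.1 used as a deliberately non-local address, and the timeouts are constructed sample values.

```python
"""Diagnose why a daemon cannot bind a tunnel address at boot (added example)."""
import errno
import socket
import sys
import time

# Linux exposes the sysctl from the answer as a /proc file; absent on other OSes.
NONLOCAL_BIND_SYSCTL = "/proc/sys/net/ipv4/ip_nonlocal_bind"


def nonlocal_bind_enabled():
    """Return True/False for net.ipv4.ip_nonlocal_bind, or None if the sysctl is absent."""
    try:
        with open(NONLOCAL_BIND_SYSCTL) as fh:
            return fh.read().strip() == "1"
    except OSError:
        return None


def classify_bind(address, port=0):
    """Try to bind an IPv4 TCP socket to address:port and classify the outcome.

    'ok'         bind succeeded (address is local, or nonlocal bind is enabled)
    'not_local'  EADDRNOTAVAIL: no interface carries this address yet; this is
                 what the PostgreSQL log shows, despite its "another postmaster" hint
    'in_use'     EADDRINUSE: something already listens there (the hint's real case)
    'denied'     EACCES: privileged port without the needed capability
    """
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as sock:
        try:
            sock.bind((address, port))
        except OSError as exc:
            return {
                errno.EADDRNOTAVAIL: "not_local",
                errno.EADDRINUSE: "in_use",
                errno.EACCES: "denied",
            }.get(exc.errno, "error:%s" % exc.errno)
        return "ok"


def wait_for_bindable(address, timeout=30.0, interval=0.5):
    """Poll until `address` can be bound; True on success, False when `timeout` expires.

    This is the retry PostgreSQL does not implement: a pre-start check built on it
    keeps a service from starting before wg-quick has assigned the tunnel address.
    """
    deadline = time.monotonic() + timeout
    while True:
        if classify_bind(address) == "ok":
            return True
        if time.monotonic() >= deadline:
            return False
        time.sleep(interval)


if __name__ == "__main__":
    # Sample address from the question; pass another one as the first argument.
    addr = sys.argv[1] if len(sys.argv) > 1 else "10.100.0.107"
    print("ip_nonlocal_bind enabled:", nonlocal_bind_enabled())
    print("bind %s -> %s" % (addr, classify_bind(addr)))
```

Run it before and after `networkctl down wg0` / `networkctl up wg0` to watch the classification flip between `not_local` and `ok`; with `net.ipv4.ip_nonlocal_bind=1` the bind reports `ok` even while the device is down, which is exactly why the sysctl makes the PostgreSQL startup succeed.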
