From 330c801e43c13cf50982b449dea41d735baaf0a0 Mon Sep 17 00:00:00 2001
From: Zuckerberg
Date: Mon, 16 Oct 2023 20:19:34 -0600
Subject: [PATCH] Fix issue where wg vpn starts slightly too early for internet access

---
 common/network/pia-wireguard.nix | 12 +++++++++---
 1 file changed, 9 insertions(+), 3 deletions(-)

diff --git a/common/network/pia-wireguard.nix b/common/network/pia-wireguard.nix
index 0232dfb..73ec59f 100644
--- a/common/network/pia-wireguard.nix
+++ b/common/network/pia-wireguard.nix
@@ -11,6 +11,7 @@
 # TODO implement this module such that the wireguard VPN doesn't have to live in a container
 # TODO don't add forward rules if the PIA port is the same as cfg.forwardedPort
 # TODO verify signatures of PIA responses
+# TODO `RuntimeMaxSec = "30d";` for pia-vpn-wireguard-init isn't allowed per the systemd logs. Find alternative.
 
 with builtins;
 with lib;
@@ -143,14 +144,14 @@ in
 
   systemd.services.pia-vpn-wireguard-init = {
     description = "Creates PIA VPN Wireguard Interface";
-    requires = [ "network-online.target" ];
+    wants = [ "network-online.target" ];
     after = [ "network.target" "network-online.target" ];
     before = [ containerServiceName ];
     requiredBy = [ containerServiceName ];
     partOf = [ containerServiceName ];
     wantedBy = [ "multi-user.target" ];
 
-    path = with pkgs; [ wireguard-tools jq curl iproute ];
+    path = with pkgs; [ wireguard-tools jq curl iproute iputils ];
 
     serviceConfig = {
       Type = "oneshot";
@@ -162,6 +163,11 @@ in
     };
 
     script = ''
+      echo Waiting for internet...
+      while ! ping -c 1 -W 1 1.1.1.1; do
+        sleep 1
+      done
+
       # Prepare to connect by generating wg secrets and auth'ing with PIA since the container
       # cannot do without internet to start with. NAT'ing the host's internet would address this
       # issue but is not ideal because then leaking network outside of the VPN is more likely.
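Review bot: The readiness loop added at the top of `script` has no upper bound, so if 1.1.1.1 never answers (ICMP filtered upstream, no default route yet, or a captive path) this oneshot unit spins forever, and because it is `requiredBy`/`before` `containerServiceName` it holds the container back indefinitely; `Type = "oneshot"` also disables systemd's start timeout by default, so nothing else cuts it off. The switch from `requires` to `wants` in the previous hunk makes this loop the only connectivity gate, since a failed `network-online.target` no longer fails the unit. Bounding the loop and exiting non-zero keeps the wait-for-internet intent while giving systemd and the operator a visible failure to act on; alternatively a `TimeoutStartSec` entry in `serviceConfig` would achieve the same declaratively and would also answer the new TODO about `RuntimeMaxSec`. The remainder of `script` continues outside the hunk.
```nix
    script = ''
      echo Waiting for internet...
      attempts=0
      while ! ping -c 1 -W 1 1.1.1.1; do
        attempts=$((attempts + 1))
        if [ "$attempts" -ge 60 ]; then
          echo "No internet after $attempts attempts, giving up" >&2
          exit 1
        fi
        sleep 1
      done

      # … unchanged: PIA auth and WireGuard interface setup …
```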
@@ -214,7 +220,7 @@ in
 
   vpn-container.config.systemd.services.pia-vpn-wireguard = {
     description = "Initializes the PIA VPN WireGuard Tunnel";
-    requires = [ "network-online.target" ];
+    wants = [ "network-online.target" ];
     after = [ "network.target" "network-online.target" ];
     wantedBy = [ "multi-user.target" ];
 
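Review bot: The container-side unit gets the same `requires` → `wants` relaxation as the host unit, but unlike the host hunk nothing is added here to confirm connectivity, so if `network-online.target` fails to become active inside the container the tunnel script (outside this hunk) now runs anyway instead of the unit being failed. That is presumably acceptable because the host's `pia-vpn-wireguard-init` is ordered `before` the container service and only finishes once it has seen internet, but the reasoning lives in a different unit and is easy to lose. A one-line comment on the changed line would capture it: `# wants, not requires: connectivity is already verified by pia-vpn-wireguard-init on the host, which runs before this container`.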