From: LEAF <le...@pa...> - 2026-04-01 00:44:37
Hi Erich,

On 1/04/2026 2:35 am, Erich Titl wrote:
>
> Right, so wireguard loads the modules dynamically. I am pretty sure it
> uses the same kernel modules as shorewall to handle iptables.

Wireguard does try to load the modules it needs. I don't know if shorewall loads everything wireguard needs, but I can test this at a later time.

>>
>> Of course I needed to add /etc/init.d/wireguard in the local files
>> list so the changes get saved to configdb.lrp so they survive a reboot.
>> Maybe this change can be made to wireguard.lrp going forward by the
>> LEAF developers so this isn't necessary for others to do in the future.
>
> I would believe this is an easy modification which will not hurt.
>

This will allow the user to use the init script to start / stop wireguard with or without shorewall. (Even though wireguard still won't start - see below)

> My experience is/was that it is the safest way to start shorewall in
> any case.
>

This only became a problem because I set shorewall to not start in /etc/shorewall/shorewall.conf and then used shorewall start / stop afterwards. I haven't played with LEAF since 2017 ish, so some lessons have been forgotten.

> I still don't understand the openresolv issue. The way I understand it
> manages resolv.conf and apparently it allows applications to manage
> /etc/resolv.conf at will.
>

The openresolv issue is actually a "resolvconf" program missing issue. With the current version of wireguard.lrp you cannot start wireguard with the init script, even if all the modules are loaded. This is because /etc/init.d/wireguard start() calls "wg-quick", and the "wg-quick" script has been updated from around 2020 to now call "resolvconf". The script "resolvconf" is missing, so the process fails and the link is deleted.
From my earlier post (some bits deleted for this post)

router# /etc/init.d/wireguard restart
Starting wireguard VPN server on interface wg0
[#] ip link add wg0 type wireguard
[#] wg setconf wg0 /dev/fd/63
[#] ip -4 address add 10.2.0.2/32 dev wg0
[#] ip link set mtu 1420 up dev wg0
[#] resolvconf -a wg0 -m 0 -x
/usr/bin/wg-quick: line 32: resolvconf: command not found
[#] ip link delete dev wg0

So I see there are 3 solutions,

1. Make an openresolv.lrp available - this contains the "resolvconf" script and based on what I see in the Debian packages, appears to be just scripts, so no compiling to worry about. (I'm not a developer, so it could be harder than it looks)

2. Add the script "resolvconf" to the wireguard package - though I don't believe "resolvconf" is part of the upstream wireguard code base (but I could be wrong) which would then make a bit of a mixed package (maybe this isn't a problem, again not a developer)

3. Update the LEAF user manual to show how to set this up without using the /etc/init.d/wireguard. - while the user manual talks about wireguard itself, there is no guidance on how to actually implement it. So it's fair to assume as a user, you just run the init script and everything will be sweet.

So as it stands, /etc/init.d/wireguard run() will call wg-quick which will fail, because wg-quick wants resolvconf, which doesn't exist.

Hope this explains the problem and why the openresolv package or resolvconf program is necessary.

Thanks,
Mark
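Added example, not part of this thread and not code from wireguard.lrp, wg-quick or LEAF: a small POSIX sh pre-flight check that an init script could run before calling wg-quick, so that a missing dependency is reported up front rather than surfacing as the "resolvconf: command not found" line in the transcript above followed by the link being deleted. It relies on the fact that wg-quick only invokes "resolvconf -a <iface> -m 0 -x" when the interface config contains a DNS= line, so a config without DNS= does not need resolvconf at all. The function names and the WG_PREFLIGHT_PATH variable are assumptions made for this example.

```sh
#!/bin/sh
# Pre-flight check for a wg-quick configuration. Example written for this
# thread; not code from wireguard.lrp, wg-quick or LEAF.
#
# Background: wg-quick runs "resolvconf -a <iface> -m 0 -x" only when the
# [Interface] section carries a DNS= line. Without resolvconf in PATH that
# step fails, wg-quick aborts and deletes the link it just created.
#
# WG_PREFLIGHT_PATH (hypothetical, not a wg-quick setting) overrides the
# directories searched for commands, so the check can be exercised without
# changing PATH for grep/tr.

# have_cmd NAME: succeed if an executable NAME exists in the search path.
have_cmd() {
    _ifs=$IFS
    IFS=:
    for _dir in ${WG_PREFLIGHT_PATH:-$PATH}; do
        if [ -f "$_dir/$1" ] && [ -x "$_dir/$1" ]; then
            IFS=$_ifs
            return 0
        fi
    done
    IFS=$_ifs
    return 1
}

# wg_needs_resolvconf CONFIG: succeed if CONFIG contains a DNS= entry,
# i.e. if wg-quick will call resolvconf for this interface.
wg_needs_resolvconf() {
    grep -Eq '^[[:space:]]*DNS[[:space:]]*=' "$1"
}

# wg_missing_commands CONFIG: print the commands wg-quick will need for this
# config that are not installed, one per line. Succeeds when nothing is missing.
wg_missing_commands() {
    _missing=""
    for _cmd in ip wg; do
        have_cmd "$_cmd" || _missing="$_missing $_cmd"
    done
    if wg_needs_resolvconf "$1"; then
        have_cmd resolvconf || _missing="$_missing resolvconf"
    fi
    for _m in $_missing; do
        echo "$_m"
    done
    [ -z "$_missing" ]
}

# wg_preflight CONFIG: meant to be called from an init script before
# "wg-quick up". Returns 0 when wg-quick can run, 1 when a dependency is
# missing (named on stderr), 2 when the config itself is unreadable.
wg_preflight() {
    if [ ! -r "$1" ]; then
        echo "wg_preflight: cannot read config '$1'" >&2
        return 2
    fi
    if _out=$(wg_missing_commands "$1"); then
        return 0
    fi
    echo "wg_preflight: not starting $1, missing command(s):$(echo "$_out" | tr '\n' ' ')" >&2
    return 1
}

# Example use from an init script (assumed path):
#   wg_preflight /etc/wireguard/wg0.conf && wg-quick up wg0
```

Calling wg_preflight from the start() of an init script turns the failure into a single, explicit error line and leaves no half-created interface behind; on a router that only needs DNS handled elsewhere, dropping the DNS= line from the config avoids the resolvconf dependency entirely.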