Hello there,
So for some reason after reinstalling Tumbleweed on a laptop now I am not able to use my wireguard configurations. I have wireguard-tools installed and I have copied my config files to /etc/wireguard/, however when I run sudo systemctl start wg-quick@DE-FRA-440.service nothing happens after I put in my password, unlike before where it would start the VPN connection and the padlock icon showing in the NetworkManager applet. The VPN does however work if I run sudo wg-quick up DE-FRA-440, but I do not want to have to do that every time, I would rather use systemd as I prefer to do it that way.
Here’s what I get if I try to run sudo systemctl status wg-quick@DE-FRA-440.service:
If there really is no fix for this I suppose I will have to resort to wg-quick up but I hope you guys can help me fix this as it does work on all other machines I have Tumbleweed installed so I don’t understand why this isn’t working here.
P.s. I wish to do it via systemd as it is better that way as it allows me to enable the service automatically at boot without having to issue a command every time the machine boots.
~$ sudo systemctl status wg-quick@DE-FRA-440.service
[sudo] password for root:
× wg-quick@DE-FRA-440.service - WireGuard via wg-quick(8) for DE/FRA/440
Loaded: loaded (/usr/lib/systemd/system/wg-quick@.service; enabled; preset: disabled)
Active: failed (Result: exit-code) since Fri 2026-03-06 23:04:54 GMT; 4min 34s ago
Invocation: 51ed9e571e81436a9352aaa2566946ed
Docs: man:wg-quick(8)
man:wg(8)
https://www.wireguard.com/
https://www.wireguard.com/quickstart/
https://git.zx2c4.com/wireguard-tools/about/src/man/wg-quick.8
https://git.zx2c4.com/wireguard-tools/about/src/man/wg.8
Process: 1505 ExecStart=/usr/bin/wg-quick up DE-FRA-440 (code=exited, status=1/FAILURE)
Main PID: 1505 (code=exited, status=1/FAILURE)
CPU: 129ms
Mar 06 23:04:54 Hippos-Laptop wg-quick[1505]: [#] ip link add dev DE-FRA-440 type wireguard
Mar 06 23:04:54 Hippos-Laptop wg-quick[1505]: [#] wg setconf DE-FRA-440 /dev/fd/63
Mar 06 23:04:54 Hippos-Laptop wg-quick[1505]: [#] ip -4 address add 10.2.0.2/32 dev DE-FRA-440
Mar 06 23:04:54 Hippos-Laptop wg-quick[1505]: [#] ip link set mtu 1420 up dev DE-FRA-440
Mar 06 23:04:54 Hippos-Laptop wg-quick[1505]: [#] mount `10.2.0.1' /etc/resolv.conf
Mar 06 23:04:54 Hippos-Laptop wg-quick[1699]: unshare: unshare failed: Operation not permitted
Mar 06 23:04:54 Hippos-Laptop wg-quick[1505]: [#] ip link delete dev DE-FRA-440
Mar 06 23:04:54 Hippos-Laptop systemd[1]: wg-quick@DE-FRA-440.service: Main process exited, code=exited, status=1/FAILURE
Mar 06 23:04:54 Hippos-Laptop systemd[1]: wg-quick@DE-FRA-440.service: Failed with result 'exit-code'.
Mar 06 23:04:54 Hippos-Laptop systemd[1]: Failed to start WireGuard via wg-quick(8) for DE/FRA/440.
~$ sudo journalctl -eu wg-quick@DE-FRA-440.service --no-pager
Mar 06 23:04:54 Hippos-Laptop systemd[1]: Starting WireGuard via wg-quick(8) for DE/FRA/440...
Mar 06 23:04:54 Hippos-Laptop wg-quick[1505]: [#] ip link add dev DE-FRA-440 type wireguard
Mar 06 23:04:54 Hippos-Laptop wg-quick[1505]: [#] wg setconf DE-FRA-440 /dev/fd/63
Mar 06 23:04:54 Hippos-Laptop wg-quick[1505]: [#] ip -4 address add 10.2.0.2/32 dev DE-FRA-440
Mar 06 23:04:54 Hippos-Laptop wg-quick[1505]: [#] ip link set mtu 1420 up dev DE-FRA-440
Mar 06 23:04:54 Hippos-Laptop wg-quick[1505]: [#] mount `10.2.0.1' /etc/resolv.conf
Mar 06 23:04:54 Hippos-Laptop wg-quick[1699]: unshare: unshare failed: Operation not permitted
Mar 06 23:04:54 Hippos-Laptop wg-quick[1505]: [#] ip link delete dev DE-FRA-440
Mar 06 23:04:54 Hippos-Laptop systemd[1]: wg-quick@DE-FRA-440.service: Main process exited, code=exited, status=1/FAILURE
Mar 06 23:04:54 Hippos-Laptop systemd[1]: wg-quick@DE-FRA-440.service: Failed with result 'exit-code'.
Mar 06 23:04:54 Hippos-Laptop systemd[1]: Failed to start WireGuard via wg-quick(8) for DE/FRA/440.
The interesting part of your log is this line just before the failure:
[#] mount `10.2.0.1' /etc/resolv.conf
That happens when wg-quick processes a DNS= entry in the WireGuard config. It tries and fails to create a temporary mount namespace (unshare) so it can adjust /etc/resolv.conf.
I’m out of my depth with going any further with analysis, but as NetworkManager is in use, why not use it to manage the connection natively?
Already tried that but that’s no good. Unfortunately it has to be done via systemd as if I do it via NetworkManager it leaks my DNS queries and my real IPv6 address, while only the IPv4 address shows the one from the VPN and websites immediately recognise my real IP address and geographic location making it impossible to bypass censorship and effectively hide my identity and location better. So in effect doing it via NetworkManager is useless.
If it may help I am using ProtonVPN’s wireguard configuration.
I’ve already contacted ProtonVPN’s customer support about this but we concluded that it must be an openSUSE bug for systemd
