WireGuard and after-sleep time-skew protection

I recently ran several times into a very nasty problem on my laptop. After some time asleep, without any obvious reason, the system clock would jump hundreds of years into the future. This is probably due either to a BIOS bug or to some other RTC (hardware clock) issue, but I'm not an expert in the matter, and there is no fix available for my BIOS.

Apart from the annoyance itself (all TLS certificate checks fail instantly), it's no big deal: a quick `sudo systemctl restart systemd-timesyncd.service' solves the problem.

However, there is one very specific case where it leads to a super annoying situation: if I had a WireGuard connection up before the sleep, and the connection was still up during the time jump, then WireGuard just breaks and I lose all connectivity. This is because of WireGuard's anti-replay protection on handshakes: each handshake initiation carries a timestamp, the server keeps the highest one it has seen from a peer and rejects any initiation with a lower one, so once my clock is corrected, every new handshake from my laptop looks like a replay of an old message. To fix that, one must have access to the WireGuard server and restart it to drop any information related to previously connected peers. That's far from ideal (I doubt Mullvad admins would love to get dozens of emails per day because we don't know how to get our laptops to behave correctly).

That's why I went for a cruder solution to prevent the WireGuard issue (as I cannot fix my BIOS, and I'm not even sure of the origin of the problem). The idea is to hook in just before the sleep to ensure my WireGuard connection is down. That way, if the system clock goes mad when the laptop wakes up, at least the server never sees a handshake from the future and my WireGuard profile stays usable.

Doing so is fairly simple, as systemd already provides the hook point with the `sleep.target' unit. I created a new template service file named `/etc/systemd/system/down-connection-before-sleep@.service'. I wanted it to be a template in order to allow me to shut down several connections if needed. I put the following content in it:

[Unit]
Description=Ensure connection %i is down before suspend
Before=sleep.target

[Service]
Type=oneshot
# If the connection is already down, don't fail the unit (hence the "-" in
# front of the command, which tells systemd to ignore a non-zero exit status)
ExecStart=-/usr/bin/nmcli connection down %i
# Artificially wait a little to ensure it’s really down.
ExecStartPost=/usr/bin/sleep 1

[Install]
WantedBy=sleep.target

Then I just have to enable it, giving the name of the watched connection as the instance name of the service. You can find the name of your connection in the `nmcli connection' output, in the `NAME' column (the first one).

sudo systemctl enable down-connection-before-sleep@CONNECTIONNAME
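If you have more than one WireGuard profile, doing this by hand for each is tedious and easy to forget. The following script is an added example, not part of the original post: it parses the terse `nmcli' output for every NetworkManager connection of type `wireguard' and enables one instance of the template unit above per connection. It assumes the template is installed at the path given above; `wg_connection_names', `enable_sleep_hooks' and the `--apply' flag are names chosen for this example.

```shell
#!/bin/sh
# Added example, not part of the original post: enumerate every
# NetworkManager connection of type "wireguard" and enable one instance of
# the down-connection-before-sleep@ template for each of them, so none is
# forgotten. Assumes the template unit from the post is installed as
# /etc/systemd/system/down-connection-before-sleep@.service.

# Read `nmcli -t -f NAME,TYPE connection show` output (one NAME:TYPE pair
# per line) on stdin and print the NAME of each wireguard connection.
# In terse mode nmcli escapes a ":" inside a value as "\:"; the TYPE field
# never contains a colon, so the last colon is always the separator.
wg_connection_names() {
    while IFS= read -r line; do
        [ -n "$line" ] || continue
        type=${line##*:}
        [ "$type" = "wireguard" ] || continue
        name=${line%:*}
        # Undo the "\:" escaping so we get the real connection name back.
        printf '%s\n' "$name" | sed 's/\\:/:/g'
    done
}

# Enable the sleep hook for every wireguard connection currently defined.
# systemd-escape turns characters that are not allowed in a unit instance
# name (spaces, "/") into their \xNN form.
enable_sleep_hooks() {
    nmcli -t -f NAME,TYPE connection show | wg_connection_names |
    while IFS= read -r name; do
        instance=$(systemd-escape -- "$name")
        systemctl enable "down-connection-before-sleep@${instance}.service"
    done
}

# Only touch the system when explicitly asked to, e.g.:
#   sudo sh enable-wg-sleep-hooks.sh --apply
if [ "${1:-}" = "--apply" ]; then
    enable_sleep_hooks
fi
```

If a connection name contains spaces or slashes, systemd-escape rewrites it and `%i' in the unit then hands that escaped form to nmcli; use `%I' (the unescaped instance name) in ExecStart for such names.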

Now, each time I put my laptop to sleep, my WireGuard connection is shut down automatically if I forgot to do so beforehand. I don't have to worry anymore about a poisoned WireGuard profile.

--

📅 Wednesday 6 March 2024 at 22:01

📝 Étienne Pflieger with GNU/Emacs 29.4 (Org mode 9.7.11)

🏷️ Tinkering

🏷️ tutorial

🏷️ configuration
