https://wiki.alpinelinux.org/w/api.php?action=feedcontributions&feedformat=atom&user=AnianzAlpine Linux - User contributions [en]2026-05-06T13:17:04ZUser contributionsMediaWiki 1.40.0https://wiki.alpinelinux.org/w/index.php?title=Talk:Configure_a_Wireguard_interface_(wg)&diff=18752Talk:Configure a Wireguard interface (wg)2021-04-05T13:11:48Z<p>Anianz: Created page with "== Bringing up an interface using wg-tools == ''Then load the module'' modprobe wireguard ''Add it to <code>/etc/modules</code> to automatically load it on boot.'' This d..."</p>
<hr />
<div>== Bringing up an interface using wg-tools ==<br />
<br />
''Then load the module''<br />
<br />
modprobe wireguard<br />
<br />
''Add it to <code>/etc/modules</code> to automatically load it on boot.''<br />
<br />
This does not seem to be necessary (any more)?<br />
<br />
[[User:Anianz|Anianz]] ([[User talk:Anianz|talk]])</div>Anianzhttps://wiki.alpinelinux.org/w/index.php?title=Configure_a_Wireguard_interface_(wg)&diff=18751Configure a Wireguard interface (wg)2021-04-05T12:49:46Z<p>Anianz: The example for the ifupdown section caused a RTNETLINK answers: File exists an could be simplified since the introduction of ifupdown-ng in alpine 3.13.0 which has a wireguard executor</p>
<hr />
<div>WireGuard is a very promising VPN technology and available since Alpine 3.10 in the community repository.<br />
<br />
There are several ways to install and configure an interface.<br />
<br />
In order to load the wireguard kernel module, you need a compatible kernel:<br />
<br />
* linux-lts<br />
* linux-virt<br />
<br />
== Bringing up an interface using wg-tools ==<br />
<br />
The most straightforward method, and the one recommended in WireGuard documentation, is to use <code>wg-quick</code>.<br />
<br />
Install wireguard-tools<br />
<br />
apk add wireguard-tools<br />
<br />
Then load the module<br />
<br />
modprobe wireguard<br />
<br />
Add it to <code>/etc/modules</code> to automatically load it on boot.<br />
<br />
Then we need to create a private and public key<br />
<br />
wg genkey | tee privatekey | wg pubkey > publickey<br />
<br />
Then we create a new config file <code>/etc/wireguard/wg0.conf</code> using those keys<br />
<br />
[Interface]<br />
Address = 10.123.0.1/24<br />
ListenPort = 45340<br />
PrivateKey = SG1nXk2+kAAKnMkL5aX3NSFPaGjf9SQI/wWwFj9l9U4= # the key from the previously generated privatekey file<br />
PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE;iptables -A FORWARD -o %i -j ACCEPT<br />
PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE;iptables -D FORWARD -o %i -j ACCEPT<br />
<br />
The PostUp and PostDown steps are there to ensure the interface wg0 will accept and forward traffic to eth0. The postrouting and forward to %i is not required but it will enable "VPN mode" where users can access the internet through this server if desired. Reference this WireGuard documentation for information on adding Peers to the config file.<br />
<br />
To bring up the new interface we can just use <br />
<br />
wg-quick up wg0<br />
<br />
To bring it down we can use <code>wg-quick down wg0</code> which will clean up the interface and remove the ip table rules. <br />
Note that if running in a Docker container, you will need to run with <code>--cap-add=NET_ADMIN</code> to modify interfaces.<br />
<br />
== Bringing up an interface using ifupdown-ng ==<br />
<br />
The official documents from wireguard will show examples of how to setup an interface with the use of wg-quick.<br />
In this howto we are not going to use this utility but are going to use plain wg command and [https://github.com/ifupdown-ng/ifupdown-ng/blob/master/doc/interfaces-wireguard.scd ifupdown-ng].<br />
<br />
apk add wireguard-tools-wg<br />
<br />
Now that you have all the tools installed we can setup the interface.<br />
The setup of your interface config is out of the scope of this document, you should consult the [https://git.zx2c4.com/WireGuard/about/src/tools/man/wg.8 manual page of wg].<br />
<br />
After you have finished setting up your wgX interface config you can add it to your /etc/network/interfaces:<br />
<br />
auto wg0<br />
iface wg0 inet static<br />
requires eth0<br />
use wireguard<br />
address 192.168.42.1<br />
<br />
This config automatically will:<br />
<br />
* bring the wireguard interface up after the eth0 interface<br />
* assign a config to this interface (which you have previously created)<br />
* setup the interface address and netmask<br />
* add the route ones the interface is up<br />
* remove the interface when it goes down<br />
<br />
To start the interface and stop it you can execute:<br />
<br />
ifup wg0<br />
ifdown wg0<br />
<br />
If your interface config is not stored under <code>/etc/wireguard</code> you need to specify a <code>wireguard-config-path</code> as well.<br />
<br />
== Running with modloop ==<br />
If you are running from a RAM disk you can't modify the modloop.<br />
<br />
You can get around it by unpacking the modloop, mount the unpacked modules folder and then installing wireguard.<br />
<br />
#!/bin/sh<br />
apk add squashfs-tools # install squashfs tools to unpack modloop<br />
unsquashfs -d /root/squash /lib/modloop-lts # unpack modloop to root dir<br />
umount /.modloop # unmount existing modloop<br />
mount /root/squash/ /.modloop/ # mount unpacked modloop<br />
apk del wireguard-lts # uninstall previous wireguard install<br />
apk add wireguard-lts<br />
apk add wireguard-tools<br />
<br />
Now you could repack the squash filesystem or put this script in the /etc/local.d/ path so it runs on boot.<br />
<br />
[[Category:Networking]]</div>Anianz