Alpine Linux - User contributions [en]

Configure a Wireguard interface (wg)

2025-10-03T18:31:28Z

Gratuxri: add ipv6

{{TOC right}}

[https://en.wikipedia.org/wiki/WireGuard WireGuard] multiple platform vpn solution. WireGuard itself is now integrated into the linux kernel since v5.6. Only the userland configuration tools are required.

== Installation ==

The most straightforward method to configure WireGuard is to use the tool <code>wg-quick</code> available in the package {{pkg|wireguard-tools-wg-quick}}.

Install the meta package {{pkg|wireguard-tools}} to install the necessary WireGuard packages and {{pkg|iptables}} as follows: {{Cmd|# apk add wireguard-tools iptables}}

== Configuration ==

=== Create Server Keys and Interface Config ===

Create a server private and public key: {{Cmd|<nowiki># wg genkey | tee server.privatekey | wg pubkey > server.publickey</nowiki>}}

Then, we create a new config file {{Path|/etc/wireguard/wg0.conf}} using these new keys as follows:{{Cat|/etc/wireguard/wg0.conf|<nowiki>
[Interface]
Address = 192.168.2.1/24, fddd::ffff/64
ListenPort = 45340
PrivateKey = <server private key value> # the key from the previously generated privatekey file
PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE;iptables -A FORWARD -o %i -j ACCEPT; ip6tables -A FORWARD -i %i -j ACCEPT; ip6tables -t nat -A POSTROUTING -o eth0 -j MASQUERADE;ip6tables -A FORWARD -o %i -j ACCEPT
PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE;iptables -D FORWARD -o %i -j ACCEPT; ip6tables -D FORWARD -i %i -j ACCEPT; ip6tables -t nat -D POSTROUTING -o eth0 -j MASQUERADE;ip6tables -D FORWARD -o %i -j ACCEPT

[Peer]
PublicKey = <client public key value> # obtained from client device via wireguard connection setup process
AllowedIPs = 192.168.2.2/32, fddd::1/128</nowiki>}}

The PostUp and PostDown iptable rules forward traffic from the wg0 subnet (192.168.2.1/24) to the lan subnet on interface eth0. Refer to [https://github.com/pirate/wireguard-docs#user-content-config-reference this WireGuard documentation] for information on adding peers to the config file.

Bring up the new {{ic|wg0}} interface:{{Cmd|# wg-quick up wg0}}

To take it down, we can use <code>wg-quick down wg0</code> which will clean up the interface and remove the iptables rules.

{{Note|If running in a Docker container, you will need to run with <code>--cap-add{{=}}NET_ADMIN</code> to modify your interfaces.}}

=== Use with network interfaces ===

To enable connecting with Wireguard on boot, open your {{Path|/etc/network/interfaces}} and add this information after your auto other network interfaces as follows:{{Cat|/etc/network/interfaces|<nowiki>...
auto wg0
iface wg0 inet static
pre-up wg-quick up /etc/wireguard/wg0.conf</nowiki>}}

=== Service configuration ===

Since Alpine 3.20, {{pkg|wireguard-tools-openrc}} package provides an OpenRC initd service file.

To use this, install the package:{{Cmd|# apk add wireguard-tools-openrc }}

To use the WireGuard OpenRC script with {{ic|wg-quick.wg0}}, create a symbolic link to it with the configuration name as follows:{{Cmd|# ln -s /etc/init.d/wg-quick /etc/init.d/wg-quick.wg0}}

Add the {{ic|wg-quick.wg0}} service to the default runlevel:{{Cmd|# rc-update add wg-quick.wg0}}
To start|stop|restart the [[OpenRC]] service:{{Cmd|# rc-service wg-quick.wg0 start}}

=== Enable IP Forwarding ===

With a NAT destination rule in place on your router, you should be able connect to the wireguard instance and access the host. However, if you intend for peers to be able to access external resources (including the internet), you will need to enable ip forwarding.

Edit the file {{Path|/etc/sysctl.conf}} or a <code>.conf</code> file under {{Path|/etc/sysctl.d/}} folder add the following line as follows:{{Cat|/etc/sysctl.conf|
net.ipv4.ip_forward {{=}} 1
net.ipv6.conf.all.forwarding {{=}} 1
net.ipv6.conf.default.forwarding {{=}} 1}}

Add the sysctl service to run at boot:{{Cmd|# rc-update add sysctl}}

Then either reboot or run {{ic|# sysctl -p /etc/sysctl.conf}} to reload the settings. To ensure forwarding is turned on, run {{ic|# sysctl -a | grep ip_forward}} and ensure <Code>net.ipv4.ip_forward</code> is set to <code>1</code>.

In the file {{Path|/etc/conf.d/iptables}}, Change the setting as follows:{{Cat|/etc/conf.d/iptables|...
IPFORWARD{{=}}"yes"}}

== Running with modloop ==

If you are running [[Diskless Mode]] i.e from a RAM disk, you can't modify the modloop.

You can get around it by unpacking the modloop, mounting the unpacked modules folder, then installing WireGuard.

#!/bin/sh
apk add squashfs-tools # install squashfs tools to unpack modloop
unsquashfs -d /root/squash /lib/modloop-lts # unpack modloop to root dir
umount /.modloop # unmount existing modloop
mount /root/squash/ /.modloop/ # mount unpacked modloop
apk del wireguard-lts # uninstall previous WireGuard install
apk add wireguard-lts
apk add wireguard-tools

You can repack the squash filesystem or put this script in the /etc/local.d/ path so it runs at boot-up.

== See also ==

* [https://github.com/pirate/wireguard-docs WireGuard documentation]

[[Category:Networking]]

Alpine Linux in a chroot

2017-06-06T17:23:54Z

Gratuxri:

This document explains how to set up an Alpine build environment in a chroot under a different Linux distro, such as Arch, Debian, Fedora, Gentoo, or Ubuntu. Once inside the chroot environment, you can build, debug, and run alpine packages. The guide can also be used to install Alpine Linux from a non-Alpine Linux livecd such as Ubuntu or System rescue CD.

This example installation of Alpine Linux in a chroot will work with the lastest release. But it's also possible to make a chroot with '''[[Edge|edge]]''' or older releases of Alpine Linux to test backports.

You can also use script [https://github.com/alpinelinux/alpine-chroot-install/ alpine-chroot-install] that simplifies this process to just two commands. This script is useful especially on CI environment (e.g. Travis CI).

== Requirements ==
For the base Alpine Linux you will only need around 6MB of free space; though to build packages you'll need at least 500 MB.

== Prerequisites ==
The variables below:

*'''${chroot_dir}''' = Should point to the chroot directory where you
*'''${mirror}''' = Should be replaced with [http://nl.alpinelinux.org/alpine/MIRRORS.txt one of the available Alpine Linux mirrors].

== Set up APK ==

{{Tip|In the command below, replace x86_64 with x86 if running on a 32 bit installation}}

{{Warning|You will need Kernel version 2.6.22 or later to use apk-tools-static}}

Download the latest apk static package (replace <tt>${version}</tt> with actual version):

{{Cmd|wget ${mirror}/latest-stable/main/x86_64/apk-tools-static-${version}.apk}}

.apk packages are just gzipped tarballs, unpack using:
{{Cmd|tar -xzf apk-tools-static-*.apk}}

== Install the alpine base installation onto the chroot ==

{{Cmd|./sbin/apk.static -X ${mirror}/latest-stable/main -U --allow-untrusted --root ${chroot_dir} --initdb add alpine-base}}

== Set up the chroot ==

Set up some devices in the chroot
{{Tip|Manually creating devices is not needed if you choose to mount /dev of the hosts in the chroot described later.}}

{{Cmd|mknod -m 666 ${chroot_dir}/dev/full c 1 7
mknod -m 666 ${chroot_dir}/dev/ptmx c 5 2
mknod -m 644 ${chroot_dir}/dev/random c 1 8
mknod -m 644 ${chroot_dir}/dev/urandom c 1 9
mknod -m 666 ${chroot_dir}/dev/zero c 1 5
mknod -m 666 ${chroot_dir}/dev/tty c 5 0}}

If you need SCSI disc access:

{{Cmd|mknod -m 666 ${chroot_dir}/dev/sda b 8 0
mknod -m 666 ${chroot_dir}/dev/sda1 b 8 1
mknod -m 666 ${chroot_dir}/dev/sda2 b 8 2
mknod -m 666 ${chroot_dir}/dev/sda3 b 8 3
mknod -m 666 ${chroot_dir}/dev/sda4 b 8 4
mknod -m 666 ${chroot_dir}/dev/sda5 b 8 5
mknod -m 666 ${chroot_dir}/dev/sda6 b 8 6
mknod -m 666 ${chroot_dir}/dev/sdb b 8 16
mknod -m 666 ${chroot_dir}/dev/sdb1 b 8 17
mknod -m 666 ${chroot_dir}/dev/sdb2 b 8 18
mknod -m 666 ${chroot_dir}/dev/sdb3 b 8 19
mknod -m 666 ${chroot_dir}/dev/sdb4 b 8 20
mknod -m 666 ${chroot_dir}/dev/sdb5 b 8 21
mknod -m 666 ${chroot_dir}/dev/sdb6 b 8 22}}

A resolv.conf is needed for name resolution:

{{Cmd|cp /etc/resolv.conf ${chroot_dir}/etc/
mkdir -p ${chroot_dir}/root}}

If you don't want to copy the resolv.conf from the local machine, you can create a new one using OpenDNS servers (or any other):
{{Cmd|echo -e 'nameserver 208.67.222.222\nnameserver 2620:0:ccc::2' > ${chroot_dir}/etc/resolv.conf}}

Set up APK mirror (replace <tt>${branch}</tt> with the latest stable branch name, e.g. v3.3):

{{Cmd|mkdir -p ${chroot_dir}/etc/apk
echo "${mirror}/${branch}/main" > ${chroot_dir}/etc/apk/repositories}}

== Entering your chroot ==
At this point, Alpine has been succesfully installed onto the chroot directory. Before you chroot in you
will probably want to mount /proc and /sys in the chroot:

{{Cmd|mount -t proc none ${chroot_dir}/proc
mount -o bind /sys ${chroot_dir}/sys}}

If you don't want to create special device files yourself, mount the hosts device directory onto the chroot:
{{Cmd|mount -o bind /dev ${chroot_dir}/dev}}

You can now chroot:
{{Cmd|chroot ${chroot_dir} /bin/sh -l}}

To make the system actually bootable, we need to add some initscripts to appropriate runlevels:
{{Cmd|rc-update add devfs sysinit
rc-update add dmesg sysinit
rc-update add mdev sysinit

rc-update add hwclock boot
rc-update add modules boot
rc-update add sysctl boot
rc-update add hostname boot
rc-update add bootmisc boot
rc-update add syslog boot

rc-update add mount-ro shutdown
rc-update add killprocs shutdown
rc-update add savecache shutdown}}

Alpine Linux has a great meta-package for building Alpine packages from source available called alpine-sdk. To install, run:
{{Cmd|apk add alpine-sdk}}

If you are using Alpine as a Native build system you will have to make sure that chroot can run chmod. Add following to /etc/sysctl.conf

kernel.grsecurity.chroot_deny_chmod = 0

Then run the following command

{{Cmd|sysctl -p}}

== Alpine Linux in a chroot on Fedora ==

If you want to generate a chroot on a Fedora based system, you can use this [http://git.alpinelinux.org/cgit/user/fab/scripts/tree/alpine-chroot.sh script].

{{Note|Maybe you are able to use this script on other distribution but this is not tested.}}

= Troubleshooting =
== WARNING: Ignoring APKINDEX.xxxx.tar.gz ==
Make sure <tt>${chroot_dir}/etc/apk/repositories</tt> is valid and inside the chroot run:
{{Cmd|apk update}}

[[Category:Installation]]