Alpine Linux - User contributions [en]

Configure a Wireguard interface (wg)

2021-09-06T17:59:53Z

Mb720: fix link syntax

WireGuard is a very promising VPN technology available in the community repository since Alpine 3.10.

There are several ways to install and configure an interface.

In order to load the WireGuard kernel module, you need a compatible kernel:

* linux-lts
* linux-virt

== Bringing up an interface using wg-tools ==

The most straightforward method, and the one recommended in WireGuard documentation, is to use <code>wg-quick</code>.

Install wireguard-tools

apk add wireguard-tools

Then load the module

modprobe wireguard

Add it to <code>/etc/modules</code> to automatically load it on boot.

Then, we need to create a private and a public key:

wg genkey | tee privatekey | wg pubkey > publickey

Then, we create a new config file <code>/etc/wireguard/wg0.conf</code> using those keys:

[Interface]
Address = 10.123.0.1/24
ListenPort = 45340
PrivateKey = SG1nXk2+kAAKnMkL5aX3NSFPaGjf9SQI/wWwFj9l9U4= # the key from the previously generated privatekey file
PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE;iptables -A FORWARD -o %i -j ACCEPT
PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE;iptables -D FORWARD -o %i -j ACCEPT

The PostUp and PostDown steps are there to ensure the interface wg0 will accept and forward traffic to eth0. The postrouting and forward to %i is not required, but it will enable "VPN mode" where users can access the internet via this server if desired. Reference [https://github.com/pirate/wireguard-docs#user-content-config-reference this WireGuard documentation] for information on adding peers to the config file.

To bring up the new interface we use:

wg-quick up wg0

To take it down, we can use <code>wg-quick down wg0</code> which will clean up the interface and remove the iptables rules.
Note: If running in a Docker container, you will need to run with <code>--cap-add=NET_ADMIN</code> to modify your interfaces.

== Bringing up an interface using ifupdown-ng ==

The official documents from WireGuard show examples of how to set up an interface with the use of wg-quick.
In this how-to, we are not going to use that utility. We'll use the plain wg command and [https://github.com/ifupdown-ng/ifupdown-ng/blob/master/doc/interfaces-wireguard.scd ifupdown-ng].

apk add wireguard-tools-wg

Now that all the tools are installed, you can setup the interface.
The setup of your interface config is out of the scope of this document. You should consult the [https://git.zx2c4.com/WireGuard/about/src/tools/man/wg.8 manual page of wg].

After you have finished setting up your wgX interface config, you can add it to your <code>/etc/network/interfaces</code>:

auto wg0
iface wg0 inet static
requires eth0
use wireguard
address 192.168.42.1

This config will automatically:

* bring the WireGuard interface up after the eth0 interface
* assign a config to this interface (which you have previously created)
* setup the interface address and netmask
* add the route once the interface is up
* remove the interface when it goes down

To start and stop the interface, you execute:

ifup wg0
ifdown wg0

If your interface config is not stored under <code>/etc/wireguard</code> you need to specify a <code>wireguard-config-path</code> as well.

== Running with modloop ==
If you are running from a RAM disk, you can't modify the modloop.

You can get around it by unpacking the modloop, mounting the unpacked modules folder, then installing WireGuard.

#!/bin/sh
apk add squashfs-tools # install squashfs tools to unpack modloop
unsquashfs -d /root/squash /lib/modloop-lts # unpack modloop to root dir
umount /.modloop # unmount existing modloop
mount /root/squash/ /.modloop/ # mount unpacked modloop
apk del wireguard-lts # uninstall previous WireGuard install
apk add wireguard-lts
apk add wireguard-tools

You can repack the squash filesystem or put this script in the /etc/local.d/ path so it runs at boot-up.

[[Category:Networking]]

Configure a Wireguard interface (wg)

2021-09-06T17:58:14Z

Mb720: fix spelling, add link to documentation

WireGuard is a very promising VPN technology available in the community repository since Alpine 3.10.

There are several ways to install and configure an interface.

In order to load the WireGuard kernel module, you need a compatible kernel:

* linux-lts
* linux-virt

== Bringing up an interface using wg-tools ==

The most straightforward method, and the one recommended in WireGuard documentation, is to use <code>wg-quick</code>.

Install wireguard-tools

apk add wireguard-tools

Then load the module

modprobe wireguard

Add it to <code>/etc/modules</code> to automatically load it on boot.

Then, we need to create a private and a public key:

wg genkey | tee privatekey | wg pubkey > publickey

Then, we create a new config file <code>/etc/wireguard/wg0.conf</code> using those keys:

[Interface]
Address = 10.123.0.1/24
ListenPort = 45340
PrivateKey = SG1nXk2+kAAKnMkL5aX3NSFPaGjf9SQI/wWwFj9l9U4= # the key from the previously generated privatekey file
PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE;iptables -A FORWARD -o %i -j ACCEPT
PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE;iptables -D FORWARD -o %i -j ACCEPT

The PostUp and PostDown steps are there to ensure the interface wg0 will accept and forward traffic to eth0. The postrouting and forward to %i is not required, but it will enable "VPN mode" where users can access the internet via this server if desired. Reference [this WireGuard documentation](https://github.com/pirate/wireguard-docs#user-content-config-reference) for information on adding peers to the config file.

To bring up the new interface we use:

wg-quick up wg0

To take it down, we can use <code>wg-quick down wg0</code> which will clean up the interface and remove the iptables rules.
Note: If running in a Docker container, you will need to run with <code>--cap-add=NET_ADMIN</code> to modify your interfaces.

== Bringing up an interface using ifupdown-ng ==

The official documents from WireGuard show examples of how to set up an interface with the use of wg-quick.
In this how-to, we are not going to use that utility. We'll use the plain wg command and [https://github.com/ifupdown-ng/ifupdown-ng/blob/master/doc/interfaces-wireguard.scd ifupdown-ng].

apk add wireguard-tools-wg

Now that all the tools are installed, you can setup the interface.
The setup of your interface config is out of the scope of this document. You should consult the [https://git.zx2c4.com/WireGuard/about/src/tools/man/wg.8 manual page of wg].

After you have finished setting up your wgX interface config, you can add it to your <code>/etc/network/interfaces</code>:

auto wg0
iface wg0 inet static
requires eth0
use wireguard
address 192.168.42.1

This config will automatically:

* bring the WireGuard interface up after the eth0 interface
* assign a config to this interface (which you have previously created)
* setup the interface address and netmask
* add the route once the interface is up
* remove the interface when it goes down

To start and stop the interface, you execute:

ifup wg0
ifdown wg0

If your interface config is not stored under <code>/etc/wireguard</code> you need to specify a <code>wireguard-config-path</code> as well.

== Running with modloop ==
If you are running from a RAM disk, you can't modify the modloop.

You can get around it by unpacking the modloop, mounting the unpacked modules folder, then installing WireGuard.

#!/bin/sh
apk add squashfs-tools # install squashfs tools to unpack modloop
unsquashfs -d /root/squash /lib/modloop-lts # unpack modloop to root dir
umount /.modloop # unmount existing modloop
mount /root/squash/ /.modloop/ # mount unpacked modloop
apk del wireguard-lts # uninstall previous WireGuard install
apk add wireguard-lts
apk add wireguard-tools

You can repack the squash filesystem or put this script in the /etc/local.d/ path so it runs at boot-up.

[[Category:Networking]]