Configure a Wireguard interface (wg): Difference between revisions
No edit summary |
(Updated instructions to reflect current release packages (3.20).) |
||
(20 intermediate revisions by 16 users not shown) | |||
Line 1: | Line 1: | ||
{{TOC right}} | |||
WireGuard has become a nearly ubiquitous vpn solution for multiple platform and is available in the community repository since Alpine 3.10. WireGuard itself is now integrated into the linux kernel since v5.6. Only the userland configuration tools are required. | |||
== Install required packages == | |||
The most straightforward method, and the one recommended in WireGuard documentation, is to use <code>wg-quick</code>. | |||
Install wireguard-tools, iptables, and sysctl: | |||
apk add wireguard-tools-wg-quick | |||
apk add iptables | |||
== Create Server Keys and Interface Config == | |||
Create a server private and public key: | |||
wg genkey | tee server.privatekey | wg pubkey > server.publickey | |||
Then, we create a new config file <code>/etc/wireguard/wg0.conf</code> using these new keys: | |||
[Interface] | |||
Address = 192.168.2.1/24 | |||
ListenPort = 45340 | |||
PrivateKey = <server private key value> # the key from the previously generated privatekey file | |||
PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE;iptables -A FORWARD -o %i -j ACCEPT | |||
PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE;iptables -D FORWARD -o %i -j ACCEPT | |||
[Peer] | |||
PublicKey = <client public key value> # obtained from client device via wireguard connection setup process | |||
AllowedIPs = 192.168.2.2/32 | |||
The PostUp and PostDown iptable rules forward traffic from the wg0 subnet (192.168.2.1/24) to the lan subnet on interface eth0. | |||
Refer to [https://github.com/pirate/wireguard-docs#user-content-config-reference this WireGuard documentation] for information on adding peers to the config file. | |||
Bring up the new wg0 interface: | |||
, | |||
wg-quick up wg0 | |||
To take it down, we can use <code>wg-quick down wg0</code> which will clean up the interface and remove the iptables rules. | |||
Note: If running in a Docker container, you will need to run with <code>--cap-add=NET_ADMIN</code> to modify your interfaces. | |||
== Use with network interfaces == | |||
To enable connecting with Wireguard on boot, open your <code>/etc/network/interfaces</code> and add this information after your auto other network interfaces: | |||
<pre> | |||
auto wg0 | |||
iface wg0 inet static | |||
pre-up wg-quick up /etc/wireguard/wg0.conf | |||
</pre> | |||
== As OpenRC service == | |||
Since Alpine 3.20, there is wireguard-tools-openrc, which provides an OpenRC initd service file. First install the package: | |||
<pre> | |||
apk add wireguard-tools-openrc | |||
</pre> | |||
To use the WireGuard OpenRC script, you then need to create a symbolic link to it with the configuration name, like this: | |||
<pre> | |||
ln -s /etc/init.d/wg-quick /etc/init.d/wg-quick.wg0 | |||
# Add it to the default runlevel: | |||
rc-update add wg-quick.wg0 | |||
# Finally, start the service: | |||
rc-service wg-quick.wg0 start | |||
</pre> | |||
== Enable IP Forwarding == | |||
With a NAT destination rule in place on your router, you should be able connect to the wireguard instance and access the host. However, if you intend for peers to be able to access external resources (including the internet), you will need to enable ip forwarding. | |||
Edit the file <code>/etc/sysctl.conf</code> (or a <code>.conf</code> file under <code>/etc/sysctl.d/</code>) and add the following line: | |||
net.ipv4.ip_forward = 1 | |||
Add the sysctl service to run at boot: | |||
rc-update add sysctl | |||
Then either reboot or run <code>sysctl -p /etc/sysctl.conf</code> to reload the settings. To ensure forwarding is turned on, run <code>sysctl -a | grep ip_forward</code> and ensure <code>net.ipv4.ip_forward</code> is set to <code>1</code>. | |||
== Running with modloop == | |||
If you are running from a RAM disk, you can't modify the modloop. | |||
You can get around it by unpacking the modloop, mounting the unpacked modules folder, then installing WireGuard. | |||
#!/bin/sh | |||
apk add squashfs-tools # install squashfs tools to unpack modloop | |||
unsquashfs -d /root/squash /lib/modloop-lts # unpack modloop to root dir | |||
umount /.modloop # unmount existing modloop | |||
mount /root/squash/ /.modloop/ # mount unpacked modloop | |||
apk del wireguard-lts # uninstall previous WireGuard install | |||
apk add wireguard-lts | |||
apk add wireguard-tools | |||
You can repack the squash filesystem or put this script in the /etc/local.d/ path so it runs at boot-up. | |||
[[Category:Networking]] | [[Category:Networking]] |
Latest revision as of 03:33, 28 June 2024
WireGuard has become a nearly ubiquitous vpn solution for multiple platform and is available in the community repository since Alpine 3.10. WireGuard itself is now integrated into the linux kernel since v5.6. Only the userland configuration tools are required.
Install required packages
The most straightforward method, and the one recommended in WireGuard documentation, is to use wg-quick
.
Install wireguard-tools, iptables, and sysctl:
apk add wireguard-tools-wg-quick apk add iptables
Create Server Keys and Interface Config
Create a server private and public key:
wg genkey | tee server.privatekey | wg pubkey > server.publickey
Then, we create a new config file /etc/wireguard/wg0.conf
using these new keys:
[Interface] Address = 192.168.2.1/24 ListenPort = 45340 PrivateKey = <server private key value> # the key from the previously generated privatekey file PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE;iptables -A FORWARD -o %i -j ACCEPT PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE;iptables -D FORWARD -o %i -j ACCEPT [Peer] PublicKey = <client public key value> # obtained from client device via wireguard connection setup process AllowedIPs = 192.168.2.2/32
The PostUp and PostDown iptable rules forward traffic from the wg0 subnet (192.168.2.1/24) to the lan subnet on interface eth0.
Refer to this WireGuard documentation for information on adding peers to the config file.
Bring up the new wg0 interface: ,
wg-quick up wg0
To take it down, we can use wg-quick down wg0
which will clean up the interface and remove the iptables rules.
Note: If running in a Docker container, you will need to run with --cap-add=NET_ADMIN
to modify your interfaces.
Use with network interfaces
To enable connecting with Wireguard on boot, open your /etc/network/interfaces
and add this information after your auto other network interfaces:
auto wg0 iface wg0 inet static pre-up wg-quick up /etc/wireguard/wg0.conf
As OpenRC service
Since Alpine 3.20, there is wireguard-tools-openrc, which provides an OpenRC initd service file. First install the package:
apk add wireguard-tools-openrc
To use the WireGuard OpenRC script, you then need to create a symbolic link to it with the configuration name, like this:
ln -s /etc/init.d/wg-quick /etc/init.d/wg-quick.wg0 # Add it to the default runlevel: rc-update add wg-quick.wg0 # Finally, start the service: rc-service wg-quick.wg0 start
Enable IP Forwarding
With a NAT destination rule in place on your router, you should be able connect to the wireguard instance and access the host. However, if you intend for peers to be able to access external resources (including the internet), you will need to enable ip forwarding.
Edit the file /etc/sysctl.conf
(or a .conf
file under /etc/sysctl.d/
) and add the following line:
net.ipv4.ip_forward = 1
Add the sysctl service to run at boot:
rc-update add sysctl
Then either reboot or run sysctl -p /etc/sysctl.conf
to reload the settings. To ensure forwarding is turned on, run sysctl -a | grep ip_forward
and ensure net.ipv4.ip_forward
is set to 1
.
Running with modloop
If you are running from a RAM disk, you can't modify the modloop.
You can get around it by unpacking the modloop, mounting the unpacked modules folder, then installing WireGuard.
#!/bin/sh apk add squashfs-tools # install squashfs tools to unpack modloop unsquashfs -d /root/squash /lib/modloop-lts # unpack modloop to root dir umount /.modloop # unmount existing modloop mount /root/squash/ /.modloop/ # mount unpacked modloop apk del wireguard-lts # uninstall previous WireGuard install apk add wireguard-lts apk add wireguard-tools
You can repack the squash filesystem or put this script in the /etc/local.d/ path so it runs at boot-up.