Configure a Wireguard interface (wg): Difference between revisions

From Alpine Linux
(fix spelling, add link to documentation)
(Updated instructions to reflect current release packages (3.20).)
 
(11 intermediate revisions by 9 users not shown)
Line 1: Line 1:
WireGuard is a very promising VPN technology available in the community repository since Alpine 3.10.
{{TOC right}}


There are several ways to install and configure an interface.
WireGuard has become a nearly ubiquitous vpn solution for multiple platform and is available in the community repository since Alpine 3.10. WireGuard itself is now integrated into the linux kernel since v5.6. Only the userland configuration tools are required.


In order to load the WireGuard kernel module, you need a compatible kernel:
== Install required packages ==
 
* linux-lts
* linux-virt
 
== Bringing up an interface using wg-tools ==


The most straightforward method, and the one recommended in WireGuard documentation, is to use <code>wg-quick</code>.
The most straightforward method, and the one recommended in WireGuard documentation, is to use <code>wg-quick</code>.


Install wireguard-tools
Install wireguard-tools, iptables, and sysctl:


  apk add wireguard-tools
  apk add wireguard-tools-wg-quick
apk add iptables


Then load the module
== Create Server Keys and Interface Config ==


modprobe wireguard
Create a server private and public key:


Add it to <code>/etc/modules</code> to automatically load it on boot.
wg genkey | tee server.privatekey | wg pubkey > server.publickey


Then, we need to create a private and a public key:
Then, we create a new config file <code>/etc/wireguard/wg0.conf</code> using these new keys:
 
wg genkey | tee privatekey | wg pubkey > publickey
 
Then, we create a new config file <code>/etc/wireguard/wg0.conf</code> using those keys:


  [Interface]
  [Interface]
  Address = 10.123.0.1/24
  Address = 192.168.2.1/24
  ListenPort = 45340
  ListenPort = 45340
  PrivateKey = SG1nXk2+kAAKnMkL5aX3NSFPaGjf9SQI/wWwFj9l9U4= # the key from the previously generated privatekey file
  PrivateKey = <server private key value> # the key from the previously generated privatekey file
  PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE;iptables -A FORWARD -o %i -j ACCEPT
  PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE;iptables -A FORWARD -o %i -j ACCEPT
  PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE;iptables -D FORWARD -o %i -j ACCEPT
  PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE;iptables -D FORWARD -o %i -j ACCEPT
[Peer]
PublicKey = <client public key value> # obtained from client device via wireguard connection setup process
AllowedIPs = 192.168.2.2/32


The PostUp and PostDown steps are there to ensure the interface wg0 will accept and forward traffic to eth0. The postrouting and forward to %i is not required, but it will enable "VPN mode" where users can access the internet via this server if desired. Reference [this WireGuard documentation](https://github.com/pirate/wireguard-docs#user-content-config-reference) for information on adding peers to the config file.
The PostUp and PostDown iptable rules forward traffic from the wg0 subnet (192.168.2.1/24) to the lan subnet on interface eth0.


To bring up the new interface we use:
Refer to [https://github.com/pirate/wireguard-docs#user-content-config-reference this WireGuard documentation] for information on adding peers to the config file.


Bring up the new wg0 interface:
,
  wg-quick up wg0
  wg-quick up wg0


Line 44: Line 42:
Note: If running in a Docker container, you will need to run with <code>--cap-add=NET_ADMIN</code> to modify your interfaces.
Note: If running in a Docker container, you will need to run with <code>--cap-add=NET_ADMIN</code> to modify your interfaces.


== Bringing up an interface using ifupdown-ng ==
== Use with network interfaces ==


The official documents from WireGuard show examples of how to set up an interface with the use of wg-quick.
To enable connecting with Wireguard on boot, open your <code>/etc/network/interfaces</code>  and add this information after your auto other network interfaces:
In this how-to, we are not going to use that utility. We'll use the plain wg command and [https://github.com/ifupdown-ng/ifupdown-ng/blob/master/doc/interfaces-wireguard.scd ifupdown-ng].


apk add wireguard-tools-wg
<pre>
auto wg0
iface wg0 inet static
pre-up wg-quick up /etc/wireguard/wg0.conf
</pre>


Now that all the tools are installed, you can setup the interface.
== As OpenRC service ==
The setup of your interface config is out of the scope of this document. You should consult the [https://git.zx2c4.com/WireGuard/about/src/tools/man/wg.8 manual page of wg].


After you have finished setting up your wgX interface config, you can add it to your <code>/etc/network/interfaces</code>:
Since Alpine 3.20, there is wireguard-tools-openrc, which provides an OpenRC initd service file. First install the package:


auto wg0
<pre>
iface wg0 inet static
apk add wireguard-tools-openrc
        requires eth0
</pre>
        use wireguard
        address 192.168.42.1


This config will automatically:
To use the WireGuard OpenRC script, you then need to create a symbolic link to it with the configuration name, like this:


* bring the WireGuard interface up after the eth0 interface
<pre>
* assign a config to this interface (which you have previously created)
ln -s /etc/init.d/wg-quick /etc/init.d/wg-quick.wg0
* setup the interface address and netmask
# Add it to the default runlevel:
* add the route once the interface is up
rc-update add wg-quick.wg0
* remove the interface when it goes down
# Finally, start the service:
rc-service wg-quick.wg0 start
</pre>


To start and stop the interface, you execute:
== Enable IP Forwarding ==


ifup wg0
With a NAT destination rule in place on your router, you should be able connect to the wireguard instance and access the host. However, if you intend for peers to be able to access external resources (including the internet), you will need to enable ip forwarding.
ifdown wg0


If your interface config is not stored under <code>/etc/wireguard</code> you need to specify a <code>wireguard-config-path</code> as well.
Edit the file <code>/etc/sysctl.conf</code> (or a <code>.conf</code> file under <code>/etc/sysctl.d/</code>) and add the following line:
 
net.ipv4.ip_forward = 1
 
Add the sysctl service to run at boot:
 
rc-update add sysctl
 
Then either reboot or run <code>sysctl -p /etc/sysctl.conf</code> to reload the settings. To ensure forwarding is turned on, run <code>sysctl -a | grep ip_forward</code> and ensure <code>net.ipv4.ip_forward</code> is set to <code>1</code>.


== Running with modloop ==
== Running with modloop ==
If you are running from a RAM disk, you can't modify the modloop.
If you are running from a RAM disk, you can't modify the modloop.



Latest revision as of 03:33, 28 June 2024

WireGuard has become a nearly ubiquitous vpn solution for multiple platform and is available in the community repository since Alpine 3.10. WireGuard itself is now integrated into the linux kernel since v5.6. Only the userland configuration tools are required.

Install required packages

The most straightforward method, and the one recommended in WireGuard documentation, is to use wg-quick.

Install wireguard-tools, iptables, and sysctl:

apk add wireguard-tools-wg-quick
apk add iptables

Create Server Keys and Interface Config

Create a server private and public key:

wg genkey | tee server.privatekey | wg pubkey > server.publickey

Then, we create a new config file /etc/wireguard/wg0.conf using these new keys:

[Interface]
Address = 192.168.2.1/24
ListenPort = 45340
PrivateKey = <server private key value> # the key from the previously generated privatekey file
PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE;iptables -A FORWARD -o %i -j ACCEPT
PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE;iptables -D FORWARD -o %i -j ACCEPT

[Peer]
PublicKey = <client public key value> # obtained from client device via wireguard connection setup process
AllowedIPs = 192.168.2.2/32

The PostUp and PostDown iptable rules forward traffic from the wg0 subnet (192.168.2.1/24) to the lan subnet on interface eth0.

Refer to this WireGuard documentation for information on adding peers to the config file.

Bring up the new wg0 interface: ,

wg-quick up wg0

To take it down, we can use wg-quick down wg0 which will clean up the interface and remove the iptables rules. Note: If running in a Docker container, you will need to run with --cap-add=NET_ADMIN to modify your interfaces.

Use with network interfaces

To enable connecting with Wireguard on boot, open your /etc/network/interfaces and add this information after your auto other network interfaces:

auto wg0
iface wg0 inet static
pre-up wg-quick up /etc/wireguard/wg0.conf

As OpenRC service

Since Alpine 3.20, there is wireguard-tools-openrc, which provides an OpenRC initd service file. First install the package:

apk add wireguard-tools-openrc

To use the WireGuard OpenRC script, you then need to create a symbolic link to it with the configuration name, like this:

ln -s /etc/init.d/wg-quick /etc/init.d/wg-quick.wg0
# Add it to the default runlevel:
rc-update add wg-quick.wg0
# Finally, start the service:
rc-service wg-quick.wg0 start

Enable IP Forwarding

With a NAT destination rule in place on your router, you should be able connect to the wireguard instance and access the host. However, if you intend for peers to be able to access external resources (including the internet), you will need to enable ip forwarding.

Edit the file /etc/sysctl.conf (or a .conf file under /etc/sysctl.d/) and add the following line:

net.ipv4.ip_forward = 1

Add the sysctl service to run at boot:

rc-update add sysctl 

Then either reboot or run sysctl -p /etc/sysctl.conf to reload the settings. To ensure forwarding is turned on, run sysctl -a | grep ip_forward and ensure net.ipv4.ip_forward is set to 1.

Running with modloop

If you are running from a RAM disk, you can't modify the modloop.

You can get around it by unpacking the modloop, mounting the unpacked modules folder, then installing WireGuard.

#!/bin/sh
apk add squashfs-tools # install squashfs tools to unpack modloop
unsquashfs -d /root/squash /lib/modloop-lts # unpack modloop to root dir
umount /.modloop # unmount existing modloop
mount /root/squash/ /.modloop/ # mount unpacked modloop
apk del wireguard-lts # uninstall previous WireGuard install
apk add wireguard-lts
apk add wireguard-tools

You can repack the squash filesystem or put this script in the /etc/local.d/ path so it runs at boot-up.