Configure a Wireguard interface (wg): Difference between revisions
(Add a reminder to reboot before modprobe) |
(Update procedure for wg now integrated in kernel, add ip_forward, add notes about ip forwarding.) |
||
Line 1: | Line 1: | ||
{{TOC left}} | {{TOC left}} | ||
WireGuard is | WireGuard has become a nearly ubiquitous vpn solution for multiple platform and is available in the community repository since Alpine 3.10. | ||
WireGuard itself is now integrated into the linux kernel since v5.6. Only the userland configuration tools are required. | |||
== Install required packages == | |||
== | |||
The most straightforward method, and the one recommended in WireGuard documentation, is to use <code>wg-quick</code>. | The most straightforward method, and the one recommended in WireGuard documentation, is to use <code>wg-quick</code>. | ||
Install wireguard-tools | Install wireguard-tools, iptables, and sysctl: | ||
apk add wireguard-tools | apk add wireguard-tools-wg-quick | ||
apk add iptables | |||
apk add sysctl | |||
== Create Server Keys and Interface Config == | |||
Create a server private and public key: | |||
wg genkey | tee server.privatekey | wg pubkey > server.publickey | |||
Then, we create a new config file <code>/etc/wireguard/wg0.conf</code> using these new keys: | |||
Then, we create a new config file <code>/etc/wireguard/wg0.conf</code> using | |||
[Interface] | [Interface] | ||
Address = | Address = 192.168.2.1/24 | ||
ListenPort = 45340 | ListenPort = 45340 | ||
PrivateKey = | PrivateKey = <server private key value> # the key from the previously generated privatekey file | ||
PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE;iptables -A FORWARD -o %i -j ACCEPT | PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE;iptables -A FORWARD -o %i -j ACCEPT | ||
PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE;iptables -D FORWARD -o %i -j ACCEPT | PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE;iptables -D FORWARD -o %i -j ACCEPT | ||
The PostUp and PostDown | The PostUp and PostDown iptable rules forward traffic from the wg0 subnet (192.168.2.1/24) to the lan subnet on interface eth0. | ||
Refer to [https://github.com/pirate/wireguard-docs#user-content-config-reference this WireGuard documentation] for information on adding peers to the config file. | |||
Bring up the new wg0 interface: | |||
wg-quick up wg0 | wg-quick up wg0 | ||
Line 48: | Line 41: | ||
Note: If running in a Docker container, you will need to run with <code>--cap-add=NET_ADMIN</code> to modify your interfaces. | Note: If running in a Docker container, you will need to run with <code>--cap-add=NET_ADMIN</code> to modify your interfaces. | ||
== | == Enable IP Forwarding == | ||
With a NAT destination rule in place on your router, you should be able connect to the wireguard instance and access the host. However, if you intend for peers to be able to access external resources (including the internet), you will need to enable ip forwarding. | |||
Edit the file <code>/etc/sysctl.conf</code> (or a <code>.conf</code> file under <code>/etc/sysctl.d/</code>) and add the following line: | |||
net.ipv4.ip_forward = 1 | |||
Add the sysctl service to run at boot: | |||
rc-update add sysctl | |||
Then either reboot or run <code>sysctl -p /etc/sysctl.conf</code> to reload the settings. To ensure forwarding is turned on, run <code>sysctl -a | grep ip_forward</code> and ensure <code>net.ipv4.ip_forward</code> is set to <code>1</code>. | |||
== Running with modloop == | == Running with modloop == |
Revision as of 15:55, 25 July 2023
WireGuard has become a nearly ubiquitous vpn solution for multiple platform and is available in the community repository since Alpine 3.10.
WireGuard itself is now integrated into the linux kernel since v5.6. Only the userland configuration tools are required.
Install required packages
The most straightforward method, and the one recommended in WireGuard documentation, is to use wg-quick
.
Install wireguard-tools, iptables, and sysctl:
apk add wireguard-tools-wg-quick apk add iptables apk add sysctl
Create Server Keys and Interface Config
Create a server private and public key:
wg genkey | tee server.privatekey | wg pubkey > server.publickey
Then, we create a new config file /etc/wireguard/wg0.conf
using these new keys:
[Interface] Address = 192.168.2.1/24 ListenPort = 45340 PrivateKey = <server private key value> # the key from the previously generated privatekey file PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE;iptables -A FORWARD -o %i -j ACCEPT PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE;iptables -D FORWARD -o %i -j ACCEPT
The PostUp and PostDown iptable rules forward traffic from the wg0 subnet (192.168.2.1/24) to the lan subnet on interface eth0.
Refer to this WireGuard documentation for information on adding peers to the config file.
Bring up the new wg0 interface:
wg-quick up wg0
To take it down, we can use wg-quick down wg0
which will clean up the interface and remove the iptables rules.
Note: If running in a Docker container, you will need to run with --cap-add=NET_ADMIN
to modify your interfaces.
Enable IP Forwarding
With a NAT destination rule in place on your router, you should be able connect to the wireguard instance and access the host. However, if you intend for peers to be able to access external resources (including the internet), you will need to enable ip forwarding.
Edit the file /etc/sysctl.conf
(or a .conf
file under /etc/sysctl.d/
) and add the following line:
net.ipv4.ip_forward = 1
Add the sysctl service to run at boot:
rc-update add sysctl
Then either reboot or run sysctl -p /etc/sysctl.conf
to reload the settings. To ensure forwarding is turned on, run sysctl -a | grep ip_forward
and ensure net.ipv4.ip_forward
is set to 1
.
Running with modloop
If you are running from a RAM disk, you can't modify the modloop.
You can get around it by unpacking the modloop, mounting the unpacked modules folder, then installing WireGuard.
#!/bin/sh apk add squashfs-tools # install squashfs tools to unpack modloop unsquashfs -d /root/squash /lib/modloop-lts # unpack modloop to root dir umount /.modloop # unmount existing modloop mount /root/squash/ /.modloop/ # mount unpacked modloop apk del wireguard-lts # uninstall previous WireGuard install apk add wireguard-lts apk add wireguard-tools
You can repack the squash filesystem or put this script in the /etc/local.d/ path so it runs at boot-up.