Configure a Wireguard interface (wg): Difference between revisions

From Alpine Linux
(Helpful hint about IFUP requiring BASH package to work correctly (found by following instructions using Proxmox with Alpine 3.10 LXC container))
(Add peer setup which is missing from this guide)
 
(16 intermediate revisions by 13 users not shown)
Line 1: Line 1:
Wireguard is a very promising VPN technology and available since Alpine 3.10 in the community repository.
{{TOC right}}


apk add wireguard-vanilla (or wireguard-virt)
WireGuard has become a nearly ubiquitous vpn solution for multiple platform and is available in the community repository since Alpine 3.10. WireGuard itself is now integrated into the linux kernel since v5.6. Only the userland configuration tools are required.


The official documents from wireguard will show examples of how to setup an interface with the use of wg-quick.
== Install required packages ==
In this howto we are not going to use this utility but are going to use plain wg command and busybox ifupdown.


apk add wireguard-tools-wg
The most straightforward method, and the one recommended in WireGuard documentation, is to use <code>wg-quick</code>.


Now that you have all the tools installed we can setup the interface.
Install wireguard-tools, iptables, and sysctl:
The setup of your interface config is out of the scope of this document, you should consult the [https://git.zx2c4.com/WireGuard/about/src/tools/man/wg.8 manual page of wg].


After you have finished setting up your wgX interface config you can add it to your /etc/network/interfaces:
apk add wireguard-tools-wg-quick
apk add iptables
apk add sysctl


auto wg0
== Create Server Keys and Interface Config ==
iface wg0 inet static
    address x.x.x.x
    netmask 255.255.255.0
    pre-up ip link add dev wg0 type wireguard
    pre-up wg setconf wg0 /etc/wireguard/wg0.conf
    post-up ip route add x.x.x.x/24 dev wg0
    post-down ip link delete dev wg0


This config will do:
Create a server private and public key:
 
wg genkey | tee server.privatekey | wg pubkey > server.publickey
 
Then, we create a new config file <code>/etc/wireguard/wg0.conf</code> using these new keys:
 
[Interface]
Address = 192.168.2.1/24
ListenPort = 45340
PrivateKey = <server private key value> # the key from the previously generated privatekey file
PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE;iptables -A FORWARD -o %i -j ACCEPT
PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE;iptables -D FORWARD -o %i -j ACCEPT
   
   
* bring the wireguard interface up
[Peer]
* assign a config to this interface (which you have previously created)
PublicKey = <client public key value> # obtained from client device via wireguard connection setup process
* setup the interface address and netmask
AllowedIPs = 192.168.2.2/32
* add the route ones the interface is up
 
* remove the interface when it goes down
The PostUp and PostDown iptable rules forward traffic from the wg0 subnet (192.168.2.1/24) to the lan subnet on interface eth0.
 
Refer to [https://github.com/pirate/wireguard-docs#user-content-config-reference this WireGuard documentation] for information on adding peers to the config file.
 
Bring up the new wg0 interface:
,
wg-quick up wg0
 
To take it down, we can use <code>wg-quick down wg0</code> which will clean up the interface and remove the iptables rules.
Note: If running in a Docker container, you will need to run with <code>--cap-add=NET_ADMIN</code> to modify your interfaces.
 
== Enable IP Forwarding ==
 
With a NAT destination rule in place on your router, you should be able connect to the wireguard instance and access the host. However, if you intend for peers to be able to access external resources (including the internet), you will need to enable ip forwarding.
 
Edit the file <code>/etc/sysctl.conf</code> (or a <code>.conf</code> file under <code>/etc/sysctl.d/</code>) and add the following line:
 
net.ipv4.ip_forward = 1
 
Add the sysctl service to run at boot:
 
rc-update add sysctl
 
Then either reboot or run <code>sysctl -p /etc/sysctl.conf</code> to reload the settings. To ensure forwarding is turned on, run <code>sysctl -a | grep ip_forward</code> and ensure <code>net.ipv4.ip_forward</code> is set to <code>1</code>.
 
== Running with modloop ==
 
If you are running from a RAM disk, you can't modify the modloop.


To start the interface and stop it you can execute:
You can get around it by unpacking the modloop, mounting the unpacked modules folder, then installing WireGuard.


  ifup wg0
  #!/bin/sh
  ifdown wg0
  apk add squashfs-tools # install squashfs tools to unpack modloop
unsquashfs -d /root/squash /lib/modloop-lts # unpack modloop to root dir
umount /.modloop # unmount existing modloop
mount /root/squash/ /.modloop/ # mount unpacked modloop
apk del wireguard-lts # uninstall previous WireGuard install
apk add wireguard-lts
apk add wireguard-tools


If <code>ifup wg0</code> fails silently, verify that the <code>bash</code> package is installed.
You can repack the squash filesystem or put this script in the /etc/local.d/ path so it runs at boot-up.


[[Category:Networking]]
[[Category:Networking]]

Latest revision as of 05:33, 26 December 2023

WireGuard has become a nearly ubiquitous vpn solution for multiple platform and is available in the community repository since Alpine 3.10. WireGuard itself is now integrated into the linux kernel since v5.6. Only the userland configuration tools are required.

Install required packages

The most straightforward method, and the one recommended in WireGuard documentation, is to use wg-quick.

Install wireguard-tools, iptables, and sysctl:

apk add wireguard-tools-wg-quick
apk add iptables
apk add sysctl

Create Server Keys and Interface Config

Create a server private and public key:

wg genkey | tee server.privatekey | wg pubkey > server.publickey

Then, we create a new config file /etc/wireguard/wg0.conf using these new keys:

[Interface]
Address = 192.168.2.1/24
ListenPort = 45340
PrivateKey = <server private key value> # the key from the previously generated privatekey file
PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE;iptables -A FORWARD -o %i -j ACCEPT
PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE;iptables -D FORWARD -o %i -j ACCEPT

[Peer]
PublicKey = <client public key value> # obtained from client device via wireguard connection setup process
AllowedIPs = 192.168.2.2/32

The PostUp and PostDown iptable rules forward traffic from the wg0 subnet (192.168.2.1/24) to the lan subnet on interface eth0.

Refer to this WireGuard documentation for information on adding peers to the config file.

Bring up the new wg0 interface: ,

wg-quick up wg0

To take it down, we can use wg-quick down wg0 which will clean up the interface and remove the iptables rules. Note: If running in a Docker container, you will need to run with --cap-add=NET_ADMIN to modify your interfaces.

Enable IP Forwarding

With a NAT destination rule in place on your router, you should be able connect to the wireguard instance and access the host. However, if you intend for peers to be able to access external resources (including the internet), you will need to enable ip forwarding.

Edit the file /etc/sysctl.conf (or a .conf file under /etc/sysctl.d/) and add the following line:

net.ipv4.ip_forward = 1

Add the sysctl service to run at boot:

rc-update add sysctl 

Then either reboot or run sysctl -p /etc/sysctl.conf to reload the settings. To ensure forwarding is turned on, run sysctl -a | grep ip_forward and ensure net.ipv4.ip_forward is set to 1.

Running with modloop

If you are running from a RAM disk, you can't modify the modloop.

You can get around it by unpacking the modloop, mounting the unpacked modules folder, then installing WireGuard.

#!/bin/sh
apk add squashfs-tools # install squashfs tools to unpack modloop
unsquashfs -d /root/squash /lib/modloop-lts # unpack modloop to root dir
umount /.modloop # unmount existing modloop
mount /root/squash/ /.modloop/ # mount unpacked modloop
apk del wireguard-lts # uninstall previous WireGuard install
apk add wireguard-lts
apk add wireguard-tools

You can repack the squash filesystem or put this script in the /etc/local.d/ path so it runs at boot-up.