WireGuard on Alpine Linux with nftables



This article describes the installation and configuration of WireGuard on Alpine Linux (server) and iOS (client). Part of the setup is done using nftables. Once the setup is complete, traffic from the client goes through the server before reaching the Internet (also known as a "road warrior" setup).

The setup assumes the following:

Network diagram.

Install WireGuard

You need to enable the community repository before installing WireGuard on Alpine Linux. Edit /etc/apk/repositories to enable the repository.

Install the WireGuard packages:

apk update
apk add wireguard-tools-wg

Enable IP forwarding

Enable IP forwarding by running:

sysctl -w net.ipv4.ip_forward=1

To make the settings permanent, create a configuration file under /etc/sysctl.d/. For example, create /etc/sysctl.d/local.conf with the following content:


Configure WireGuard

WireGuard configuration files should be put under the /etc/wireguard/ directory.

mkdir -p /etc/wireguard/

Now create the keypair used by WireGuard on the server:

cd /etc/wireguard/
# Create key files readable by root only from the moment they are written.
umask 077
wg genkey > server.key
chmod 600 server.key
wg pubkey < server.key > server.pub

The server.key contains the server private key and server.pub contains the server public key.

Now create a pre-shared key used by WireGuard on the server and client.

wg genpsk > peer-01.psk

If there are multiple clients, create a pre-shared key for each client.

Create the configuration file of WireGuard on the server. Create a file at /etc/wireguard/wg0.conf with the following content:

[Interface]
PrivateKey = AAAAA
ListenPort = 20000

[Peer]
PublicKey = BBBBB
PresharedKey = CCCCC
AllowedIPs =

In the Interface section:

In the Peer section:

Configure network interface

Update /etc/network/interfaces and add the following:

auto wg0
iface wg0 inet static
  pre-up ip link add dev wg0 type wireguard
  pre-up wg setconf wg0 /etc/wireguard/wg0.conf
  post-down ip link delete dev wg0

Configure nftables

In order for clients to reach the Internet through the server, nftables will be used to configure the source NAT.

If nftables has not been installed, run:

apk add nftables

Add a file /etc/nftables.d/wireguard.nft with the following content:

#!/usr/sbin/nft -f

# Configurations for WireGuard.

table inet filter {
  chain input {
    # Accept WireGuard traffic on the ListenPort set in wg0.conf.
    udp dport 20000 accept
  }

  chain forward {
    iifname "eth0" oifname "wg0" accept;
    iifname "wg0" oifname "eth0" accept;
  }
}

table ip nat {
  chain PREROUTING {
    type nat hook prerouting priority filter; policy accept;
  }

  chain POSTROUTING {
    type nat hook postrouting priority srcnat; policy accept;
    # Source NAT for traffic leaving through eth0.
    oifname "eth0" masquerade
  }
}

Run nft -f /etc/nftables.nft to load the new rules, and then nft list ruleset to check the configurations.

Run rc-update add nftables so that nftables will run and load the configurations when the system starts.

Configure VPN client

In WireGuard for iOS, create a new WireGuard tunnel.

WireGuard for iOS.

In the interface section:

WireGuard for iOS.

In the peer section:

Activate VPN tunnel

Update the PublicKey under the Peer section of /etc/wireguard/wg0.conf on the server, and set its value to the public key of the VPN client.
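Before bringing the interface up, a check along these lines flags leftover placeholder values, an empty AllowedIPs, and a configuration file that other users can read. This is an added example, not part of the original article: the function name audit_wg_conf is hypothetical, it assumes a stat that supports -c (BusyBox and GNU both do), and it treats PresharedKey as required because this setup uses one per peer.

```shell
#!/bin/sh
# Added example, not the article's code. audit_wg_conf FILE prints one line
# per finding and returns 0 when the file is clean, 1 otherwise.
audit_wg_conf() {
  conf=$1
  rc=0
  [ -r "$conf" ] || { echo "$conf: cannot read"; return 2; }
  # The file holds PrivateKey and PresharedKey: no group/other access.
  mode=$(stat -c %a "$conf")
  case $mode in
    *00) ;;
    *) echo "$conf: mode $mode exposes the keys, use 600"; rc=1 ;;
  esac
  awk '
    function bad(msg) { print FILENAME ": " msg; n++ }
    # A WireGuard key is 32 bytes of base64: 43 characters and one "=".
    function is_key(v) { return length(v) == 44 && v ~ /^[A-Za-z0-9+\/]+=$/ }
    function check_section() {
      if (sec == "Interface") {
        if (!is_key(val["PrivateKey"])) bad("[Interface] PrivateKey is not a key")
        if (val["ListenPort"] !~ /^[0-9]+$/) bad("[Interface] ListenPort is not a port")
      } else if (sec == "Peer") {
        # Assumption: every peer carries a PresharedKey, as in this article.
        if (!is_key(val["PublicKey"])) bad("[Peer] " peers ": PublicKey is not a key")
        if (!is_key(val["PresharedKey"])) bad("[Peer] " peers ": PresharedKey is not a key")
        if (val["AllowedIPs"] == "") bad("[Peer] " peers ": AllowedIPs is empty")
      }
      split("", val)   # portable way to clear the array
    }
    /^[ \t]*(#|$)/ { next }
    /^[ \t]*\[/ {
      check_section()
      sec = $0; gsub(/[^A-Za-z]/, "", sec)
      if (sec == "Peer") peers++
      next
    }
    {
      i = index($0, "=")   # split at the first "=", keys end in "=" too
      if (i == 0) { bad("line " NR ": not a key = value line"); next }
      k = substr($0, 1, i - 1); v = substr($0, i + 1)
      gsub(/[ \t]/, "", k); gsub(/^[ \t]+|[ \t]+$/, "", v)
      if (sec == "") bad("line " NR ": " k " outside [Interface]/[Peer]")
      val[k] = v
    }
    END { check_section(); if (!peers) bad("no [Peer] section"); exit (n > 0) }
  ' "$conf" || rc=1
  return $rc
}
```

Run it as audit_wg_conf /etc/wireguard/wg0.conf after sourcing the file; no output and exit status 0 mean the checks passed.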

On the server, run ifup wg0 to activate the interface. The client should be able to connect to the server, and all traffic will go through the server. On the client, you can visit a website such as https://ifconfig.co/ to verify that the IP address shown is the server's public IP address instead of the client's public IP address.

You can run wg on the server to see the WireGuard statistics.

When needed, you can run ifdown wg0 on the server to deactivate the WireGuard interface.