Home / Articles

WireGuard on Alpine Linux with nftables

2019-10-12T08:09:47.720Z.

Changelog:

This article describes the installation and configuration of WireGuard on Alpine Linux (server) and iOS (client). Part of the setup is done using nftables. Once the setup is complete, the traffic from the client will go through the server before reaching the Internet (also known as "road warrior" setup).

The setup assumes the following:

Network diagram.

Install WireGuard

You need to enable the community repository before installing WireGuard on Alpine Linux. Edit /etc/apk/repositories to enable the repository.

Install the WireGuard packages:


apk update
apk add wireguard-vanilla
# Or install wireguard-virt.
apk add wireguard-tools-wg

Enable IP forwarding

Enable IP forwarding by running:


sysctl -w net.ipv4.ip_forward=1

To make the settings permanent, create a configuration file under /etc/sysctl.d/. For example, create /etc/sysctl.d/local.conf with the following content:


net.ipv4.ip_forward=1

Configure WireGuard

WireGuard configuration files should be put under the /etc/wireguard/ directory.


mkdir -p /etc/wireguard/

Now create the keypair used by WireGuard on the server:


cd /etc/wireguard/
wg genkey > server.key
chmod 600 server.key
wg pubkey < server.key > server.pub

The server.key contains the server private key and server.pub contains the server public key.

Now create a pre-shared key used by WireGuard on the server and client.


wg genpsk > peer-01.psk

If there are multiple clients, create a pre-shared key for each of the client.

Create the configuration file of WireGuard on the server. Create a file at /etc/wireguard/wg0.conf with the following content:


[Interface]
PrivateKey = AAAAA
ListenPort = 20000

[Peer]
PublicKey = BBBBB
PresharedKey = CCCCC
AllowedIPs = 10.0.0.2/32

In the Interface section:

In the Peer section:

Configuure network interface

Update /etc/network/interfaces and add the following:


auto wg0
iface wg0 inet static
  address 10.0.0.1
  netmask 255.255.255.0
  pre-up ip link add dev wg0 type wireguard
  pre-up wg setconf wg0 /etc/wireguard/wg0.conf
  post-down ip link delete dev wg0

Configure nftables

In order for clients to reach the Internet through the server, nftables will be used to configure the source NAT.

If nftables has not been installed, run:


apk add nftables

Run the following to configure the source NAT:


nft add table ip nat
nft add chain ip nat PREROUTING { type nat hook prerouting priority 0 \; }
nft add chain ip nat POSTROUTING { type nat hook postrouting priority 100 \; }
nft add rule ip nat POSTROUTING ip saddr 10.0.0.0/24 oifname "eth0" masquerade

Note:

Run nft list ruleset to check the configurations:


table ip nat {
        chain PREROUTING {
                type nat hook prerouting priority 0; policy accept;
        }

        chain POSTROUTING {
                type nat hook postrouting priority 100; policy accept;
                ip saddr 10.0.0.0/24 oifname "eth0" masquerade
        }
}

To make the configurations permanent, run:


rc-service nftables save

The configurations are written to /etc/firewall.nft.

Run rc-update add nftables so that nftables will run and load the configurations when the system starts.

Configure VPN client

In WireGuard for iOS, create a new WireGuard tunnel.

WireGuard for iOS.

In the interface section:

WireGuard for iOS.

In the peer section:

Activate VPN tunnel

Update the PublicKey under the Peer section of /etc/wireguard/wg0.conf on the server, set the value with the public key of the VPN client.

On the server, run ifup wg0 to activate the interface. The client should be able to connect to the server, and all traffic will go through the server. On the client, you can visit website such as https://ifconfig.co/ to verify the IP address is the server's public IP address, instead of the client's public IP address.

You can run wg on the server to see the WireGuard statistics.

When needed, you can run ifdown wg0 on the server to deactivate the WireGuard interface.

References