Configure Persistent Wireguard Network Interface on Alpine Linux

alpineipwireguard

I have configured Wireguard VPN on Alpine Linux 3.16.2. Manual server and client configuration works fine.

uname -mrs
# Linux 5.15.60-0-virt aarch64

ip link add dev wg0 type wireguard
ip address add dev wg0 10.0.0.4/8
wg setconf wg0 /etc/wireguard/wg0.conf
ip link set up dev wg0
wg
# interface: wg0
#   public key: 9nEynT6g.....
#   private key: (hidden)
#   listening port: 31194
# peer: A2zDuhbX6....
#   allowed ips: 10.0.0.5/32

but when I reboot the system device wg0 disappears. How to do it persistent?

I followed the instruction Alpine Linux set up WireGuard VPN server but it seems a bit outdated.

When adding interface to /etc/network/interfaces I faced the following problems.
They do not add new entries to this file directly because NOTE: /sbin/assemble-interfaces rewrites this file. Edit files in /etc/network/interfaces.d/ to persist any customizations.

If I add new config file with interface description it does not load after reboot:

nano /etc/network/interfaces.d/wg0

The content of /etc/network/interfaces.d/wg0

auto wg0
iface wg0 inet static
    address 10.0.0.4/8
    gateway 10.0.0.1
    pre-up ip link add dev wg0 type wireguard
    pre-up wg setconf wg0 /etc/wireguard/wg0.conf
    post-down ip link delete wg0

Manual configuration is working. I can establish VPN connection from remote client to server, ssh to server using private address 10.0.0.4 and access Internet.
So how configure this interface to up at boot time on Alpine Linux 3.16.2]1?

Best Answer

That /sbin/assemble-interfaces script (and the /etc/network/interfaces.d/ directory) is not a standard part of Alpine Linux. It's probably part of some other networking package you added, and you likely have to run it manually every time you make any changes in your /etc/network/interface.d/ directory.

Normally you would add interface definitions directly to /etc/network/interfaces, and run rc-service networking restart to apply your changes (see Alpine's Configure Networking documentation).

Another option would be to use wg-quick to manage your WireGuard interface. To do so, add the interface's address to your /etc/wireguard/wg0.conf file:

[Interface]
PrivateKey = ABC123...
Address = 10.0.0.4/8
...

Then set up an OpenRC service for it, with an init script like this at /etc/init.d/wg-quick:

#!/sbin/openrc-run

description="WireGuard Quick"

depend() {
    need localmount
    need net
}

start() {
    wg-quick up wg0
}

stop() {
    wg-quick down wg0
}

You can use the rc-service wg-quick start and rc-service wg-quick stop commands to start up and shut down this service; and you can enable it at boot with the following command:

rc-update add wg-quick default

Related Solutions

Wireguard VPN – Can’t Access Internet and LAN

Needed PostUp and PostDown lines in wireguard.conf:

[Interface]
Address = 10.0.0.1/24
SaveConfig = true
PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -A FORWARD -o %i -j ACCEPT; iptables -t nat -A POSTROUTING -o enp2s0 -j MASQUERADE
PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -D FORWARD -o %i -j ACCEPT; iptables -t nat -D POSTROUTING -o enp2s0 -j MASQUERADE
ListenPort = 51820
PrivateKey = <MY_KEY>

[Peer]
PublicKey = <MY_PUB_KEY>
AllowedIPs = 10.0.0.2/32

Limit Connections to Private Network with firewalld and Wireguard

Finally I found the answer my self. The feature allowing routing and filtering with firewalld is called policies and was introduced later. This great post from Pro Custodibus also explains different scenarios using wireguard and firewalld.

With policies it is possible to route traffic from one zone to another and to set a specific rule set for the traffic passing through.

To archive the separation between my wireguard interfaces/connections for admins/clients and routing into the private network the wireguard server we:

split up the wireguard interfaces into separate zones
added a zone were the traffic is forwared
added two policies which connecting the wireguard zones with the forward zone
added rules to the policies to filter the wireguard traffic

Zones:

$ firewall-cmd --info=zone=wg_clients
wg_clients (active)
  target: DROP
  icmp-block-inversion: no
  interfaces: wg_clients
  sources: 
  services: 
  ports: 
  protocols: 
  forward: no
  masquerade: no
  forward-ports: 
  source-ports: 
  icmp-blocks: 
  rich rules:

$ firewall-cmd --info=zone=wg_admins
wg_admins (active)
  target: DROP
  icmp-block-inversion: no
  interfaces: wg_admins
  sources: 
  services: 
  ports: 
  protocols: 
  forward: no
  masquerade: no
  forward-ports: 
  source-ports: 
  icmp-blocks: 
  rich rules:

$ firewall-cmd --info=zone=forward
forward (active)
  target: ACCEPT
  icmp-block-inversion: no
  interfaces: 
  sources: 10.10.10.0/24
  services: 
  ports: 
  protocols: 
  forward: no
  masquerade: yes
  forward-ports: 
  source-ports: 
  icmp-blocks: 
  rich rules:

Policies:

$ firewall-cmd --info-policy=wg_clients2forward
wg_clients2forward (active)
  priority: -1
  target: REJECT
  ingress-zones: wg_clients
  egress-zones: forward
  services: 
  ports: 
  protocols: 
  masquerade: no
  forward-ports: 
  source-ports: 
  icmp-blocks: 
  rich rules: 
        rule family="ipv4" destination address="10.10.10.203" service name="dns" accept
        rule family="ipv4" source address="10.42.42.3/32" destination address="10.10.10.133" service name="https" accept
        rule family="ipv4" source address="10.42.42.2/32" destination address="10.10.10.209" service name="https" accept

$ firewall-cmd --info-policy=wg_admins2forward
wg_admins2forward (active)
  priority: -1
  target: REJECT
  ingress-zones: wg_admins
  egress-zones: forward
  services: 
  ports: 
  protocols: 
  masquerade: no
  forward-ports: 
  source-ports: 
  icmp-blocks: 
  rich rules: 
        rule family="ipv4" destination address="10.10.10.0/24" accept