How to connect to WireGuard during initrd?

Hello @everybody!

I'm currently experimenting with Fedora (currently Fedora Server 37) as guest in virtual machines to get used to it and see if it can fit my needs. Ultimately I want to switch my servers to Fedora CoreOS.

One aspect I'm trying to evaluate is to do a full disk encryption with NBDE using Clevis and Tang. As two servers are located at remote sites I'd like to connect them via WireGuard to my main site, respectively the Tang server. Therefore I'm trying to bring up the WireGuard connection in the initrd phase. I've imported the wg connection config into NetworkManager (works fine), added "rd.neednet=1" to my kernel cmdline and added the WireGuard module to a custom dracut.conf.d file.
When I interrupt the booting to drop to an initrd shell I can see both "physical" interfaces being brought up just fine, but the wg connection is not showing up.
Can anybody give me some advice on how to achieve a working WireGuard connection during initrd phase?
Thanks in advance,

I’ve never done it, but I would guess that you’d need to include /usr/bin/wg, build dracut with --add systemd-networkd, and add some systemd-networkd configuration files under /etc/systemd/network that will bring your wireguard interface up.


You will have to include your NetworkManager configuration in the initrd via rpm-ostree initramfs-etc --track=...

Thanks for the comments so far!

@glb Currently I'm using NetworkManager to configure the networking on the base system. I'm also using the dracut module 35network-manager, which should actually import all connections in the directories, as far as I understood…

That’s why I have imported my wg.conf file with nmcli on the base system:

nmcli connection import type wireguard file /etc/wireguard/wg0.conf

which created the respective profile as /etc/NetworkManager/system-connections/wg0.nmconnection

But after running dracut -fv, rebooting and dropping into initrd shell, nmcli doesn’t list the wg0 connection…

@siosm I’m currently still on Fedora Server 37, not on FCOS so rpm-ostree isn’t installed…

Oh, indeed, my bad.

You’ll need something to enable your Wireguard connection in NetworkManager.

I now remember that setting it to auto-connect does not work: Auto-connect to VPN fails for WireGuard link (#205) · Issues · NetworkManager / NetworkManager · GitLab

Writing a systemd unit to do a call to nmcli connection up wg0 and ordering it before clevis should do it.
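The unit and the dracut drop-in that suggestion amounts to, written out as an added example (constructed here, not something from this thread or from the dracut/NetworkManager projects). It assumes the initrd unit names nm-initrd.service and clevis-luks-askpass.path and the file name wg0-initrd.service; the dracut.conf keys and the profile path are the ones already mentioned above.

```shell
#!/bin/sh
# Constructed example. Assumed names not taken from the thread: wg0-initrd.service,
# nm-initrd.service (NetworkManager's initrd unit) and clevis-luks-askpass.path
# (Clevis' initrd hook). Run with "/" as the root on the real host.
set -eu

WG_PROFILE=/etc/NetworkManager/system-connections/wg0.nmconnection

# Write the dracut drop-in and the oneshot unit below root $1. Returns 1 when
# the profile or /usr/bin/wg is missing there, so a half-done image is not built.
# Caveat (raised later in the thread): the profile holds the wg0 private key and
# is copied into the initrd in the clear.
write_wg_initrd_config() {
    root=$1
    [ -f "$root$WG_PROFILE" ] || { echo "missing $root$WG_PROFILE" >&2; return 1; }
    [ -x "$root/usr/bin/wg" ] || { echo "missing $root/usr/bin/wg" >&2; return 1; }
    mkdir -p "$root/etc/dracut.conf.d" "$root/etc/systemd/system/initrd.target.wants"

    # dracut.conf: NM module, wireguard driver, wg tool, profile, unit and the
    # wants symlink that enables the unit inside the initrd.
    cat > "$root/etc/dracut.conf.d/90-wireguard.conf" <<EOF
add_dracutmodules+=" network-manager "
add_drivers+=" wireguard "
install_items+=" /usr/bin/wg $WG_PROFILE "
install_items+=" /etc/systemd/system/wg0-initrd.service "
install_items+=" /etc/systemd/system/initrd.target.wants/wg0-initrd.service "
EOF

    # Oneshot unit: after NM has started in the initrd, bring wg0 up, and do so
    # before Clevis tries to reach Tang for the LUKS passphrase.
    cat > "$root/etc/systemd/system/wg0-initrd.service" <<EOF
[Unit]
Description=Bring up WireGuard wg0 before Clevis contacts Tang
DefaultDependencies=no
ConditionPathExists=/etc/initrd-release
After=nm-initrd.service
Before=clevis-luks-askpass.path cryptsetup.target

[Service]
Type=oneshot
RemainAfterExit=yes
ExecStart=/usr/bin/nmcli connection up wg0

[Install]
WantedBy=initrd.target
EOF
    ln -sf /etc/systemd/system/wg0-initrd.service \
        "$root/etc/systemd/system/initrd.target.wants/wg0-initrd.service"
}
```

Point it at a scratch directory first to inspect the generated files, then at / and rebuild with dracut -fv; whether the initrd NetworkManager actually loads a profile placed this way is something to verify in the rd.break shell with nmcli, as the original poster did.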

Hm, not sure if I understand that correctly… I think currently I’m stuck in prior step…
What I currently have is a working WireGuard connection on my base system which I have created by importing the config file into Network Manager: nmcli connection import type wireguard file /etc/wireguard/wg0.conf
This produces the following profile: /etc/NetworkManager/system-connections/wg0.nmconnection
Autostart of this connection is working perfectly fine in my base system…

Afterwards I ran dracut -fv to create a new initrd image, which I had hoped to include the WireGuard connection. At least that’s what I had understood that the dracut module 35network-manager would do…

When I now interrupt the boot process with rd.break in the cmdline and drop to a shell in initrd, I can’t find any hint of the WireGuard connection. The two interfaces, which are connected to the virtual machine, are showing up however, and I can ping another host just fine (added ping to the initrd with dracut --install 'ping')…

Is there anything that I’m completely missing or do I need to take a totally different approach?

You have an encrypted disk that requires a key from tang.
To get to tang you bring up a wg interface, which needs a key that will be in the clear on the VM initrd image.
Which all means the disk can be decrypted by an attacker?

Fair point. My thinking was that I could at least stop the wireguard connection to a possibly compromised host at the WireGuard and Tang server side… But that of course would mean that I’d have to know that a host is compromised :thinking:
The scenario is that I have a mailserver running at a hoster, which handles mail accounts for myself, family and friends, as well as a backup server, which is running at a different datacenter from the same hoster. With the current setup patching/updating with restart required means that I have to type the encryption key at boot, which means that I am doing this less often than I should and also unattended patches are not possible…

But currently I’m just experimenting with this in a Virtual Machine setup, to learn… And obviously I’m stuck way up in the whole process as I can’t get the WireGuard connection working :frowning:

Besides that I really want to understand how to handle the WireGuard connection in initrd, I’m more than happy to discuss any better suggestions to handle the disk encryption at a remote server…
