{"id":14235739,"url":"https://github.com/r-pufky/wireguard-initramfs","last_synced_at":"2026-05-27T17:01:45.423Z","repository":{"id":41885766,"uuid":"382758672","full_name":"r-pufky/wireguard-initramfs","owner":"r-pufky","description":"Use dropbear over wireguard.","archived":false,"fork":false,"pushed_at":"2025-04-07T21:00:12.000Z","size":77,"stargazers_count":312,"open_issues_count":4,"forks_count":32,"subscribers_count":8,"default_branch":"main","last_synced_at":"2025-08-11T00:39:05.426Z","etag":null,"topics":["debian","dropbear","initramfs","wireguard"],"latest_commit_sha":null,"homepage":"","language":"Shell","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"unlicense","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/r-pufky.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null}},"created_at":"2021-07-04T04:05:15.000Z","updated_at":"2025-08-09T01:42:25.000Z","dependencies_parsed_at":"2022-08-11T20:10:38.238Z","dependency_job_id":"7402cd9c-2ce4-4d36-b954-01bea6980a09","html_url":"https://github.com/r-pufky/wireguard-initramfs","commit_stats":null,"previous_names":[],"tags_count":6,"template":false,"template_full_name":null,"purl":"pkg:github/r-pufky/wireguard-initramfs","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/r-pufky%2Fwireguard-initramfs","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/r-pufky%2Fwireguard-initramfs/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/r-pufky%2Fwireguard-initramfs/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/r-pufky%2Fwireguard-in
itramfs/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/r-pufky","download_url":"https://codeload.github.com/r-pufky/wireguard-initramfs/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/r-pufky%2Fwireguard-initramfs/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":33575520,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-05-26T15:22:16.424Z","status":"online","status_checked_at":"2026-05-27T02:00:06.184Z","response_time":53,"last_error":null,"robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":true,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["debian","dropbear","initramfs","wireguard"],"created_at":"2024-08-20T21:02:18.697Z","updated_at":"2026-05-27T17:01:45.404Z","avatar_url":"https://github.com/r-pufky.png","language":"Shell","funding_links":[],"categories":["Shell","debian"],"sub_categories":[],"readme":"# wireguard-initramfs\n\nUse dropbear over wireguard.\n\nEnables wireguard networking during kernel boot, before encrypted partitions\nare mounted. Combined with [dropbear](https://github.com/mkj/dropbear) this\ncan enable FULLY ENCRYPTED remote booting without storing key material or\nexposing ports on the remote network. 
An Internet connection simply needs to\nexist that can reach the wireguard server endpoint.\n\nNormal dropbear connections and DNS resolution can be used to find wireguard\nendpoints.\nThis essentially enables the creation of a fully encrypted remote-managed\nnode, with the ability to prevent all local access.\n\n## Requirements\n\nWorking knowledge of Linux. Understanding of networking and Wireguard.\n\n1. [Debian Bullseye/Bookworm](https://debian.org) (any version with wireguard\n   support should work, but is untested).\n2. [Wireguard](https://www.wireguard.com/) installed, configured and in a\n   \"known working\" state.\n\n## Getting started\n\nInstallation is supported via make.\nDownload, extract and configure contents, and install on target machine.\n\n### Download\n\nGrab the latest release, untarball.\n\n```bash\nRELEASE=$(curl -Ls -o /dev/null -w %{url_effective} https://github.com/r-pufky/wireguard-initramfs/releases/latest | tr \"/\" \"\\n\" | tail -n 1)\nwget https://github.com/r-pufky/wireguard-initramfs/archive/refs/tags/\"${RELEASE}\".tar.gz\ntar xvf \"${RELEASE}\".tar.gz\ncd wireguard-initramfs-\"${RELEASE}\"\n```\n\n### Configure\n\nThe `configs/initramfs` file contains variables based on your working wireguard\nconnection. Refer to\n[wg set man page](https://man7.org/linux/man-pages/man8/wg.8.html) for\nadditional information.\n\n### Installation\n\n```bash\nmake install\n```\n\n:warning:\n\nMost installs do not currently encrypt `/boot`, and therefore the client\nprivate key should be considered **untrusted/compromised**. It is highly\nrecommended that a separate point-to-point wireguard network with proper\nport blocking is used for remote unlocking.\n\nRebuild the initramfs using any of these methods:\n\n```bash\nmake build_initramfs  # Debian\nmake build_initramfs_rpi  # Raspberry Pi\nupdate-initramfs -u -k all \u0026\u0026 update-grub  # Manual build\nreboot\n```\n\nAny static errors will abort the build. 
Mis-configurations will not be caught.\nBe sure to test while you still have physical access to the machine.\n\n## Dropbear\n\n`wireguard-initramfs` can be combined with dropbear to enable remote system\nunlocking without needing control over the remote network, or knowing what the\npublic IP of that system is. It also creates an encrypted no-trust tunnel\nbefore SSH connections are attempted.\n\n### Requirements\n\n1. [Dropbear](https://github.com/mkj/dropbear) installed, configured and in a\n   \"known working\" state.\n\n### Configure\n\nSet dropbear to use *all* network interfaces to ensure remote unlocks work over\nwireguard first. Then restrict to the wireguard network once it is working:\n\n`/etc/dropbear/initramfs/config`\n\n```bash\nDROPBEAR_OPTIONS='... -p 172.31.255.10:22 ...'\n```\n\n## Legacy compatibility (Migration)\n\nIf you are using a previous release, such as the one dated\n2023-10-21, you can update your current projects by running:\n\n```bash\nsudo bash scripts/migrate_project_structure.sh\nmake install\nmake build_initramfs\n```\n\nAdapter configuration is located in `/etc/wireguard/initramfs.conf` and\ninitramfs configuration is located in `/etc/wireguard/initramfs`.\n\nThis should keep your project structure and contents intact; however manual\n**validation** is required as full wireguard adapter configs are now supported.\n\n## Bug / Patches / Contributions?\n\nAll are welcome, please submit a pull request or open a bug!\n\nKnow Debian packaging? Create a .deb package for this!\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fr-pufky%2Fwireguard-initramfs","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fr-pufky%2Fwireguard-initramfs","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fr-pufky%2Fwireguard-initramfs/lists"}