How to disable the Wireguard NIC in a Full VM

#1

Every VM deployed on the ThreeFold network is equipped with at least one virtual network interface (NIC). We usually call this the “Wireguard” interface because it can be used for communication in WireGuard private networks between VMs or for users to connect to the VM. But this interface also plays an important role in VMs that don’t have a public IP assigned to them—it serves as the gateway to the public internet as the default route.

When a public IP is assigned to a VM and there’s no need for communication over Wireguard, then this default interface is just something extra. While that normally causes no issues, we have received some questions from users about whether it’s possible to deploy a VM without it because this causes an inconvenience with the use of certain software inside the VM.

It’s not possible to remove the interface entirely, and I’d rather not pursue this as a feature in Zos and our interfaces due to the additional complexity it would add. But with just a bit of knowledge about how our full VMs handle network config, it is possible to disable the extra interface such that it shouldn’t get in the way.

Get yourself a full VM with public IP

This method is only applicable to full VMs (Ubuntu for this example), and if you want your VM to retain access to the public internet, it will need a public IP. Ideally you equip the VM with both IPv4 and IPv6 addresses if the node you are deploying on supports it. Otherwise you might lose IPv6 capability via this method.

In a default configuration, the network configuration cascades like this at the first boot of the VM:

  1. cloud-init reads the network config supplied by Zos via a small attached virtual disk
  2. cloud-init then outputs a netplan config
  3. netplan ultimately supplies a configuration to systemd-networkd which manages the NICs

On each subsequent boot, only the third step is performed. That means that by editing the netplan config, we can permanently change how the system sets up its networking.

Edit the netplan config

Using your editor of choice, open the netplan config generated by cloud-init. For example:

nano /etc/netplan/50-cloud-init.yaml

Here’s what it might look like right after deployment, with the Wireguard interface at eth0:

# This file is generated from information provided by the datasource.  Changes
# to it will not persist across an instance reboot.  To disable cloud-init's
# network configuration capabilities, write a file
# /etc/cloud/cloud.cfg.d/99-disable-network-config.cfg with the following:
# network: {config: disabled}
network:
    ethernets:
        eth0:
            addresses:
            - 10.20.4.2/24
            - fd57:5564:6964:4::2/64
            dhcp4: false
            gateway4: 10.20.4.1
            match:
                macaddress: e6:f9:aa:71:e3:79
            nameservers:
                addresses:
                - 8.8.8.8
                - 1.1.1.1
                - 2001:4860:4860::8888
            routes:
            -   to: 10.20.0.0/16
                via: 10.20.4.1
            -   to: 100.64.0.0/16
                via: 10.20.4.1
        eth1:
            addresses:
            - 185.206.122.147/24
            - 2a10:b600:1:0:c23:eeff:fe83:a236/64
            dhcp4: false
            gateway4: 185.206.122.1
            gateway6: fe80::2e0:ecff:fe7b:7a67
            match:
                macaddress: 0e:23:ee:83:a2:36

I will make two changes to this file. First, I will move the name server block from eth0 down to eth1, to make sure that DNS continues to work. Then I will remove the eth0 block entirely. Here’s the result:

network:
    ethernets:
        eth1:
            addresses:
            - 185.206.122.147/24
            - 2a10:b600:1:0:c23:eeff:fe83:a236/64
            dhcp4: false
            gateway4: 185.206.122.1
            gateway6: fe80::2e0:ecff:fe7b:7a67
            match:
                macaddress: 0e:23:ee:83:a2:36
            nameservers:
                addresses:
                - 8.8.8.8
                - 1.1.1.1
                - 2001:4860:4860::8888

If you have Yggdrasil or Mycelium active on the VM, there will be additional network interfaces below eth1. Just leave those as they are if that’s the case.

Reboot and check

Now you can reboot the VM, and when it comes back eth0 (it’s been renamed to ens3) should be in a down and non configured state:

image
image1265×438 29.1 KB

It would be good to verify that you still have internet access by running some command that depends on it, like apt update.

Now if you’re sharp, you will have noticed there is a comment in the netplan config file that says that changes are not persisted across reboots. In my experience that was not the case, but your mileage may vary. If you want to be extra safe, or if you happen to notice that that the config has reverted in your case, just follow the instructions given to prevent cloud-init from performing network config again.

Conclusion

Today we saw how just a bit of knowledge about how the network configuration is happening on ThreeFold VMs can help to achieve the desire outcome in this case. I hope this helps!

1 Like