3.0.1 wireguard iface in unprivileged container?

Hi,

Has anyone managed to bring up a wireguard interface in an unprivileged container? Thus far I've only been ending up with

warning: wg0: pre-up cmd ‘ip link add wg0 type wireguard’ failed: returned 2 (RTNETLINK answers: Operation not supported

Yes, I have used wireguard in an unprivileged container running OpenWrt. Is the wireguard module loaded on the host? You may want to insert it manually if it isn’t already loaded. (On my system it’s loaded automatically when a container executes ‘ip link add wg0 type wireguard’ anyway.)

Removed WG from the container and installed it on the host, and the WG iface in the container comes up.
But then there are no wg-tools inside the container, and if needed it requires installation of its dependencies as well:

* dkms
* linux-headers-x
* linux-headers-x-generic
* linux-headers-generic
* wireguard-dkms

The kernel module (wireguard.ko) needs to be installed on the host. The container should only need the user space tools, such as “wg”.

> But then there are no wg-tools inside the container and if needed it requires installation of its dependencies as well

Those packages aren’t required by wireguard-utils, at least not in the Ubuntu PPA I’m using. They are recommended, and by default recommended packages are installed, but that can be changed, for example with --no-install-recommends.

Note that you can set linux.kernel_modules=wireguard to have LXD load that module for you when the container starts.

Wow, that is just great! Works like a charm (also on LXC) :smirk:

ppa:wireguard/wireguard

Thanks for that great tip (--no-install-recommends), saved 257 MB :+1: :relieved:
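
A host-side pre-flight for the setup described in this thread, as an added example that is not from any poster: it reports whether the wireguard module is loaded or built in on the host, then adds wireguard to a container's linux.kernel_modules list without overwriting modules already set there. The function names and the single container-name argument are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the thread). Run on the LXD host: ./wg-preflight.sh CONTAINER

# wg_module_state [proc_modules_file] [modules_builtin_file]
# Prints "loaded", "builtin" or "not-loaded" for the host kernel.
wg_module_state() {
    mods=${1:-/proc/modules}
    bi=${2:-/lib/modules/$(uname -r)/modules.builtin}
    # /proc/modules starts each line with the module name; anchoring at the
    # start avoids matching lines that only list wireguard as a dependent.
    if grep -q '^wireguard ' "$mods" 2>/dev/null; then
        echo loaded
    elif grep -q '/wireguard\.ko$' "$bi" 2>/dev/null; then
        echo builtin
    else
        echo not-loaded
    fi
}

# merge_modules CURRENT MODULE
# linux.kernel_modules is a comma-separated list; add MODULE only if absent.
merge_modules() {
    case ",$1," in
        *",$2,"*) echo "$1" ;;      # already listed, keep as is
        ",,")     echo "$2" ;;      # list was empty
        *)        echo "$1,$2" ;;   # append to the existing modules
    esac
}

# Only touches LXD when a container name is given on the command line.
if [ "$#" -eq 1 ]; then
    echo "host wireguard module: $(wg_module_state)"
    cur=$(lxc config get "$1" linux.kernel_modules)
    lxc config set "$1" linux.kernel_modules "$(merge_modules "$cur" wireguard)"
    lxc restart "$1"   # LXD loads the listed modules when the container starts
fi
```
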