Can a container be used as a VPN portal for other containers?


I know this question isn’t necessarily LXD specific, but I’m hoping to at least figure out if it’s possible or not. I’d like to have multiple containers use my VPN for connectivity without creating a separate wireguard connection for each one. I was thinking it might make sense to have one container that maintains the VPN connection and maybe routes to an LXD network that’s only for VPN usage?

I’m not sure if this is the right solution so I was hoping for some feedback.

  • Does it even make sense to do routing in a container?
  • Is there some LXD built-in functionality that will do what I want without the need for a virtual router container?
  • Am I just better off creating the wireguard interface on the host and passing it to the containers via a network bridge?
  • If I do implement on the host, since the interface won’t be available at boot will that cause issues with LXD starting up?

Sorry if this is kind of rambling and doesn’t make much sense, but I’d appreciate any advice!


This is actually an interesting question.
There are different ways to solve this issue and I suppose you are interested in the most(ly) elegant one.

I suppose the most elegant solution is to indeed configure wireguard to be set up on the host through systemd and then configure (in systemd) to get LXD to start after wireguard.

I would create a wireguard LXD profile that has the networking configuration relevant to wireguard. It should create in the container a network interface called eth0. By doing so, you can create such containers with

lxc launch ubuntu: mycontainer1 --profile default --profile wireguard

If you have an existing container and you want to make it a wireguard-style container, you can

lxc profile assign myoldcontainer default,wireguard
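One way to wire up the approach in the answer above, as an added example that is not part of the original thread. It assumes the tunnel is managed by wg-quick as wg0, LXD is the snap install (unit snap.lxd.daemon.service; deb installs use lxd.service), and a hypothetical VPN-only bridge named vpnbr0 already exists. Routing that bridge's traffic into wg0 on the host is not covered here.

```shell
#!/bin/sh
# Added example; every name below is an assumption, adjust for your host.
WG_IF="${WG_IF:-wg0}"                            # WireGuard interface managed by wg-quick
LXD_UNIT="${LXD_UNIT:-snap.lxd.daemon.service}"  # snap install; deb installs use lxd.service
VPN_BRIDGE="${VPN_BRIDGE:-vpnbr0}"               # hypothetical bridge reserved for VPN containers

# systemd drop-in: order LXD after the tunnel unit.
# After= only orders the two units; Wants= also pulls the tunnel in at boot,
# but LXD still starts if the tunnel fails (Requires= would block it instead).
render_dropin() {
    cat <<EOF
[Unit]
After=wg-quick@${WG_IF}.service
Wants=wg-quick@${WG_IF}.service
EOF
}

# "wireguard" profile: eth0 attached to the VPN-only bridge. Listed after
# "default", it overrides the eth0 device that the default profile defines.
render_profile() {
    cat <<EOF
description: eth0 on the VPN-only bridge (${VPN_BRIDGE}, routed via ${WG_IF})
devices:
  eth0:
    name: eth0
    nictype: bridged
    parent: ${VPN_BRIDGE}
    type: nic
EOF
}

# Write the drop-in and load the profile (run as root on the LXD host).
install_all() {
    dir="/etc/systemd/system/${LXD_UNIT}.d"
    mkdir -p "$dir"
    render_dropin > "$dir/10-after-wireguard.conf"
    systemctl daemon-reload
    lxc profile create wireguard 2>/dev/null || true
    render_profile | lxc profile edit wireguard
}

if [ "${1:-}" = "install" ]; then install_all; fi
```

Run it with the argument install to apply the changes; without arguments it only defines the functions, so the rendered drop-in and profile can be inspected first.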