Cannot start a wireguard interface in an unprivileged container

I have lxc installed on an OpenWrt host. I cannot bring up a wireguard interface in an unprivileged container and am wondering why. From reading it seems that CAP_NET_ADMIN needs to be given to the container but I am unsure how to do it. If I understand correctly, lxc.cap.drop = will grant all capabilities to the container yet it is not working:

# wg-quick up outside
[#] ip link add outside type wireguard
[#] wg setconf outside /dev/fd/63
[#] ip -4 address add 10.xxx.xxx.xxx/32 dev outside
[#] ip link set mtu 1320 up dev outside
[#] resolvconf -a outside -m 0 -x
[#] wg set outside fwmark 51820
[#] ip -4 route add 0.0.0.0/0 dev outside table 51820
[#] ip -4 rule add not fwmark 51820 table 51820
[#] ip -4 rule add table main suppress_prefixlength 0
[#] sysctl -q net.ipv4.conf.all.src_valid_mark=1
[#] iptables-restore -n
iptables-restore v1.8.10 (legacy): iptables-restore: unable to initialize table 'raw'
Error occurred at line: 1
Try `iptables-restore -h' or 'iptables-restore --help' for more information.
[#] resolvconf -d outside -f
[#] ip -4 rule delete table 51820
[#] ip -4 rule delete table main suppress_prefixlength 0
[#] ip link delete dev outside

In searching I found this thread, but in my case I have the wireguard module loaded on the host. Could the issue be with my container config?

# Distribution configuration
lxc.include = /usr/share/lxc/config/common.conf
lxc.include = /usr/share/lxc/config/userns.conf
lxc.arch = aarch64

# Container specific configuration
lxc.idmap = u 0 100000 65536
lxc.idmap = g 0 100000 65536
lxc.cap.drop =

# Network configuration
lxc.net.0.type = veth
lxc.net.0.link = br-lan
lxc.net.0.veth.vlan.id = 10
lxc.net.0.ipv4.address = 10.9.8.252/24
lxc.net.0.ipv4.gateway = 10.9.8.1
lxc.net.0.flags = up
lxc.net.0.hwaddr = 00:16:3e:a8:3f:4a
## mounts
lxc.mount.entry = /mnt/data/lxc/shared-pkg-cache var/cache/pacman/pkg none bind 0 0
lxc.mount.entry = /mnt/data/incoming incoming none bind 0 0
lxc.rootfs.path = overlay:/mnt/data/lxc/base/rootfs:/mnt/data/lxc/libre/overlay/delta
lxc.uts.name = libre

The error isn’t about the wireguard module; it’s about access to the raw netfilter table. The module for that likely isn’t already loaded on the host.


Thanks for the reply @stgraber. That was the problem. I found that I could totally omit the lxc.cap.drop = line after loading iptable_raw.ko on the host. Is that to be expected with an unprivileged container?
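The thread's resolution boils down to a host-side step: the iptables-restore input that wg-quick generates touches the raw and mangle tables, and the kernel modules for those tables have to be present on the host before the container runs wg-quick, because no capability inside the container's user namespace lets it load a kernel module (which is also why clearing lxc.cap.drop changed nothing). The script below is an added example, not code from the thread or from wg-quick; it parses the "unable to initialize table" error, maps table names to the iptable_* modules, and loads what is missing on the host. The table list in WG_TABLES and the module naming are assumptions to check against your own kernel.

```shell
#!/bin/sh
# Added example (not code from the thread): host-side pre-flight for
# running wg-quick inside an unprivileged LXC container. The tables in
# WG_TABLES are the ones wg-quick's default rules use; that list and the
# module names are assumptions to verify for your kernel.

# Constructed sample of the failure seen in the container, copied from the
# iptables-restore line in the thread.
SAMPLE_ERR="iptables-restore v1.8.10 (legacy): iptables-restore: unable to initialize table 'raw'"

# Tables wg-quick's generated iptables-restore input touches:
# 'raw' for the anti-spoofing drop rule, 'mangle' for the CONNMARK rules.
WG_TABLES="raw mangle"

# Print the table name from an "unable to initialize table 'X'" line.
# Returns 1 (prints nothing) if the line is some other error.
missing_table() {
    t=$(printf '%s\n' "$1" | sed -n "s/.*unable to initialize table '\([a-z0-9_]*\)'.*/\1/p")
    [ -n "$t" ] || return 1
    printf '%s\n' "$t"
}

# Kernel module that provides an iptables table: iptable_<name> for IPv4,
# ip6table_<name> for IPv6.
module_for_table() {
    case "$2" in
        4) prefix=iptable_ ;;
        6) prefix=ip6table_ ;;
        *) echo "unsupported IP version: $2" >&2; return 1 ;;
    esac
    case "$1" in
        raw|mangle|nat|filter|security) printf '%s\n' "${prefix}$1" ;;
        *) echo "unknown table: $1" >&2; return 1 ;;
    esac
}

# Full module list the host needs before the container runs wg-quick with
# IPv4 addresses: the wireguard driver plus one module per table.
needed_modules() {
    mods=wireguard
    for t in $WG_TABLES; do
        mods="$mods $(module_for_table "$t" 4)"
    done
    printf '%s\n' "$mods"
}

# Load anything from needed_modules that is not already loaded. Must run on
# the host (e.g. before lxc-start): an unprivileged container cannot insert
# kernel modules, whatever its lxc.cap.drop setting.
ensure_modules() {
    for m in $(needed_modules); do
        if [ -d "/sys/module/$m" ]; then
            echo "$m: already loaded"
        else
            echo "$m: loading"
            modprobe "$m"
        fi
    done
}

# Optional check from the host that the container now sees the raw table
# (needs lxc-attach; pass the container name as the argument).
verify_in_container() {
    lxc-attach -n "$1" -- iptables -t raw -S >/dev/null
}

case "${1:-}" in
    load)   ensure_modules ;;
    verify) verify_in_container "${2:?container name required}" ;;
    "")     # Dry run: show what would be loaded and how the error is parsed.
            echo "would load: $(needed_modules)"
            echo "error names table: $(missing_table "$SAMPLE_ERR")" ;;
esac
```

Run it with no arguments for a dry run, `load` as root on the host before starting the container, and `verify <name>` afterwards. Persisting the module list (on OpenWrt, under /etc/modules.d/) keeps the fix across reboots; with the modules loaded, the container config can keep its default capability drops.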