Correct setup to run wireguard in a linux container

I’d like to have a linux container that does nothing but run an internet-facing wireguard interface for my VPN needs. I have the kernel module on the host currently, but am confused over how to go about setup.

Should I bring up wg0 on the host and somehow map it in my container config file or should I just have the kernel module loaded on the host and bring up wg0 in the container once it starts?

My container config:

lxc.rootfs.path = /var/lib/lxc/wg/rootfs
lxc.uts.name = wg
lxc.arch = aarch64
lxc.include = /usr/share/lxc/config/archlinux.common.conf

## network
lxc.net.0.type = veth
lxc.net.0.name = eth0
lxc.net.0.flags = up
lxc.net.0.link = br0
lxc.net.0.hwaddr = 00:1a:06:13:29:a3

EDIT: I tried using wg-quick up wg0 from within the container and wg0 is created without errors but I am unable to connect to it. In contrast, I can connect to it on the host just fine so I’m thinking I need some extra configuration in /var/lib/lxc/wg/config to get this working. Thanks!

I must have misconfigured something. I created a fresh container, set up UFW, set up the forwarding policy, and used the very same container config as well as wireguard config, and everything works as expected.

To recap: install the wireguard kernel module on the host; only the tools are needed in the container, and run the interface in the container.

Could you post your forwarding policy?

Also, in the container you mean install wireguard-tools, right?

Which file would you like to see (i.e. the forwarding policy)? Within /etc/default/ufw I have:

DEFAULT_INPUT_POLICY="DROP"
DEFAULT_OUTPUT_POLICY="ACCEPT"
DEFAULT_FORWARD_POLICY="DROP"
DEFAULT_APPLICATION_POLICY="SKIP"

Yes, wireguard-tools is installed in the container.
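Added example (not code from any poster in this thread): a POSIX shell checklist for the layout the thread settles on, the wireguard module on the host, wireguard-tools and wg0 inside the container, and UFW allowing the listen port. It reads the same kinds of files quoted above (/proc/modules, a wg-quick config, /etc/default/ufw, saved `ufw status` output). The file paths, the 51820 port default and the sample file contents in `demo` are assumptions or constructed; pass real paths to `check_all` to run it against an actual host and container.

```shell
#!/bin/sh
# Added example, not from the thread. Checks the "module on host, tools and wg0
# in the container" layout. Paths and sample data are assumptions/constructed.

# Host side: is the wireguard module loaded? Reads /proc/modules by default;
# an alternative file can be passed so the check can be exercised on a sample.
wg_module_loaded() {
    grep -q '^wireguard ' "${1:-/proc/modules}"
}

# Container side: ListenPort from a wg-quick config (WireGuard's default is 51820).
wg_listen_port() {
    port=$(sed -n 's/^[[:space:]]*ListenPort[[:space:]]*=[[:space:]]*\([0-9][0-9]*\).*/\1/p' "$1" | head -n 1)
    printf '%s\n' "${port:-51820}"
}

# DEFAULT_FORWARD_POLICY from an /etc/default/ufw style file (ACCEPT, DROP or REJECT).
ufw_forward_policy() {
    sed -n 's/^DEFAULT_FORWARD_POLICY="\([A-Z]*\)".*/\1/p' "$1" | head -n 1
}

# Does saved `ufw status` output contain an ALLOW rule for <port>/udp?
# usage: ufw_allows_udp_port <status-file> <port>
ufw_allows_udp_port() {
    grep -Eq "^$2/udp[[:space:]]+ALLOW" "$1"
}

# Run every check; one line per finding. Returns 0 only if peers can at least
# reach the tunnel (module present, port allowed). A DROP/REJECT forward policy
# is a warning: peers reach the container itself, but nothing behind it until
# `ufw route allow` rules exist.
check_all() {
    modules="$1"; wgconf="$2"; ufwdefaults="$3"; ufwstatus="$4"
    rc=0
    if wg_module_loaded "$modules"; then
        echo "ok: wireguard module loaded on host"
    else
        echo "fail: wireguard module not loaded on host (modprobe wireguard)"; rc=1
    fi
    port=$(wg_listen_port "$wgconf")
    if ufw_allows_udp_port "$ufwstatus" "$port"; then
        echo "ok: ufw allows $port/udp"
    else
        echo "fail: ufw has no ALLOW rule for $port/udp"; rc=1
    fi
    policy=$(ufw_forward_policy "$ufwdefaults")
    if [ "$policy" = "ACCEPT" ]; then
        echo "ok: forward policy ACCEPT"
    else
        echo "warn: forward policy ${policy:-unset}; peers cannot reach hosts behind the container without route rules"
    fi
    return $rc
}

# Demo on constructed sample files (these are NOT real system files).
demo() {
    d=$(mktemp -d) || return 1
    cat > "$d/modules" <<'EOF'
wireguard 94208 0 - Live 0x0000000000000000
EOF
    cat > "$d/wg0.conf" <<'EOF'
[Interface]
Address = 10.0.0.1/24
ListenPort = 51820
PrivateKey = PLACEHOLDER_PRIVATE_KEY
EOF
    cat > "$d/ufw" <<'EOF'
DEFAULT_INPUT_POLICY="DROP"
DEFAULT_OUTPUT_POLICY="ACCEPT"
DEFAULT_FORWARD_POLICY="DROP"
EOF
    cat > "$d/status" <<'EOF'
Status: active

To                         Action      From
--                         ------      ----
51820/udp                  ALLOW       Anywhere
EOF
    check_all "$d/modules" "$d/wg0.conf" "$d/ufw" "$d/status"
    rc=$?
    rm -rf "$d"
    return $rc
}

demo
```

Run `wg_module_loaded` on the host and the other three checks inside the container (or point them at the container's files from the host); the forward policy warning is the thing to look at if peers can reach the container but nothing past it.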

@darksky - Did you configure any iptables entries or ip rules for directing traffic to or from the VPN Tunnel End Point (TEP)… In wireguard’s case that would be the wg0 interface

No, just UFW config for the udp port on which WG runs. See this for more.