Correct setup to run WireGuard in a Linux container

lxc

#1

I’d like to have a Linux container that does nothing but run an internet-facing WireGuard interface for my VPN needs. I have the kernel module on the host currently, but am confused over how to go about setup.

Should I bring up wg0 on the host and somehow map it in my container config file or should I just have the kernel module loaded on the host and bring up wg0 in the container once it starts?

My container config:

lxc.rootfs.path = /var/lib/lxc/wg/rootfs
lxc.uts.name = wg
lxc.arch = aarch64
lxc.include = /usr/share/lxc/config/archlinux.common.conf

## network
lxc.net.0.type = veth
lxc.net.0.name = eth0
lxc.net.0.flags = up
lxc.net.0.link = br0
lxc.net.0.hwaddr = 00:1a:06:13:29:a3

EDIT: I tried using wg-quick up wg0 from within the container and wg0 is created without errors, but I am unable to connect to it. In contrast, I can connect to it on the host just fine, so I’m thinking I need some extra configuration in /var/lib/lxc/wg/config to get this working. Thanks!

#2

I must have misconfigured something. I created a fresh container, set up UFW, set up the forwarding policy, and used the very same container config as well as WireGuard config, and everything works as expected.

To recap: install the WireGuard kernel module on the host; only the tools are needed in the container, and the interface is brought up in the container.
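The split described in this thread (module on the host, tools and interface in the container) is easy to get half-right, which is what the original poster's first attempt looked like: wg0 comes up but peers cannot use it. The following script is an added example, not something posted in the thread, that checks each prerequisite separately. It assumes the container config lives at /var/lib/lxc/wg/config as in post #1, that UFW is used inside the container as post #2 says, and it constructs its own sample files (the lxc network stanza from post #1 and a minimal wg0.conf with the WireGuard default port 51820) so it can be exercised without a real container.

```shell
#!/bin/sh
# Added example (not from the thread): prerequisite checks for running a
# WireGuard interface inside an LXC container while the kernel module lives
# on the host. Paths and the container name "wg" are taken from post #1.

# 1. Host side. The container has no kernel of its own, so "wg-quick up wg0"
#    inside it can only succeed if the host kernel already provides the
#    wireguard module (loadable or built in; both show up in /sys/module).
host_module_present() {
    [ -d /sys/module/wireguard ] || modprobe wireguard 2>/dev/null
}

# 2. Container network config. A single veth attached to the host bridge is
#    what makes the UDP listen port reachable from the outside. All three keys
#    must be present; a missing "link" leaves the veth dangling on the host.
lxc_net_ok() {
    cfg="$1"
    grep -q '^lxc\.net\.0\.type *= *veth' "$cfg" &&
    grep -q '^lxc\.net\.0\.link *= *[^ ]' "$cfg" &&
    grep -q '^lxc\.net\.0\.flags *= *up' "$cfg"
}

# 3. The port to open in the container firewall, read from wg0.conf so the
#    UFW rule cannot drift from the WireGuard config.
wg_listen_port() {
    sed -n 's/^ListenPort *= *\([0-9][0-9]*\).*/\1/p' "$1" | head -n 1
}

# 4. Inside the container: forwarding must be enabled in the kernel *and*
#    allowed by UFW, otherwise peers complete the handshake but no traffic
#    flows, which is the symptom described in the EDIT of post #1.
container_forwarding_ok() {
    [ "$(sysctl -n net.ipv4.ip_forward 2>/dev/null)" = 1 ] &&
    grep -q '^DEFAULT_FORWARD_POLICY="ACCEPT"' /etc/default/ufw 2>/dev/null
}

# Constructed sample inputs: the network stanza from post #1 and a minimal
# wg0.conf. Only the ListenPort line matters for the check above; the
# private key is a placeholder, not a real key.
write_samples() {
    dir="$1"
    cat > "$dir/lxc.config" <<'EOF'
lxc.net.0.type = veth
lxc.net.0.name = eth0
lxc.net.0.flags = up
lxc.net.0.link = br0
lxc.net.0.hwaddr = 00:1a:06:13:29:a3
EOF
    cat > "$dir/wg0.conf" <<'EOF'
[Interface]
PrivateKey = PLACEHOLDER_PRIVATE_KEY
ListenPort = 51820
Address = 10.0.0.1/24
EOF
}

# Live check against the real host/container; run with "--check" on the host
# for steps 1-2 and inside the container for steps 3-4.
run_checks() {
    host_module_present   && echo "ok: wireguard module present on host" \
                          || echo "FAIL: load the wireguard module on the host"
    lxc_net_ok /var/lib/lxc/wg/config && echo "ok: veth bridged to host" \
                          || echo "FAIL: lxc.net.0 type/link/flags incomplete"
    port=$(wg_listen_port /etc/wireguard/wg0.conf)
    [ -n "$port" ] && echo "container firewall must allow ${port}/udp" \
                   || echo "FAIL: no ListenPort in wg0.conf"
    container_forwarding_ok && echo "ok: forwarding enabled and allowed by UFW" \
                            || echo "FAIL: enable ip_forward and set UFW forward policy to ACCEPT"
}

case "${1:-}" in
    --check) run_checks ;;
esac
```

Run it as `sh check-wg-container.sh --check` on the host and again inside the container; the functions are kept separate so the same file serves both sides. If the container is also expected to route peer traffic onward to the internet (the thread does not say whether it is), the usual addition is a PostUp/PostDown masquerade rule in wg0.conf on top of the forwarding policy checked here.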