Correct setup to run wireguard in a linux container

I’d like to have a linux container that does nothing but run an internet-facing wireguard interface for my VPN needs. I have the kernel module on the host currently, but am confused over how to go about setup.

Should I bring up wg0 on the host and somehow map it in my container config file or should I just have the kernel module loaded on the host and bring up wg0 in the container once it starts?

My container config:

lxc.rootfs.path = /var/lib/lxc/wg/rootfs
lxc.uts.name = wg
lxc.arch = aarch64
lxc.include = /usr/share/lxc/config/archlinux.common.conf

## network
lxc.net.0.type = veth
lxc.net.0.name = eth0
lxc.net.0.flags = up
lxc.net.0.link = br0
lxc.net.0.hwaddr = 00:1a:06:13:29:a3

EDIT: I tried using wg-quick up wg0 from within the container and wg0 is created without errors but I am unable to connect to it. In contrast, I can connect to it on the host just fine so I’m thinking I need some extra configuration in /var/lib/lxc/wg/config to get this working. Thanks!

I must have misconfigured something. I created a fresh container, set up UFW, set up the forwarding policy, and used the very same container config as well as wireguard config, and everything works as expected.

To recap: install the wireguard kernel module on the host; only the tools are needed in the container, and run the interface in the container.

Could you post your forwarding policy?

Also, in the container you mean install wireguard-tools, right?

Which file would you like to see (i.e., the forwarding policy)? Within /etc/default/ufw I have:


Yes, wireguard-tools is installed in the container.

@darksky - Did you configure any iptables entries or ip rules for directing traffic to or from the VPN Tunnel End Point (TEP)… In wireguard's case that would be the wg0 interface.
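As an added check (example code, not from anyone in this thread), the script below verifies the split the thread settles on plus the forwarding bits asked about: wireguard module present on the host, DEFAULT_FORWARD_POLICY in the ufw defaults file, IPv4 forwarding on, and the wg binary inside the container rootfs. The paths are parameters (assumed defaults: /sys/module, /etc/default/ufw, /proc/sys/net/ipv4/ip_forward) so it can be pointed at /var/lib/lxc/wg/rootfs or at test files.

```shell
#!/bin/sh
# Added example: sanity checks for "module on the host, tools and wg0 in the
# container". Every path is overridable so the functions run against a
# container rootfs or against constructed test files.

# Is the wireguard module available to the host kernel (loaded or built in)?
# Usage: wg_module_present [sys_module_dir]
wg_module_present() {
    [ -d "${1:-/sys/module}/wireguard" ]
}

# Print the DEFAULT_FORWARD_POLICY value from a ufw defaults file.
# Usage: ufw_forward_policy [ufw_defaults_file]
ufw_forward_policy() {
    sed -n 's/^DEFAULT_FORWARD_POLICY="\([A-Za-z]*\)".*/\1/p' \
        "${1:-/etc/default/ufw}" | tail -n 1
}

# Is IPv4 forwarding switched on in the kernel?
# Usage: ip_forward_enabled [proc_file]
ip_forward_enabled() {
    [ "$(cat "${1:-/proc/sys/net/ipv4/ip_forward}" 2>/dev/null)" = "1" ]
}

# Does the given (container) rootfs carry the wireguard-tools binary?
# Usage: wg_tools_in_rootfs rootfs_dir
wg_tools_in_rootfs() {
    [ -x "$1/usr/bin/wg" ]
}

# One-line verdict: "ok", or "missing:" followed by each failed item.
# Usage: wg_container_report sys_module_dir ufw_file ip_forward_file rootfs
wg_container_report() {
    missing=""
    wg_module_present "$1" || missing="$missing host-module"
    [ "$(ufw_forward_policy "$2")" = "ACCEPT" ] || missing="$missing ufw-forward-policy"
    ip_forward_enabled "$3" || missing="$missing ip_forward"
    wg_tools_in_rootfs "$4" || missing="$missing container-wg-tools"
    if [ -z "$missing" ]; then echo ok; else echo "missing:$missing"; fi
}

# Real-system usage (defaults for host paths, container rootfs given explicitly):
# wg_container_report "" "" "" /var/lib/lxc/wg/rootfs
```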