Easy wireguard set up via config file / lxc-create?

I have a couple of lxc containers whose only function is to serve my personal cloud. Their only clients will be half a dozen of my devices via wireguard. I set them up with lxc-create to use veth. Once I had working systems, I set up wireguard on the host and each container, with separate wg endpoints, each using the local virtual eth0.

This works beautifully.

But what I would really like is a single wg endpoint on the host, which then provides a lone wg interface within each container. Wireguard supports this - see Routing & Network Namespaces - WireGuard - but it would be ideal if the config file and creation process could handle the hard work for me. The WG examples are for docker, and I don’t see any lxc/lxd documentation on this. If I have missed it, then please point me the right way.

  • Has anyone got a recipe for setting this up easily?
    • To be clear, “easily” means “not seeing the details of netns”.
  • Are there plans for LXC to support WG as a first-class citizen alongside veth etc?
    • Ideally emitting a client WG config file for use as a QR code.

A single endpoint eliminates veth (and DHCP) and simplifies both firewalling and the WG client config. It hides information from an attacker (e.g. how many containers I have and their usage patterns).

It would be nice to have a hook where the host spins up a container only when the first client authenticates a VPN-enabled connection, and then spins it down again after the last connection has gone away.

I’d expect that the per-container config would look like:

lxc.net.0.type = wireguard
lxc.net.0.endpoint = # Defaults to the host's single endpoint
lxc.net.0.name = wg0
lxc.net.0.pubkey = XXXXX...XXXXX=

You could precreate the wireguard interface on the host and have lxc move it from the host into the container using the phys nic type in lxc config.
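
A sketch of the approach suggested in the reply above, added here as an example and not taken from the thread or from LXC's documentation: the WireGuard interface is created and keyed on the host, then handed to the container through the phys nic type. The `wg-<container>` naming, the config path and the address are assumptions; `RUN` is a hypothetical dry-run switch.

```shell
#!/bin/sh
# Added example (not from the thread). Names, paths and addresses are assumptions.
# RUN=echo (default) prints the privileged commands; run with RUN= as root to apply.
RUN=${RUN-echo}

# Create the WireGuard interface in the host namespace. Its UDP socket stays
# on the host even after LXC moves the interface into the container.
precreate_wg() {  # precreate_wg <ifname> <wg-conf>
    ifname=$1 conf=$2
    # Linux interface names are limited to 15 characters (IFNAMSIZ - 1).
    if [ -z "$ifname" ] || [ "${#ifname}" -gt 15 ]; then
        echo "invalid interface name: $ifname" >&2
        return 1
    fi
    $RUN ip link add dev "$ifname" type wireguard || return 1
    # conf is in wg(8) format (PrivateKey, ListenPort, [Peer] ...), not
    # wg-quick format: wg setconf rejects Address= and DNS= lines.
    $RUN wg setconf "$ifname" "$conf"
}

# Emit the container's network section: these lines take the place of the
# veth lxc.net.0.* entries in the container's config file.
lxc_net_fragment() {  # lxc_net_fragment <host-ifname> <cidr-address>
    cat <<EOF
lxc.net.0.type = phys
lxc.net.0.link = $1
lxc.net.0.name = wg0
lxc.net.0.ipv4.address = $2
lxc.net.0.flags = up
EOF
}

# Usage: RUN= sh wg-phys.sh <container> <wg-conf> <cidr>   (as root)
if [ "$#" -eq 3 ]; then
    precreate_wg "wg-$1" "$2" && lxc_net_fragment "wg-$1" "$3"
fi
```

Each pre-created interface binds its own UDP listen port on the host, so this layout gives one host-side port per container. Keep the private keys in the host-side conf files readable by root only, since the container never needs to see them.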