I have a couple of lxc containers whose only function is to serve my personal cloud. Their only clients will be half a dozen of my devices via wireguard. I set them up with lxc-create to use veth. Once I had working systems, I set up wireguard on the host and in each container, with separate wg endpoints, each using the local virtual eth0.
This works beautifully.
But what I would really like is a single wg endpoint on the host, which then provides a lone wg interface within each container. Wireguard supports this (see "Routing & Network Namespaces" in the WireGuard docs), but it would be ideal if the config file and creation process could handle the hard work for me. The WG examples are for docker, and I don’t see any lxc/lxd documentation on this. If I have missed it, then please point me the right way.
- Has anyone got a recipe for setting this up easily?
- To be clear, “easily” means “not seeing the details of netns”.
- Are there plans for LXC to support WG as a first-class citizen alongside veth etc?
- Ideally emitting a client WG config file for use as a QR code.
A single endpoint eliminates veth (and DHCP) and simplifies both firewalling and the WG client config. It hides information from an attacker (e.g. how many containers I have and their usage patterns).
It would be nice to have a hook where the host spins up a container only when the first client authenticates a VPN enabled connection, and then spins it down again after the last connection has gone away.
I’d expect that the per-container config would look like:
lxc.net.0.type = wireguard
lxc.net.0.endpoint = 12.34.56.78:31415 # Defaults to the host's single endpoint
lxc.net.0.name = wg0
lxc.net.0.pubkey = XXXXX...XXXXX=
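For reference, the netns plumbing that such a config key would have to hide, as an added example (not code from the original post or from LXC): the wg interface is created in the host namespace, so its UDP socket stays bound to the host's real NIC, and is then moved into the container, which sees only wg0 and no veth. It assumes the container is running, that `ip`, `wg`, `nsenter` and `lxc-info` exist on the host, and that the container's `wg setconf` file is readable at the host path given; the function names and DRY_RUN/CONTAINER_PID variables are mine.

```shell
#!/bin/sh
# Added example, not from the original post or from LXC. Moves a host-created
# WireGuard interface into a running LXC container's network namespace.

# Run a command, or just print it when DRY_RUN=1 so the plan can be reviewed.
run() {
  if [ "${DRY_RUN:-0}" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# PID of the container's init; CONTAINER_PID overrides lxc-info for dry runs.
container_pid() {
  if [ -n "${CONTAINER_PID:-}" ]; then printf '%s\n' "$CONTAINER_PID"
  else lxc-info -H -p -n "$1"; fi
}

# wg_into_container NAME IFACE ADDR/PREFIX CONF
# CONF is a `wg setconf` file (PrivateKey, ListenPort, [Peer] blocks); the
# address is not part of it and is set with ip(8) inside the namespace.
# `nsenter -n` enters only the net namespace, so CONF is a host path.
wg_into_container() {
  name=$1; iface=$2; addr=$3; conf=$4
  pid=$(container_pid "$name") || return 1
  run ip link add "$iface" type wireguard
  run ip link set "$iface" netns "$pid"
  run nsenter -t "$pid" -n wg setconf "$iface" "$conf"
  run nsenter -t "$pid" -n ip address add "$addr" dev "$iface"
  run nsenter -t "$pid" -n ip link set "$iface" up
}

# client_conf ADDR/PREFIX CLIENT_PRIVKEY CONTAINER_PUBKEY HOST:PORT ALLOWED
# Emits the phone-side config; pipe it to `qrencode -t ansiutf8` for a QR code.
# ALLOWED should be just the container's wg address, so the client only
# routes that one host over the tunnel.
client_conf() {
  printf '[Interface]\nPrivateKey = %s\nAddress = %s\n\n' "$2" "$1"
  printf '[Peer]\nPublicKey = %s\nEndpoint = %s\nAllowedIPs = %s\n' \
    "$3" "$4" "$5"
}

# Dry run of the plan (all values below are constructed placeholders):
# DRY_RUN=1 CONTAINER_PID=4242 \
#   wg_into_container cloud wg0 10.10.0.1/24 /etc/wireguard/cloud.conf
```

Run without DRY_RUN as root on the host once the printed plan looks right; nothing here touches the container's own network config files, so a container restart drops the interface and the script has to be rerun (or hooked into lxc.hook.start-host).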