Forward a wireguard interface to a network

Hi everyone,

I’m trying to route all traffic from a network through a wireguard interface on the host. The default interface for the host is the ethernet connection, but if I run
curl --interface wg0 ipv4.icanhazip.com
I get the IP address of the wireguard peer I’m connected to. All good so far. Now I’m trying to get a network to use wg0. I’m not looking to install a wireguard client on the guests. I’ve tried the following things:

lxc config device add testinstance eth2 nic nictype=routed parent=wg0

Error: Failed to start device "eth2": Error setting up reverse path filter: Failed adding reverse path filter rules for instance device "zurich_test.eth2" (inet): Failed apply nftables config: Failed to run: nft -f -: exit status 1 (/dev/stdin:5:21-39: Error: Could not process rule: No such file or directory
        iif "veth0be88872" fib saddr . iif oif missing drop
                           ^^^^^^^^^^^^^^^^^^^)

This returns an error and honestly, I’m not familiar enough with the matter to know if this is even the right command.

I’ve also tried setting the nat address of the network to the IP address of the interface, no luck.

I’m a bit at ends now for what to try next, any suggestions would be greatly appreciated!

Sven

The routed NIC type will use the host’s routing table to select the default route.

The parent option of the NIC simply controls which interface to add neighbour proxy entries to, which for wireguard won’t work as it’s not an Ethernet device.

I suspect you should avoid using the parent property entirely and then use source-based routing rules and custom routing tables with the ipv4.host_table option to control the next hop.

https://linuxcontainers.org/lxd/docs/master/reference/devices_nic/#nic-routed
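One way to set this up along the lines of the answer above, as an added example that is not from the thread or the LXD project: it assumes the instance name testinstance, the instance address 10.10.10.2, the tunnel interface wg0, policy routing table 100, and that iptables is available on the host for the SNAT step.

```shell
#!/bin/sh
# Added example: route one LXD instance out through a WireGuard interface
# without parent=, using the routed NIC's ipv4.host_table plus policy routing.
# Assumed values: instance "testinstance", address 10.10.10.2, tunnel wg0,
# table 100. Default mode only prints the commands; pass "apply" as the 5th
# argument to run them as root.
routed_via_wg() {
    inst="$1"; addr="$2"; wgif="$3"; table="$4"; mode="${5:-print}"

    cmds="# no parent option: wg0 is a layer-3 device, so there is nothing to proxy-ARP on
lxc config device add $inst eth2 nic nictype=routed ipv4.address=$addr ipv4.host_table=$table
# table $table: next hop for this instance is the tunnel; because of host_table
# LXD also places the return route (to $addr via the veth) into this table
ip route replace default dev $wgif table $table
# source-based rule: packets from the instance consult table $table first
ip rule add from $addr/32 lookup $table priority 1000
# the remote peer only accepts source addresses listed in its AllowedIPs,
# so SNAT the instance to the tunnel address (assumes iptables is installed)
iptables -t nat -A POSTROUTING -s $addr/32 -o $wgif -j MASQUERADE
# check: should print the peer's exit address, like curl --interface $wgif
lxc exec $inst -- curl -s ipv4.icanhazip.com"

    if [ "$mode" = "apply" ]; then
        printf '%s\n' "$cmds" | sh -e
    else
        printf '%s\n' "$cmds"
    fi
}

routed_via_wg testinstance 10.10.10.2 wg0 100
```

The rp_filter error from the question should not appear here, since without parent= the routed NIC only adds its reverse-path rules on the veth, where the route back to the instance exists.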