Routing lxd network traffic through wireguard interfaces

Hi Everyone,

I have a server on which I have a number of lxd networks. I’ve been looking at ways to route traffic from networks through specific interfaces, such that networks can use different VPN servers. I’m currently using WireGuard to connect to the VPN servers, so the setup would look something like the following:

                        |               |                |                  |
                        |               |                |                  |
                        |               |                |                  |
                        |               |                |                  |
                        |               |                |                  |
    +-------------+-----------------------------------------------------------------------------+
                  |     |               |                |                  |
                  |     |               |                |                  |
    +-------------+     |               |                |                  |
    |             | +---+----+      +---+---+        +---+---+         +----+---+
    |   host      | |  eth0  |      |  wg0  |        |  wg1  |         |  wg2   |
    |             | +---^----+      +---^---+        +---^---+         +----^---+
    +-------------+     |               |                |                  |
                  |     |               |                |                  |
                  |     |               |                |                  |
    +-------------+-----------------------------------------------------------------------------+
                        |               |                |                  |
         +--------------+               +                +-----------+      +------------------------+
      lxdbr0                         lxdbr1                        lxdbr2                         lxdbr3

+----------------------+   +------------------------+    +-------------------------+   +---------------------------+
|                      |   |                        |    |                         |   |                           |
|   10.0.0.0/24        |   |   10.0.1.0/24          |    |   10.0.2.0/24           |   |   10.0.3.0/24             |
|                      |   |                        |    |                         |   |                           |
|                      |   |                        |    |                         |   |                           |
|                      |   |                        |    |                         |   |                           |
+----------------------+   +------------------------+    +-------------------------+   +---------------------------+

I’ve tried to implement this using the default private and managed network, and have looked into the other network options, but haven’t yet found a way to get this working using lxd’s built-in functionality. Any help would be greatly appreciated.

P.S.
This is my first post on the forum, and while I have read the instructions to starting a discussion, let me know if I can improve the post, such that others who might be interested might find this useful as well.

Multiple options I’ve looked into in the past

One is…

Wireguard is in the Host’s Linux kernel.

LXD containers share the Host’s kernel.

So other than more configuration management complexity you “could” have each container run its own wireguard Tunnel End Point (TEP).

Another is…

Use/include VxLANs and a Routing protocol like BGP

PM me for something I did related to #2
Brian


Thanks for your response Brian,

Using WireGuard in the containers is an option, however it’s a bit awkward given my use case: in some networks I run a WireGuard instance so that I can tunnel into these networks from other devices. I also run a DNS server, so that would require additional configuration.

Yesterday I tried setting the configuration key ipv4.nat.address to the IP address of the interface I’m trying to target, which looks quite promising. I still have to configure my firewall accordingly to know for sure whether this is what I need. I’ll post the solution here once I find one.
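One way to do the per-bridge egress the original post asks for, outside of LXD's own network config, is Linux policy routing: a source-based `ip rule` per bridge subnet pointing at a table whose only default route is that subnet's WireGuard interface, plus a fall-through `unreachable` rule so a missing tunnel fails closed instead of leaking out eth0. This is an added example, not the poster's or LXD's code; the subnets, table numbers, interface names and the MASQUERADE rule are assumptions modelled on the diagram (LXD's own NAT or ipv4.nat.address may already cover the source rewrite).

```shell
#!/bin/sh
# Added example: bind each LXD bridge subnet to its own WireGuard interface.
# Subnets, table ids and interface names are assumptions taken from the diagram.
# Note: the peer on each wgN needs AllowedIPs = 0.0.0.0/0, and if wg-quick
# manages the tunnels use Table = off so its own fwmark rules do not override these.
set -eu

# Print the ip(8)/iptables(8) commands for one bridge subnet; nothing is
# applied here. Review the output, then run it as root (e.g. plan | sudo sh).
# Usage: route_cmds <subnet> <table-id> <wg-interface>
route_cmds() {
    subnet="$1" table="$2" wgif="$3"
    prio=$((table * 10))
    # Per-subnet table containing only the tunnel route: no fallback into the
    # main table, so the bridge never reaches the internet via eth0.
    printf 'ip route replace default dev %s table %s\n' "$wgif" "$table"
    # Packets sourced from the subnet consult that table first ...
    printf 'ip rule add from %s lookup %s priority %s\n' "$subnet" "$table" "$prio"
    # ... and are dropped as unreachable if the table has no route (tunnel gone).
    printf 'ip rule add from %s priority %s unreachable\n' "$subnet" "$((prio + 1))"
    # Source NAT to the tunnel address on the way out (assumption: not already
    # handled by LXD's ipv4.nat / ipv4.nat.address rule).
    printf 'iptables -t nat -A POSTROUTING -s %s -o %s -j MASQUERADE\n' "$subnet" "$wgif"
}

# Full plan for the diagram: lxdbr1..3 via wg0..2, lxdbr0 stays on eth0.
plan() {
    route_cmds 10.0.1.0/24 101 wg0
    route_cmds 10.0.2.0/24 102 wg1
    route_cmds 10.0.3.0/24 103 wg2
}

# After applying: ask the kernel which device a container address would use.
# Usage: egress_dev <address-in-subnet> <bridge>   e.g. egress_dev 10.0.1.10 lxdbr1
egress_dev() {
    ip -o route get 1.1.1.1 from "$1" iif "$2" 2>/dev/null |
        sed -n 's/.* dev \([^ ]*\).*/\1/p'
}

plan
```

Run `egress_dev 10.0.1.10 lxdbr1` and expect `wg0`; bringing the tunnel down should make the same query fail rather than print `eth0`.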