Share Wireguard on Host with LXC container

I have a host PC with a bridge to the wired Ethernet for general-use Internet and a Wireguard client to an off-site server to access the LAN at that site.

From the host PC I can connect to the internet and the off-site LAN.

From inside the unprivileged LXC containers I can connect to the internet, since I shared the bridge with the containers using:

lxc.net.0.type = veth
lxc.net.0.link = br0
lxc.net.0.flags = up
lxc.net.0.name = eth0

How would I go about also sharing the Wireguard connection?

This is the output from nmcli:

NAME                 UUID                                  TYPE       DEVICE
br0                  ab860abc-3202-4400-aa5e-725ab5efdd71  bridge     br0
Malital              a1a5c64a-4c9c-4d43-b3f2-11d5bca21e23  wireguard  Malital
bridge-slave-enp1s0  2e3b78b5-c473-4d7d-a061-92284e22aa61  ethernet   enp1s0
lo                   0784ee26-0ec5-453a-8171-edceb4fb3c6e  loopback   lo
Sienja               dc6bf384-aa95-4028-b6aa-77142da227b5  vpn        --
Simar                4a657a69-95a9-4258-813e-fa6e95d05e63  vpn        --
Wired Connection     16813991-938d-45cb-9002-5a25219f4cba  ethernet   --

I have tried adding the wireguard connection to br0 but that didn’t work.

I tried creating a new bridge (br1), adding the wireguard connection to it and sharing this second bridge with the container. I could then ping the second bridge and the wireguard client IP, but not the off-site clients.

I tried directly sharing the wireguard connection with the LXC but the container doesn’t even start.

I know I can install wireguard inside the client and that is the solution I am currently using, but I have 3 containers accessing the off-site LAN and it seems silly to have 3 tunnels in LXC plus 1 tunnel on the host fired up.

Thanks.

One solution is to enable routing and NAT on the PC and add a static route in the container pointing to the host PC.

Thanks for your reply. I am under the impression that all packets from the container hit the bridge br0, and if I tcpdump the br0 interface from the host I can see the packets, both those intended for the internet and those intended for wg0. But they stop there and are not forwarded to wg0.

Packets from the host intended for wg0 are routed correctly.

How do I get the packets arriving at br0 that are intended for wg0 to be routed accordingly?

Sorry for the formatting. Adapted from an AI answer. Make sure you research and understand why and how these commands are needed and used before adapting them to your setup. Firewall rules can also be added, but for a LAN setup the NAT rule is probably sufficient.

Host side:

Enable IP forwarding (temporarily)

sysctl -w net.ipv4.ip_forward=1

Make it permanent

echo "net.ipv4.ip_forward=1" >> /etc/sysctl.conf
sysctl -p

Add NAT/Masquerade rule so container traffic appears to come from the host

(traffic leaving via wg0)

iptables -t nat -A POSTROUTING -s container_ip -d offsite_lan_range -o Malital -j MASQUERADE

If you use nftables instead of iptables, the equivalent (the nat table and postrouting chain must exist before the rule can be added):

nft add table ip nat
nft add chain ip nat postrouting '{ type nat hook postrouting priority 100 ; }'
nft add rule ip nat postrouting oifname "Malital" ip saddr container_ip ip daddr offsite_lan_range masquerade

Allow forwarding between br0 and wg0

iptables -A FORWARD -i br0 -o Malital -j ACCEPT
iptables -A FORWARD -i Malital -o br0 -m state --state RELATED,ESTABLISHED -j ACCEPT

Container side:

ip route add offsite_lan_range via hostpc_br0_ip

Thank you. This worked flawlessly. For reference, these are the steps I took, and they are sufficient:

On the host PC

echo "net.ipv4.ip_forward=1" >> /etc/sysctl.conf
sysctl -p

sudo iptables -t nat -A POSTROUTING -s 192.168.11.115 -d 192.168.48.0/20 -o Malital -j MASQUERADE

In the container

added

[Route]
Destination=192.168.48.0/20
Gateway=192.168.11.22

to /etc/systemd/network/eth0.network to make it permanent.
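The host-side and container-side steps from the answer and the follow-up above, collected into one script as an added example (this is not code from the thread). It assumes the values posted in the thread: container 192.168.11.115, off-site LAN 192.168.48.0/20, WireGuard interface Malital, bridge br0 with host address 192.168.11.22; all of them can be overridden through the environment. With DRY_RUN=1 (the default) it only prints the commands, so it can be reviewed as an unprivileged user before being run as root with DRY_RUN=0. The MASQUERADE rule is what makes plain routing unnecessary on the remote side: the packets leave the tunnel with the host's WireGuard address as source, which the remote peer's AllowedIPs already accepts, whereas the container's own address would be dropped there. The two FORWARD rules matter only if the FORWARD chain's policy is DROP; the follow-up's steps omit them, which works as long as that policy is ACCEPT. Rules are added with a `-C` check first so re-running the script does not stack duplicates.

```bash
#!/bin/sh
# Added example, not from the thread: host-side NAT/forwarding for sharing a
# WireGuard tunnel with an LXC container, plus the container's static route.
# Values below are the ones posted in the thread; override via the environment.
# DRY_RUN=1 (default) prints commands instead of running them.

CONTAINER_IP="${CONTAINER_IP:-192.168.11.115}"
OFFSITE_NET="${OFFSITE_NET:-192.168.48.0/20}"
WG_IF="${WG_IF:-Malital}"
BRIDGE_IF="${BRIDGE_IF:-br0}"
HOST_BR0_IP="${HOST_BR0_IP:-192.168.11.22}"   # host's address on br0 (assumed from the thread)
DRY_RUN="${DRY_RUN:-1}"

# Print the command in dry-run mode, otherwise execute it.
run() {
    if [ "$DRY_RUN" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Append an iptables rule to a table only if an identical rule is not already
# present (-C exits 0 when it exists), keeping the script idempotent.
ipt_add() {
    table="$1"; shift
    if [ "$DRY_RUN" = 1 ]; then
        printf 'iptables -t %s -A %s\n' "$table" "$*"
    else
        iptables -t "$table" -C "$@" 2>/dev/null || iptables -t "$table" -A "$@"
    fi
}

host_rules() {
    # 1. Let the host forward packets between br0 and the tunnel (runtime
    #    setting; persist it in /etc/sysctl.conf as the answer shows).
    run sysctl -w net.ipv4.ip_forward=1
    # 2. Rewrite the container's source address to the host's WireGuard
    #    address for traffic bound to the off-site LAN and leaving via the tunnel.
    ipt_add nat POSTROUTING -s "$CONTAINER_IP" -d "$OFFSITE_NET" -o "$WG_IF" -j MASQUERADE
    # 3. Explicit forward permits, scoped to this container and destination;
    #    only needed when the FORWARD policy is DROP. conntrack replaces the
    #    older "-m state" match used in the answer (same behaviour).
    ipt_add filter FORWARD -i "$BRIDGE_IF" -o "$WG_IF" -s "$CONTAINER_IP" -d "$OFFSITE_NET" -j ACCEPT
    ipt_add filter FORWARD -i "$WG_IF" -o "$BRIDGE_IF" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
}

# Container side: the systemd-networkd [Route] section the follow-up added to
# /etc/systemd/network/eth0.network, generated from the same variables.
container_route() {
    printf '[Route]\nDestination=%s\nGateway=%s\n' "$OFFSITE_NET" "$HOST_BR0_IP"
}

# Post-apply checks on the host: forwarding on, NAT rule present, and packets
# actually leaving through the tunnel while the container pings an off-site host.
verify() {
    run sysctl net.ipv4.ip_forward
    run iptables -t nat -S POSTROUTING
    run tcpdump -ni "$WG_IF" net "$OFFSITE_NET"
}

# Usage: sh share-wg.sh            (dry run, review the commands)
#        DRY_RUN=0 sh share-wg.sh  (apply, as root)
#        DRY_RUN=0 sh share-wg.sh verify
case "${1:-apply}" in
    apply)
        printf '# host side:\n'; host_rules
        printf '\n# container side, /etc/systemd/network/eth0.network:\n'; container_route
        ;;
    verify) verify ;;
esac
```

If the host uses nftables, replace `ipt_add` with the `nft add table/chain/rule` lines from the answer; the variables and the container route stay the same.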