[solved] Wireguard in macvlan container on Ubuntu 18.04

networking

(Nathan Bass) #1

First I’ll start with I have read the entire threads for both Wireguard on LXD and 3.0.1 wireguard iface in unprivileged container?.

I’m running lxc inside an Ubuntu 18.04 server with both a macvlan and a standard bridge network profile. I’m trying to set up wireguard using the macvlan so that I have direct access control to it at the router. The container config is as follows.

architecture: x86_64
config:
  image.architecture: amd64
  image.description: ubuntu 18.04 LTS amd64 (release) (20190320)
  image.label: release
  image.os: ubuntu
  image.release: bionic
  image.serial: "20190320"
  image.version: "18.04"
  linux.kernel_modules: wireguard
  security.privileged: "true"
  volatile.base_image: 6700bee14eb3034ba4bd0c3d0165f938faa161d2690e919465aab2946490689b
  volatile.eth0.hwaddr: 00:16:3e:6f:7e:01
  volatile.idmap.base: "0"
  volatile.idmap.next: '[]'
  volatile.last_state.idmap: '[]'
  volatile.last_state.power: RUNNING
devices: {}
ephemeral: false
profiles:
- default
stateful: false
description: ""

I have wireguard installed within the host and wireguard-tools installed in the container but I still get the dreaded RTNETLINK answers: Operation not supported error whenever I try to create a wireguard interface inside the container.

I’m bringing up the macvlan specifically because, as far as I can tell, it’s the only thing not mentioned in the previous threads. For reference, the profile config is as follows:

config: {}
description: Default LXD profile
devices:
  eth0:
    name: eth0
    nictype: macvlan
    parent: eno1
    type: nic
  root:
    path: /
    pool: lxd
    type: disk
name: default
used_by:
- /1.0/containers/dns
- /1.0/containers/wireguard

Edit: I almost forgot the actual question… Am I missing something or is this a wireguard rather than lxc issue?


(Stéphane Graber) #2

Can you try using a temporary LXD bridge to see if it’s indeed macvlan related?


(Nathan Bass) #3

Actually I think it’s complete user error at this point. I went through the complete process again today (starting with a new container) and it’s working… I’m not really sure what I did wrong the first time, but meh (I was logging on here to mark this as solved…).


#4

Can you give a walkthrough on this?
How did you get the wireguard kernel module since the Ubuntu kernels do not have it yet?
Also, you can mark it as solved by pressing the appropriate button on the correct reply.


(Nathan Bass) #5

@simos to be entirely honest I have been insanely busy, and while I managed to get past the RTNETLINK answers: Operation not supported error, I have not had a chance to set up a client… That said, here are the steps to get what I believe at least should be a working “server”…

On an Ubuntu 18.04 host with lxd installed and a macvlan connection configured following @simos’s macvlan write-up (yep :stuck_out_tongue:):

add-apt-repository ppa:wireguard/wireguard
apt update
apt install wireguard
lxc launch ubuntu:bionic/amd64 wireguard -p macvlan
lxc exec wireguard bash

If you want a static IP address, configure it in your router now.
(If you did not set a static address, skip this.)

ip addr flush dev eth0
dhclient -r; dhclient
ip a
add-apt-repository ppa:wireguard/wireguard
apt update
apt install wireguard-tools
exit
lxc stop wireguard
lxc config edit wireguard

I’m aware it’s possible to add the security privs with
lxc config set wireguard security.privileged true
however I was unable to figure out how to do this without editing the config, so to that end I did both at once, inserting them directly under the image version as shown below:

architecture: x86_64
config:
  image.architecture: amd64
  image.description: ubuntu 18.04 LTS amd64 (release) (20190320)
  image.label: release
  image.os: ubuntu
  image.release: bionic
  image.serial: "20190320"
  image.version: "18.04"
  linux.kernel_modules: wireguard
  security.privileged: "true"
  volatile.base_image: 6700bee14eb3034ba4bd0c3d0165f938faa161d2690e919465aab2946490689b
  volatile.eth0.hwaddr: 00:16:3e:17:03:c2
  volatile.idmap.base: "0"
  volatile.idmap.next: '[]'
  volatile.last_state.idmap: '[{"Isuid":true,"Isgid":false,"Hostid":100000,"Nsid":0,"Maprange":65536},{"Isuid":false$
  volatile.last_state.power: STOPPED
devices: {}
ephemeral: false
profiles:
- macvlan
stateful: false
description: ""

lxc start wireguard
lxc exec wireguard bash
ip link add wg0 type wireguard
ip link

should result in something like the following

1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN mode DEFAULT group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
2: wg0: <POINTOPOINT,NOARP> mtu 1420 qdisc noop state DOWN mode DEFAULT group default qlen 1000
    link/none 
13: eth0@if2: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP mode DEFAULT group default qlen 1000
    link/ether 00:16:3e:17:03:c2 brd ff:ff:ff:ff:ff:ff link-netnsid 0

ip addr add 10.0.0.1/24 dev wg0
wg genkey > private
wg set wg0 private-key ./private
ip link set wg0 up

Confirmed: I just ran through the setup of a second container, wiretest, using the same config but at 10.0.0.2, following https://www.wireguard.com/quickstart/ and it is working fully.
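An added example (not from the thread and not LXD's own tooling): a POSIX shell preflight check that reads lxc config show output and confirms the two keys the steps above depend on, linux.kernel_modules listing wireguard and security.privileged set to "true", before you try ip link add wg0 type wireguard. The sample configs below are constructed; the host check assumes modinfo or /proc/modules is available.

```shell
#!/bin/sh
# Added example, not from the thread: preflight checks for the two container
# settings the thread needed before `ip link add wg0 type wireguard` works.
# check_wg_container_config reads `lxc config show <container>` output on stdin;
# it returns 0 only when linux.kernel_modules lists wireguard and
# security.privileged is "true", and names what is missing on stderr otherwise.
check_wg_container_config() {
    cfg=$(cat)
    rc=0
    # Value of linux.kernel_modules (comma-separated list), quotes and spaces dropped.
    mods=$(printf '%s\n' "$cfg" \
        | sed -n 's/^[[:space:]]*linux\.kernel_modules:[[:space:]]*//p' | tr -d '" ')
    case ",$mods," in
        *,wireguard,*) ;;
        *) echo "missing: linux.kernel_modules must include wireguard" >&2; rc=1 ;;
    esac
    # The thread quotes the value as "true"; a bare true is accepted as well.
    priv=$(printf '%s\n' "$cfg" \
        | sed -n 's/^[[:space:]]*security\.privileged:[[:space:]]*//p' | tr -d '" ')
    if [ "$priv" != "true" ]; then
        echo "missing: security.privileged must be \"true\"" >&2
        rc=1
    fi
    # Note: security.privileged=true drops the uid/gid map, so root in the
    # container is root on the host; keep this container single-purpose.
    return $rc
}

# host_has_wireguard_module: LXD loads linux.kernel_modules on the host at
# container start, so the module must exist in the host kernel (on 18.04 the
# wireguard PPA package builds it via dkms). Returns 0 if the host can see it.
host_has_wireguard_module() {
    modinfo wireguard >/dev/null 2>&1 || grep -qw wireguard /proc/modules 2>/dev/null
}

# Constructed sample inputs mirroring the shape of the thread's config.
SAMPLE_GOOD='config:
  image.release: bionic
  linux.kernel_modules: wireguard
  security.privileged: "true"
profiles:
- macvlan'
SAMPLE_BAD='config:
  image.release: bionic
  security.privileged: "true"
profiles:
- macvlan'

# Demo on the samples; for a real container: lxc config show wireguard | check_wg_container_config
printf '%s\n' "$SAMPLE_GOOD" | check_wg_container_config && echo "sample_good: ok"
printf '%s\n' "$SAMPLE_BAD" | check_wg_container_config || echo "sample_bad: rejected"
```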