Wireguard tutorial

Anybody tried wireguard in a LXD container? A tutorial on this would be nice.

@bmullan will have some info on this

just follow a standard wg tutorial. It is simple.
Just install a standard ubuntu container then follow this

https://www.stavros.io/posts/how-to-configure-wireguard/

I think that the LXD-specific instruction is to set up the wireguard containers to require the Wireguard kernel module, so that it refuses to run if it cannot find it.

On all setups, Wireguard must be installed on the host, and in the container you just need the client package.

Apart from that, it is an issue to come up with specific useful scenarios that make sense with LXD use.

I think one very specific scenario is LXD to LXD communication over Wireguard (and not TLS).

2 Likes

I’ve been running a WG server inside LXD for months now. Works great. The only custom line in my config is:

  linux.kernel_modules: wireguard
4 Likes

There are a lot of good ideas here also…

https://www.wireguard.com/netns/

1 Like

Works for me even without any custom configs.

LXD host: Ubuntu 20.04
LXD (snap) version: 5.0+
Ubuntu server: 20.04
Ubuntu client: Ubuntu 20.04

2 Likes

I’ve just implemented wireguard in a container. Early days, but seems to work - testing with the android app on my phone.

I already had a “gateway” container on a server where I control access between internet and a few vlans. I just added a vpn (wireguard) interface to it and a couple of firewall rules. All seems to be fine. Because of my existing setup, there may be things you need that aren’t covered here (such as enabling kernel port forwarding).

My container is essentially busybox and wireguard-tools, extracted from Alpine, and not a lot else. I’m using 192.168.24.0/24 for the vpn peers and running the vpn on the standard port 51820. I called the vpn interface vpn and, in the example below, I let it connect to the lan123 interface which is 192.168.20.0/23.

Here’s my config /etc/wireguard.conf

[Interface]
PrivateKey = aaa...zzz
ListenPort = 51820

[Peer]
# Phone
PublicKey = zzz...aaa
AllowedIPs = 192.168.24.2/32

and /etc/network/interfaces

iface vpn inet static
  address 192.168.24.1
  netmask 255.255.255.0
  pre-up ip link add $IFACE type wireguard
  pre-up wg setconf $IFACE /etc/wireguard.conf
  post-down ip link del $IFACE

Plus two new iptables rules

-A INPUT -p udp -m udp --dport 51820 -j ACCEPT
-A FORWARD -i vpn -o lan123 -j ACCEPT

On my phone I have

  • address 192.168.24.2/24
  • dns 192.168.21.4
  • endpoint 11.22.33.44:51820
  • allowed ips 192.168.20.0/23

The only other thing is, on my internet router, I allow the public address 11.22.33.44 to forward port 51820 to the “gateway” container that the above is configured in.

Note:

  • I did not use wg-quick. It’s a wrapper around wg that provides additional options; however, they rely on the host being set up in a certain way (e.g. having resolvconf and bash).
  • I avoided the complexities of using network managers because I have the simple busybox network setup which is sufficient for my needs.
  • I did not do the masquerading / nat that a lot of other tutorials seem to use. For me, it just wasn’t necessary.
  • the allowed ip setting defines CIDR blocks of addresses that can enter/leave the tunnel. You need to define those correctly at both ends of the tunnel (you can use 0.0.0.0/0 to send everything and receive anything if you really want to)

A couple of things that caught me out

  • my dns is pi-hole and its default config won’t respond to non-local networks (which the clients will be); it just doesn’t respond (leading me for a while to think I had an iptables rule blocking it!)
  • multicast / broadcast doesn’t work ( so I can’t use UPnP / DLNA from device over vpn )
  • Wireguard lacks the “server push” functionality that OpenVPN gives you (for routes, dns, etc)

A couple of things that might be useful…

  • see this screencast for a basic example https://www.wireguard.com/talks/talk-demo-screencast.mp4 to understand the minimum you need
  • add tcpdump to the container
  • use tcpdump -i internet src <peer public ip> to see the traffic carrying the vpn (here, internet is the network interface inside the container connected to outside)
  • use tcpdump -i vpn to see the traffic inside the vpn

Read here for some more troubleshooting tips: Four Ways to View WireGuard Logs | Pro Custodibus

Hope that’s of some use

2 Likes
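As an added example (not from the post above or from the WireGuard project), a small Python checker for the "define allowed ips correctly at both ends" point: it parses the wg setconf file from the post and cross-checks it against the phone's settings, confirming the server's AllowedIPs covers the phone's tunnel address, the phone's DNS server lies inside the phone's AllowedIPs (so queries actually enter the tunnel), and the endpoint port matches ListenPort. The config text and phone settings are constructed from the values in the post, with placeholder keys.

```python
import ipaddress

# Constructed from the post: the server-side wg setconf file (placeholder keys).
SERVER_CONF = """\
[Interface]
PrivateKey = aaa...zzz
ListenPort = 51820

[Peer]
# Phone
PublicKey = zzz...aaa
AllowedIPs = 192.168.24.2/32
"""

# Constructed from the post: the phone (client) side settings.
PHONE = {"address": "192.168.24.2/24", "dns": "192.168.21.4",
         "endpoint": "11.22.33.44:51820", "allowed_ips": "192.168.20.0/23"}


def parse_wg_conf(text):
    """Parse a wg(8) setconf file into (interface_dict, [peer_dict, ...]).
    Keys are lower-cased; '#' comments are stripped; [Peer] may repeat."""
    interface, peers, section = {}, [], None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            name = line[1:-1].strip().lower()
            section = interface if name == "interface" else {}
            if name == "peer":
                peers.append(section)
            continue
        key, _, value = line.partition("=")
        section[key.strip().lower()] = value.strip()
    return interface, peers


def check_peer_pair(server_conf, client):
    """Return a list of problems found between the server conf and one client."""
    problems = []
    interface, peers = parse_wg_conf(server_conf)
    client_ip = ipaddress.ip_interface(client["address"]).ip
    client_allowed = [ipaddress.ip_network(n.strip())
                      for n in client["allowed_ips"].split(",") if n.strip()]
    server_allowed = [ipaddress.ip_network(n.strip()) for p in peers
                      for n in p.get("allowedips", "").split(",") if n.strip()]
    # Cryptokey routing: the server drops packets from a source it has not allowed.
    if not any(client_ip in net for net in server_allowed):
        problems.append(f"no server peer AllowedIPs covers client address {client_ip}")
    # DNS only works over the tunnel if the resolver's address is routed into it.
    if not any(ipaddress.ip_address(client["dns"]) in net for net in client_allowed):
        problems.append(f"client dns {client['dns']} is outside client allowed ips")
    # The client must dial the port the server actually listens on.
    if client["endpoint"].rsplit(":", 1)[1] != interface.get("listenport"):
        problems.append("endpoint port does not match server ListenPort")
    return problems
```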

I apologize since my comment isn’t about this, but just letting you know there is a juju charm for wireguard. You might want to check it out: Deploy wireguard-sub using Charmhub - The Open Operator Collection

1 Like

Nice - just looking up how to bootstrap some juju hybrid-cloud models with wireguard/ looking to try this thank you!

1 Like

Just let me know if you need some help and how the charm works. If you run into problems, let me know.