Anybody tried wireguard in a LXD container? A tutorial on this would be nice.
@bmullan will have some info on this
just follow a standard wg tutorial. It is simple.
Just install a standard ubuntu container then follow this
I think that the LXD-specific instruction is to set up the wireguard containers to require the Wireguard kernel module, so that it refuses to run if it cannot find it.
On all setups, Wireguard must be installed on the host, and in the container you just need the client package.
Apart from that, it is an issue to come up with specific useful scenarios that make sense with LXD use.
I think one very specific scenario is LXD to LXD communication over Wireguard (and not TLS).
I’ve been running a WG server inside LXD for months now. Works great. The only custom line in my config is:
There are a lot of good ideas here also…
Works for me even without any custom configs.
LXD host: Ubuntu 20.04
LXD (snap) version: 5.0+
Ubuntu server: 20.04
Ubuntu client: Ubuntu 20.04
I’ve just implemented wireguard in a container. Early days, but seems to work - testing with the android app on my phone.
I already had a “gateway” container on a server where I control access between internet and a few vlans. I just added a vpn (wireguard) interface to it and a couple of firewall rules. All seems to be fine. Because of my existing setup, there may be things you need that aren’t covered here (such as enabling kernel port forwarding).
My container is essentially `wireguard-tools`, extracted from Alpine, and not a lot else. I'm using `192.168.24.0/24` for the vpn peers and running the vpn on the standard port 51820. I called the vpn interface `vpn` and, in the example below, I let it connect to the `lan123` interface which is
Here’s my config
```ini
# /etc/wireguard.conf, loaded with `wg setconf` from the interface stanza below
[Interface]
PrivateKey = aaa...zzz
ListenPort = 51820

[Peer]
# Phone
PublicKey = zzz...aaa
# only packets from/to this single address are accepted from / sent to the phone
AllowedIPs = 192.168.24.2/32
```
```text
# ifupdown stanza for the vpn interface (busybox networking)
iface vpn inet static
    address 192.168.24.1
    netmask 255.255.255.0
    # create the wireguard link and load its keys/peers before bringing it up
    pre-up ip link add $IFACE type wireguard
    pre-up wg setconf $IFACE /etc/wireguard.conf
    post-down ip link del $IFACE
```
Plus two new iptables rules
```text
# accept the encrypted UDP traffic on the listen port
-A INPUT -p udp -m udp --dport 51820 -j ACCEPT
# let decrypted traffic from the vpn reach the lan123 network (no NAT)
-A FORWARD -i vpn -o lan123 -j ACCEPT
```
On my phone I have
- address 192.168.24.2/24
- dns 192.168.21.4
- endpoint 220.127.116.11:51820
- allowed ips 192.168.20.0/23
The only other thing, is on my internet router, I allow the public address 18.104.22.168 to forward port 51820 to the “gateway” container that the above is configured in.
- I did not use `wg-quick`. It's a wrapper around `wg` that provides additional options, however they rely on the host being set up in a certain way (e.g. having
- I avoided the complexities of using network managers because I have the simple busybox network setup, which is sufficient for my needs.
- I did not do the masquerading / NAT that a lot of other tutorials seem to use. For me, it just wasn't necessary.
- the allowed ip setting defines CIDR blocks of addresses that can enter/leave the tunnel. You need to define those correctly at both ends of the tunnel (you can use `0.0.0.0/0` to send everything and receive anything if you really want to)
A couple of things that caught me out
- my dns is pi-hole and its default config won't respond to non-local networks (which the clients will be); it just doesn't respond (leading me for a while to think I had an iptables rule blocking it!)
- multicast / broadcast doesn't work (so I can't use UPnP / DLNA from a device over the vpn)
- Wireguard lacks the “server push” functionality that OpenVPN gives you (for routes, dns, etc)
A couple of things that might be useful…
- see this screencast for a basic example https://www.wireguard.com/talks/talk-demo-screencast.mp4 to understand the minimum you need
- `tcpdump` to the container
  - `tcpdump -i internet src <peer public ip>` to see the traffic carrying the vpn (here, `internet` is the network interface inside the container connected to outside)
  - `tcpdump -i vpn` to see the traffic inside the vpn
Read here for some more troubleshooting tips: Four Ways to View WireGuard Logs | Pro Custodibus
Hope that’s of some use
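To make the "allowed ips at both ends" point concrete, here is an added example (not code from the thread or from WireGuard) that models WireGuard's cryptokey routing in Python using the two configs shown in the post above: the gateway container's `[Peer]` for the phone (`AllowedIPs = 192.168.24.2/32`) and the phone's peer entry for the gateway (`allowed ips 192.168.20.0/23`). The `Peer`, `WgInterface`, `trace` and `delivered` names are this example's own.

```python
"""Model of WireGuard's cryptokey routing for the gateway/phone setup above.

Constructed example: the peer tables are built from the two configs in the
post; the class and function names are not part of WireGuard.
"""
import ipaddress
from dataclasses import dataclass


@dataclass
class Peer:
    name: str
    allowed_ips: list          # list of ip_network: this peer's AllowedIPs


@dataclass
class WgInterface:
    name: str                  # how the other side names this host as a peer
    peers: list

    def egress_peer(self, dst):
        """Outbound: the packet goes to the peer whose AllowedIPs contains the
        destination (longest prefix wins). No match -> WireGuard drops it."""
        dst = ipaddress.ip_address(dst)
        best, best_len = None, -1
        for peer in self.peers:
            for net in peer.allowed_ips:
                if dst in net and net.prefixlen > best_len:
                    best, best_len = peer, net.prefixlen
        return best

    def ingress_ok(self, peer_name, src):
        """Inbound: after decryption the inner source address must lie inside
        the sending peer's AllowedIPs, otherwise the packet is silently dropped."""
        src = ipaddress.ip_address(src)
        return any(src in net
                   for peer in self.peers if peer.name == peer_name
                   for net in peer.allowed_ips)


def nets(*cidrs):
    return [ipaddress.ip_network(c) for c in cidrs]


# Built from the post: gateway container (server) and phone (client).
gateway = WgInterface("gateway", [Peer("phone", nets("192.168.24.2/32"))])
phone = WgInterface("phone", [Peer("gateway", nets("192.168.20.0/23"))])


def trace(client, server, src, dst):
    """Follow one packet client -> server and its reply server -> client through
    both ends' AllowedIPs checks. Returns (hop, verdict) pairs; a drop ends it."""
    steps = []
    peer = client.egress_peer(dst)
    if peer is None:
        return steps + [("client egress", f"drop: no peer AllowedIPs covers {dst}")]
    steps.append(("client egress", f"encrypt to {peer.name}"))
    if not server.ingress_ok(client.name, src):
        return steps + [("server ingress", f"drop: {src} outside AllowedIPs of {client.name}")]
    steps.append(("server ingress", "accept"))
    peer = server.egress_peer(src)          # the reply swaps src and dst
    if peer is None:
        return steps + [("server egress", f"drop: no peer AllowedIPs covers {src}")]
    steps.append(("server egress", f"encrypt to {peer.name}"))
    if not client.ingress_ok(server.name, dst):
        return steps + [("client ingress", f"drop: {dst} outside AllowedIPs of {server.name}")]
    steps.append(("client ingress", "accept"))
    return steps


def delivered(steps):
    return steps[-1] == ("client ingress", "accept")


if __name__ == "__main__":
    for src, dst in [("192.168.24.2", "192.168.21.4"),   # phone -> pi-hole DNS
                     ("192.168.24.3", "192.168.21.4"),   # spoofed inner source
                     ("192.168.24.2", "8.8.8.8")]:       # outside the phone's allowed ips
        print(src, "->", dst, trace(phone, gateway, src, dst))
```

The first trace succeeds end to end; the second is dropped by the gateway because the inner source is not the phone's `/32`; the third never enters the tunnel because `8.8.8.8` is outside `192.168.20.0/23` on the phone side. Widening the phone's allowed ips to `0.0.0.0/0` makes the third trace pass both WireGuard checks, but the model only covers cryptokey routing, not the iptables FORWARD rule or the NAT the post deliberately left out, so the gateway would still need those to actually carry internet traffic.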
I apologize since my comment isn't about this, but just letting you know there is a juju charm for wireguard. You might want to check it out: Deploy wireguard-sub using Charmhub - The Open Operator Collection
Nice - just looking up how to bootstrap some juju hybrid-cloud models with wireguard/ looking to try this thank you!
Just let me know if you need some help and how the charm works. If you run into problems, let me know.