Wireguard tutorial

Anybody tried wireguard in a LXD container? A tutorial on this would be nice.

@bmullan will have some info on this

just follow a standard wg tutorial. It is simple.
Just install a standard ubuntu container then follow this


I think that the LXD-specific instruction is to setup the wireguard containers to require the Wireguard kernel module, so that it refuses to run if it cannot find it.

On all setups, Wireguard must be installed on the host, and in the container you just need the client package.

Apart from that, it is an issue to come up with specific useful scenarios that make sense with LXD use.

I think one very specific scenario is LXD to LXD communication over Wireguard (and not TLS).


I’ve been running a WG server inside LXD for months now. Works great. The only custom line in my config is:

  linux.kernel_modules: wireguard

There are a lot of good ideas here also…


1 Like

Works for me even without any custom configs.

LXD host: Ubuntu 20.04
LXD (snap) version: 5.0+
Ubuntu server: 20.04
Ubuntu client: Ubuntu 20.04


I’ve just implemented wireguard in a container. Early days, but seems to work - testing with the android app on my phone.

I already had a “gateway” container on a server where I control access between internet and a few vlans. I just added a vpn (wireguard) interface to it and a couple of firewall rules. All seems to be fine. Because of my existing setup, there may be things you need that aren’t covered here (such as enabling kernel port forwarding).

My container is essentially busybox and wireguard-tools, extracted from Alpine, and not a lot else. I’m using for the vpn peers and running the vpn on the standard port 51820. I called the vpn interface vpn and, in the example below, I let it connect to the lan123 interface which is

Here’s my config /etc/wireguard.conf

PrivateKey = aaa...zzz
ListenPort = 51820

# Phone
PublicKey = zzz...aaa
AllowedIPs =

and /etc/network/interfaces

iface vpn inet static
  pre-up ip link add $IFACE type wireguard
  pre-up wg setconf $IFACE /etc/wireguard.conf
  post-down ip link del $IFACE

Plus two new iptables rules

-A INPUT -p udp -m udp --dport 51820 -j ACCEPT
-A FORWARD -i vpn -o lan123 -j ACCEPT

On my phone I have

  • address
  • dns
  • endpoint
  • allowed ips

The only other thing, is on my internet router, I allow the public address to forward port 51820 to the “gateway” container that the above is configured in.


  • I did not use wg-quick. It’s a wrapper around wg that provides additional options however they rely on the host being setup in a certain way (e.g. having resolvconf and bash).
  • I avoided complexities of using network managers becasue I have the simple busybox network setup which is sufficient for my needs.
  • I did not to the masquerading / nat that a lot of other tutorials seem to use. For me, it just wasn’t necessary.
  • the allowed ip setting defines CIDR blocks of addresses that can enter/leave the tunnel. You need to define those correctly at both ends of the tunnel (you can use to send everything and receive anything if you really want to)

A couple of things that caught me out

  • my dns is pi-hole and its default config won’t respond to non-local networks (which the clients will be), it just doesn’t respond (leading me for a while thinking I had an iptables rule blocking it!)
  • multicast / broadcast doesn’t work ( so I can’t use UPnP / DLNA from device over vpn )
  • Wireguard lacks the “server push” functionality that OpenVPN gives you (for routes, dns, etc)

A couple of things that might be useful…

  • see this screencast for a basic example https://www.wireguard.com/talks/talk-demo-screencast.mp4 to understand the minimum you need
  • add tcpdump to the container
  • use tcpdump -i internet src <peer public ip> to see the traffic carrying the vpn (here, internet is the netork interface inside the container connected to outside)
  • use tcpdump -i vpn to see the traffic inside the vpn

Read here for some more troubleshooting tips: Four Ways to View WireGuard Logs | Pro Custodibus

Hope that’s of some use :slight_smile:


I appologize since my comment isn’t about this, but just letting you know there is a juju charm for wireguard. You might want to check it out: Deploy wireguard-sub using Charmhub - The Open Operator Collection

1 Like

Nice - just looking up how to bootstrap some juju hybrid-cloud models with wireguard/ looking to try this thank you!

1 Like

Just let me know if you need some help and how the charm works. If you run into problems, let me know.