[SOLVED] RTNETLINK Operation not supported - ubuntu lxc container

xfroggy

New Member
Jun 18, 2018
Hi Everyone!
I'm currently trying to add a Wireguard network interface to my Ubuntu 18.04 LXC containers (2 of them):

[#] ip link add wg0 type wireguard
RTNETLINK answers: Operation not supported
I presume this is something to do with the LXC containers' network configuration? I'm unsure.

To note: this works on a fresh install of ubuntu server 18.04 using the ISO

Thanks!
 
You need to install the wireguard kernel module on the host first. There are wireguard-dkms packages in debian unstable you can build. They seem to work fine.
 
You need to install the wireguard kernel module on the host first. There are wireguard-dkms packages in debian unstable you can build. They seem to work fine.
I don't think I am going to install that type of stuff on the host, I like to keep everything fairly containerised. I have installed it on one of my hosts just to test. But it is 'unclean' in my opinion!

For reference, it does work!

Thanks for your help though! I will just install it on a full VM.
 
You need to install the wireguard kernel module on the host first. There are wireguard-dkms packages in debian unstable you can build. They seem to work fine.
I'd like to test this also, very interested in Wireguard, would there be any special LXC setting needed to get this to work?
 
Apart from what I wrote above (installing the kernel module on the host) there shouldn't be. You'll just need the wireguard userspace tools inside the container to configure the interfaces.
 
Thanks for the update! Just wondering if anyone has successfully tested Wireguard in an LXC container within Proxmox. I currently lack the time for full restores if things were to go wrong on the host.
 
I don't think I am going to install that type of stuff on the host, I like to keep everything fairly containerised.

Well. There's no way of installing a kernel module in a container. That's just not how it works. So as you said... a VM is the way to go if you don't mind a slight performance penalty compared with a CT.

But still. I wonder if it poses a real security threat to have modules like fuse, openvpn or wireguard installed and accessible from an untrusted container...
 
If you're super-duper paranoid about running in the host's kernel, but also don't want to sacrifice the memory for a VM, there are also userspace implementations of Wireguard like wireguard-go or Cloudflare's BoringTun (which supposedly has better performance). The downside is that no userspace implementation is ever going to be as efficient as running in the kernel, of course. Although I'm not sure what the performance characteristics of the kernel are like in a VM, possibly userspace in a container is still faster than kernelspace in a VM.
 
Userspace wireguard implementations will still need some kind of TUN driver to be accessible from LXC. It's readily available in kernel. But you will probably need to grant permissions to that CT, same way as you do, when using OpenVPN...
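
The two options discussed in this thread (kernel module on the host, or a userspace implementation on top of TUN) can be checked from inside the container before installing anything. The script below is an added example, not posted by anyone in the thread; the function names are made up here, and it assumes sysfs is mounted in the container so that the host's loaded modules are visible under /sys/module.

```shell
#!/bin/sh
# Added example (not from the thread). Run inside the LXC container.
# Paths are parameters so the logic can be exercised against a constructed tree.

# wg_kernel_available [SYSFS_MODULE_DIR]
# True when the kernel shared with the host has the wireguard module loaded.
# Heuristic: depends on sysfs being mounted inside the container.
wg_kernel_available() {
    [ -d "${1:-/sys/module}/wireguard" ]
}

# tun_usable [TUN_PATH]
# True when the TUN node is a character device that can actually be opened
# read/write. The open is attempted (in a subshell) because a device cgroup
# rule can deny access even when the file permission bits look fine.
tun_usable() {
    tun="${1:-/dev/net/tun}"
    [ -c "$tun" ] && ( exec 3<>"$tun" ) 2>/dev/null
}

# wg_backend [SYSFS_MODULE_DIR] [TUN_PATH]
# Prints one of: kernel | userspace | none
wg_backend() {
    if wg_kernel_available "$1"; then
        echo kernel
    elif tun_usable "$2"; then
        echo userspace
    else
        echo none
    fi
}

case "$(wg_backend /sys/module /dev/net/tun)" in
    kernel)
        echo "wireguard module is loaded on the host; only the userspace tools are needed in the container" ;;
    userspace)
        echo "no wireguard module visible, but /dev/net/tun opens; a userspace implementation can run here" ;;
    none)
        echo "neither the wireguard module nor a usable /dev/net/tun; expect 'Operation not supported'" ;;
esac
```

The definitive test for the kernel path is still the command from the first post, `ip link add wg0 type wireguard`, run with sufficient privileges inside the container.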
 
