Edited 1/25/2023 - Now have it working!
Hello, I currently have a Raspberry Pi that connects to a VPN via WireGuard and then shares that connection with dumb hosts (like Rokus) via a VLAN and a DHCP server on it that forwards all traffic to the VPN. To do this I first set up a standard WireGuard connection with the VPN on wg0, then set up the VLAN with
Code:
# /etc/network/interfaces.d/vlans
auto eth0.2
iface eth0.2 inet manual
    vlan-raw-device eth0
and forwarded traffic with
Code:
# clamp TCP MSS so tunneled connections fit the WireGuard MTU
sudo iptables -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
# allow reply traffic from the tunnel back to the VLAN
sudo iptables -A FORWARD -i wg0 -o eth0.2 -m state --state RELATED,ESTABLISHED -j ACCEPT
# NAT the VLAN clients behind the tunnel address
sudo iptables -t nat -A POSTROUTING -o wg0 -j MASQUERADE
And lastly set up the DHCP server with dnsmasq and sudo nano /etc/dnsmasq.conf
Code:
# serve DHCP only on the VLAN and forward DNS to public resolvers
interface=eth0.2
dhcp-range=172.16.0.50,172.16.0.150,12h
server=1.1.1.1
server=8.8.8.8
server=8.8.4.4
To migrate this setup to an LXC container running on Proxmox with a guest-configured VLAN, I did the following.
On the Proxmox host I made vmbr0 VLAN-aware, so my /etc/network/interfaces looks like
Code:
auto lo
iface lo inet loopback

iface enp1s0 inet manual

auto vmbr0
iface vmbr0 inet static
    address 192.168.1.150/24
    gateway 192.168.1.1
    bridge-ports enp1s0
    bridge-stp off
    bridge-fd 0
    bridge-vlan-aware yes
    bridge-vids 2-4094
I created an LXC container (ID 103) with an Ubuntu 20.04 template and, to make the TUN device available for WireGuard, added to /etc/pve/lxc/103.conf
Code:
# /dev/net/tun is character device 10:200
lxc.cgroup.devices.allow: c 10:200 rwm
lxc.mount.entry: /dev/net dev/net none bind,create=dir
In the container I installed WireGuard and defined an interface named sb. sudo wg-quick up sb works, so I ran sudo systemctl enable wg-quick@sb.service, which also works. To test the link I ran traceroute www.google.com --resolve-hostnames and saw that the traffic was exiting the VPN.
Next is to make a VLAN and bind all traffic to the WireGuard tunnel. I edited /etc/systemd/network/eth0.network to include VLAN=eth0.100 in the [Network] section and ran sudo touch /etc/systemd/network/.pve-ignore.eth0.network to keep it from being overwritten by Proxmox. I then added /etc/systemd/network/eth0.100.netdev
Code:
[NetDev]
Name=eth0.100
Kind=vlan
[VLAN]
Id=100
and /etc/systemd/network/eth0.100.network
Code:
[Match]
Name=eth0.100
[Address]
Address=172.16.1.1/24
To get it going I ran sudo systemctl restart systemd-networkd.service
To forward traffic from the vlan to the wireguard tunnel I ran
Code:
# clamp TCP MSS so tunneled connections fit the WireGuard MTU
sudo iptables -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
# allow reply traffic from the tunnel back to the VLAN
sudo iptables -A FORWARD -i sb -o eth0.100 -m state --state RELATED,ESTABLISHED -j ACCEPT
# NAT the VLAN clients behind the tunnel address
sudo iptables -t nat -A POSTROUTING -o sb -j MASQUERADE
# And to keep the rules after reboot
sudo apt install iptables-persistent
sudo netfilter-persistent save
Lastly, for DHCP, sudo apt install dnsmasq and sudo nano /etc/dnsmasq.conf
Code:
# To avoid conflicts with systemd-resolved uncomment the following line
bind-interfaces
interface=eth0.100
dhcp-range=172.16.1.2,172.16.1.254,12h
server=1.1.1.1
server=8.8.8.8
server=8.8.4.4
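As an added example (not code from the original post), here is a deny-by-default version of the forwarding rules above, written as an iptables-restore ruleset. The post's rules only cover the reply direction and NAT, so VLAN-to-tunnel traffic passes because the FORWARD chain's default policy is ACCEPT, which would also forward VLAN clients to the untagged side or straight out if the tunnel is down. This version assumes the post's interface names (sb for the tunnel, eth0.100 for the VLAN, eth0 for the untagged side) and a host with iptables-restore.

```shell
#!/bin/sh
# Added example (not from the original post): deny-by-default forwarding rules
# for the VLAN -> WireGuard gateway, emitted as an iptables-restore ruleset.
# Assumed names: sb = WireGuard interface, eth0.100 = client VLAN, eth0 = untagged side.
VLAN_IF="${VLAN_IF:-eth0.100}"
WG_IF="${WG_IF:-sb}"
LAN_IF="${LAN_IF:-eth0}"
# FORWARD defaults to DROP; only VLAN -> tunnel (and replies) are accepted, so
# nothing from the VLAN is forwarded towards eth0 or out of an untunneled path.
gateway_ruleset() {
    cat <<EOF
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# clamp MSS so tunneled TCP fits the WireGuard MTU
-A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
# VLAN clients may only be forwarded into the tunnel ...
-A FORWARD -i ${VLAN_IF} -o ${WG_IF} -j ACCEPT
# ... and receive replies back from it
-A FORWARD -i ${WG_IF} -o ${VLAN_IF} -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
# anything else leaving the VLAN (e.g. towards ${LAN_IF}) is logged, then hits the DROP policy
-A FORWARD -i ${VLAN_IF} -m limit --limit 5/min -j LOG --log-prefix "vlan-leak-blocked: "
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -o ${WG_IF} -j MASQUERADE
COMMIT
EOF
}
# Parse-check the ruleset without touching the kernel, then load it atomically.
apply_ruleset() {
    sysctl -w net.ipv4.ip_forward=1 >/dev/null
    gateway_ruleset | iptables-restore --test || return 1
    gateway_ruleset | iptables-restore
}
# "sh gateway-rules.sh apply" (as root) loads the rules; with no argument the
# ruleset is only printed for review.
case "${1:-}" in
    apply) apply_ruleset ;;
    *) gateway_ruleset ;;
esac
```

After loading, `iptables -S FORWARD` should show policy DROP and only the two accept rules; the kernel log then records any blocked attempt under the vlan-leak-blocked prefix.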