Wireguard in LXC

gusto

Well-Known Member
Feb 10, 2018
When I had Proxmox 7.x, I also used Wireguard in LXC. I always set it accordingly. In the summer of 2023, I switched to Proxmox 8.x and forgot to do this setting, and Wireguard still works in LXC. Is it necessary to do this setting only for OpenVPN, or also for Wireguard? Someone answered on Reddit that this step must not be taken.
Quote:

Code:
lxc.mount.entry: /dev/net dev/net none bind,create=dir
lxc.cgroup2.devices.allow: c 10:200 rwm
Please don't do this. Giving full access to the group 10:200 allows the LXC container access to, and the ability to change, *all* the tunnel devices on the host. This is a potential major security issue unless you need the LXC to have management access to interfaces on the host or other containers and understand what you are doing.
 
I run Wireguard in unprivileged containers, both on 7.4 and 8.1, and I don't need those kinds of settings. I only needed that back in the days when using OpenVPN.
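As an added example (not from the thread or any of the posters), a small Python check that flags the two lines from the Reddit quote above in a Proxmox container config file; the sample configs are constructed from the snippets posted in this thread, and the check also matches the cgroup v1 spelling of the device rule.

```python
import re
from typing import List

# Constructed sample: the Proxmox container config posted later in the thread,
# with the two Reddit-quoted lines appended. Not a poster's actual file.
RISKY_CONF = """\
arch: amd64
cores: 2
features: nesting=1
hostname: vpn
net0: name=eth0,bridge=vmbr0,firewall=1,gw=192.168.0.1,ip=192.168.0.2/24,type=veth
ostype: debian
lxc.mount.entry: /dev/net dev/net none bind,create=dir
lxc.cgroup2.devices.allow: c 10:200 rwm
"""
# Same config without the raw lxc.* lines.
CLEAN_CONF = "\n".join(l for l in RISKY_CONF.splitlines() if not l.startswith("lxc."))

# Character device 10:200 is /dev/net/tun. Allowing it in the container's device
# cgroup and bind-mounting the host's /dev/net gives the container access to every
# tun/tap device on the host, not just its own WireGuard interface. The thread
# reports that WireGuard in an unprivileged container needs neither line.
RISKY_ENTRIES = {
    "tun_cgroup_allow": re.compile(r"^lxc\.cgroup2?\.devices\.allow:\s*c\s+10:200\b"),
    "dev_net_bind_mount": re.compile(r"^lxc\.mount\.entry:\s*/dev/net(?:/\S*)?\s"),
}


def audit_lxc_conf(conf: str) -> List[str]:
    """Return 'name: line' findings for each risky entry in a Proxmox LXC config."""
    findings = []
    for raw in conf.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        for name, pattern in RISKY_ENTRIES.items():
            if pattern.match(line):
                findings.append(f"{name}: {line}")
    return findings


if __name__ == "__main__":
    for label, conf in (("risky", RISKY_CONF), ("clean", CLEAN_CONF)):
        hits = audit_lxc_conf(conf)
        print(f"{label}: {len(hits)} finding(s)")
        for hit in hits:
            print("  ", hit)
```

On a Proxmox host the same function can be fed the contents of each /etc/pve/lxc/*.conf to find containers that still carry the old OpenVPN-era device grants.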
 
I'm trying to expose my Proxmox 8 to the internet using an existing WireGuard server that I have, and I'm using an unprivileged LXC container for that. I've been trying for hours with no luck. The client is able to establish a handshake with the server, but it can't connect to the internet from the container, and Proxmox is not accessible from the VPN.

I'm using a Debian 12 container, with wireguard-tools installed, firewall disabled, and IPv4 forwarding enabled.

This is my WireGuard client config:

Code:
[Interface]
Address = 192.168.2.12/24
ListenPort = 21841
PrivateKey = <private_key>

[Peer]
PublicKey = <public_key>
AllowedIPs = 0.0.0.0/0
Endpoint = <server>:51820
PersistentKeepAlive = 25

And this is my WireGuard server config:

Code:
[Interface]
Address = 192.168.2.1
PrivateKey = <private_key>
ListenPort = 51820

[Peer]
PublicKey = <public_key>
AllowedIPs = 192.168.2.12/32

However, when I try to ping to the internet, I get no response:

Code:
root@wireguard:~# ping 1.1.1.1
PING 1.1.1.1 (1.1.1.1) 56(84) bytes of data.

Any ideas on how to get it working?

UPDATE: I tried installing WireGuard directly to Proxmox and using a VM, but no luck. No internet connection.
 
Does the LXC itself have access to the Internet? Or try the masquerade.
OR
Code:
PreUp = iptables -I FORWARD -i wg0 -s 192.168.2.12/32 -d 0.0.0.0/0 -j ACCEPT
PostDown = iptables -D FORWARD -i wg0 -s 192.168.2.12/32 -d 0.0.0.0/0 -j ACCEPT
 
Sorry! After hours of figuring out, it ended up being an issue with the server. The fix?

Code:
wg-quick down wg0
wg-quick up wg0

Thanks for your help, anyway. I really appreciate it.
 
Hello,
I succeeded in configuring WireGuard in an unprivileged LXC container without tweaking the LXC tun/tap configuration.
I have written a small script that can be used in LXC to install it and add users.
Cheers

Proxmox 8.4

My lxc.conf

Code:
cat /etc/pve/lxc/xxx.conf
arch: amd64
cores: 2
features: nesting=1
hostname: vpn
memory: 2048
net0: name=eth0,bridge=vmbr0,firewall=1,gw=192.168.0.1,hwaddr=BC:24:11:XX:XX:XXX,ip=192.168.0.2/24,type=veth
onboot: 1
ostype: debian
rootfs: local:XXX/vm-XXX-disk-0.raw,size=32G
swap: 2048

The script
https://github.com/pandamasta/dotfiles/blob/master/scripts/wireguard/wireguard.sh

Hope this helps

Regards
 
I'm trying to understand where I put some of these config files I have seen in this forum. I can get WireGuard up and running, then connect to my iPhone through the WireGuard app. It sees everything, but I can't access the internet or local applications. I can ping it using the tools in the WireGuard GUI or in a web browser; it shows it alive. Then I went into the shell and I was able to ping google.com with no issues; it came back with a response. It seems like the peer is where I'm hung up. Not sure if I'm missing a setting. I set up my server with a static IP and opened the port as well. If the port wasn't open then I wouldn't be able to connect. Any ideas?
 
What do you need to achieve?
Code:
iphone <---internet---> wg_server <---internet --->
Do you want your iPhone to connect to the Internet via the wg server?
 
I want to be able to access the internet via the wg server from my iPhone. I also want to be able to log in to applications, like setting up Vaultwarden for a password manager. I want to access that over VPN as well.
 
Show your configuration file wgx.conf on the wg server and also on the iPhone (mask sensitive data in the conf with *******).
I would consider installing wireguard_webadmin.
It works fine in Docker (in LXC).
 
Ok. I'll see about that. Do the helper scripts have the default settings in the config file? Or should I have put them in there after the install?
 
If your wg_server is behind a normal ISP router it isn't going to be reachable from the Internet without making some configuration changes there, like enabling a port forward.
It is behind my router. I have enabled the port. I can connect to the server, I just don't get an internet connection.
 
Here is the .conf file I have:

Code:
[Interface]
Address = 10.0.0.1/24
SaveConfig = true
PostUp = iptables -A FORWARD -i wg0 -j ACCEPT; iptables -A FORWARD -o wg0 -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE;
PostDown = iptables -D FORWARD -i wg0 -j ACCEPT; iptables -D FORWARD -o wg0 -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE;
ListenPort = 51820

[Peer]
PublicKey =
AllowedIPs = 10.0.0.2/32

The one thing I notice is that it doesn't have my public IP address as Endpoint. But when I change it to that, I still can't get any internet.
 
Try this
Code:
[Peer]
PublicKey = ***************************************
AllowedIPs = 0.0.0.0/0
Endpoint = ip_wg_server_or_domain_name:port
PersistentKeepalive = 25
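The two gaps this thread keeps running into, a client peer that routes 0.0.0.0/0 without an Endpoint and a server that lists peers but has no FORWARD/MASQUERADE hooks, can be caught before bringing the tunnel up. The following Python lint is an added example (not the posters' code or a WireGuard tool); the sample configs are constructed from the 192.168.2.x configs posted earlier and from the iPhone exchange above, with keys redacted as in the posts.

```python
from typing import Dict, List, Tuple

# Constructed samples modelled on the thread's posted configs (not real key material).
CLIENT_CONF = """[Interface]
Address = 192.168.2.12/24
ListenPort = 21841
PrivateKey = <private_key>
[Peer]
PublicKey = <public_key>
AllowedIPs = 0.0.0.0/0
Endpoint = <server>:51820
PersistentKeepAlive = 25
"""
SERVER_NO_NAT = """[Interface]
Address = 192.168.2.1
ListenPort = 51820
[Peer]
PublicKey = <public_key>
AllowedIPs = 192.168.2.12/32
"""
# Same server with the PostUp hooks the later reply in the thread uses.
SERVER_NAT = SERVER_NO_NAT.replace("ListenPort", "PostUp = iptables -A FORWARD -i wg0 -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE\nListenPort", 1)
# The phone-side peer before the Endpoint line was added.
PHONE_NO_ENDPOINT = CLIENT_CONF.replace("Endpoint = <server>:51820\n", "")

def parse_wg_conf(text: str) -> List[Tuple[str, Dict[str, str]]]:
    """Parse a wg-quick style file; [Peer] may repeat, so keep a list of sections."""
    sections: List[Tuple[str, Dict[str, str]]] = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line.startswith("[") and line.endswith("]"):
            sections.append((line[1:-1], {}))
        elif "=" in line and sections:
            key, value = (p.strip() for p in line.split("=", 1))
            sections[-1][1][key.lower()] = value  # normalise key case (PersistentKeepAlive vs Keepalive)
    return sections

def lint_wg_conf(text: str) -> List[str]:
    """Warn about a default-route peer without Endpoint and a peer-serving server without NAT hooks."""
    sections = parse_wg_conf(text)
    peers = [kv for name, kv in sections if name == "Peer"]
    iface = next((kv for name, kv in sections if name == "Interface"), {})
    warnings = []
    for kv in peers:
        if "0.0.0.0/0" in kv.get("allowedips", "") and "endpoint" not in kv:
            warnings.append("Peer routes 0.0.0.0/0 but has no Endpoint; this side cannot initiate the handshake")
    serves_peers = any("0.0.0.0/0" not in kv.get("allowedips", "") for kv in peers)
    hooks = " ".join(iface.get(k, "") for k in ("preup", "postup"))
    if serves_peers and not ("FORWARD" in hooks and "MASQUERADE" in hooks):
        warnings.append("Interface serves peers but PreUp/PostUp set no FORWARD/MASQUERADE rules; peers cannot reach the internet through it unless forwarding and NAT are configured elsewhere")
    return warnings
```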