WireGuard in Proxmox LXC Error (Running on Hetzner)


Oct 3, 2022

I have been trying to set up WireGuard in an LXC container on Proxmox using this guide: Proxmox LXC Wireguard

It would seem, though, that I have an issue with Proxmox networking or firewall.

The port (as described in the guide and as I have configured, 51820) is not available publicly, and the WireGuard client continuously fails to initiate the handshake. Even though the internal IP is allocated to my client, I am unable to communicate with any internal service.

The service is running at the LXC container level and the port is advertised accordingly, but I do not see the port OPEN on the Proxmox host.

I am running my Dedicated Server on the Hetzner service.

My config is shown below.

# Do not alter the commented lines
# They are used by wireguard-install

Address =
PrivateKey = XXXX
ListenPort = 51820
PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -A FORWARD -o %i -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -D FORWARD -o %i -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE

# BEGIN_PEER AnotherClient
PublicKey = XXX
PresharedKey =XXX
AllowedIPs =
# END_PEER AnotherClient

PublicKey =XXX
PresharedKey = XXX
AllowedIPs =
# END_PEER AnotherClient

root@wireguard:~# cat AnotherClient.conf
Address =
DNS =,
PrivateKey = XXX

PublicKey = XXX
PresharedKey = XXX
AllowedIPs =, ::/0
Endpoint = XXXX.com:51820
PersistentKeepalive = 25

WireGuard LXC Container Interfaces
root@wireguard:~# ip ad
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: eth0@if24: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    link/ether fa:41:ff:fa:6a:48 brd ff:ff:ff:ff:ff:ff link-netnsid 0
    inet metric 1024 brd scope global dynamic eth0
       valid_lft 427sec preferred_lft 427sec
    inet6 fe80::f841:ffff:fefa:6a48/64 scope link
       valid_lft forever preferred_lft forever
3: wg0: <POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1420 qdisc noqueue state UNKNOWN group default qlen 1000
    inet scope global wg0
       valid_lft forever preferred_lft forever

wg-quick@wg0.service - WireGuard via wg-quick(8) for wg0
     Loaded: loaded (/lib/systemd/system/wg-quick@.service; enabled; vendor preset: enabled)
    Drop-In: /etc/systemd/system/wg-quick@wg0.service.d
     Active: active (exited) since Mon 2022-10-03 14:03:38 WAT; 28min ago
       Docs: man:wg-quick(8)
    Process: 129 ExecStart=/usr/bin/wg-quick up wg0 (code=exited, status=0/SUCCESS)
   Main PID: 129 (code=exited, status=0/SUCCESS)
        CPU: 29ms

Oct 03 14:03:37 wireguard systemd[1]: Starting WireGuard via wg-quick(8) for wg0...
Oct 03 14:03:37 wireguard wg-quick[129]: [#] ip link add wg0 type wireguard
Oct 03 14:03:38 wireguard wg-quick[129]: [#] wg setconf wg0 /dev/fd/63
Oct 03 14:03:38 wireguard wg-quick[129]: [#] ip -4 address add dev wg0
Oct 03 14:03:38 wireguard wg-quick[129]: [#] ip link set mtu 1420 up dev wg0
Oct 03 14:03:38 wireguard wg-quick[129]: [#] ip -4 route add dev wg0
Oct 03 14:03:38 wireguard wg-quick[129]: [#] iptables -A FORWARD -i wg0 -j ACCEPT; iptables -A FORWARD -o wg0 -j ACCEPT; i>
Oct 03 14:03:38 wireguard systemd[1]: Finished WireGuard via wg-quick(8) for wg0.

My expectation is that the WireGuard port would be open on both the WireGuard LXC container and the Proxmox host node. Am I mistaken?

Can anyone support on this?
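
An added example, not part of the original post: assuming the container sits on a private bridge behind the Proxmox host's public IP (the post does not show the host's network config), the WireGuard socket exists only inside the container, so the host never lists 51820 as listening and instead needs a DNAT rule for UDP 51820. The function below checks `iptables-save -t nat` output for that rule; the address 10.10.10.2, the bridge name vmbr0 and the sample rule sets are constructed.

```shell
#!/bin/sh
# Added example (not from the post). Assumption: the container sits on a private
# bridge behind the Proxmox host's public IP. 10.10.10.2, vmbr0 and the sample
# rule sets below are constructed values.

# has_wg_dnat PORT CONTAINER_IP   (reads `iptables-save -t nat` text on stdin)
# Succeeds only if a PREROUTING rule DNATs udp/PORT to CONTAINER_IP.
has_wg_dnat() {
    port="$1"; ip="$2"
    want=" -j DNAT --to-destination $ip"
    while IFS= read -r line; do
        case "$line" in "-A PREROUTING "*) ;; *) continue ;; esac
        # WireGuard is UDP only: a tcp rule for the same port does not count.
        case "$line" in *" -p udp "*) ;; *) continue ;; esac
        case "$line" in *" --dport $port "*) ;; *) continue ;; esac
        # Accept the target with or without an explicit port suffix.
        case "$line" in *"$want:$port"|*"$want") return 0 ;; esac
    done
    return 1
}

# Constructed rule sets in iptables-save format.
NAT_MISSING='*nat
-A POSTROUTING -s 10.10.10.0/24 -o vmbr0 -j MASQUERADE
COMMIT'
NAT_TCP_ONLY='*nat
-A PREROUTING -i vmbr0 -p tcp -m tcp --dport 51820 -j DNAT --to-destination 10.10.10.2:51820
COMMIT'
NAT_OK='*nat
-A PREROUTING -i vmbr0 -p udp -m udp --dport 51820 -j DNAT --to-destination 10.10.10.2:51820
-A POSTROUTING -s 10.10.10.0/24 -o vmbr0 -j MASQUERADE
COMMIT'

check() {  # check NAME RULESET: prints one verdict line
    if printf '%s\n' "$2" | has_wg_dnat 51820 10.10.10.2; then
        echo "$1: udp/51820 is forwarded to the container"
    else
        echo "$1: no udp/51820 DNAT rule, handshakes cannot reach the container"
    fi
}
check NAT_MISSING "$NAT_MISSING"
check NAT_TCP_ONLY "$NAT_TCP_ONLY"
check NAT_OK "$NAT_OK"
# On a real host: iptables-save -t nat | has_wg_dnat 51820 <container-ip>
```

WireGuard does not answer unauthenticated packets, so a port scan is not a reliable test of reachability; a completed handshake in `wg show` is.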
