Wireguard preferred method.

Forssux

Member
Mar 27, 2022
56
4
8
Hi there,

I'm new to Proxmox and have it running (Virtual Environment 7.1-11)
I want to install Wireguard but didn't found anything that compares the 5 methods that I'm now aware of.
-on host
-in VM
-In LXC
-In Docker in LXC
-turnkey solution

The differences that I would like to know is performance impact,safety and Maintenance impact.
I choose the turnkey implementation as it has already a template in Proxmox.

I followed the small guide here https://github.com/turnkeylinux-apps/wireguard/blob/master/docs/setup.rst
It seems however that whenever I change the port in the /etc/wireguard/wg0.conf it got changed wright back to the initial one.

In the last section they speak of...
1.Choose client profile in the inithooks
But I can't seem to find it, so I copied text from /etc/wireguard/clients/guyf.conf
to /etc/wireguard/wg0.conf but that got erased to.
So can somebody explain to me the final steps to get it working

Thanks in advance
Guy
 
I got it working..
so I configuered 2 clients on the server with
Bash:
wireguard-addclient

and then copied the content into the /etc/wireguard/wg0.conf
and then copied the clients to the smartphones

and then I changed firewal port on the router of the ISP
and then I did a portforward to the wireguard container 192.168.1.254 in my main router
It works but is noticably slower than my real hardware machine ...NOT good enough for video streaming of security cameras
 
  • Like
Reactions: cobmojo
Sorry to revive this topic but I was curious if anyone had opinions on running Wireguard in an LXC vs. VM? Planning to install on a new node this weekend and i have always installed as an unprivileged LXC. I had someone the other day mentioning that due to it being internet facing a VM may be safer with better isolation. However, with wireguard being really well built and also running unprivileged on the host, is it really neccesary to use a VM?

Curious to hear people's replies!
 
Sorry to revive this topic but I was curious if anyone had opinions on running Wireguard in an LXC vs. VM? Planning to install on a new node this weekend and i have always installed as an unprivileged LXC. I had someone the other day mentioning that due to it being internet facing a VM may be safer with better isolation. However, with wireguard being really well built and also running unprivileged on the host, is it really neccesary to use a VM?

Curious to hear people's replies!

I was just wondering how you got on with that, and what solution you settled with in the end? Thanks
 
How I set it up really quick and easy :

- Debian lxc template (low specs, lightweight)
- install PiVPN and choose Wireguard: https://docs.pivpn.io/install/
- open a port in your router (can be 51820 or some other port)
- add WG clients and scan QR code on your smartphone (iOS and Android).
- done
 
@Spoonman2002
You are correct, that is for sure the way to do it.

Here's the things I tried that didn't work:
-Alpine LXC, building everything by hand (how hard could it be?) for 2 days. I got it to where it SHOULD have worked, but didn't. Gave up there.
-Alpine LXC, configure using PiVPN script. For whatever reason the script would NOT let me pick Wireguard, silently picked ovpn every time.
-Turnkey Linux Wireguard. Downloaded and ran the provided Wireguard LXC template, but it didn't have Wireguard installed? Gave up quick.
-Like you said, Debian 11 LXC template, install wireguard using PiVPN script. Easy peesy. Took like 30 min, total.

I really like the absolutely barebones nature of Alpine, but just couldn't get it working. Debian has all the comforts of home, and Wireguard VPN seems to be using effectively zero CPU. That said, I haven't pushed more than maybe 50 MB/s through the VPN, but that's all I need it to do.

Not sure if it made a difference but in addition to your instructions above, I added a couple extra things. Added two lxc lines to the container .conf file and chown'ed the /dev/net/tun as suggested by a couple other tutorials.
Reference: https://forum.proxmox.com/threads/p...reguard-vpn-server-howto-05-2022-rev1.110778/
 
  • Like
Reactions: Hammerhand
@Spoonman2002
You are correct, that is for sure the way to do it.

Here's the things I tried that didn't work:
-Alpine LXC, building everything by hand (how hard could it be?) for 2 days. I got it to where it SHOULD have worked, but didn't. Gave up there.
-Alpine LXC, configure using PiVPN script. For whatever reason the script would NOT let me pick Wireguard, silently picked ovpn every time.
-Turnkey Linux Wireguard. Downloaded and ran the provided Wireguard LXC template, but it didn't have Wireguard installed? Gave up quick.
-Like you said, Debian 11 LXC template, install wireguard using PiVPN script. Easy peesy. Took like 30 min, total.

I really like the absolutely barebones nature of Alpine, but just couldn't get it working. Debian has all the comforts of home, and Wireguard VPN seems to be using effectively zero CPU. That said, I haven't pushed more than maybe 50 MB/s through the VPN, but that's all I need it to do.

Not sure if it made a difference but in addition to your instructions above, I added a couple extra things. Added two lxc lines to the container .conf file and chown'ed the /dev/net/tun as suggested by a couple other tutorials.
Reference: https://forum.proxmox.com/threads/p...reguard-vpn-server-howto-05-2022-rev1.110778/
Going to create this lxc too, would like to have as less resources as possible but I am not sure to be too short on this. Could you give any clue about which resources should I give to the lxc?
 
Going to create this lxc too, would like to have as less resources as possible but I am not sure to be too short on this. Could you give any clue about which resources should I give to the lxc?
I think I gave it one processor and like 2gb ram just so Debian had plenty of room to breathe. While running the VPN I wasn’t able to see a difference in CPU usage and very little ram. You could probably run just above minimums for Debian and be fine, unless you’re wanting to push a whole bunch of traffic. My bet is Debian will take more ram+cpu usage than wireguard.

To be honest, I shifted to CloudFlare tunnels for my use case (access my home lab from afar) so haven’t played with wireguard much more.
 
  • Like
Reactions: Hammerhand
I think I gave it one processor and like 2gb ram just so Debian had plenty of room to breathe. While running the VPN I wasn’t able to see a difference in CPU usage and very little ram. You could probably run just above minimums for Debian and be fine, unless you’re wanting to push a whole bunch of traffic. My bet is Debian will take more ram+cpu usage than wireguard.

To be honest, I shifted to CloudFlare tunnels for my use case (access my home lab from afar) so haven’t played with wireguard much more.
Ok, thanks for all the tips
 
Going to create this lxc too, would like to have as less resources as possible but I am not sure to be too short on this. Could you give any clue about which resources should I give to the lxc?
My Wireguard lxc has 512MB memory and 4 cores (which is plenty, never had any issues).
 

About

The Proxmox community has been around for many years and offers help and support for Proxmox VE, Proxmox Backup Server, and Proxmox Mail Gateway.
We think our community is one of the best thanks to people like you!

Get your subscription!

The Proxmox team works very hard to make sure you are running the best software and getting stable updates and security enhancements, as well as quick enterprise support. Tens of thousands of happy customers have a Proxmox subscription. Get yours easily in our online shop.

Buy now!