WG on LXC

Development discussion of WireGuard
 help / color / mirror / Atom feed

* WG on LXC
@ 2024-03-22 18:52 Peter Lister
  2024-03-31 14:50 ` Daniel Gröber
  0 siblings, 1 reply; 2+ messages in thread
From: Peter Lister @ 2024-03-22 18:52 UTC (permalink / raw)
  To: wireguard

I'm using wg on my home network, using a Linux router with OpenWRT and 
running services (e.g. IMAP) on LXC containers.

Having read how wg is intended to work within name spaces, I expected to 
easily create LXC containers with *only* a wg interface, but it seems 
that LXC only understands a "veth" interface and then a wg instance 
using this interface's address as an endpoint.

This works, but I want my internal services to see *only* the wg vpn. If 
a server container needs to connect out, e.g. for software update, I'll 
fire up a temporary veth with a temporary address.

It also seems odd that client hosts need each wg client to use 
per-server endpoint addresses when they are all hosted on one physical 
server's network interface.

I'm sure it's possible to script a solution, but ideally I want to 
specify lxc.net.0.type as "wireguard", give it a key pair and that 
should be that, with all config living outside the container.

This appears to me as common use-case. Has anyone spoken to the lxc 
developers about adding this kind of "first class citizen" support for wg?

All the best,
Peter

^ permalink raw reply	[flat|nested] 2+ messages in thread

* Re: WG on LXC
  2024-03-22 18:52 WG on LXC Peter Lister
@ 2024-03-31 14:50 ` Daniel Gröber
  0 siblings, 0 replies; 2+ messages in thread
From: Daniel Gröber @ 2024-03-31 14:50 UTC (permalink / raw)
  To: Peter Lister; +Cc: wireguard

Hi Peter,

On Fri, Mar 22, 2024 at 06:52:16PM +0000, Peter Lister wrote:
> I'm using wg on my home network, using a Linux router with OpenWRT and
> running services (e.g. IMAP) on LXC containers.
> 
> Having read how wg is intended to work within name spaces, I expected to
> easily create LXC containers with *only* a wg interface, 

This is a relatively new way of doing things, not every tool is going to
support it.

What exactly are you trying to accomplish by doing this? In my mind you can
simply have *one* wg tunnel on the LXC host machine and use routed veth
networking to connect the containers to this uplink, but I'm probably
missing something.

> It also seems odd that client hosts need each wg client to use per-server
> endpoint addresses when they are all hosted on one physical server's network
> interface.

I'm not sure I've understood your current setup. Could you make your
explaination a bit more concrete? Wg configs snippets from the Host and
container would be helpful.

> I'm sure it's possible to script a solution, but ideally I want to specify
> lxc.net.0.type as "wireguard", give it a key pair and that should be that,
> with all config living outside the container.

Sounds nice but you'll want to talk to the LXC project instead of WireGuard
if getting that supported is your goal.

--Daniel

^ permalink raw reply	[flat|nested] 2+ messages in thread

end of thread, other threads:[~2024-03-31 14:53 UTC | newest]

Thread overview: 2+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2024-03-22 18:52 WG on LXC Peter Lister
2024-03-31 14:50 ` Daniel Gröber

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).