wireguard client inside systemd-nspawn container

[joeroback]

hi. is possible to use wireguard as a client in systemd-nspawn containers? jailmaker seems to be passing --capability=all but default, but using wireguard inside does not seem to work (e.g. wg-quick up wg0). would it work with a different type of networking mode besides the default, host networking? thx

[Lockszmith-GH]

You would probably want to setup bridge networking for wireguard to work, but I haven't tested this myself.

[Jip-Hop]

Using bridge or macvlan networking mode would be a good next attempt. It's not clear though what doesn't work about wg-quick up wg0. Are there any error messages or errors in logging?

[Jip-Hop]

Also I'd run modprobe wireguard on the host to be sure the wireguard kernel module is loaded before attempting to use wireguard in a jail.

[joeroback]

yea, bridge networking was the answer. for the default host networking, there was no errors thrown by wg-quick, but a wireguard device was NEVER made. (verified by ifconfig in both host and jail). switching to bridged networking, --network-bridge=br0 --resolv-conf=bind-host, wireguard (wg-quick) worked immediately as expected. as far as the wireguard kernel module is concerned, i rebooted a few times, and things just worked after switching to bridged networking. i did not have to modprobe wireguard or anything like that.

thanks for your help and suggestions! think we got this solved. or at least a viable workaround with bridged networking.

[NylonDiamond]

@joeroback I'm having issues getting access to my LAN over the internet. I set up the bridge as you did. I also forwarded wireguard port on my router. Any tips?

[Lockszmith-GH]

@NylonDiamond please start with #135

[joeroback]

not sure my setup makes sure all traffic goes over wireguard VPN and i never access any local resources. the containers write to datasets that other containers use etc, but i limit my containers using VPN/wireguard to have to use the wireguard interface, no leaking etc