Setting up WireGuard in an LXC container
WireGuard is a VPN that lets a remote peer reach the local network from the internet. In this setup it runs inside a Proxmox LXC container. A container shares the host's kernel, so the WireGuard kernel module is installed on the Proxmox host (Step 1) and only the user-space tools go into the container (Step 2).
Step 1 - Install WireGuard kernel module
On the Proxmox host shell
apt update
apt install wireguard pve-headers
Set the module to auto-load at boot (kernels 5.6 and later ship WireGuard in-tree, so on such hosts the module is already present and only needs loading)
echo "wireguard" >> /etc/modules-load.d/modules.conf
Step 2 - Start container and install user-space tools for WireGuard
Create the container with the usual settings
Once the container has started, log in and install the tools
apt-get install --no-install-recommends wireguard-tools
Test that everything works by adding a temporary wg0 device (this confirms the container can use the host's module). Delete the test device again before Step 7: wg-quick creates wg0 itself and refuses to start if an interface of that name already exists
ip link add wg0 type wireguard
Step 3 - Generate Key Pair
Generate the private key and remove all permissions for anyone other than root (tee also echoes the key to the terminal, so do this in a session nobody else can see)
wg genkey | tee /etc/wireguard/private.key
chmod go= /etc/wireguard/private.key
Generate public key derived from private key
cat /etc/wireguard/private.key | wg pubkey | tee /etc/wireguard/public.key
Step 4 - Choose IP range
The server needs a range of private IPv4 addresses for its tunnel interface and its clients. Pick the range from one of the RFC 1918 blocks below, and choose one that is not already in use on the LAN or on the networks the clients connect from, otherwise the tunnel routes collide with local routes:
10.0.0.0 to 10.255.255.255 (10/8 prefix)
172.16.0.0 to 172.31.255.255 (172.16/12 prefix)
192.168.0.0 to 192.168.255.255 (192.168/16 prefix)
Step 5 - Create Server Configuration
Create configuration file
nano /etc/wireguard/wg0.conf
Template for config file
[Interface]
PrivateKey = <server private key>
Address = 10.0.0.1/32
ListenPort = 51820
SaveConfig = false
PostUp = iptables -A FORWARD -i wg0 -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
PostDown = iptables -D FORWARD -i wg0 -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE
[Peer]
PublicKey = <client public key>
AllowedIPs = <client tunnel address, e.g. 10.0.0.2/32>
NOTE: iptables is not installed in the container by default. Without it the PostUp hook fails and wg-quick refuses to bring wg0 up, so install it even if Step 6 is skipped (or drop the PostUp/PostDown lines)
apt install iptables
Step 6 - Routing WireGuard peers' traffic through the WireGuard server (optional)
If WireGuard is only used to reach services running in the container itself, this step can be skipped.
Any destination beyond the container (hosts on the LAN, such as the 192.168.0.0/24 range in the Windows client config, or the internet) requires IP forwarding in the container: enable net.ipv4.ip_forward and keep the PostUp/PostDown firewall rules above, following steps 4 and 5 of the Digital Ocean tutorial linked under Resources.
Step 7 - Starting WireGuard Server
WireGuard can run as a systemd service through the bundled wg-quick script, so it starts on boot. The unit name is taken from the config file name, so /etc/wireguard/wg0.conf is served by wg-quick@wg0:
systemctl enable wg-quick@wg0
systemctl start wg-quick@wg0
Step 8 - (For Windows) Configure WireGuard client
On the Windows client: Add Tunnel -> Add empty tunnel. The client generates a key pair for the new tunnel and shows its public key; that public key is what the server needs in Step 9.
Adjust the configuration to:
[Interface]
PrivateKey = <generated private key>
Address = 10.0.0.2/32
DNS = <local LAN gateway IP>
[Peer]
PublicKey = YOUR_SERVER_PUBLIC_KEY
AllowedIPs = 0.0.0.0/0, 192.168.0.0/24, 10.0.0.1/32
Endpoint = YOUR_SERVER_WAN_IP:51820
NOTE: Remove the DNS line and 0.0.0.0/0 from AllowedIPs if internet traffic should not go through the VPN; the client then only sends 192.168.0.0/24 and 10.0.0.1/32 through the tunnel. Endpoint is the public address of the home connection, so the router must forward UDP port 51820 to the container's LAN address. PublicKey is the contents of /etc/wireguard/public.key on the server; the client will only complete a handshake with that key.
Step 9 - Add client public key to server
Back in the container shell
wg set wg0 peer <client public key> allowed-ips <client VPN IP>
note: the client VPN IP is the address set in the client's Interface section (10.0.0.2/32). On the server, allowed-ips is both the route to that peer and an access control: packets from the peer with any other source address are dropped, so give every client its own /32.
wg set only changes the running interface, and the server config has SaveConfig = false, so the peer is gone after the service restarts. To make it permanent (or if wg set gives trouble), add a [Peer] section with the same PublicKey and AllowedIPs to /etc/wireguard/wg0.conf and restart the service.
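The server side of Steps 3, 5 and 9 as one script, added here as an example; it is not code from the original page. It assumes the interface wg0, egress NIC eth0 and 10.0.0.0/24 tunnel subnet from the template above, and an assumed WG_DIR variable (defaulting to /etc/wireguard) so it can be exercised in a scratch directory. The /dev/urandom key fallback only exists so the script runs where wg(8) is absent and is not a substitute for wg genkey. It goes slightly beyond the page: the config is created under umask 077 instead of created and then chmod'ed, and add_peer rejects malformed keys, addresses outside the tunnel subnet (including the server's own .1) and addresses or keys already assigned, then appends the peer to wg0.conf so it survives a restart.

```shell
#!/bin/sh
# Added example (not from the original page): server-side WireGuard setup for
# the LXC container. Assumes wg0, eth0 and the 10.0.0.0/24 tunnel subnet from
# the page's template; WG_DIR is an assumed knob so the script can run in a temp dir.
set -eu

WG_DIR="${WG_DIR:-/etc/wireguard}"

# Private key: wg genkey when available. The /dev/urandom fallback is an
# assumption for offline demonstration only; never use it for a real server.
gen_private_key() {
    if command -v wg >/dev/null 2>&1; then
        wg genkey
    else
        head -c 32 /dev/urandom | base64 | tr -d '\n'
    fi
}

# 0 if $1 has the shape of a WireGuard key: 44 base64 characters ending in '='.
looks_like_wg_key() {
    printf '%s' "$1" | grep -Eq '^[A-Za-z0-9+/]{43}=$'
}

# 0 if file $1 is readable by its owner only (what `chmod go=` in Step 3 leaves).
owner_only() {
    mode=$(stat -c %a "$1" 2>/dev/null || stat -f %Lp "$1")
    [ "$mode" = 600 ] || [ "$mode" = 400 ]
}

# Write wg0.conf from the page's template. $1 = server private key.
# umask 077 makes the file owner-readable from the moment it is created,
# closing the window that "create, then chmod" leaves open.
write_server_conf() {
    ( umask 077
      cat > "$WG_DIR/wg0.conf" <<EOF
[Interface]
PrivateKey = $1
Address = 10.0.0.1/32
ListenPort = 51820
SaveConfig = false
PostUp = iptables -A FORWARD -i wg0 -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
PostDown = iptables -D FORWARD -i wg0 -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE
EOF
    )
}

# Register a client. $1 = client public key, $2 = its tunnel address as a /32.
# SaveConfig = false means a bare `wg set` is forgotten at the next restart, so
# the peer is appended to wg0.conf and applied live only if wg0 is already up.
add_peer() {
    conf="$WG_DIR/wg0.conf"
    looks_like_wg_key "$1" || { echo "add_peer: malformed public key" >&2; return 1; }
    # exactly one host address, 10.0.0.2 .. 10.0.0.254 (.1 is the server)
    printf '%s' "$2" | grep -Eq '^10\.0\.0\.([2-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-4])/32$' \
        || { echo "add_peer: allowed-ips must be a single 10.0.0.x/32, got $2" >&2; return 1; }
    if grep -qxF "AllowedIPs = $2" "$conf"; then
        echo "add_peer: $2 is already assigned to another peer" >&2; return 1
    fi
    if grep -qxF "PublicKey = $1" "$conf"; then
        echo "add_peer: this public key is already a peer" >&2; return 1
    fi
    printf '\n[Peer]\nPublicKey = %s\nAllowedIPs = %s\n' "$1" "$2" >> "$conf"
    if command -v wg >/dev/null 2>&1 && wg show wg0 >/dev/null 2>&1; then
        wg set wg0 peer "$1" allowed-ips "$2"
    fi
}

# Number of [Peer] blocks currently in wg0.conf.
peer_count() {
    grep -c '^\[Peer\]' "$WG_DIR/wg0.conf" || true
}

# Usage in the container (as root, after Step 2):
#   key=$(gen_private_key); write_server_conf "$key"
#   add_peer "<client public key from the Windows client>" 10.0.0.2/32
#   systemctl enable wg-quick@wg0 && systemctl start wg-quick@wg0
```

The subnet check hard-codes the page's 10.0.0.0/24; if Step 4 chose a different range, change the pattern and the Address line together. Restart the service (or run wg set by hand) after editing wg0.conf, since wg-quick reads the file only at start.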
Resources
https://www.digitalocean.com/community/tutorials/how-to-set-up-wireguard-on-ubuntu-20-04
https://www.wireguard.com/quickstart/
https://serversideup.net/how-to-configure-a-wireguard-windows-10-vpn-client/
https://securityboulevard.com/2019/04/howto-install-wireguard-in-an-unprivileged-container-proxmox/