I followed this guide for using WireGuard inside LXC on Proxmox. (Also helpful)
echo "deb https://deb.debian.org/debian/ unstable main" > /etc/apt/sources.list.d/unstable.list
printf 'Package: *\nPin: release a=unstable\nPin-Priority: 90\n' > /etc/apt/preferences.d/limit-unstable
apt update
apt install wireguard
But as I ran “modprobe wireguard” I just got:
modprobe: FATAL: Module wireguard not found in directory /lib/modules/5.0.15-1-pve
So I ran “dkms autoinstall”… but no success.
Error! Your kernel headers for kernel 5.0.15-1-pve cannot be found.
Please install the linux-headers-5.0.15-1-pve package,
or use the --kernelsourcedir option to tell DKMS where it's located
As I run “apt install pve-headers” it installed new pve-headers but for a different kernel:
pve-headers pve-headers-5.0 pve-headers-5.0.21-1-pve
As expected, “modprobe wireguard” still returned
modprobe: FATAL: Module wireguard not found in directory /lib/modules/5.0.15-1-pve
So I checked my current kernel with “uname --kernel-release”, and since my last reboot was about two weeks ago, it was still running 5.0.15-1-pve while the newly installed headers were for 5.0.21-1-pve. So I did a reboot, checked the kernel again, and now it was on 5.0.21-1-pve. Then I ran “dkms autoinstall” again, this time with success:
Kernel preparation unnecessary for this kernel. Skipping...
Building module:
cleaning build area...
make -j4 KERNELRELEASE=5.0.21-1-pve -C /lib/modules/5.0.21-1-pve/build M=/var/lib/dkms/wireguard/0.0.20190702/build..........
cleaning build area...
DKMS: build completed.
wireguard.ko:
Running module version sanity check.
- Original module
- No original module exists within this kernel
- Installation
- Installing to /lib/modules/5.0.21-1-pve/updates/dkms/
depmod....
DKMS: install completed.
“modprobe wireguard” now returned no error. I continued the guide with:
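The mismatch above (headers installed for a newer kernel than the one actually booted) is easy to catch before running dkms. This is an added pre-flight check, not part of the original post; it assumes the Debian/Proxmox layout where headers for a kernel release live at /lib/modules/RELEASE/build, and the modules root is a parameter so it can be tested against a constructed directory tree.

```shell
#!/bin/sh
# Pre-flight check before "dkms autoinstall" on a Proxmox host.
# Added example, not from the original post.

# Succeeds when the build symlink (kernel headers) for release $1 exists
# under the modules root $2 (default /lib/modules).
headers_present() {
    [ -d "${2:-/lib/modules}/$1/build" ]
}

# Prints the newest installed pve kernel release under the modules root.
newest_installed_kernel() {
    ls "${1:-/lib/modules}" 2>/dev/null | grep -- '-pve$' | sort -V | tail -n 1
}

# Prints one word describing what to do for running kernel $1:
#   ok       headers match the running kernel, dkms can build
#   reboot   a newer kernel with headers is installed but not booted
#   install  no usable headers at all; install pve-headers first
dkms_readiness() {
    running=$1
    root=${2:-/lib/modules}
    if headers_present "$running" "$root"; then
        echo ok; return 0
    fi
    newest=$(newest_installed_kernel "$root")
    if [ -n "$newest" ] && [ "$newest" != "$running" ] \
        && headers_present "$newest" "$root"; then
        echo reboot; return 1
    fi
    echo install; return 2
}

# Real run on the host: "sh check.sh --run". Guarded so that sourcing
# the file only defines the functions.
main() {
    running=$(uname -r)
    case $(dkms_readiness "$running") in
        ok)      dkms autoinstall && modprobe wireguard ;;
        reboot)  echo "Running $running, headers are for $(newest_installed_kernel); reboot first." >&2; exit 1 ;;
        install) echo "No headers for $running: apt install pve-headers, then re-run." >&2; exit 1 ;;
    esac
}
if [ "${1:-}" = "--run" ]; then main; fi
```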
echo "wireguard" >> /etc/modules-load.d/modules.conf
Entered my already created Debian 10 container and followed the guide:
echo "deb https://deb.debian.org/debian/ unstable main" > /etc/apt/sources.list.d/unstable-wireguard.list
printf 'Package: *\nPin: release a=unstable\nPin-Priority: 90\n' > /etc/apt/preferences.d/limit-unstable
apt update
apt-get install --no-install-recommends wireguard-tools
ip link add wg0 type wireguard
Edit: To get WireGuard working, I also had to add the TUN device to the container's config, as I did for OpenVPN as well.
You’ll find the config here: /etc/pve/lxc/container_name.conf
lxc.cgroup.devices.allow: c 10:200 rwm
lxc.hook.autodev: sh -c "modprobe tun; cd ${LXC_ROOTFS_MOUNT}/dev; mkdir net; mknod net/tun c 10 200; chmod 0666 net/tun"
Hi!
I’m trying to follow your tutorial but something is not working…
If I add the lines:
lxc.cgroup.devices.allow: c 10:200 rwm
lxc.hook.autodev: sh -c "modprobe tun; cd ${LXC_ROOTFS_MOUNT}/dev; mkdir net; mknod net/tun c 10 200; chmod 0666 net/tun"
My container will not start and I’ll get this error:
Job for pve-container@110.service failed because the control process exited with error code.
See “systemctl status pve-container@110.service” and “journalctl -xe” for details.
TASK ERROR: command ‘systemctl start pve-container@110’ failed: exit code 1
I tried to run the mknod net/tun c 10 200 inside the container and it won’t work, saying: Operation not permitted
So probably that’s the problem, but I’m not sure how to solve it
I’m using a Debian 10 template and followed the guide step by step.
For the Wireguard part everything seems to be working, but I guess without that TUN device I cannot get any connectivity
Hi Asiier,
I just created a new container, added the two lines to the config and got the same error. Seems like this will not work with unprivileged containers.
When I set up WireGuard I used a privileged container. Maybe you give that a try.
Yepp,
That worked perfectly, but I’m now fighting with the NAT or iptables, because I can get a connection to my subnet but I’m unable to connect to the internet…
I made sure that everything is set up correctly but seems like the command: iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
Is not working…
Here is the link from my post over r/wireguard
Maybe you can help me solve the issue.
https://www.reddit.com/r/WireGuard/comments/fajw04/connected_to_my_server_and_access_to_subnet_but/?utm_source=share&utm_medium=web2x
Just had a look at your reddit post. My PostUp and PostDown strings look a bit different.
PostUp = iptables -A FORWARD -i wg0 -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
PostDown = iptables -D FORWARD -i wg0 -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE
I also use a specific IP for the clients in the server conf.
See here: https://nocin.eu/wireguard-installing-wireguard-in-lxc/
I’m not using any special IP-table rules.
root@wireguard:~# iptables --list
Chain INPUT (policy ACCEPT)
target prot opt source destination
Chain FORWARD (policy ACCEPT)
target prot opt source destination
ACCEPT all -- anywhere anywhere
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
Hmmm I added the:
iptables -A FORWARD -i %i -j ACCEPT
Since somebody was recommending that in another post and it worked for the dude asking the question.
Anyways, for me it is not working with or without it… So I don’t know.
You didn’t need to do any additional configuration on your router right?
In my router I only have the UDP forwarding for port 51820. Did you try the WireGuard default port 51820? In your reddit post you took 6500 as ListenPort.
I finally solved the problem…
The issue was that on my server I was allowing IP from any range 0.0.0.0/0, so I guess whenever the server didn’t have an Interface to said IP range, it would just send the packets back and forward from the Server to the Client instead of to my Router…
I thought the AllowedIPs setting on the server meant from which external IP it could receive connections (like the IP given by my ISP while using mobile data), but no, it is the private IP range from within the VPN tunnel.
So anyways, now it’s working
I just allow the IP on the range and everything flies.
[Interface]
Address = 10.10.2.14/24
SaveConfig = true
PostUp = iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE; iptables -A FORWARD -i %i -j ACCEPT; iptables -A FORWARD -o %i -j ACCEPT
# PostDown must delete (-D) exactly the rules PostUp added (-A); the original
# comment used -A here, which appends duplicate rules on every shutdown.
PostDown = iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE; iptables -D FORWARD -i %i -j ACCEPT; iptables -D FORWARD -o %i -j ACCEPT
ListenPort = 6500
FwMark = 0xca6c
PrivateKey = xxx
[Peer]
PublicKey = xxx
AllowedIPs = 10.10.2.0/30
Endpoint = x.x.x.x:37980
The ports don’t matter as long as you forward them correctly on the router.
Nice to hear!
I had this misunderstanding of the AllowedIPs setting as well.
In the meantime I had to set up another Proxmox host and also had to set up WireGuard again. This time I used the PiVPN tool to set up WireGuard.
This was by far the easiest way. You don’t even have to add the tun device to your container config and it will run fine inside an unprivileged container.
Can highly recommend it!