[Docker] Install Docker in LXC running Debian Buster

If you already have an LXC with Debian running, add the following three lines to the lxc config (path /etc/pve/lxc/xxx.conf) and reboot the container:

lxc.apparmor.profile: unconfined
lxc.cgroup.devices.allow: a

Now simple install docker.

sudo apt update && apt upgrade -y
sudo apt install apt-transport-https ca-certificates curl gnupg2 software-properties-common
curl -fsSL download.docker.com/linux/debian/gpg | sudo apt-key add -
sudo add-apt-repository "deb [arch=amd64] https://download.docker.com/linux/debian $(lsb_release -cs) stable"
sudo apt update
sudo apt install docker-ce docker-ce-cli containerd.io docker-compose

Running and managing docker containers requires sudo privileges. If you don’t want to type sudo for every commmand, add your current user to the docker group.

sudo usermod -aG docker ${USER}

Docker should now be installed, the daemon started, and the process enabled to start on boot. Check that it’s running.

sudo systemctl status docker

Test if the installtions is working correctly with hello-world.

sudo docker run hello-world

Each container you will create gets a unique ID and name you can look up with “docker ps”. To remove the docker instance just use “docker rm” followed by the ID or the container name.

sudo docker ps -a
sudo docker stop relaxed_williamson
sudo docker rm relaxed_williamson

[Wireguard] Configuring Wireguard in LXC

Update 11.05.2020: I recommend using the PiVPN script (especially when using a unprivileged container). https://nocin.eu/wireguard-set-up-wireguard-using-pivpn-inside-lxc/

I followed these three guides: 1, 2 and 3
First set folder permissions and genereate the first key pair inside your lxc.

umask 077
wg genkey | tee privatekey | wg pubkey > publickey

Then create the config file. Mine is called wg0.conf.
As address you can take whatever IP you want. I also added NAT to get internet access with the client through my container.
For the client you have to create on the client side a key pair and enter the public key in the server wg0.conf as peer. Now your config should have an interface and a peer part.

Address =
SaveConfig = true
PostUp = iptables -A FORWARD -i wg0 -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
PostDown = iptables -D FORWARD -i wg0 -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE
ListenPort = 51820
FwMark = 0xca6c
PrivateKey = <private_server_key>

#1. Peer Phone
PublicKey = <public_client_key>
AllowedIPs =

#2. Peer Notebook
PublicKey = <public_client_key>
AllowedIPs =

Then create the config on the client side. Mine is called client.conf. As peer we now enter our public server key.

PrivateKey = <private_client_key>
Address =
#this is my local pi-hole
DNS =                

PublicKey = <public_server_key>
AllowedIPs =
Endpoint = my.domain.org:51820
PersistentKeepalive = 25

That’s all we need. Now start the interface in your container, after that on the client.

wg-quick up wg0

To check the connection status just run:

wg show

I testet my connection with IP-Leak and ifconfig.me.

To stop the interface run:

wg-quick down wg0

To set up the VPN interface to be persistent across reboots, enable it as service:

sudo systemctl enable wg-quick@wg0.service