[Wireguard] Preparing Proxmox Host for Wireguard in LXC

I followed this guide for using Wireguard inside LXC on Proxmox. (Also helpful)

echo "deb http://deb.debian.org/debian/ unstable main" > /etc/apt/sources.list.d/unstable.list
printf 'Package: *\nPin: release a=unstable\nPin-Priority: 90\n' > /etc/apt/preferences.d/limit-unstable
apt update
apt install wireguard

But as I ran “modprobe wireguard”, I just got:

modprobe: FATAL: Module wireguard not found in directory /lib/modules/5.0.15-1-pve

So I ran “dkms autoinstall”… but without success:

Error! Your kernel headers for kernel 5.0.15-1-pve cannot be found.
Please install the linux-headers-5.0.15-1-pve package,
or use the --kernelsourcedir option to tell DKMS where it's located

When I ran “apt install pve-headers”, it installed new pve-headers, but for a different kernel:

pve-headers pve-headers-5.0 pve-headers-5.0.21-1-pve

As expected, “modprobe wireguard” still returned

modprobe: FATAL: Module wireguard not found in directory /lib/modules/5.0.15-1-pve

So I checked my current kernel with “uname --kernel-release”, and since my last reboot had been about two weeks ago, it was still running 5.0.15-1-pve. So I rebooted, checked the kernel again, and now it was on 5.0.21-1-pve. Then I ran “dkms autoinstall” again, this time with success:

Kernel preparation unnecessary for this kernel.  Skipping...

Building module:
cleaning build area...
make -j4 KERNELRELEASE=5.0.21-1-pve -C /lib/modules/5.0.21-1-pve/build M=/var/lib/dkms/wireguard/0.0.20190702/build..........
cleaning build area...

DKMS: build completed.

wireguard.ko:
Running module version sanity check.
 - Original module
   - No original module exists within this kernel
 - Installation
   - Installing to /lib/modules/5.0.21-1-pve/updates/dkms/

depmod....

DKMS: install completed.

“modprobe wireguard” now returned no error. I continued the guide with:

echo "wireguard" >> /etc/modules-load.d/modules.conf

I entered my already-created Debian 10 container and followed the guide:

echo "deb http://deb.debian.org/debian/ unstable main" > /etc/apt/sources.list.d/unstable-wireguard.list
printf 'Package: *\nPin: release a=unstable\nPin-Priority: 90\n' > /etc/apt/preferences.d/limit-unstable
apt update
apt-get install --no-install-recommends wireguard-tools
ip link add wg0 type wireguard

Edit: To get Wireguard working, I also had to add the TUN device to the container’s config, like I did for OpenVPN as well.
You’ll find the config here: /etc/pve/lxc/container_name.conf

lxc.cgroup.devices.allow: c 10:200 rwm
lxc.hook.autodev: sh -c "modprobe tun; cd ${LXC_ROOTFS_MOUNT}/dev; mkdir net; mknod net/tun c 10 200; chmod 0666 net/tun"
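As an added check that is not part of the original post: a small POSIX sh script that reproduces the diagnosis above (running kernel vs. newest installed pve headers vs. what DKMS has actually installed) and verifies the two TUN lines in a container config. It assumes the Proxmox header layout /lib/modules/<release>/build, the "dkms status" line formats shown in its comments, and that the cgroup2 variant of the devices.allow key exists on newer Proxmox releases; all data it is exercised with is constructed.

```sh
#!/bin/sh
# Added diagnostic, not from the original post. Checks the three things that
# went wrong on the host above: the running kernel, the newest installed pve
# headers, and which kernels DKMS has actually installed the module for, plus
# the two TUN lines in a container config. Inputs are passed as arguments so
# the functions can be exercised on constructed data without a Proxmox host.

# Print the newest kernel release that has headers under $1/<release>/build
# (Proxmox puts them there; /lib/modules on a real host). GNU sort -V orders
# 5.0.21-1-pve after 5.0.15-1-pve, which a plain lexical sort would not.
newest_headers() {
    for d in "$1"/*/build; do
        [ -d "$d" ] || continue
        basename "$(dirname "$d")"
    done | sort -V | tail -n 1
}

# Decide the next step from the running release ($1) and the newest header
# release ($2). DKMS can only build against headers for the running kernel,
# so a newer header package is useless until you have rebooted into it.
plan() {
    if [ -z "$2" ]; then
        echo "install-headers"
    elif [ "$1" = "$2" ]; then
        echo "dkms-autoinstall"
    else
        echo "reboot-into-$2"
    fi
}

# Read 'dkms status' lines on stdin and print the kernel releases for which
# module $1 is reported installed. Assumed line formats (older and newer dkms):
#   wireguard, 0.0.20190702, 5.0.21-1-pve, x86_64: installed
#   wireguard/0.0.20190702, 5.0.21-1-pve, x86_64: installed
# In both the kernel release is the field before the last one.
dkms_installed_kernels() {
    awk -F', ' -v m="$1" \
        '($1 == m || index($1, m "/") == 1) && $NF ~ /: installed$/ { print $(NF-1) }'
}

# Check a /etc/pve/lxc/<id>.conf ($1) for the two lines the post adds for the
# TUN device (cgroup2 is the key name on newer Proxmox). Prints "ok" or the
# missing part(s).
tun_config_check() {
    missing=""
    grep -Eq '^lxc\.cgroup2?\.devices\.allow: c 10:200 rwm' "$1" || missing="$missing cgroup"
    grep -Eq '^lxc\.hook\.autodev:.*mknod net/tun c 10 200' "$1" || missing="$missing hook"
    if [ -z "$missing" ]; then echo "ok"; else echo "missing:$missing"; fi
}

# On a real Proxmox host: report_host wireguard /etc/pve/lxc/110.conf
report_host() {
    running=$(uname -r)
    newest=$(newest_headers /lib/modules)
    echo "running kernel:      $running"
    echo "newest pve headers:  ${newest:-none}"
    echo "dkms installed for:  $(dkms status 2>/dev/null | dkms_installed_kernels "$1" | tr '\n' ' ')"
    echo "next step:           $(plan "$running" "$newest")"
    if [ -n "$2" ]; then
        echo "container tun lines: $(tun_config_check "$2")"
    fi
}
```

Source the file and call report_host on the host; it prints "reboot-into-5.0.21-1-pve" in exactly the situation described above, where the headers were installed but the box was still on the older kernel.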

9 Comments

  1. Asiier

    Hi!
    I’m trying to follow your tutorial but something is not working…

    If I add the lines:
    lxc.cgroup.devices.allow: c 10:200 rwm
    lxc.hook.autodev: sh -c "modprobe tun; cd ${LXC_ROOTFS_MOUNT}/dev; mkdir net; mknod net/tun c 10 200; chmod 0666 net/tun"

    My container will not start and I’ll get this error:
    Job for pve-container@110.service failed because the control process exited with error code.
    See “systemctl status pve-container@110.service” and “journalctl -xe” for details.
    TASK ERROR: command ‘systemctl start pve-container@110’ failed: exit code 1

    I tried to run the mknod net/tun c 10 200 inside the container and it won’t work, saying: Operation not permitted
    So probably that’s the problem, but I’m not sure how to solve it.
    I’m using a Debian 10 template and followed the guide step by step.

    For the Wireguard part everything seems to be working, but I guess without that TUN device I cannot get any connectivity

    1. nocin

      Hi Asiier,

      I just created a new container, added the two lines to the config and got the same error. Seems like this will not work with unprivileged containers.
      As I set up wireguard I used a privileged container. Maybe you give that a try.

      1. Asiier

        Yepp,
        That worked perfectly, but I’m now fighting with the NAT or iptables because I can get a connection to my subnet but I’m unable to connect to the internet…

        I made sure that everything is set up correctly but it seems like the command: iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
        is not working…

        1. nocin

          Just had a look at your reddit post. My PostUp and PostDown strings look a bit different.

          PostUp = iptables -A FORWARD -i wg0 -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
          PostDown = iptables -D FORWARD -i wg0 -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE

          I also use a specific IP for the clients in the server conf.
          See here: https://nocin.eu/wireguard-installing-wireguard-in-lxc/

          I’m not using any special IP-table rules.

          root@wireguard:~# iptables --list
          Chain INPUT (policy ACCEPT)
          target prot opt source destination

          Chain FORWARD (policy ACCEPT)
          target prot opt source destination
          ACCEPT all -- anywhere anywhere

          Chain OUTPUT (policy ACCEPT)
          target prot opt source destination

          1. Asiier

            Hmmm I added the:
            iptables -A FORWARD -i %i -j ACCEPT
            since somebody was recommending that in another post and it worked for the dude asking the question.

            Anyways, for me it is not working with or without it… So I don’t know.
            You didn’t need to do any additional configuration on your router right?

          2. nocin

            In my router I only have the UDP forwarding for port 51820. Did you try the wireguard default port 51820? In your reddit post you took 6500 as ListenPort.

          3. Asiier

            I finally solved the problem…

            The issue was that on my server I was allowing IP from any range 0.0.0.0/0, so I guess whenever the server didn’t have an Interface to said IP range, it would just send the packets back and forward from the Server to the Client instead of to my Router…

            I thought the Allow IP setting on the server meant from which external IP it could receive connections (like the IP given by my ISP while using mobile data), but no, it’s the private IP range from within the VPN tunnel.

            So anyways, now it’s working
            I just allow the IP on the range and everything flies.

            [Interface]
            Address = 10.10.2.14/24
            SaveConfig = true
            PostUp = iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE; iptables -A FORWARD -i %i -j ACCEPT; iptables -A FORWARD -o %i -j ACCEPT;
            PostDown = iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE; iptables -D FORWARD -i %i -j ACCEPT; iptables -D FORWARD -o %i -j ACCEPT;
            ListenPort = 6500
            FwMark = 0xca6c
            PrivateKey = xxx

            [Peer]
            PublicKey = xxx
            AllowedIPs = 10.10.2.0/30
            Endpoint = x.x.x.x:37980

            The ports don’t matter as long as you forward them correctly on the router.

          4. nocin

            Nice to hear!
            I had this misunderstanding of the AllowIp settings as well.

            In the meantime I had to set up another Proxmox host and also had to set up Wireguard again. This time I used the PiVPN tool to set up Wireguard: https://www.pivpn.io/
            This was by far the easiest way. You don’t even have to add the tun device to your container config and it will run fine inside an unprivileged container.
            Can highly recommend it!
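The AllowedIPs confusion in the comments above is WireGuard's cryptokey routing: AllowedIPs on a peer is the set of tunnel-internal addresses that peer may use as a source and that will be routed to it as a destination, not the external endpoints it may connect from. The POSIX sh script below is an added illustration of that lookup, not code from the post or the thread. The peer table is constructed ("phone" mirrors the 10.10.2.0/30 entry from the thread, "laptop" is made up), and the demo shows why a 0.0.0.0/0 entry on the server side captures every destination.

```sh
#!/bin/sh
# Added illustration of WireGuard's AllowedIPs semantics (cryptokey routing);
# not code from the original post or thread. For an outgoing packet the
# destination is matched against every peer's AllowedIPs and the longest
# prefix picks the peer; an incoming decrypted packet is accepted only if its
# inner source address lies inside the sending peer's AllowedIPs. The peer
# table is constructed: "phone" mirrors the 10.10.2.0/30 entry from the thread.

# Dotted-quad IPv4 to a 32-bit integer.
ip2int() {
    IFS=. read -r a b c d <<EOF
$1
EOF
    echo $(( (a << 24) | (b << 16) | (c << 8) | d ))
}

# Is address $1 inside CIDR $2 (e.g. 10.10.2.0/30)? A /0 matches everything.
# 4294967295 is 0xFFFFFFFF, written in decimal for portability across shells.
in_cidr() {
    net=${2%/*}
    bits=${2#*/}
    mask=$(( bits == 0 ? 0 : (4294967295 << (32 - bits)) & 4294967295 ))
    [ $(( $(ip2int "$1") & mask )) -eq $(( $(ip2int "$net") & mask )) ]
}

# Peer table, one peer per line: "<name> <AllowedIPs>" (constructed sample).
PEERS='phone 10.10.2.0/30
laptop 10.10.2.4/30'

# Outgoing: which peer does a packet to destination $1 go to, given table $2?
# Longest matching prefix wins; "none" means WireGuard drops the packet.
peer_for_dst() {
    best=none
    bestbits=-1
    while read -r name cidr; do
        [ -n "$name" ] || continue
        if in_cidr "$1" "$cidr" && [ "${cidr#*/}" -gt "$bestbits" ]; then
            best=$name
            bestbits=${cidr#*/}
        fi
    done <<EOF
$2
EOF
    echo "$best"
}

# Incoming: is a decrypted packet from peer $1 with inner source $2 accepted,
# given table $3? Prints yes or no.
accept_from_peer() {
    verdict=no
    while read -r name cidr; do
        if [ "$name" = "$1" ] && in_cidr "$2" "$cidr"; then
            verdict=yes
        fi
    done <<EOF
$3
EOF
    echo "$verdict"
}

# Stand-alone demo. With the /30 table an internet destination has no peer,
# so the server forwards it out eth0 where the MASQUERADE rule applies. With a
# 0.0.0.0/0 peer, wg-quick also installs a route sending all traffic into wg0
# (that is what the FwMark entry in the thread's config is for), and this
# lookup then hands every packet back to that peer instead of the router.
demo() {
    echo "10.10.2.2 -> $(peer_for_dst 10.10.2.2 "$PEERS")"
    echo "10.10.2.6 -> $(peer_for_dst 10.10.2.6 "$PEERS")"
    echo "8.8.8.8   -> $(peer_for_dst 8.8.8.8 "$PEERS")"
    echo "8.8.8.8   -> $(peer_for_dst 8.8.8.8 'phone 0.0.0.0/0') (catch-all peer)"
    echo "from phone as 10.10.2.6: $(accept_from_peer phone 10.10.2.6 "$PEERS")"
}
```

Run demo after sourcing the file; the last line shows the inbound side, where a packet from the phone peer claiming an address outside its /30 is dropped before it ever reaches the FORWARD chain.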
