Update 11.05.2020: I recommend using the PiVPN script (especially when using an unprivileged container). https://nocin.eu/wireguard-set-up-wireguard-using-pivpn-inside-lxc/
Start by generating the server key pair inside the container. The umask makes sure the private key file is readable only by root:

umask 077; wg genkey | tee privatekey | wg pubkey > publickey

Then create the config file. Mine is called wg0.conf and lives in /etc/wireguard/, which is where wg-quick looks for it when you later run wg-quick up wg0. Keep it root-only (mode 600), since it contains the private key.

For the Address, pick a private subnet that is used for nothing else: it must not overlap the LAN the container sits in or any network the clients connect from, otherwise routes collide. The server takes the first host address and every peer gets one /32 out of the same subnet. I also added NAT so the clients get internet access through my container; for that to work, IP forwarding has to be enabled in the container (net.ipv4.ip_forward = 1), and the interface name in the MASQUERADE rule (eth0 here) has to be the container's uplink interface.

Each client needs its own key pair, generated on the client with the same command. Only the client's public key is copied into the server's wg0.conf as a [Peer] entry; the private key never leaves the client. Your server config should now have an interface part and one peer part per client.
[Interface]
Address = 192.168.1.1/24
SaveConfig = true
PostUp = iptables -A FORWARD -i wg0 -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
PostDown = iptables -D FORWARD -i wg0 -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE
ListenPort = 51820
FwMark = 0xca6c
PrivateKey = <private_server_key>

[Peer]
# 1. Peer Phone
PublicKey = <public_phone_key>
AllowedIPs = 192.168.1.2/32

[Peer]
# 2. Peer Notebook
PublicKey = <public_notebook_key>
AllowedIPs = 192.168.1.3/32

Note that SaveConfig = true makes wg-quick rewrite this file from the running interface state on wg-quick down, so peers you add to the file while the interface is up must also be loaded into the running interface, or they will be overwritten.
Then create the config on the client side. Mine is called client.conf. In its [Peer] section we now enter the server's public key.

[Interface]
PrivateKey = <private_client_key>
Address = 192.168.1.2/24
# this is my local pi-hole
DNS = 192.168.1.102

[Peer]
PublicKey = <public_server_key>
AllowedIPs = 0.0.0.0/0
Endpoint = my.domain.org:51820
PersistentKeepalive = 25

AllowedIPs = 0.0.0.0/0 on the client means all of its traffic, DNS included, goes through the tunnel (a full tunnel). If you only want to reach the tunnel subnet, put 192.168.1.0/24 there instead. The Endpoint is the public DNS name or IP of your container's host together with the ListenPort from the server config, so UDP 51820 has to be forwarded to the container.
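Adding peers by hand, as above, is fine for two devices but gets error-prone quickly: every peer needs a fresh key pair, a unique /32 and a matching client config, and with SaveConfig = true a file-only edit is lost on the next wg-quick down. The following script automates that for a wg0.conf laid out like the one above. It is an added example, not the original post's code. It assumes the server config is /etc/wireguard/wg0.conf (override with WG_CONF), the interface is named wg0, the tunnel subnet is 192.168.1.0/24 with the server on .1, and it takes the endpoint and DNS server from the post as placeholder defaults (WG_ENDPOINT, WG_DNS). It also sets a per-peer PresharedKey, which the post's configs do not use.

```shell
#!/bin/sh
# add-wg-peer.sh: add one more peer to a wg0.conf laid out like the one above.
# Added example, not the original post's code. Assumptions:
#   - the server config is $WG_CONF (default /etc/wireguard/wg0.conf), interface wg0;
#   - the tunnel subnet is 192.168.1.0/24, server on .1, every peer gets a /32;
#   - WG_ENDPOINT and WG_DNS default to the placeholder values used in the post.
set -eu

WG_CONF="${WG_CONF:-/etc/wireguard/wg0.conf}"
WG_ENDPOINT="${WG_ENDPOINT:-my.domain.org:51820}"
WG_DNS="${WG_DNS:-192.168.1.102}"
WG_PREFIX="192.168.1"

# next_free_ip CONF: lowest host address in the /24 (above the server's .1) that does
# not yet appear as "AllowedIPs = <prefix>.N/32" in CONF. Fails when the /24 is full.
next_free_ip() {
    n=2
    while [ "$n" -le 254 ]; do
        if ! grep -Eq "^[[:space:]]*AllowedIPs[[:space:]]*=[[:space:]]*${WG_PREFIX}\.${n}/32" "$1"; then
            echo "${WG_PREFIX}.${n}"
            return 0
        fi
        n=$((n + 1))
    done
    echo "no free address left in ${WG_PREFIX}.0/24" >&2
    return 1
}

# server_peer_block NAME PUBKEY PSK IP: the [Peer] stanza appended to the server config.
server_peer_block() {
    printf '\n[Peer]\n# %s\nPublicKey = %s\nPresharedKey = %s\nAllowedIPs = %s/32\n' \
        "$1" "$2" "$3" "$4"
}

# client_conf PRIVKEY IP DNS SERVER_PUBKEY PSK ENDPOINT: the matching client.conf,
# full tunnel (AllowedIPs = 0.0.0.0/0) like the one in the post.
client_conf() {
    printf '[Interface]\nPrivateKey = %s\nAddress = %s/32\nDNS = %s\n\n' "$1" "$2" "$3"
    printf '[Peer]\nPublicKey = %s\nPresharedKey = %s\nAllowedIPs = 0.0.0.0/0\n' "$4" "$5"
    printf 'Endpoint = %s\nPersistentKeepalive = 25\n' "$6"
}

# add_peer NAME: generate the peer's keys, register it on the server (file and running
# interface) and print the client config to stdout. Needs wg(8) and root in the container.
add_peer() {
    [ -r "$WG_CONF" ] || { echo "cannot read $WG_CONF" >&2; return 1; }
    ip=$(next_free_ip "$WG_CONF")
    umask 077                                   # new key material must not be world-readable
    priv=$(wg genkey)
    pub=$(printf '%s\n' "$priv" | wg pubkey)
    psk=$(wg genpsk)                            # extra symmetric secret, unique per peer
    server_priv=$(sed -n 's/^[[:space:]]*PrivateKey[[:space:]]*=[[:space:]]*//p' "$WG_CONF" | head -n 1)
    server_pub=$(printf '%s\n' "$server_priv" | wg pubkey)
    server_peer_block "$1" "$pub" "$psk" "$ip" >> "$WG_CONF"
    # Load the new peer into the live interface as well: with SaveConfig = true the next
    # 'wg-quick down' rewrites the file from the running state, so a file-only edit is lost.
    if wg show wg0 >/dev/null 2>&1; then
        wg-quick strip wg0 | wg syncconf wg0 /dev/stdin
    fi
    client_conf "$priv" "$ip" "$WG_DNS" "$server_pub" "$psk" "$WG_ENDPOINT"
}

# Usage: WG_ENDPOINT=vpn.example.org:51820 ./add-wg-peer.sh tablet > tablet.conf
if [ "${1:-}" != "" ]; then
    add_peer "$1"
fi
```

The printed client config contains the client's private key, so transfer it over a secure channel (or render it as a QR code for the phone app with qrencode, if installed) and delete the copy afterwards. Because SaveConfig rewrites the file from kernel state, the # name comments are lost on the next wg-quick down while the PresharedKey entries survive.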
That's all we need. Now start the interface in your container, then on the client:
wg-quick up wg0
To check the connection status (latest handshake per peer, endpoints, transfer counters) run this in the container or on the client:

wg show
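Eyeballing wg show works for two peers; for an unattended container you want the same check as a script that fails when a peer has gone quiet. The following script is an added example, not from the original post. It parses the machine-readable wg show <iface> dump output, whose first line describes the interface and whose remaining tab-separated lines describe one peer each (public key, preshared key, endpoint, allowed IPs, latest handshake as a Unix timestamp, bytes received, bytes sent, keepalive). The 180 s default threshold is an assumption: a peer with PersistentKeepalive re-handshakes roughly every two minutes while it is reachable, so a longer gap means that tunnel is down.

```shell
#!/bin/sh
# wg-health.sh: list peers without a recent handshake, parsed from 'wg show <iface> dump'.
# Added example, not from the original post. Dump layout (tab-separated):
#   line 1:  private-key  public-key  listen-port  fwmark
#   line 2+: public-key  preshared-key  endpoint  allowed-ips  latest-handshake  rx  tx  keepalive
set -eu

# stale_peers MAX_AGE NOW (dump on stdin): print "<pubkey> <allowed-ips> <age>" for every
# peer whose latest handshake is older than MAX_AGE seconds, or "never" if it has none.
stale_peers() {
    awk -v max="$1" -v now="$2" '
        NR == 1 { next }                        # interface line, not a peer
        {
            hs = $5 + 0                         # 0 means no handshake ever completed
            if (hs == 0)       { print $1, $4, "never"; next }
            age = now - hs
            if (age > max)     { print $1, $4, age "s" }
        }'
}

# check_iface IFACE MAX_AGE: run against the live interface (needs root or CAP_NET_ADMIN).
check_iface() {
    wg show "$1" dump | stale_peers "$2" "$(date +%s)"
}

# Usage: ./wg-health.sh wg0 180   -> lists stale peers and exits 1 when there are any,
# which makes it usable from cron or a systemd timer. 180 s is an assumed threshold.
if [ "${1:-}" != "" ]; then
    stale=$(check_iface "$1" "${2:-180}")
    if [ -n "$stale" ]; then
        printf '%s\n' "$stale"
        exit 1
    fi
fi
```

Run it in the container against wg0 to see which clients are connected; run it on a Linux client to confirm the tunnel to the server is alive. A peer listed as never has a key or endpoint problem (wrong public key, blocked UDP port, wrong Endpoint), a peer with a large age had a working tunnel that has since dropped.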
To stop the interface run:
wg-quick down wg0
To bring the interface up automatically after a reboot, enable the wg-quick unit for it (the same works on a Linux client with its own config name):

sudo systemctl enable wg-quick@wg0