@jaminmc jaminmc commented Feb 7, 2021

I have tested this on my Ubuntu 20.04 server that has native Wireguard in its Kernel running LXD 4.10.

I have tested the following Unprivileged Containers:

  • Ubuntu 20.04
  • Centos 7
  • Debian 10
  • Centos 8
  • Fedora 32
  • Fedora 33
  • ArchLinux

I have not tested on OpenVZ.

@jaminmc jaminmc mentioned this pull request Feb 7, 2021
Author

@jaminmc jaminmc left a comment

I did a Rundown for you, so you know exactly what I did in the code :)
I'm sure you would deduce all of this on your own. But I thought it would save you some time :)

Comment on lines 15 to 34
if ip link add wg999 type wireguard 2> /dev/null ; then
echo "OpenVZ is not supported, but it seems to have correct kernel modules."
ip link del wg999
read -rp "Press enter to continue at your own risk, or CTRL-C to quit."
Container=1
else
echo "OpenVZ is not supported"
exit 1
fi
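
Review bot: The `ip link add wg999 type wireguard 2> /dev/null` probe treats every failure as a missing module. With stderr discarded, an already existing `wg999` interface or insufficient privileges also falls into the else branch and prints only "OpenVZ is not supported", which gives the user nothing to act on. Capture the error text and print it before `exit 1`, and confirm the probe name is unused before trying to create it.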
Author

@jaminmc jaminmc Feb 8, 2021

This tests for the WireGuard module, and allows the install of the script at the user's risk, as I have not tested OpenVZ.

The Test works by creating a Wireguard Interface of wg999, and if successful, the Wireguard Kernel module exists and works. Then it deletes that interface.

Comment on lines 26 to 44
if ip link add wg999 type wireguard 2> /dev/null ; then
ip link del wg999
echo "LXC is currently in Beta."
echo "WireGuard can technically run in an LXC container,"
echo "but the kernel module has to be installed on the host,"
echo "the container has to be run with some specific parameters"
echo "and only the tools need to be installed in the container."
echo "The Kernel seems to support Wireguard."
read -rp "Press enter to continue at your own risk, or CTRL-C to quit."
Container=1
else
echo "Your LXC host does not have the WireGuard Kernel Module."
echo "If you have access to the host, try installing wireguard-dkms on it."
exit 1
fi
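
Review bot: This is the same `wg999` create-and-delete probe as in the OpenVZ branch, copied with only the messages changed (and with `ip link del wg999` moved ahead of the echo lines). Put the `ip link add` / `ip link del` pair in one helper function that both branches call, so a later fix to the probe cannot land in one copy and miss the other. The first message, "LXC is currently in Beta.", also reads as a statement about LXC itself; say that this script's LXC support is in beta.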
Author

@jaminmc jaminmc Feb 8, 2021

This tests for WireGuard, and allows the user to continue. I have tested this on my own LXD Ubuntu 20.04 server with Centos 7/8, Fedora 32/22, Debian 10, Ubuntu 16.04/18.04/20.04, and ArchLinux.
If the kernel module isn't there, it exits, and suggests installing it on the host, if the user has access to it. This doesn't help if they are using a VPS that they can't change.

The Test works by creating a Wireguard Interface of wg999, and if successful, the Wireguard Kernel module exists and works. Then it deletes that interface.

Comment on lines 153 to 157
if [[ $Container == 1 ]]; then
apt-get install -y -t buster-backports wireguard-tools --no-install-recommends
else
apt-get install -y -t buster-backports wireguard
fi
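
Review bot: `Container` is assigned only as `Container=1` inside the container branches shown in this change, so on the non-container path `[[ $Container == 1 ]]` relies on the variable being unset. A `Container=1` inherited from the caller's environment would make a bare-metal install take the `wireguard-tools` branch and skip the `wireguard` package. Initialize it explicitly (for example `Container=0`) before the virtualization checks run.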
Author

Install only wireguard-tools for Debian, as that is all that is needed when Kernel Module works.

Comment on lines 163 to 165
if [[ $Container != 1 ]]; then
dnf install -y wireguard-dkms
fi
Author

@jaminmc jaminmc Feb 8, 2021

If not a Container, then install wireguard-dkms. Not needed if it is in Kernel with a container.

Comment on lines 174 to 178
if [[ $Container == 1 ]]; then
yum -y install wireguard-tools iptables qrencode
else
yum -y install kmod-wireguard wireguard-tools iptables qrencode
fi
Author

Install only wireguard-tools for Centos, as that is all that is needed when Kernel Module works.

Comment on lines 356 to 392
apt-get autoremove --purge -y wireguard qrencode
apt-get autoremove --purge -y wireguard wireguard-tools qrencode
elif [[ ${OS} == 'debian' ]]; then
apt-get autoremove --purge -y wireguard qrencode
apt-get autoremove --purge -y wireguard wireguard-tools qrencode
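
Review bot: After this change the branch above `elif [[ ${OS} == 'debian' ]]` and the Debian branch run the identical command, `apt-get autoremove --purge -y wireguard wireguard-tools qrencode`. Merge the two conditions into one branch so the package list is maintained in a single place and the two cannot drift apart on the next edit.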
Author

Added wireguard-tools to the uninstall, as it is installed either way, but not purged if a container.

Owner

@angristan angristan left a comment

That looks pretty good, thanks!

alicemq commented Feb 23, 2021

Strangely on Hostinger VPS, OPENVZ is running with 5.4.0 kernel, but this command fails, while ip link add dev wg0 type wireguard works.

alicemq commented Feb 23, 2021

Strangely on Hostinger VPS, OPENVZ is running with 5.4.0 kernel, but this command fails, while ip link add dev wg0 type wireguard works.

I can delete the interface, but cannot create it. What is this sorcery?

@angristan angristan added the enhancement New feature or request label Jan 22, 2023
@jaminmc jaminmc closed this Aug 30, 2025