Guide: WireGuard on OpenVZ/LXC VPS


Comments

  • @Daniel said:

    @atth said: would it be possible to assign a /80 IPv6 subnet to the wireguard interface and assign IPv6 addresses to my devices that way?

    Not 100% sure but I have a feeling this won't work on OpenVZ due to how it configures the network device, and you'll need to try it on KVM instead.

    As an update to this, I managed to figure this out after reading the recent WireGuard/IPv6 post by jnraptor, specifically this comment https://talk.lowendspirit.com/discussion/comment/41804#Comment_41804

    Following the example in the linked comment, what I did was:
    1. Allocate IPv6 addresses on the OVZ control panel (but on a /80 subnet). This automatically adds the IP addresses to venet0 with a /64 netmask
    2. Use the PreUp line in wg0.conf to tear down the IPv6 addresses that will be used for wg0 and clients.
    3. Add IPv6 addresses to wg0.conf interface and AllowedIPs as required, using the /80 netmask

    Hope this helps someone!

    Thanked by (1) Abdullah
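The three steps above, written out as the two config files they produce. This is an added example, not the commenter's own configuration: the addresses are constructed placeholders from the 2001:db8::/32 documentation prefix (substitute the /80 the control panel actually allocated), the key strings are placeholders, and the forwarding sysctl line is an addition beyond the comment's three steps, needed only if clients should reach the internet through the VPS. wg-quick runs PreUp before it creates wg0 and applies Address, so the /64 entries are gone from venet0 by the time the /80 is added.

```ini
# /etc/wireguard/wg0.conf on the OpenVZ container (server side)
[Interface]
PrivateKey = <server-private-key>          ; placeholder
ListenPort = 51820
# Step 1 left every panel-allocated address on venet0 as /64.
# Step 2: remove the ones wg0 and its clients will use, so the kernel
# stops treating them as local to venet0 and routes them via wg0 instead.
PreUp = ip -6 addr del 2001:db8:0:1::1/64 dev venet0 || true
PreUp = ip -6 addr del 2001:db8:0:1::2/64 dev venet0 || true
PreUp = ip -6 addr del 2001:db8:0:1::3/64 dev venet0 || true
# Step 3: the tunnel endpoint carries the /80 netmask
Address = 2001:db8:0:1::1/80
# Addition (not in the comment): only needed if clients use the VPS as an IPv6 gateway
PostUp = sysctl -w net.ipv6.conf.all.forwarding=1
# Put the addresses back on venet0 when the tunnel goes down
PostDown = ip -6 addr add 2001:db8:0:1::1/64 dev venet0 || true
PostDown = ip -6 addr add 2001:db8:0:1::2/64 dev venet0 || true
PostDown = ip -6 addr add 2001:db8:0:1::3/64 dev venet0 || true

[Peer]
# Laptop: one /128 per client, so a peer can only source its own address
PublicKey = <laptop-public-key>            ; placeholder
AllowedIPs = 2001:db8:0:1::2/128

[Peer]
# Phone
PublicKey = <phone-public-key>             ; placeholder
AllowedIPs = 2001:db8:0:1::3/128


# /etc/wireguard/wg0.conf on the laptop (client side)
[Interface]
PrivateKey = <laptop-private-key>          ; placeholder
Address = 2001:db8:0:1::2/80

[Peer]
PublicKey = <server-public-key>            ; placeholder
Endpoint = vps.example.net:51820           ; placeholder hostname
# The whole /80 (or ::/0 for full-tunnel) is reachable through the server
AllowedIPs = 2001:db8:0:1::/80
PersistentKeepalive = 25
```

The comment says to use the /80 netmask in AllowedIPs; this example puts the /80 on the client side and narrows each server-side peer to a /128. WireGuard's cryptokey routing only accepts a packet from a peer if its source address falls inside that peer's AllowedIPs, so a /128 per client keeps one client from sending traffic as another; an /80 on a single server-side peer would route the whole subnet to that one peer and break the second client. Check the result with `wg show wg0` and `ip -6 route show dev wg0` after `wg-quick up wg0`.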
  • edited October 2020

    Keep in mind though this requires TAP and you have to accept the fact that userland network processing would be very disappointing. WireGuard being limited to userland gives it no edge against ZeroTier and similar competitors.

    Thus I suggest that the host should install the kernel module and allow the downstream containers to raise their volume back to 100%. The kernel namespace isolation means you won't have to worry about host attacks. It's very safe and kind if the host would like to install it; this can be as simple as apt install wireguard followed by a modprobe wireguard.

    By the way, Linux kernel 5.6 has merged WireGuard in-tree and this means it will even be usable for all containers out of the box once LTS passes through 5.6. This is probably great news for Proxmox LXC users as Proxmox are very active in pushing their kernel to mainline as much as possible.

    However, for OpenVZ buddies whose hosts are using the sh***y CentOS (and so RHEL), things won't be that straightforward -- you will need DKMS to compile specifically for each RHEL kernel update. And because RHEL backports so frequently... this could be a risk.
