---
title: "Wireguard on Nspawn"
date: 2025-01-30
draft: false
tags: ["Wireguard", "linux", "nspawn", "container", "systemd", "Debian", "bookworm", "Arch"]
authors: ["trent"]
post: 35
---
date: 2025-01-30

## Introduction
Have you ever been thinking about `systemd-nspawn` containers and thought, wouldn't
it be awesome if you could just wireguard outta there as easily as you can with a
virtual machine?

You can do it!

I have tested this with a Debian 12 `nspawn` container on a Debian 12 host, as well
as both Arch Linux and Debian 12 containers on an Arch Linux host.

## install wireguard-tools in container
*mask unwanted dependencies with a trailing `-`*

`apt install wireguard-tools linux-base-`

You can now configure with `wg-quick` and start using `wireguard`.

## unpacking the install
The trick is to avoid installing the dependencies of `wireguard` that you
don't need inside a container. A container shares the host's kernel, so you
don't need a kernel, busybox, initramfs, wireguard-modules, or dkms.

We mask `linux-base` by adding a `-` after it, which tells `apt` not to install
that package. The result is that only `wireguard-tools` is installed, without
`wireguard` or a bunch of other dependencies.
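
The effect of the trailing `-` can be checked before anything is installed by auditing an `apt-get -s` (simulate) dry run. The script below is an added example, not part of the original post; the function names, the `UNWANTED` pattern list and the sample dry-run lines are assumptions constructed for illustration.

```bash
#!/usr/bin/env bash
# Added example: audit an `apt-get -s install` dry run for packages the post
# says a container does not need (kernel, busybox, initramfs, dkms).

# Assumed name patterns for those packages; adjust to taste.
UNWANTED='^(linux-image|linux-base|initramfs-tools|busybox|wireguard-dkms|dkms)'

# Read dry-run output on stdin, print each package apt plans to install.
planned_installs() {
    awk '$1 == "Inst" { print $2 }'
}

# Print planned packages matching UNWANTED; return 1 if there are any.
unwanted_installs() {
    hits=$(planned_installs | grep -E "$UNWANTED" || true)
    if [ -n "$hits" ]; then
        printf '%s\n' "$hits"
        return 1
    fi
    return 0
}

# Constructed sample dry-run lines (versions are placeholders, not real output).
SAMPLE_PLAIN='Inst linux-base (0.0 Debian:12/stable [all])
Inst busybox (0.0 Debian:12/stable [amd64])
Inst initramfs-tools (0.0 Debian:12/stable [all])
Inst linux-image-amd64 (0.0 Debian:12/stable [amd64])
Inst wireguard-tools (0.0 Debian:12/stable [amd64])
Conf wireguard-tools (0.0 Debian:12/stable [amd64])'
SAMPLE_MASKED='Inst wireguard-tools (0.0 Debian:12/stable [amd64])
Conf wireguard-tools (0.0 Debian:12/stable [amd64])'

# Inside the container: dry-run the post's command and audit the plan.
audit_live() {
    apt-get -s install wireguard-tools linux-base- | unwanted_installs
}

if [ "${1:-}" = "--live" ]; then
    audit_live && echo "clean: no kernel packages planned"
else
    echo "without the mask (constructed sample):"
    printf '%s\n' "$SAMPLE_PLAIN" | unwanted_installs || echo "-> unwanted packages planned"
    echo "with linux-base- (constructed sample):"
    printf '%s\n' "$SAMPLE_MASKED" | unwanted_installs && echo "-> clean"
fi
```

Run it with `--live` inside the container to audit the real dry run instead of the embedded samples.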

## what about LXD containers?
I'm curious if this will work in LXD containers, but don't really have
a testing environment set up for that right now.