---
title: "Wireguard on Nspawn"
date: 2025-01-30
draft: false
tags: ["Wireguard", "linux", "nspawn", "container", "systemd", "Debian", "bookworm", "Arch"]
authors: ["trent"]
post: 35
---

## Introduction

Have you ever been thinking about `systemd-nspawn` containers and thought, wouldn't it be awesome if you could just wireguard outa there as easily as you can with a virtual machine?

You can do it! I have tested this with a Debian 12 `nspawn` container on a Debian 12 host, as well as both Arch Linux and Debian 12 containers on an Arch Linux host.

## install wireguard-tools in container

*mask unwanted dependencies with a trailing `-`*

`apt install wireguard-tools linux-base-`

You can now configure with `wg-quick` and start using `wireguard`.

## unpacking the install

The trick is to avoid installing the dependencies of `wireguard` that you don't need inside a container. You don't need a kernel, busybox, initramfs, wireguard-modules, or dkms.

We mask `linux-base` by adding a `-` after it, and the result is that only `wireguard-tools` is installed, without `wireguard` or a bunch of other dependencies.

## what about LXD containers?

I'm curious if this will work in LXD containers, but I don't really have a testing environment set up for that right now.
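
To check what the trailing `-` in the install command does before running it in a container, the following added example (not part of the original post) audits a simulated `apt-get -s install` plan for the packages the post says a container does not need. The two sample plans are constructed for illustration, and the pattern list is an assumption derived from the post's list of unneeded dependencies.

```shell
#!/bin/sh
# Added example: audit an `apt-get -s install` plan for packages that
# should not land inside an nspawn container.

# Assumed name patterns for the post's list: kernel, busybox, initramfs,
# wireguard-modules, dkms (plus linux-base, the package being masked).
UNWANTED='^(linux-image|linux-headers|linux-base|busybox|initramfs-tools|wireguard-modules|wireguard-dkms|dkms)'

# Read a simulated plan on stdin; print every unwanted package that apt
# intends to install ("Inst" lines carry the package name in field 2).
unwanted_in_plan() {
    awk '$1 == "Inst" { print $2 }' | grep -E "$UNWANTED" || true
}

# Return 0 when the plan on stdin is clean, 1 when it pulls in unwanted packages.
audit_plan() {
    _hits=$(unwanted_in_plan)
    if [ -n "$_hits" ]; then
        printf 'unwanted package in plan: %s\n' $_hits >&2
        return 1
    fi
    return 0
}

# Constructed sample: a plan where the mask held.
sample_plan_masked() {
    cat <<'EOF'
Inst wireguard-tools (0.0-constructed Debian:12/stable [amd64])
Conf wireguard-tools (0.0-constructed Debian:12/stable [amd64])
EOF
}

# Constructed sample: a plan where kernel-side packages came along.
sample_plan_unmasked() {
    cat <<'EOF'
Inst linux-base (0.0-constructed Debian:12/stable [all])
Inst dkms (0.0-constructed Debian:12/stable [all])
Inst wireguard-dkms (0.0-constructed Debian:12/stable [all])
Inst wireguard-tools (0.0-constructed Debian:12/stable [amd64])
EOF
}

# Inside the container: sh audit.sh --live   (simulation only, installs nothing)
if [ "${1:-}" = "--live" ]; then
    apt-get -s install wireguard-tools linux-base- | audit_plan
fi
```
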