WireGuard on Linux ‘jail’ with systemd-nspawn

Has anyone been able to successfully install and configure WireGuard on a Linux systemd-nspawn ‘jail’? How?

I have been able to move away from kubernetes/SCALE apps with such jails (all of my installs run Tailscale for remote management, and the performance overhead from the k3s service for such a simple task was annoying, to say the least), but I’m stuck trying to set up WireGuard. I know it is possible - there’s an app for that, after all - but can’t seem to make it work inside a jail (I’m working with these via the jailmaker script by @Jip-Hop).

FWIW, I have installed WireGuard on a number of bare metal and virtual machines, and the procedure is straightforward to me.

On the old forum people have reported successful installation of WireGuard in the jail in the jailmaker thread. I think their posts will have some hints which may be useful to you.

Read the whole thread, couldn’t find anything specific to WireGuard. Will keep looking.

Look for Tailscale. It’s using WireGuard under the hood. I think the same advice applies to WireGuard itself. Search results for query: Tailscale | TrueNAS Community

Tailscale simply works, running their install script - the only thing needed is the --capability=CAP_NET_ADMIN argument in the jail config.

Anyway, I did manage to get WireGuard running for now as a docker container inside a jail, following this link: GitHub - linuxserver/docker-wireguard

It takes a couple minutes to accept connections when the jail is restarted, but it is enough for my current needs. I’ll investigate further how to do this without docker, as a side project.

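Since the one hard requirement named above is that `CAP_NET_ADMIN` reaches the jail, here is an added preflight check (written for this write-up, not taken from any post in the thread or from jailmaker) that decodes the capability bounding set a process actually sees. Run it from inside the jail against `/proc/self/status`; if it reports `missing`, neither Tailscale nor a native WireGuard setup can create or configure interfaces, whatever else is going on. The sample status files in the usage note are constructed; the only real constant is `CAP_NET_ADMIN = 12` from `linux/capability.h`.

```shell
#!/bin/sh
# Added example: verify from inside a systemd-nspawn jail whether
# CAP_NET_ADMIN is in the bounding set. Tailscale and WireGuard need it
# to create and configure network interfaces.
CAP_NET_ADMIN=12   # capability number from linux/capability.h

# cap_in_mask MASK CAPNUM -> exit 0 if bit CAPNUM is set in the hex MASK
cap_in_mask() {
    mask="$1"
    capnum="$2"
    [ $(( (0x$mask >> $capnum) & 1 )) -eq 1 ]
}

# cap_mask_from_status FILE -> print the CapBnd hex mask from a
# /proc/<pid>/status-style file (empty if the line is absent)
cap_mask_from_status() {
    sed -n 's/^CapBnd:[[:space:]]*//p' "$1"
}

# check_net_admin FILE -> prints "present", "missing" or "unknown"
check_net_admin() {
    mask="$(cap_mask_from_status "$1")"
    if [ -z "$mask" ]; then
        echo unknown          # not Linux, or not a status file
    elif cap_in_mask "$mask" "$CAP_NET_ADMIN"; then
        echo present
    else
        echo missing
    fi
}

# Stand-alone use: inspect the shell's own bounding set.
if [ -r /proc/self/status ]; then
    printf 'CAP_NET_ADMIN in bounding set: %s\n' "$(check_net_admin /proc/self/status)"
fi
```

Usage: `sh capcheck.sh` inside the jail. A full bounding set shows up as `CapBnd: 000001ffffffffff` (all 41 capabilities) and reports `present`; a mask such as `000001ffffffefff` (the same set with bit 12 cleared) reports `missing`, as does Docker's unprivileged default `00000000a80425fb`, which is why the linuxserver container needs the extra capability it asks for.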

For some reason it takes the sandbox a relatively long time to get a DHCP lease when it starts.


Can we mark this reply as the “Solution” to your original question?

Yes, it solves my problem - and the docker container is quite easy to set up.

I’d still like to understand the reason why a plain jail won’t work, though…
