Detect WireGuard in Containers, and allow install. #185

Open
wants to merge 2 commits into
base: master

@jaminmc jaminmc commented Feb 7, 2021

I have tested this on my Ubuntu 20.04 server that has native WireGuard in its kernel, running LXD 4.10.

I have tested the following unprivileged containers:

  • Ubuntu 20.04
  • CentOS 7
  • Debian 10
  • CentOS 8
  • Fedora 32
  • Fedora 33
  • Arch Linux

I have not tested on OpenVZ.

@jaminmc jaminmc mentioned this pull request Feb 7, 2021

@jaminmc jaminmc left a comment

I did a rundown for you, so you know exactly what I did in the code :)
I'm sure you would deduce all of this on your own, but I thought it would save you some time :)

Comment on lines +15 to +23
if ip link add wg999 type wireguard 2> /dev/null ; then
echo "OpenVZ is not supported, but it seems to have correct kernel modules."
ip link del wg999
read -rp "Press enter to continue at your own risk, or CTRL-C to quit."
Container=1
else
echo "OpenVZ is not supported"
exit 1
fi
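
Review bot: The else branch treats every failure of `ip link add wg999 type wireguard` as a missing kernel module, and `2> /dev/null` throws away the one message that would say otherwise. The add also fails when the script is not allowed to create links or when an interface named wg999 already exists, and a later comment on this PR reports the probe failing on an OpenVZ host where `ip link add dev wg0 type wireguard` works. Suggest capturing stderr into a variable, printing it in the else branch so the user sees the real cause, and picking a probe name that is checked for collisions instead of hard-coding wg999.
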
Author

@jaminmc jaminmc Feb 8, 2021

This tests for the WireGuard module, and allows the install of the script at the user's risk, as I have not tested OpenVZ.

The test works by creating a WireGuard interface named wg999, and if successful, the WireGuard kernel module exists and works. Then it deletes that interface.

Comment on lines +26 to +40
if ip link add wg999 type wireguard 2> /dev/null ; then
ip link del wg999
echo "LXC is currently in Beta."
echo "WireGuard can technically run in an LXC container,"
echo "but the kernel module has to be installed on the host,"
echo "the container has to be run with some specific parameters"
echo "and only the tools need to be installed in the container."
echo "The Kernel seems to support Wireguard."
read -rp "Press enter to continue at your own risk, or CTRL-C to quit."
Container=1
else
echo "Your LXC host does not have the WireGuard Kernel Module."
echo "If you have access to the host, try installing wireguard-dkms on it."
exit 1
fi
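
Review bot: This probe is a copy of the one in the OpenVZ branch (the same `ip link add wg999 type wireguard`, `ip link del wg999`, `Container=1` sequence), so any fix to it has to be made in two places. Suggest moving it into one function that returns success or failure and calling that from both branches. The else message also tells the user to install wireguard-dkms on the host, which is only the right advice when the failure really is a missing module; with stderr sent to /dev/null the script cannot tell, so either keep the error text or soften the message.
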
Author

@jaminmc jaminmc Feb 8, 2021

This tests for WireGuard, and allows the user to continue. I have tested this on my own LXD Ubuntu 20.04 server with CentOS 7/8, Fedora 32/22, Debian 10, Ubuntu 16.04/18.04/20.04, and Arch Linux.
If the kernel module isn't there, it exits, and suggests installing it on the host, if the user has access to it. Doesn't help if they are using a VPS that they can't change.

The test works by creating a WireGuard interface named wg999, and if successful, the WireGuard kernel module exists and works. Then it deletes that interface.

Comment on lines +153 to +157
if [[ $Container == 1 ]]; then
apt-get install -y -t buster-backports wireguard-tools --no-install-recommends
else
apt-get install -y -t buster-backports wireguard
fi
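
Review bot: In the lines shown in this PR, `Container` is only ever assigned (to 1) inside the OpenVZ and LXC probe branches, so on every other path `[[ $Container == 1 ]]` reads an unset variable. That evaluates to false in bash, but it breaks under `set -u` and makes a misspelled name fail silently; suggest setting it to 0 before the virtualisation checks if that is not already done elsewhere. A one-line comment above this `if` saying that a container needs only the userspace tools because the module comes from the host kernel would also help, since that reasoning currently lives only in the PR discussion.
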
Author

Install only wireguard-tools for Debian, as that is all that is needed when the kernel module works.

Comment on lines +163 to +165
if [[ $Container != 1 ]]; then
dnf install -y wireguard-dkms
fi
Author

@jaminmc jaminmc Feb 8, 2021

If not a container, then install wireguard-dkms. Not needed if it is in the kernel with a container.

Comment on lines +174 to +178
if [[ $Container == 1 ]]; then
yum -y install wireguard-tools iptables qrencode
else
yum -y install kmod-wireguard wireguard-tools iptables qrencode
fi
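
Review bot: The two `yum -y install` lines differ only in `kmod-wireguard`, so the shared package list (wireguard-tools iptables qrencode) is now maintained in two places and can drift. Suggest one unconditional install of the common packages plus a conditional install of `kmod-wireguard` when `$Container` is not 1, which is the shape the Fedora change in this PR already uses for wireguard-dkms.
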
Author

Install only wireguard-tools for CentOS, as that is all that is needed when the kernel module works.

Comment on lines -356 to +392
apt-get autoremove --purge -y wireguard qrencode
apt-get autoremove --purge -y wireguard wireguard-tools qrencode
elif [[ ${OS} == 'debian' ]]; then
apt-get autoremove --purge -y wireguard qrencode
apt-get autoremove --purge -y wireguard wireguard-tools qrencode
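
Review bot: After this change both branches shown run the identical command, `apt-get autoremove --purge -y wireguard wireguard-tools qrencode`, so unless something outside the hunk differs between them, the `elif [[ ${OS} == 'debian' ]]` split can be folded into a single condition. It is also worth checking the uninstall branches for the other distributions against the new container path, since the install side now skips the kernel-module package there as well.
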
Author

Added wireguard-tools to the uninstall, as it is installed either way, but not purged if a container.

Owner

@angristan angristan left a comment

That looks pretty good, thanks!

alicemq commented Feb 23, 2021

Strangely, on a Hostinger VPS, OpenVZ is running with a 5.4.0 kernel, but this command fails, while `ip link add dev wg0 type wireguard` works.

I can delete the interface, but cannot create it. What is this sorcery?

@angristan angristan added the enhancement New feature or request label Jan 22, 2023