My host is behind a NAT and connects to some other bastion host via wireguard, on interface wg0, with AllowedIPs set to 0.0.0.0/0,::/0, which routes all traffic through that bastion host.

Now, I'd like to run some application within a systemd-nspawn container, that uses a completely different wireguard tunnel: wg1. wg1 now should route all traffic (0.0.0.0/0,::/0) from inside that container. Additionally, I need to access ports from the host that the software in this container opens up.

What are the steps to create this container? Ideally, wg1 is created as a separate tunnel "next to" wg0, instead of tunneling through wg0.

What I have done so far, without success:

  • create a wg1.netdev within /etc/systemd/network with:

    [NetDev]
    Name=wg1
    Kind=wireguard

    [WireGuard]
    PrivateKey=redacted

    [Peer]
    PublicKey=redacted
    PresharedKey=redacted
    Endpoint=domain.tld:port
    AllowedIPs=0.0.0.0/0,::/0
    PersistentKeepalive=25

  • configure the nspawn container via /etc/systemd/nspawn/mycontainer.nspawn:

    [Network]
    VirtualEthernet=true
    # Interface= moves the host-created wg1 into the container's network namespace
    Interface=wg1

  • within the container: /etc/systemd/network/wg1.network

    [Match]
    Name=wg1

    [Network]
    # systemd.network(5) uses Address=, not IpAddress=; an unknown key is ignored with a journal warning
    Address=<v4 static subnet ip within wg1>
    Address=<v6 ...>

  • within the container: /etc/resolv.conf

    nameserver <v4 dns advertised by wg1 subnet>
    nameserver <v6 ...>

  • Enable systemd-networkd inside the container.
  • Enable IP forwarding with net.ipv4.ip_forward=1 and net.ipv6.conf.all.forwarding=1 (not sure if this is necessary though?)
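A misspelled key in a networkd unit does not fail the unit; networkd only logs a warning and leaves the interface unconfigured. The following lint, an added example that is not part of the question, checks the three unit files shown above against a hand-picked subset of the documented keys; the schema tables, the REQUIRED list and the sample addresses are my own constructions.

```python
# Added lint for the unit files in the question (not from the original post); key
# tables are a hand-picked subset of systemd.netdev/.network/.nspawn(5); samples are constructed.
SCHEMA = {
    "netdev": {
        "NetDev": {"Name", "Kind", "MTUBytes"},
        "WireGuard": {"PrivateKey", "PrivateKeyFile", "ListenPort", "FirewallMark"},
        "Peer": {"PublicKey", "PresharedKey", "PresharedKeyFile", "AllowedIPs",
                 "Endpoint", "PersistentKeepalive"},
    },
    "network": {
        "Match": {"Name", "Kind", "Type", "Driver", "MACAddress"},
        "Network": {"Address", "Gateway", "DNS", "DHCP", "IPv6AcceptRA"},
    },
    "nspawn": {"Network": {"VirtualEthernet", "Interface", "Bridge", "Zone", "Port", "Private"}},
}
# Keys this particular setup cannot work without (static tunnel address, one peer).
REQUIRED = {
    "netdev": [("NetDev", "Name"), ("NetDev", "Kind"), ("WireGuard", "PrivateKey"),
               ("Peer", "PublicKey"), ("Peer", "AllowedIPs"), ("Peer", "Endpoint")],
    "network": [("Match", "Name"), ("Network", "Address")],
    "nspawn": [("Network", "Interface")],
}
def parse_unit(text):
    """Return {section: {key: [values]}}; keys may repeat (Address=, DNS=)."""
    units, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
            units.setdefault(section, {})
        elif "=" in line and section is not None:
            key, value = (part.strip() for part in line.split("=", 1))
            units[section].setdefault(key, []).append(value)
    return units
def lint_unit(text, kind):
    """Report unknown sections/keys (networkd warns and ignores them) and missing required keys."""
    schema, parsed, findings = SCHEMA[kind], parse_unit(text), []
    for section, keys in parsed.items():
        if section not in schema:
            findings.append(f"unknown section [{section}]")
            continue
        findings += [f"unknown key {k}= in [{section}]" for k in keys if k not in schema[section]]
    findings += [f"missing {k}= in [{s}]" for s, k in REQUIRED[kind] if k not in parsed.get(s, {})]
    return findings
# Constructed sample: the container's wg1.network as posted, then corrected.
POSTED = "[Match]\nName=wg1\n\n[Network]\nIpAddress=192.0.2.10/32\nIpAddress=2001:db8::10/128\n"
FIXED = POSTED.replace("IpAddress", "Address")
```

Running `lint_unit(POSTED, "network")` reports the unknown IpAddress= key and the missing Address=, while the corrected text returns no findings.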
