LXD: Create WireGuard container

Create container

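# Name of the LXD instance that will run WireGuard; reused by the
# port-forward and restore steps further down.
CONTAINER=wireguard

# Add the ubuntu-minimal image server (simplestreams protocol).
# NOTE(review): lxc remote add presumably fails if the remote already
# exists — confirm before re-running these notes on the same host.
lxc remote add --protocol simplestreams ubuntu-minimal https://cloud-images.ubuntu.com/minimal/releases/

# Create the container from a pinned release; the commented lts alias
# would follow whatever the current LTS is instead.
#lxc launch ubuntu-minimal:lts "${CONTAINER}"
lxc launch ubuntu-minimal:22.04 "${CONTAINER}"

# Hand the host's http_proxy to the container through lxc's own --env flag
# instead of splicing it into a bash -c string: the value is then never
# re-parsed by the container shell, so spaces or quotes in it cannot break
# or alter the command. ${http_proxy:-} keeps the step working when no
# proxy is set (the variable is exported empty, as before).
# apt-get is used rather than apt because apt's CLI is not stable for
# non-interactive use.
lxc exec "${CONTAINER}" --env "http_proxy=${http_proxy:-}" -- \
  bash -c 'apt-get update && apt-get -y dist-upgrade && apt-get -y autoremove'

# Install WireGuard, iptables (used by the PostUp/PostDown rules in
# wg0.conf) and iputils-ping (ping).
lxc exec "${CONTAINER}" --env "http_proxy=${http_proxy:-}" -- \
  bash -c 'apt-get install -y wireguard iptables iputils-ping'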

Configure UDP port 51820 forwarding to the WireGuard container

# Forward WireGuard's UDP port from every host address into the container.
# The device listens on the host (0.0.0.0:51820) and relays to the loopback
# listener inside the container (ListenPort in wg0.conf). The host firewall
# must still permit inbound UDP 51820.
# NOTE(review): in this plain proxy mode the container presumably sees all
# peers as coming from 127.0.0.1 (source address not preserved) — confirm if
# peer IPs matter for logging or filtering.
lxc config device add "${CONTAINER}" udp51820 proxy \
  listen=udp:0.0.0.0:51820 \
  connect=udp:127.0.0.1:51820

Configure WireGuard

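# Generate the server key pair. Presumably run inside the container (e.g. via
# lxc exec "${CONTAINER}" -- bash), where /etc/wireguard exists after the
# package install above.
# Chained with && so that a failed cd does not leave the keys in whatever
# the current directory happens to be. umask 077 gives both files mode 600
# (owner-only). privatekey is the secret; publickey is derived from it and
# is the value the client puts into its [Peer] PublicKey.
cd /etc/wireguard \
  && umask 077 \
  && wg genkey | tee privatekey | wg pubkey > publickey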
 
# /etc/wireguard/wg0.conf — server side, inside the container.
# PrivateKey is presumably the contents of /etc/wireguard/privatekey from the
# step above. The value shown here has been pasted into these notes; a key
# that has been shared this way should be regenerated rather than reused.
[Interface]
# Server tunnel address; the home client uses 192.168.8.2 (wg-office.conf).
Address = 192.168.8.1/24
# Must match the connect= port of the LXD proxy device (udp51820).
ListenPort = 51820
PrivateKey = aI+ohS+Jd5T5lMIDXqvLwp8g6eT6U28bQVS43t5YaU8=
# %i is the interface name (wg0). Allow forwarding in both directions through
# the tunnel and NAT peer traffic out of eth0.
# NOTE(review): assumes eth0 is the container's uplink interface — confirm.
PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -A FORWARD -o %i -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
# Removes exactly the rules added in PostUp.
PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -D FORWARD -o %i -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE

# Home client (see wg-office.conf below).
[Peer]
# The client's public key (its publickey file), not the server's.
PublicKey = yD3wRcoQ94Wu9o9WaLzjfA0S2IQrD91E8xxpSiMU6yE=
# Only the client's tunnel address is accepted from / routed to this peer.
AllowedIPs = 192.168.8.2/32

Enable and start the WireGuard systemd service

# Bring wg0 up now and on every boot through the wg-quick unit template;
# the unit runs the equivalent of a manual `wg-quick up wg0`.
# Presumably executed as root inside the container (lxc exec), where sudo
# may be unnecessary.
unit="wg-quick@wg0.service"
sudo systemctl enable --now "${unit}"

WireGuard Home configuration

# Client-side key pair, generated on the home machine. umask 077 gives both
# files mode 600 (owner-only); run this in a private directory.
umask 077
wg genkey > privatekey
wg pubkey < privatekey > publickey

# Home network parameters, referenced by the commented-out route exclusions
# in wg-office.conf.
HOME_DEFAULT_GW=192.168.178.1   # default gateway on the home LAN
HOME_DEFAULT_IF=wlp3s0          # presumably the Wi-Fi interface (wl* name)
 
# wg-office.conf — client side, on the home machine (imported into
# NetworkManager below).
# PrivateKey is presumably the client's privatekey file. As with wg0.conf, a
# key that has been pasted into shared notes should be regenerated.
[Interface]
PrivateKey = mLn9fY3OgVoWoGR6tYpFnXHgqNz6o1v7FJ3zjgm/r3s=
# Client tunnel address; matches the server's [Peer] AllowedIPs 192.168.8.2/32.
Address = 192.168.8.2/24
# OPTIONAL: exclude some networks from VPN routing by pinning them to the
# home gateway before the tunnel routes are added.
# NOTE(review): ${HOME_DEFAULT_GW} / ${HOME_DEFAULT_IF} are shell variables
# from the snippet above; they are not substituted when this file is read as
# a config, so the literal values belong here. NetworkManager's importer is
# also believed to ignore PreUp/PostDown hooks — confirm before relying on them.
#PreUp = ip route add 192.168.1.0/24 via ${HOME_DEFAULT_GW} dev ${HOME_DEFAULT_IF}
#PostDown = ip route del 192.168.1.0/24 via ${HOME_DEFAULT_GW} dev ${HOME_DEFAULT_IF}
#PreUp = ip route add 10.10.0.0/16 via ${HOME_DEFAULT_GW} dev ${HOME_DEFAULT_IF}
#PostDown = ip route del 10.10.0.0/16 via ${HOME_DEFAULT_GW} dev ${HOME_DEFAULT_IF}

[Peer]
# Server public key (the server's publickey file).
PublicKey = SK8HVAND5LR81YuKzluoxCEjpYmz5hWHfq+Lt65bIFI=
# NOTE(review): 192.168.8.1 is the server's *tunnel* address (wg0.conf) and
# also falls inside AllowedIPs 192.168.0.0/16 below, so the handshake traffic
# would presumably be routed into the tunnel it is meant to carry. The
# endpoint normally has to be the LXD host's reachable address on which the
# udp51820 proxy device listens — confirm.
Endpoint = 192.168.8.1:51820
# Keepalive every 15 s so NAT / stateful firewalls keep the UDP mapping open.
PersistentKeepalive = 15
# Networks routed through the tunnel; repeated AllowedIPs lines are additive.
AllowedIPs = 10.0.0.0/8 # RFC 1918 10/8
AllowedIPs = 172.16.0.0/12 # RFC 1918 172.16/12
AllowedIPs = 192.168.0.0/16 # RFC 1918 192.168/16; also covers the home gateway 192.168.178.1, so the home LAN goes into the tunnel unless excluded above
AllowedIPs = 212.11.12.13/32 # some public IPs

Configure DNS and primary VPN

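# Remove any earlier import of the same profile so the import below starts
# clean. Both steps are best-effort: they fail harmlessly when no such
# profile exists yet.
nmcli connection down wg-office || true
nmcli connection delete wg-office || true

# Import the client config as a NetworkManager WireGuard profile (the
# profile name is taken from the file name, wg-office).
nmcli connection import type wireguard file wg-office.conf
# The import may activate the profile immediately; take it down so the
# modifications below are in place before first use.
nmcli connection down wg-office
# NOTE(review): the private key from wg-office.conf now lives in the NM
# profile as well — keep the .conf owner-only or remove it; confirm the
# profile file permissions on this distribution.

# DNS server for this profile (inside AllowedIPs 192.168.0.0/16, so queries
# go through the tunnel).
nmcli connection modify wg-office ipv4.dns "192.168.251.6"

# OPTIONAL: auto-start the primary VPN (OFFICE_VPN1) together with this one.
# Look the UUID up first and apply it only if the lookup succeeded; a bare
# $(...) in the modify command would set connection.secondaries to an empty
# value when OFFICE_VPN1 does not exist.
if primary_uuid=$(nmcli -g connection.uuid connection show OFFICE_VPN1); then
  nmcli connection modify wg-office connection.secondaries "${primary_uuid}"
else
  printf 'warn: OFFICE_VPN1 not found; connection.secondaries left unchanged\n' >&2
fi

# Start the WireGuard VPN.
nmcli connection up wg-office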

Import a previous WireGuard configuration

# Restore a saved /etc/wireguard (keys and wg0.conf) into the container and
# restart it so the enabled wg-quick@wg0 unit presumably comes up with the
# restored config. The glob is intentionally unquoted.
# NOTE(review): lxc may require the destination to end in "/" when several
# sources are pushed, and the pushed privatekey should still be owner-only
# afterwards — confirm both.
lxc file push --recursive ~/backup/wireguard/* "${CONTAINER}/etc/wireguard"
lxc restart "${CONTAINER}"

Links
WireGuard AllowedIPs calculator: https://www.procustodibus.com/blog/2021/03/wireguard-allowedips-calculator/