jails WireGuard in jail with kernel support?

The meta-port for WireGuard, net/wireguard, wants to install the kernel module net/wireguard-kmod, and this seems to fail in a jail:
Code:
pkg install wireguard
Updating FreeBSD repository catalogue...
FreeBSD repository is up to date.
All repositories are up to date.
Checking integrity... done (0 conflicting)
The following 2 package(s) will be affected (of 0 checked):

New packages to be INSTALLED:
    wireguard: 2,1
    wireguard-kmod: 0.0.20220615

Number of packages to be installed: 2

Proceed with this action? [y/N]: y
[test1] [1/2] Installing wireguard-kmod-0.0.20220615...
[test1] [1/2] Extracting wireguard-kmod-0.0.20220615:   0%
pkg: Fail to create temporary file: /boot/modules/.pkgtemp.if_wg.ko.r4LTGiV0G9Sb:Read-only file system
[test1] [1/2] Extracting wireguard-kmod-0.0.20220615: 100%

The jail is created with sysutils/bastille.

In "How to install a Wireguard VPN client in a FreeBSD jail", the meta-port for WireGuard net/wireguard does not require the kernel module net/wireguard-kmod, uses the slow userspace implementation net/wireguard-go, and installs successfully.

Should WireGuard in a jail somehow use the kernel module from the host?
 
Not sure what's the policy about answering old posts, but as I had the exact same issue and found this in a search engine, I'm going to answer it for people also finding it.

There are two issues with sysutils/bastille: the base install is mounted read-only and the jail uses the kernel from the host, so you can't (to my knowledge) load a kernel module that is not loaded on the host.

Step by step solution to get wireguard-kmod running with bastille:
  1. Editing the fstab file in /usr/local/bastille/jails/[jail-name]/fstab and replacing ro by rw in order to mount the filesystem with read-write settings.
  2. Installing net/wireguard in the jail (this time there will be no issue with the read-only and the install will proceed properly).
  3. Editing fstab again to put the read-only back (ro) and restarting the jail.
  4. Installing net/wireguard on the host (might work just with the kernel module but I haven't checked) and loading the kernel module.
With these steps done, wireguard should work inside the bastille jail.
 
For FreeBSD 14.1, as Echoxxzz pointed out, to use WireGuard in a jail you need the following:

1. Host: add if_wg_load="YES" to /boot/loader.conf.
2. Jail: pkg install wireguard-tools # this is to get the service startup scripts

You don't need to install any packages on the host; the wg kernel module is already part of FreeBSD 14.1.
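
A check for the two procedures above, added here as an example and not posted by anyone in the thread: it confirms that the jail's fstab was put back to read-only after the temporary rw edit and that /boot/loader.conf enables if_wg. It assumes the standard fstab column order and that the base mount is a nullfs entry; the function names and the sample fstab line are constructed.

```shell
#!/bin/sh
# Added example, not code from the thread.
# Assumption: the jail fstab uses the standard columns
#   device  mountpoint  fstype  options  dump  pass
# and the read-only base is a nullfs entry.

# Print "mountpoint options" for every nullfs entry whose options include rw.
fstab_rw_nullfs() {
    awk '
        /^[ \t]*#/ || NF < 4 { next }        # skip comments and short lines
        $3 == "nullfs" {
            n = split($4, opt, ",")
            for (i = 1; i <= n; i++)
                if (opt[i] == "rw") { print $2, $4; break }
        }
    ' "$1"
}

# Succeed only if no nullfs entry is still read-write (step 3 was done).
# Returns 2 if the file cannot be read.
fstab_is_locked_down() {
    [ -r "$1" ] || return 2
    [ -z "$(fstab_rw_nullfs "$1")" ]
}

# Succeed if loader.conf enables if_wg at boot; commented-out lines do not count.
loader_loads_if_wg() {
    [ -r "$1" ] || return 2
    awk '
        { sub(/#.*/, "") }                   # strip comments
        /^[ \t]*if_wg_load[ \t]*=[ \t]*"?[Yy][Ee][Ss]"?[ \t]*$/ { ok = 1 }
        END { exit !ok }
    ' "$1"
}

# Constructed sample: a jail fstab left read-write after step 1.
demo=$(mktemp)
echo '/usr/local/bastille/releases/14.1-RELEASE /usr/local/bastille/jails/test1/root/.bastille nullfs rw 0 0' > "$demo"
fstab_is_locked_down "$demo" || echo "still read-write: $(fstab_rw_nullfs "$demo")"
rm -f "$demo"
```

On a real host, point `fstab_is_locked_down` at /usr/local/bastille/jails/[jail-name]/fstab and `loader_loads_if_wg` at /boot/loader.conf.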
 