
I would like to use a container to run WireGuard on my Raspberry Pi. I installed Podman and Buildah successfully. I created a container with Alpine Linux (for the RB) and try to install WireGuard in it. When I try to do the last step, starting the service, it fails. I am new to this topic so there could be a beginner's mistake too which I might not see. I get this error when I run the command sudo buildah run $container -- wg-quick up wg0 without privileged mode

[#] ip link add wg0 type wireguard
RTNETLINK answers: Operation not permitted
Unable to access interface: Operation not permitted
[#] ip link delete dev wg0
Cannot find device "wg0"
error while running runtime: exit status 1
ERRO exit status 1

but when I run the command sudo buildah run $container -- wg-quick up wg0 in privileged mode I get this

error reading build container "vpn-container": error reading build container: container not known

What is the problem? The files which I use are included. The container is built with buildah.

This is my buildah file:

#!/usr/bin/env bash
echo "net.ipv4.ip_forward=1" >> local.conf
container=$(buildah from --name "vpn-container" arm32v7/alpine)
echo $container
buildah run $container -- apk add bash
buildah config --workingdir /tmp $container
buildah run $container -- mkdir /etc/wireguard
buildah copy $container local.conf /tmp
buildah run $container -- mv /tmp/local.conf /etc/sysctl.d/local.conf
buildah copy $container *WireGuard.sh /tmp
buildah run $container -- chmod +x *WireGuard.sh
buildah run $container -- ./installWireGuard.sh
buildah run $container -- ./configureWireGuard.sh

# Enable IP Forwarding
sudo buildah run $container -- wg-quick up wg0
#buildah commit $container vpn-baseimage

and this is my installWireGuard.sh

#!/bin/bash
apk update
apk add -U wireguard-tools
#apk add wireguard-tools-wg
#apk add wireguard-vanilla

and this is my configureWireGuard.sh

#!/bin/bash
# Generate security keys (one key pair each for server and client; the public
# key is derived from the matching private key)
server_private_key=$(wg genkey)
server_public_key=$(echo "$server_private_key" | wg pubkey)

client_private_key=$(wg genkey)
client_public_key=$(echo "$client_private_key" | wg pubkey)

# Keep copies of the keys as files next to the script
echo "$server_private_key" > server_private_key
echo "$server_public_key" > server_public_key
echo "$client_private_key" > client_private_key
echo "$client_public_key" > client_public_key

# Note: these echoes put the private keys into the build output/log
echo security keys:
echo server_private_key: $server_private_key
echo server_public_key: $server_public_key
echo client_private_key: $client_private_key
echo client_public_key: $client_public_key

# Generate server configuration
cat <<EOF > wg0.conf
[Interface]
Address = 10.123.0.1/24
SaveConfig = true
PrivateKey = $server_private_key
ListenPort = 45340

PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE; iptables -A FORWARD -o %i -j ACCEPT
PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE; iptables -D FORWARD -o %i -j ACCEPT
EOF
# The config contains the private key, so make it readable by the owner only
chmod og-rwx wg0.conf
cp wg0.conf /etc/wireguard/wg0.conf

# Enable autostart
#systemctl enable wg-quick@wg0
#chown -R root:root /etc/wireguard/
#chmod -R og-rwx /etc/wireguard/*

DJPX

1 Answer


Basically Docker containers don't have permission to edit your network interfaces by default. You can fix this by either adding --cap-add=NET_ADMIN to your docker run command, or in docker-compose.yml you can add:

container_or_service_name:
  cap_add:
    - NET_ADMIN

https://stackoverflow.com/questions/27708376/why-am-i-getting-an-rtnetlink-operation-not-permitted-when-using-pipework-with-d
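Added example, not part of the question or of the answer above: a POSIX shell pre-flight check that decodes the CapEff bitmask the kernel exposes in /proc/self/status and reports which of the situations in this thread the container is in. The first error in the question (RTNETLINK answers: Operation not permitted on ip link add) is what wg-quick produces when CAP_NET_ADMIN is missing from the process's effective capability set; the answer's --cap-add=NET_ADMIN grants exactly that one bit (buildah run and podman run take the same --cap-add option), while --privileged grants every capability, including CAP_SYS_ADMIN, which wg-quick does not need. The capability numbers 12 (CAP_NET_ADMIN) and 21 (CAP_SYS_ADMIN) are the kernel's; the three sample masks are constructed for the demonstration, not captured from the poster's Raspberry Pi.

```shell
#!/bin/sh
# Added example (not from the question or the answer): decide whether the
# current process holds a given Linux capability by decoding the CapEff
# hex bitmask in /proc/self/status. Run inside the container before
# wg-quick: without CAP_NET_ADMIN, "ip link add wg0 type wireguard" fails
# with "Operation not permitted", exactly as in the question.
# Capability numbers are the kernel's (linux/capability.h).
CAP_NET_ADMIN=12
CAP_SYS_ADMIN=21

# has_cap MASK_HEX CAPNUM -> exit 0 if bit CAPNUM is set in the mask.
has_cap() {
    mask=$1
    cap=$2
    [ $(( (0x$mask >> $cap) & 1 )) -eq 1 ]
}

# current_capeff -> print the CapEff hex mask of this process.
current_capeff() {
    awk '/^CapEff:/ { print $2 }' /proc/self/status
}

# describe_mask MASK_HEX -> none | net_admin_only | privileged_like
describe_mask() {
    if has_cap "$1" "$CAP_SYS_ADMIN"; then
        echo privileged_like
    elif has_cap "$1" "$CAP_NET_ADMIN"; then
        echo net_admin_only
    else
        echo none
    fi
}

# Constructed sample masks (not captured from a real system):
MASK_EMPTY=0000000000000000        # no capabilities at all
MASK_NET_ADMIN_ONLY=0000000000001000   # only bit 12 (CAP_NET_ADMIN) set
MASK_FULL=000001ffffffffff         # everything, as --privileged would grant

# preflight -> print a verdict for the process this script runs in.
preflight() {
    eff=$(current_capeff)
    case $(describe_mask "$eff") in
        none)
            echo "CapEff=$eff: CAP_NET_ADMIN absent; wg-quick up will fail" ;;
        net_admin_only)
            echo "CapEff=$eff: CAP_NET_ADMIN present, CAP_SYS_ADMIN absent (least privilege)" ;;
        privileged_like)
            echo "CapEff=$eff: CAP_SYS_ADMIN present; more than wg-quick needs" ;;
    esac
}

if [ -r /proc/self/status ]; then
    preflight
fi
```

Running the script as the last buildah run step before wg-quick tells you whether the capability was actually granted, which is the check the question's first error called for. The question's second error ("container not known" once the command is run under sudo) is a separate issue from capabilities: rootless and rootful Buildah keep separate container storage, so a working container created without sudo is not visible to sudo buildah; the whole build script needs to run consistently as one user.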