Commit 812e027bc0: Allow multiple interfaces per namespace. Change configuration format to json.
wg-netns
wg-quick with support for Linux network namespaces. It's a simple Python script that implements the steps described at wireguard.com/netns: the WireGuard interface is created in the main namespace and then moved into a dedicated one, so processes started inside that namespace can only reach the network through the tunnel.
Setup
Requirements:
- Linux
- Python 3.7 or newer
- ip from iproute2
- wg from wireguard-tools
Just download the script and make it executable.
mkdir -p ~/.local/bin/ && curl -o ~/.local/bin/wg-netns https://raw.githubusercontent.com/dadevel/wg-netns/master/wg-netns.py && chmod 0755 ~/.local/bin/wg-netns
Usage
First, create a configuration profile. You can find two examples below: a minimal profile, and a fuller one with two interfaces, hooks and DNS servers.

./mini.json:

{
  "name": "ns-example",
  "interfaces": [
    {
      "name": "wg-example",
      "address": ["10.10.10.192/32", "fc00:dead:beef::192/128"],
      "private-key": "4bvaEZHI...",
      "peers": [
        {
          "public-key": "bELgMXGt...",
          "endpoint": "vpn.example.com:51820",
          "allowed-ips": ["0.0.0.0/0", "::/0"]
        }
      ]
    }
  ]
}
./maxi.json:

{
  "name": "ns-example",
  "dns-server": ["10.10.10.1", "10.10.10.2"],
  "pre-up": "some shell command",
  "post-up": "some shell command",
  "pre-down": "some shell command",
  "post-down": "some shell command",
  "interfaces": [
    {
      "name": "wg-site-a",
      "address": ["10.10.11.172/32", "fc00:dead:beef:1::172/128"],
      "listen-port": 51821,
      "fwmark": 51821,
      "private-key": "nFkQQjN+...",
      "mtu": 1420,
      "peers": [
        {
          "public-key": "Kx+wpJpj...",
          "preshared-key": "5daskLoW...",
          "endpoint": "a.example.com:51821",
          "persistent-keepalive": 25,
          "allowed-ips": ["10.10.11.0/24", "fc00:dead:beef:1::/64"]
        }
      ]
    },
    {
      "name": "wg-site-b",
      "address": ["10.10.12.172/32", "fc00:dead:beef:2::172/128"],
      "listen-port": 51822,
      "fwmark": 51822,
      "private-key": "guYPuE3X...",
      "mtu": 1420,
      "peers": [
        {
          "public-key": "NvZMoyrg...",
          "preshared-key": "cFQuyIX/...",
          "endpoint": "b.example.com:51822",
          "persistent-keepalive": 25,
          "allowed-ips": ["10.10.12.0/24", "fc00:dead:beef:2::/64"]
        }
      ]
    }
  ]
}
Now it's time to set up your new network namespace and all associated WireGuard interfaces. Pass the profile to up; creating namespaces and interfaces needs root, so run it with the required privileges, e.g.:

wg-netns up ./mini.json
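As an added illustration (not part of wg-netns), the following Python script parses a profile like the ones above, rejects unknown or malformed keys, and prints the ip(8)/wg(8) commands that the wireguard.com/netns recipe prescribes for it, so you can review what bringing it up amounts to before anything touches the system. The embedded stand-in profile, the placeholder keys and the /run/wg-netns config path are this example's own assumptions.

```python
"""Dry-run planner for wg-netns JSON profiles (added example, not the project's code).
Reads a profile shaped like ./mini.json or ./maxi.json, checks it, and lists the
ip(8)/wg(8) commands from wireguard.com/netns that bringing it up amounts to, without
executing anything. The /run/wg-netns config path is this example's assumption."""
import ipaddress
import json
import sys

# Key names as used in the profiles above. Unknown keys are rejected so that a mistyped
# hook such as "pred-own" fails loudly instead of silently never running.
PROFILE_KEYS = {"name", "dns-server", "pre-up", "post-up", "pre-down", "post-down", "interfaces"}
IFACE_KEYS = {"name", "address", "listen-port", "fwmark", "private-key", "mtu", "peers"}
IFACE_REQUIRED = {"name", "address", "private-key", "peers"}
PEER_KEYS = {"public-key", "preshared-key", "endpoint", "persistent-keepalive", "allowed-ips"}

MINI = {  # constructed stand-in for ./mini.json; the key strings are placeholders
    "name": "ns-example",
    "interfaces": [{"name": "wg-example",
                    "address": ["10.10.10.192/32", "fc00:dead:beef::192/128"],
                    "private-key": "PRIVATE-KEY-PLACEHOLDER",
                    "peers": [{"public-key": "PEER-PUBLIC-KEY-PLACEHOLDER",
                               "endpoint": "vpn.example.com:51820",
                               "allowed-ips": ["0.0.0.0/0", "::/0"]}]}],
}


def _parses(parser, value) -> bool:
    try:
        parser(value)
        return True
    except ValueError:
        return False


def validate_profile(profile: dict) -> list:
    """Return the problems found; an empty list means the profile is usable."""
    problems = [f"profile: unknown key {k!r}" for k in sorted(set(profile) - PROFILE_KEYS)]
    if not profile.get("name"):
        problems.append("profile: 'name' (the netns name) is required")
    for iface in profile.get("interfaces", []):
        label = f"interface {iface.get('name', '?')}"
        problems += [f"{label}: missing {k!r}" for k in sorted(IFACE_REQUIRED - set(iface))]
        problems += [f"{label}: unknown key {k!r}" for k in sorted(set(iface) - IFACE_KEYS)]
        problems += [f"{label}: bad address {a!r}" for a in iface.get("address", [])
                     if not _parses(ipaddress.ip_interface, a)]
        for peer in iface.get("peers", []):
            plabel = f"{label} peer {str(peer.get('public-key', '?'))[:8]}"
            problems += [f"{plabel}: unknown key {k!r}" for k in sorted(set(peer) - PEER_KEYS)]
            problems += [f"{plabel}: bad allowed-ips entry {n!r}" for n in peer.get("allowed-ips", [])
                         if not _parses(ipaddress.ip_network, n)]
    return problems


def render_wg_conf(iface: dict) -> str:
    """Render one interface as a wg(8) setconf file; addresses, MTU and routes are ip(8) business."""
    lines = ["[Interface]", f"PrivateKey = {iface['private-key']}"]
    if "listen-port" in iface:
        lines.append(f"ListenPort = {iface['listen-port']}")
    if "fwmark" in iface:
        lines.append(f"FwMark = {iface['fwmark']}")
    for peer in iface["peers"]:
        lines += ["", "[Peer]", f"PublicKey = {peer['public-key']}"]
        if "preshared-key" in peer:
            lines.append(f"PresharedKey = {peer['preshared-key']}")
        if "endpoint" in peer:
            lines.append(f"Endpoint = {peer['endpoint']}")
        if "persistent-keepalive" in peer:
            lines.append(f"PersistentKeepalive = {peer['persistent-keepalive']}")
        lines.append("AllowedIPs = " + ", ".join(peer.get("allowed-ips", [])))
    return "\n".join(lines) + "\n"


def plan_commands(profile: dict) -> list:
    """The wireguard.com/netns sequence: each interface is created in the init netns (its UDP
    tunnel traffic uses the host's routes) and moved into the new netns, where it is the only
    way out, so a 0.0.0.0/0 AllowedIPs needs no fwmark or policy-routing tricks."""
    ns = profile["name"]
    cmds = [f"ip netns add {ns}", f"ip -n {ns} link set lo up"]
    if "dns-server" in profile:
        # ip-netns(8) bind-mounts /etc/netns/<ns>/resolv.conf over /etc/resolv.conf for `ip netns exec`
        cmds.append(f"mkdir -p /etc/netns/{ns} && printf 'nameserver %s\\n' {' '.join(profile['dns-server'])} > /etc/netns/{ns}/resolv.conf")
    for iface in profile["interfaces"]:
        dev = iface["name"]
        cmds += [f"ip link add {dev} type wireguard", f"ip link set {dev} netns {ns}"]
        if "mtu" in iface:
            cmds.append(f"ip -n {ns} link set {dev} mtu {iface['mtu']}")
        for addr in iface["address"]:
            cmds.append(f"ip -n {ns} address add {addr} dev {dev}")
        # wg reads the key from a file, never argv (visible in /proc): write render_wg_conf() there, mode 0600
        cmds.append(f"ip netns exec {ns} wg setconf {dev} /run/wg-netns/{dev}.conf")
        cmds.append(f"ip -n {ns} link set {dev} up")
        for peer in iface["peers"]:
            for net in peer.get("allowed-ips", []):
                network = ipaddress.ip_network(net)
                target = "default" if network.prefixlen == 0 else net
                cmds.append(f"ip -n {ns} -{network.version} route add {target} dev {dev}")
    return cmds


if __name__ == "__main__":  # usage: wgnetns_plan.py ./maxi.json
    with open(sys.argv[1]) as fh:
        prof = json.load(fh)
    problems = validate_profile(prof)
    if problems:
        sys.exit("\n".join(problems))
    print("\n".join(plan_commands(prof)))
```

Run it as wgnetns_plan.py ./maxi.json; the output is a plan, nothing is executed, and the pre-up/post-up hooks are left to the caller. The private key goes into a wg setconf file rather than onto a command line because wg takes key material only from files, which keeps it out of ps and /proc. Validation on a profile with a mistyped hook key reports "profile: unknown key 'pred-own'" instead of bringing the namespace up with a hook that never runs.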
You can verify the result with a combination of ip and wg.
ip netns exec ns-example wg show
Or you can spawn a shell inside the netns.
ip netns exec ns-example bash -i
Or connect a container to it.
podman run -it --rm --network ns:/var/run/netns/ns-example docker.io/alpine wget -O - https://ipinfo.io
Or do whatever else you want.
System Service
You can find a wg-quick@.service equivalent at wg-netns@.service.
Port Forwarding
With socat you can forward TCP traffic from outside a network namespace to a port inside it.
socat tcp-listen:$LHOST,reuseaddr,fork "exec:ip netns exec $NETNS socat stdio 'tcp-connect:$RHOST',nofork"
Example: all connections to port 1234/tcp in the main netns are forwarded into the ns-example namespace to port 5678/tcp. Note that both listeners accept connections from any address by default; restrict them to loopback (bind=127.0.0.1 on the socat listen address, --bind 127.0.0.1 for http.server) unless the service should be reachable from beyond the host. Without the latter the test server also listens on the WireGuard address inside the namespace, i.e. it is exposed to your VPN peers.

# terminal 1, create the netns (the profile's name is ns-example) and start an HTTP server inside it
wg-netns up ./mini.json
echo hello > ./hello.txt
ip netns exec ns-example python3 -m http.server --bind 127.0.0.1 5678
# terminal 2, set up the port forwarding
socat tcp-listen:1234,reuseaddr,fork "exec:ip netns exec ns-example socat stdio 'tcp-connect:127.0.0.1:5678',nofork"
# terminal 3, test access
curl http://127.0.0.1:1234/hello.txt