2
0
mirror of https://github.com/dadevel/wg-netns synced 2024-10-30 21:20:12 +00:00
Go to file
dadevel 812e027bc0 rewrite for v1
Allow multiple interfaces per namespace.
Change configuration format to json.
2020-12-09 21:55:26 +00:00
.gitignore initial commit 2020-11-15 17:04:55 +01:00
LICENSE initial commit 2020-11-15 17:04:55 +01:00
README.md rewrite for v1 2020-12-09 21:55:26 +00:00
wg-netns.py rewrite for v1 2020-12-09 21:55:26 +00:00
wg-netns@.service rewrite for v1 2020-12-09 21:55:26 +00:00

wg-netns

wg-quick with support for linux network namespaces. It's a simple python script that implements the steps described at wireguard.com/netns.

Setup

Requirements:

  • Linux
  • Python 3.7 or newer
  • ip from iproute2
  • wg from wireguard-tools

Just download the script and make it executable.

mkdir -p ~/.local/bin/ && curl -o ~/.local/bin/wg-netns https://raw.githubusercontent.com/dadevel/wg-netns/master/wg-netns.py && chmod 0755 ~/.local/bin/wg-netns

Usage

First, create a configuration profile. You can find two examples below.

./mini.json:

{
  "name": "ns-example",
  "interfaces": [
    {
      "name": "wg-example",
      "address": ["10.10.10.192/32", "fc00:dead:beef::192/128"],
      "private-key": "4bvaEZHI...",
      "peers": [
        {
          "public-key": "bELgMXGt...",
          "endpoint": "vpn.example.com:51820",
          "allowed-ips": ["0.0.0.0/0", "::/0"]
        }
      ]
    }
  ]
}

./maxi.json:

{
  "name": "ns-example",
  "dns-server": ["10.10.10.1", "10.10.10.2"],
  "pre-up": "some shell command",
  "post-up": "some shell command",
  "pred-own": "some shell command",
  "post-down": "some shell command",
  "interfaces": [
    {
      "name": "wg-site-a",
      "address": ["10.10.11.172/32", "fc00:dead:beef:1::172/128"],
      "listen-port": 51821,
      "fwmark": 51821,
      "private-key": "nFkQQjN+...",
      "mtu": 1420,
      "peers": [
        {
          "public-key": "Kx+wpJpj...",
          "preshared-key": "5daskLoW...",
          "endpoint": "a.example.com:51821",
          "persistent-keepalive": 25,
          "allowed-ips": ["10.10.11.0/24", "fc00:dead:beef:1::/64"]
        }
      ]
    },
    {
      "name": "wg-site-b",
      "address": ["10.10.12.172/32", "fc00:dead:beef:2::172/128"],
      "listen-port": 51822,
      "fwmark": 51822,
      "private-key": "guYPuE3X...",
      "mtu": 1420,
      "peers": [
        {
          "public-key": "NvZMoyrg...",
          "preshared-key": "cFQuyIX/...",
          "endpoint": "b.example.com:51822",
          "persistent-keepalive": 25,
          "allowed-ips": ["10.10.12.0/24", "fc00:dead:beef:2::/64"]
        }
      ]
    }
  ]
}

Now it's time to setup your new network namespace and all associated wireguard interfaces.

wg-netns up ./example.json

You can verify the success with a combination of ip and wg.

ip netns exec ns-example wg show

Or you can spawn a shell inside the netns.

ip netns exec ns-example bash -i

Or connect a container to it.

podman run -it --rm --network ns:/var/run/netns/ns-example docker.io/alpine wget -O - https://ipinfo.io

Or do whatever else you want.

System Service

You can find a wg-quick@.service equivalent at wg-netns@.service.

Port Forwarding

With socat you can forward TCP traffic from outside a network namespace to a port inside a network namespace.

socat tcp-listen:$LHOST,reuseaddr,fork "exec:ip netns exec $NETNS socat stdio 'tcp-connect:$RHOST',nofork"

Example: All connections to port 1234/tcp in the main netns are forwarded into the ns-example namespace to port 5678/tcp.

# terminal 1, create netns and start http server inside
wg-netns up ns-example
hello > ./hello.txt
ip netns exec ns-example python3 -m http.server 5678
# terminal 2, setup port forwarding
socat tcp-listen:1234,reuseaddr,fork "exec:ip netns exec ns-example socat stdio 'tcp-connect:127.0.0.1:5678',nofork"
# terminal 3, test access
curl http://127.0.0.1:1234/hello.txt