mirror of
https://github.com/dadevel/wg-netns
synced 2024-10-30 21:20:12 +00:00
wg-netns
wg-quick for Linux network namespaces. A simple Python script that implements the steps described at wireguard.com/netns.
Setup
Requirements:
- Linux
- Python 3.7 or newer
- ip from iproute2
- wg from wireguard-tools
Just download the script and make it executable.
mkdir -p ~/.local/bin/ && curl -o ~/.local/bin/wg-netns https://raw.githubusercontent.com/dadevel/wg-netns/master/wg-netns.py && chmod 0755 ~/.local/bin/wg-netns
Usage
Instead of running wg-quick up my-vpn, run wg-netns up my-vpn.
Now you can spawn a shell in the new network namespace.
ip netns exec my-vpn bash -i
Or connect a container to it.
podman run -it --rm --network ns:/var/run/netns/my-vpn alpine wget -O - https://ipinfo.io
Or do whatever you want.
System Service
You can find a wg-quick@.service equivalent at wg-netns@.service.
Port Forwarding
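Forward TCP traffic from outside a network namespace to a port inside a network namespace with socat. In the command below, $LHOST is the listening port outside the namespace, $NETNS is the namespace name and $RHOST is the host:port target inside the namespace.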
socat tcp-listen:$LHOST,reuseaddr,fork "exec:ip netns exec $NETNS socat stdio 'tcp-connect:$RHOST',nofork"
Example: All connections to port 1234/tcp in the main netns are forwarded into the my-vpn netns to port 5678/tcp.
# terminal 1, create netns and start http server inside
wg-netns up my-vpn
echo hello > ./hello.txt
ip netns exec my-vpn python3 -m http.server 5678
# terminal 2, set up port forwarding
socat tcp-listen:1234,reuseaddr,fork "exec:ip netns exec my-vpn socat stdio 'tcp-connect:127.0.0.1:5678',nofork"
# terminal 3, test
curl http://127.0.0.1:1234/hello.txt
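A socat tcp-listen address without a bind= option accepts connections on every address of the main namespace, so the forwarder above is reachable from other hosts as well as from 127.0.0.1. The following added example (not part of wg-netns) builds the same command with an explicit listen address that defaults to loopback and rejects arguments that could alter the socat options or the nested quoting; the function names and argument order are assumptions made for illustration.

```bash
#!/usr/bin/env bash
# Added example, not part of wg-netns. Function names and argument order
# are hypothetical; the socat command shape is the one from the README.

# Succeeds only for a decimal TCP port in 1..65535.
valid_port() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "${#1}" -le 5 ] && [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# Succeeds only for letters, digits, '.', '_' and '-'. This excludes commas,
# quotes, spaces and ';', which would change socat options or escape the
# nested exec: string. (IPv6 literals are out of scope for this sketch.)
valid_token() {
    case "$1" in
        ''|*[!A-Za-z0-9._-]*) return 1 ;;
    esac
}

# Usage: netns_forward_cmd LPORT NETNS RHOST RPORT [BIND_ADDR]
# Prints the socat command line. BIND_ADDR defaults to 127.0.0.1 so the
# listener is only reachable from the local machine.
netns_forward_cmd() {
    local lport="$1" netns="$2" rhost="$3" rport="$4" bind="${5:-127.0.0.1}"
    valid_port "$lport" && valid_port "$rport" \
        || { echo "invalid port" >&2; return 2; }
    valid_token "$netns" && valid_token "$rhost" && valid_token "$bind" \
        || { echo "invalid netns name or address" >&2; return 2; }
    printf "socat tcp-listen:%s,bind=%s,reuseaddr,fork \"exec:ip netns exec %s socat stdio 'tcp-connect:%s:%s',nofork\"\n" \
        "$lport" "$bind" "$netns" "$rhost" "$rport"
}
```

Calling netns_forward_cmd 1234 my-vpn 127.0.0.1 5678 prints the forwarder from the example above with bind=127.0.0.1 added. After starting it, ss -ltn should list the listener as 127.0.0.1:1234 rather than as a wildcard address.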