multiple wg interface in different namespace

Quan Zhou quanzhou822 at gmail.com
Tue Jul 17 15:13:27 CEST 2018


It works! Thank you!
On Tue, Jul 17, 2018 at 6:23 AM Samuel Holland <samuel at sholland.org> wrote:
>
> Hello,
>
> On 07/16/18 03:50, Quan Zhou wrote:
> > I've been using wg for a while without any problem, but today I wanted
> > to try something with the namespace[1]. There's a difference in my
> > settings, I already have a wg working without the netns. This or
> > perhaps other factors results in a failure bringing up the interface:
> > ``RTNETLINK answers: Address already in use.'' Details follow.
> >
> > [1]: https://www.wireguard.com/netns/
> >
> > Configuration:
> > ==== SiteA to SiteC (working correctly):
> >
> > ```bash
> > ip link add dev wg0 type wireguard
> > wg setconf wg0 /etc/wireguard/wg0.conf
> > ip link set up dev wg0
> > ip route add 192.168.<>.0/24 dev wg0
> > ip route add 10.12.<>.0/24 dev wg0
> > ```
> > ==== SiteA to SiteB (Trouble bringing up iface on Site A):
> > ```bash
> > ip netns add sv0
> > ip link add sv0en0 type veth peer ens3
> > ip link add sv0wg0 type wireguard
> > ip link set sv0en0 netns sv0
> > ip link set sv0wg0 netns sv0
>
> Here you're creating the WireGuard interface before moving it to the sv0
> namespace. The underlying UDP socket used by WireGuard is created in the
> original namespace, and is _not_ moved with the interface. If you're using the
> same ListenPort on both interfaces, the sockets will conflict, as you can see in
> dmesg. Either:
> - Use different listen ports for the two WireGuard interfaces, or
> - Create sv0wg0 in the sv0 namespace instead of moving it there after the fact.
>
> > ip -n sv0 addr add <IP>/32 dev sv0en0
> > ip -n sv0 route add default dev sv0en0
> > ip -n sv0 link set up sv0en0
> > ip netns exec sv0 wg setconf sv0wg0 ./sv0wg0.conf
> > ip -n sv0 addr add <IP>/31 dev sv0wg0
> > ip -n sv0 link set up sv0wg0
> > ```
> > # ip -n sv0 link set up sv0wg0
> > RTNETLINK answers: Address already in use
> >
> > ==== dmesg |grep wireguard
> > ```
> > [   16.051148] wireguard: loading out-of-tree module taints kernel.
> > [   16.051390] wireguard: module verification failed: signature and/or
> > required key missing - tainting kernel
> > [   16.051880] wireguard: WireGuard 0.0.20180708 loaded. See
> > www.wireguard.com for information.
> > [   16.051881] wireguard: Copyright (C) 2015-2018 Jason A. Donenfeld
> > <Jason at zx2c4.com>. All Rights Reserved.
> > [  214.191712] wireguard: sv0wg0: Could not create IPv4 socket
> > [  233.096882] wireguard: sv0wg0: Could not create IPv4 socket
> > [  250.411586] wireguard: sv0wg0: Could not create IPv4 socket
> > [  522.266844] wireguard: sv0wg0: Could not create IPv4 socket
> > [  950.891264] wireguard: sv0wg0: Could not create IPv4 socket
> > [ 1004.031902] wireguard: sv0wg0: Could not create IPv4 socket
> > [ 1044.773710] wireguard: sv0wg0: Could not create IPv4 socket
> > [ 1053.273612] wireguard: sv0wg0: Could not create IPv4 socket
> > [ 1057.656802] wireguard: sv0wg0: Could not create IPv4 socket
> > [ 1312.781415] wireguard: sv0wg0: Could not create IPv4 socket
> > [ 1359.582271] wireguard: sv0wg0: Could not create IPv4 socket
> > [ 1370.719755] wireguard: sv0wg0: Could not create IPv4 socket
> > [ 1586.955734] wireguard: sv0wg0: Could not create IPv4 socket
> > [ 1603.063851] wireguard: sv0wg0: Could not create IPv4 socket
> > [ 2257.095367] wireguard: wg0: Could not create IPv4 socket
> > [ 3631.242070] wireguard: sv0wg0: Could not create IPv4 socket
> > ```
> > ==== Workaround (not really)
> > ```bash
> > # ip link set down wg0
> > # ip -n sv0 link set up sv0wg0
> > # # >>> Works
> > # ip link set up wg0
> > # # >>> RTNETLINK answers: Address already in use
> > # # >>> See entry [ 2257.095367] in the dmesg above
> > ```
> >
>
> Regards,
> Samuel



-- 
Regards,

Quan Zhou

E271C0D1BD90012B8D8EECF6F822BC9F8E1C35C8
quanzhou822 at gmail.com
https://keybase.io/qzhou
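
The collision explained in the quoted reply can be checked before bringing interfaces up. The following is an added example, not part of the thread and not WireGuard project code. The function names, the "init" label for the original namespace, the port 51820 and the sample config files are all assumptions made for illustration.

```shell
# Added example (not from the thread). A WireGuard interface's UDP socket lives
# in the namespace where the interface was created, so each argument is
# "<creation-netns>:<config-file>". "init" is a made-up label for the original
# namespace; port 51820 and the file names below are constructed sample values.

# Print the ListenPort of a wg config file (empty output if none is set).
listen_port() {
    awk -F= 'tolower($1) ~ /^[ \t]*listenport[ \t]*$/ {
                 sub(/#.*/, "", $2); gsub(/[ \t]/, "", $2); print $2; exit }' "$1"
}

# Report every interface whose socket would share a namespace and port with an
# earlier one. Returns 1 if any conflict was found. The subshell body keeps
# the variables local to the function.
find_port_conflicts() (
    seen="" rc=0
    for entry in "$@"; do
        ns=${entry%%:*}
        conf=${entry#*:}
        port=$(listen_port "$conf")
        [ -n "$port" ] || continue    # no ListenPort: a random port is chosen
        case " $seen " in
            *" $ns/$port "*)
                echo "conflict: $conf needs UDP $port, already bound in netns $ns"
                rc=1 ;;
            *) seen="$seen $ns/$port" ;;
        esac
    done
    return "$rc"
)

tmp=$(mktemp -d)
printf '[Interface]\nListenPort = 51820\n' > "$tmp/wg0.conf"
printf '[Interface]\nListenPort = 51820\n' > "$tmp/sv0wg0.conf"

# Sequence from the thread: sv0wg0 created in the original namespace, then moved.
find_port_conflicts "init:$tmp/wg0.conf" "init:$tmp/sv0wg0.conf" ||
    echo "=> 'link set up' would fail with: Address already in use"

# Second fix from the reply: ip -n sv0 link add sv0wg0 type wireguard
find_port_conflicts "init:$tmp/wg0.conf" "sv0:$tmp/sv0wg0.conf" &&
    echo "=> no conflict"
```

The namespace label passed for each interface must be the one it was created in, not the one it currently sits in after `ip link set ... netns`.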

