wg trunk (TM) traffic isolation: VRF vs netns

Matthias Urlichs matthias at urlichs.de
Wed Dec 23 14:55:46 CET 2020

> thoughts?
> - jrun

When in doubt, do both.

I am running my home router as a couple of netns domains on one of the 
less-overworked servers in the basement, facilitated by a couple of 
"dumb" scripts that set it all up.

My setup: create a netns instance, move the machine's main interface 
into it, set up VLANs and bridges in there, and then add a veth interface 
to one of the bridges whose other end is moved back to the root namespace.

Bonus points: the router instance doesn't have any services (thus only 
needs FORWARD firewall rules) and can run on basically any local system 
with enough bandwidth. Just add VLANs to its interface on the switch.

Within that router netns I have separate VRFs for "sensitive" and 
"guest" traffic, mainly to simplify firewall rules and routing tables.

-- Matthias Urlichs
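The netns-plus-VRF layout described in the post above, as an added example script that is not Matthias's own setup scripts. It assumes a namespace named router, a physical NIC eth0, VLAN ids 10 (sensitive) and 20 (guest) reused as VRF table ids, and, because the real commands need root, it only prints the ip(8) commands when DRY_RUN=1.

```shell
#!/bin/sh
# Added example, not the poster's scripts. Assumed names: netns "router",
# NIC "eth0", VLAN/VRF ids 10 (sensitive) and 20 (guest).
NS=${NS:-router}
NIC=${NIC:-eth0}
DRY_RUN=${DRY_RUN:-0}

# run a command, or just print it when DRY_RUN=1 (no root needed)
run() {
    if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}
# same, but inside the router namespace
ns() { run ip netns exec "$NS" "$@"; }

setup_router_ns() {
    run ip netns add "$NS"
    # move the machine's main interface into the router netns;
    # the root namespace keeps no direct path to the wire afterwards
    run ip link set "$NIC" netns "$NS"
    ns ip link set lo up
    ns ip link set "$NIC" up
    # one VRF per traffic class, each with its own routing table, plus
    # a VLAN sub-interface and bridge enslaved to that VRF
    for pair in sensitive:10 guest:20; do
        name=${pair%:*}; id=${pair#*:}
        ns ip link add "vrf-$name" type vrf table "$id"
        ns ip link set "vrf-$name" up
        ns ip link add link "$NIC" name "$NIC.$id" type vlan id "$id"
        ns ip link add "br-$name" type bridge
        ns ip link set "$NIC.$id" master "br-$name"
        ns ip link set "br-$name" master "vrf-$name"
        ns ip link set "$NIC.$id" up
        ns ip link set "br-$name" up
    done
    # veth pair: one end joins the sensitive bridge, the other end goes
    # back to the root namespace (netns of PID 1) so the host stays reachable
    ns ip link add veth-host type veth peer name veth-root
    ns ip link set veth-host master br-sensitive
    ns ip link set veth-host up
    ns ip link set veth-root netns 1
    run ip link set veth-root up
    # the router runs no services, so only FORWARD rules are needed;
    # VRF devices can be matched directly, e.g. keep guest away from sensitive
    ns iptables -A FORWARD -i vrf-guest -o vrf-sensitive -j DROP
}

[ "${1:-}" = --setup ] && setup_router_ns
```

Run it as `DRY_RUN=1 sh setup.sh --setup` to review the command list before applying it as root.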

