Domain as endpoint when using wireguard with network namespaces

Marios Makassikis mmakassikis at
Sat Aug 21 20:05:19 UTC 2021

On Tue, Aug 17, 2021 at 11:11 PM Waishon <waishon009 at> wrote:
> Hey there,
> I'm currently trying to set up a wireguard-tunnel inside a
> network-namespace as described in the documentation, which fails when
> using a domain as endpoint:
> First I've created the wireguard interface inside the birth-namespace
> of the host using "ip link add wg0 type wireguard". Then I moved the
> wg0 interface to the newly created network namespace, which doesn't
> have any network interfaces and network connections besides the
> loopback interface.
> Then I configured the wg0 interface inside the network namespace using
>     wg set "INTERFACE_NAME" \
>         private-key <SECRET \
>         peer "PEER" \
>         endpoint \
>         persistent-keepalive 25 \
>         allowed-ips ::/0
> This however results in a "Temporary failure in name resolution:
> `'. Trying again in 1.00 seconds..." error
> message, which makes sense, because the wireguard-tool tries to call
> getaddrinfo inside the network namespace. The namespace doesn't have
> an internet connection and the lookup fails.
> As a user I would expect that the wg-tool does the lookup in the
> birth-namespace of the interface and not inside the newly created
> network namespace.
> What is the recommended solution to resolve a domain endpoint when
> using network namespaces and wireguard? Just manually look up the
> domain in the birth-namespace and use the ip as endpoint? The
> implementation however would be quite hacky to make it properly work
> with IPv4 and IPv6.

Have you configured a nameserver for your network namespace?

Normally, that would be /etc/netns/<namespace_name>/resolv.conf (you may
need to create the subdirectory first).
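
The manual approach raised in the quoted question (resolve in the birth namespace, then pass the IP as endpoint) can be scripted so that it handles both IPv4 and IPv6. This is an added example, not part of the original thread or of wireguard-tools; the function names and `NETNS`, `IFACE`, `PEER_KEY`, `ENDPOINT_HOST` and `ENDPOINT_PORT` are placeholders.

```shell
#!/bin/sh
# Added example: resolve the peer's hostname in the birth namespace and hand
# only a numeric endpoint to wg inside the network namespace.

# Print "addr:port"; IPv6 literals must be bracketed in wg's endpoint syntax.
format_endpoint() {
    case "$1" in
        *:*) printf '[%s]:%s\n' "$1" "$2" ;;
        *)   printf '%s:%s\n' "$1" "$2" ;;
    esac
}

# Read "getent ahosts"-style lines ("<addr> <socktype> [name]") on stdin and
# print the first address of the requested family: "4", "6" or "any".
pick_address() {
    awk -v fam="$1" '
        { v6 = ($1 ~ /:/) }
        (fam == "any") || (fam == "6" && v6) || (fam == "4" && !v6) { print $1; exit }
    '
}

# Resolve in the current (birth) namespace, where name resolution works.
# $3 selects the address family; default is whatever the resolver lists first.
resolve_endpoint() {
    host=$1 port=$2 fam=${3:-any}
    addr=$(getent ahosts "$host" | pick_address "$fam")
    [ -n "$addr" ] || { echo "cannot resolve $host" >&2; return 1; }
    format_endpoint "$addr" "$port"
}

# Configure the peer inside the namespace. The endpoint is already numeric,
# so no getaddrinfo call is made from inside the namespace.
set_peer_endpoint() {
    netns=$1 iface=$2 peer=$3 endpoint=$4
    ip netns exec "$netns" wg set "$iface" peer "$peer" endpoint "$endpoint"
}

# Usage (as root, from the birth namespace; all values are placeholders):
#   ep=$(resolve_endpoint "$ENDPOINT_HOST" "$ENDPOINT_PORT") &&
#   set_peer_endpoint "$NETNS" "$IFACE" "$PEER_KEY" "$ep"
```

The address is resolved once, so the script has to be re-run if the endpoint's DNS record changes.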
