Domain as endpoint when using wireguard with network namespaces

Marios Makassikis mmakassikis at freebox.fr
Sat Aug 21 20:05:19 UTC 2021


On Tue, Aug 17, 2021 at 11:11 PM Waishon <waishon009 at gmail.com> wrote:
>
> Hey there,
>
> I'm currently trying to set up a wireguard-tunnel inside a
> network-namespace as described in the documentation, which fails when
> using a domain as endpoint:
> https://www.wireguard.com/netns/
>
> First I've created the wireguard interface inside the birth-namespace
> of the host using "ip link add wg0 type wireguard". Then I moved the
> wg0 interface to the newly created network namespace, which doesn't
> have any network interfaces and network connections beside the
> loopback interface.
>
> Then I configured the wg0 interface inside the network namespace using
>     wg set "INTERFACE_NAME" \
>         private-key <SECRET \
>         peer "PEER" \
>         endpoint vpn.example.com:51820 \
>         persistent-keepalive 25 \
>         allowed-ips ::/0
>
> This however results in a "Temporary failure in name resolution:
> `vpn.example.com:51820'. Trying again in 1.00 seconds..." error
> message, which makes sense, because the wireguard-tool tries to call
> getaddrinfo inside the network namespace. The namespace doesn't have
> an internet connection and the lookup fails.
> https://github.com/WireGuard/wireguard-tools/blob/96e42feb3f41e2161141d4958e2637d9dee6f90a/src/config.c#L242
>
> As a user I would expect that the wg-tool does the lookup in the
> birth-namespace of the interface and not inside the newly created
> network namespace.
>
> What is the recommended solution to resolve a domain endpoint when
> using network namespaces and wireguard? Just manually look up the
> domain in the birth-namespace and use the ip as endpoint? The
> implementation however would be quite hacky to make it properly work
> with IPv4 and IPv6.

Have you configured a nameserver for your network namespace?

Normally, that would be /etc/netns/<namespace_name>/resolv.conf (you may
need to create the subdirectory first).
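The procedure from the question together with the reply's suggestion, as an added example that is not code from the thread or from wireguard-tools. It also shows the birth-namespace lookup the asker mentioned, with IPv4 and IPv6 endpoints formatted the way `wg set` expects. Namespace name, interface, peer key, key file, nameserver and endpoint are placeholders, and the per-namespace resolver file only helps when the namespace can actually reach that nameserver.

```shell
#!/bin/sh
# Added example, not from the thread. Follows https://www.wireguard.com/netns/:
# create wg0 in the birth namespace, move it into a namespace, configure it
# there. The hostname endpoint is handled two ways: the per-namespace
# resolv.conf the reply suggests, and a lookup in the birth namespace that
# passes a literal IP to `wg set` (IPv6 bracketed), for the case where the
# namespace has no route to any nameserver yet. All names are placeholders.
set -eu

# wg expects host:port; an IPv6 literal must be bracketed, IPv4 must not.
format_endpoint() {  # $1 = IP literal, $2 = UDP port
    case "$1" in
        *:*) printf '[%s]:%s\n' "$1" "$2" ;;
        *)   printf '%s:%s\n' "$1" "$2" ;;
    esac
}

# Resolve a hostname in the *current* (birth) namespace, returning the
# first address of the requested family so v4/v6 stays explicit.
resolve_in_birth_ns() {  # $1 = hostname, $2 = family, 4 or 6
    [ "$2" = 6 ] && db=ahostsv6 || db=ahostsv4
    getent "$db" "$1" | awk 'NR == 1 { print $1 }'
}

# File that `ip netns exec` bind-mounts over /etc/resolv.conf in the namespace.
netns_resolv_conf() {  # $1 = namespace name
    printf '/etc/netns/%s/resolv.conf\n' "$1"
}

# Needs root and wireguard-tools; not executed when the file is only sourced.
# $1 namespace, $2 interface, $3 endpoint host, $4 port, $5 peer public key,
# $6 private-key file, $7 nameserver address (placeholders, all of them)
setup_wg_in_netns() {
    ns=$1; wgif=$2; host=$3; port=$4; peer=$5; keyfile=$6; nameserver=$7
    ip netns add "$ns"
    mkdir -p "/etc/netns/$ns"                       # reply's suggestion:
    printf 'nameserver %s\n' "$nameserver" > "$(netns_resolv_conf "$ns")"
    ip link add "$wgif" type wireguard              # born in the birth ns,
    ip link set "$wgif" netns "$ns"                 # so encrypted UDP leaves here
    addr=$(resolve_in_birth_ns "$host" 4)           # DNS works in this ns
    ip netns exec "$ns" wg set "$wgif" private-key "$keyfile" \
        peer "$peer" endpoint "$(format_endpoint "$addr" "$port")" \
        persistent-keepalive 25 allowed-ips ::/0
    ip netns exec "$ns" ip link set "$wgif" up
}
```

Call `setup_wg_in_netns vpn wg0 vpn.example.com 51820 PEER_PUBKEY /etc/wireguard/private.key 192.0.2.53` as root to run the whole procedure; pass family 6 to `resolve_in_birth_ns` for an IPv6 endpoint.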
