network namespace wireguard routing [Was: Re: Userspace Networking Stack + WireGuard + Go]

Jason A. Donenfeld Jason at zx2c4.com
Wed Jan 13 16:33:25 UTC 2021


In order to prevent this Go thread from being hijacked with Linux
concerns, I've changed the Subject line of the email. Please keep
follow ups in this thread rather than the other.

Response is in line below:

On Wed, Jan 13, 2021 at 5:26 PM Julian Orth <ju.orth at gmail.com> wrote:
>
> On 13/01/2021 17.04, Jason A. Donenfeld wrote:
>
>  > Even if you're unprivileged and want a WireGuard interface for just a
>  > single application that's bound to the lifetime of that application,
>  > you can still use WireGuard's normal kernel interface inside of a user
>  > namespace + a network namespace, and get a private process-specific
>  > WireGuard interface.
>
> That's what my patches from back in 2018 were trying to accomplish.
> Unless I've missed something since, I do not see how what you're
> describing would work.  Unless you also
>
> - create a TUN device in the network namespace
> - add a default route through that TUN device
> - manually route all traffic between the init network namespace and your
>    network namespace.
>
> Is that what you meant or is there a simpler way?

What I meant was:

1. User opens his shell and runs ./blah. That executes in the init
namespace where all the physical interfaces are.
2. blah creates a wireguard interface.
3. blah creates a network namespace.
4. blah moves that wireguard interface into that network namespace.
5. blah calls `setns()` on one of its threads to use that network namespace.

Thinking about this in more detail, I'm guessing you take issue with
step #2? Since that actually might require privileges in the init
namespace?

Jason
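The five-step flow above, driven with iproute2 and wg from a shell rather than from inside the Go process (added example, not code from the thread; interface name, namespace name, addresses, key path and peer values are assumed placeholders). Step 2 is the one that needs CAP_NET_ADMIN in the init namespace; once the interface is moved, its encrypted UDP socket stays bound in the init namespace, which is why no TUN device or cross-namespace routing is needed. `ip netns exec` stands in for the `setns()` call of step 5 and moves the whole process, not a single thread.

```shell
#!/bin/sh
# Added example: create a WireGuard interface in the init netns, move it into
# a fresh netns, and run the application there. Names below are assumptions.
set -eu

IFACE="${IFACE:-wg0}"
NS="${NS:-blah-ns}"

# run: execute a command, or only print it when DRY_RUN=1, so the plan can
# be reviewed (or tested) without CAP_NET_ADMIN.
run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# plan: steps 2-4 of the thread, plus addressing inside the new namespace.
plan() {
    # 2. create the interface in the init namespace (needs CAP_NET_ADMIN here);
    #    the UDP socket it uses for encrypted traffic stays in this namespace.
    run ip link add "$IFACE" type wireguard
    run wg set "$IFACE" private-key "${PRIVKEY_FILE:-/etc/wireguard/blah.key}" \
        peer "${PEER_PUBKEY:-PEER_PUBLIC_KEY_PLACEHOLDER}" \
        endpoint "${PEER_ENDPOINT:-203.0.113.10:51820}" allowed-ips 0.0.0.0/0
    # 3. create the network namespace
    run ip netns add "$NS"
    # 4. move the interface; plaintext side now lives only in $NS
    run ip link set "$IFACE" netns "$NS"
    # inside the namespace, wg0 is the only route out, so nothing leaks
    run ip -n "$NS" addr add "${IFACE_ADDR:-10.0.0.2/32}" dev "$IFACE"
    run ip -n "$NS" link set "$IFACE" up
    run ip -n "$NS" route add default dev "$IFACE"
}

# 5. shell stand-in for setns(): run the program inside the namespace
exec_in_ns() {
    run ip netns exec "$NS" "$@"
}

wg_netns_main() {
    plan
    exec_in_ns "$@"
}

# Only act when a program to run was given, e.g.: sudo ./wg-netns.sh ./blah
if [ "$#" -gt 0 ]; then
    wg_netns_main "$@"
fi
```

Set `DRY_RUN=1` to print the commands instead of executing them; the real run needs root (or CAP_NET_ADMIN) in the init namespace for step 2.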

