network namespace wireguard routing [Was: Re: Userspace Networking Stack + WireGuard + Go]

Julian Orth ju.orth at gmail.com
Wed Jan 13 16:40:58 UTC 2021 

On 13/01/2021 17.33, Jason A. Donenfeld wrote:
 > In order to prevent this Go thread from being hijacked with Linux
 > concerns, I've changed the Subject line of the email. Please keep
 > follow ups in this thread rather than the other.
 >
 > Response is in line below:
 >
 > On Wed, Jan 13, 2021 at 5:26 PM Julian Orth <ju.orth at gmail.com> wrote:
 >>
 >> On 13/01/2021 17.04, Jason A. Donenfeld wrote:
 >>
 >>   > Even if you're unprivileged and want a WireGuard interface for just a
 >>   > single application that's bound to the lifetime of that application,
 >>   > you can still use WireGuard's normal kernel interface inside of a user
 >>   > namespace + a network namespace, and get a private process-specific
 >>   > WireGuard interface.
 >>
 >> That's what my patches from back in 2018 were trying to accomplish.
 >> Unless I've missed something since, I do not see how what you're
 >> describing would work.  Unless you also
 >>
 >> - create a TUN device in the network namespace
 >> - add a default route through that TUN device
 >> - manually route all traffic between the init network namespace and your
 >>     network namespace.
 >>
 >> Is that what you meant or is there a simpler way?
 >
 > What I meant was:
 >
 > 1. User opens his shell and runs ./blah. That executes in the init
 > namespace where all the physical interfaces are.
 > 2. blah creates a wireguard interface.
 > 3. blah creates a network namespace.
 > 4. blah moves that wireguard interface into that network namespace.
 > 5. blah calls `setns()` on one of its threads to use that network namespace.
 >
 > Thinking about this in more detail, I'm guessing you take issue with
 > step #2? Since that actually might require privileges in the init
 > namespace?

Exactly :). My patches in 2018 were trying to solve this by allowing the
user to change the "transit" network namespace after the device has been
created. The "transit" network namespace being the namespace in which
the Wireguard UDP socket lives. This would not require privileges in the
transit namespace, only some kind of proof that the user can create UDP
sockets in said namespace.

 >
 > Jason
 >

More information about the WireGuard mailing list