Userspace Networking Stack + WireGuard + Go
Marc-André Lureau
marcandre.lureau at gmail.com
Fri Jan 15 08:12:42 UTC 2021
Hi Julian
On Wed, Jan 13, 2021 at 8:28 PM Julian Orth <ju.orth at gmail.com> wrote:
>
> On 13/01/2021 17.04, Jason A. Donenfeld wrote:
>
> > Even if you're unprivileged and want a WireGuard interface for just a
> > single application that's bound to the lifetime of that application,
> > you can still use WireGuard's normal kernel interface inside of a user
> > namespace + a network namespace, and get a private process-specific
> > WireGuard interface.
>
> That's what my patches from back in 2018 were trying to accomplish.
> Unless I've missed something since, I do not see how what you're
> describing would work. Unless you also
>
> - create a TUN device in the network namespace
> - add a default route through that TUN device
> - manually route all traffic between the init network namespace and your
> network namespace.
>
> Is that what you meant or is there a simpler way?
I am not a network admin, but I agree. Setting up this kind of user
network namespace isn't trivial and requires some privileges. It would
be nice if the kernel or some services provided a simpler way. (fwiw,
some time ago I did some experimental/research work for VM &
containers at https://gitlab.freedesktop.org/elmarco/vnet)
--
Marc-André Lureau
More information about the WireGuard
mailing list