Userspace Networking Stack + WireGuard + Go

Marc-André Lureau marcandre.lureau at gmail.com
Fri Jan 15 08:12:42 UTC 2021


Hi Julian

On Wed, Jan 13, 2021 at 8:28 PM Julian Orth <ju.orth at gmail.com> wrote:
>
> On 13/01/2021 17.04, Jason A. Donenfeld wrote:
>
> > Even if you're unprivileged and want a WireGuard interface for just a
> > single application that's bound to the lifetime of that application,
> > you can still use WireGuard's normal kernel interface inside of a user
> > namespace + a network namespace, and get a private process-specific
> > WireGuard interface.
>
> That's what my patches from back in 2018 were trying to accomplish.
> Unless I've missed something since, I do not see how what you're
> describing would work.  Unless you also
>
> - create a TUN device in the network namespace
> - add a default route through that TUN device
> - manually route all traffic between the init network namespace and your
>    network namespace.
>
> Is that what you meant or is there a simpler way?


I am not a network admin, but I agree. Setting up this kind of user
network namespace isn't trivial and requires some privileges. It would
be nice if the kernel or some services provided a simpler way. (fwiw,
some time ago I did some experimental/research work for VM &
containers at https://gitlab.freedesktop.org/elmarco/vnet)

-- 
Marc-André Lureau