moismailzai / comments.ismailzai.com

Comments repository for ismailzai.com.

blog/creating-wireguard-jails-with-linux-network-namespaces #3

Open utterances-bot opened 1 year ago

utterances-bot commented 1 year ago

Creating WireGuard jails with Linux network namespaces | Mo Ismailzai

The network namespace is a powerful Linux kernel feature that enables the creation of isolated network environments within a single logical host. In this blog post, we will explore the concept of network namespaces, how to use them with WireGuard, and how to isolate processes with this combination.

https://www.ismailzai.com/blog/creating-wireguard-jails-with-linux-network-namespaces

zz0rk commented 1 year ago

When I followed your instructions, I substituted tun0 with wg0. Otherwise, I followed them to the letter, but I don't believe the wg0 is working. There's no traffic flowing.

1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
7: wg0: <POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1420 qdisc noqueue state UNKNOWN group default qlen 1000
    link/none
    inet 10.2.0.2/32 scope global wg0
       valid_lft forever preferred_lft forever

The wg0.conf file from my VPN provider (some information redacted):

[Interface]
PrivateKey = XXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
Address = 10.2.0.2/32
DNS = 10.2.0.1

[Peer]
PublicKey = XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
AllowedIPs = 0.0.0.0/0

Thank you

P.S. When I use the same wg0.conf file on another machine with wg-quick up wg0 it works.

moismailzai commented 1 year ago

Hey, did it just get missed in your copy / paste above or are you missing the Endpoint directive under the [Peer] heading?

zz0rk commented 1 year ago

Hiya, I am using Proton VPN. I've only redacted the keys. It works under Debian 12: nmcli connection import type wireguard file wg0.conf

[Interface]
# Key for wg0
# Bouncing = 1
# NAT-PMP (Port Forwarding) = off
# VPN Accelerator = on
PrivateKey = XXX
Address = 10.2.0.2/32
DNS = 10.2.0.1

[Peer]
# NL-FREE#216012
PublicKey = XXX
AllowedIPs = 0.0.0.0/0

ip netns exec wireguard wg setconf wg0 <(wg-quick strip /etc/wireguard/wg0.conf)

Thanks, moismailzai

zz0rk commented 1 year ago

Jeez, I did forget to copy/paste the endpoint: Endpoint = 138.199.7.159:51820

Best-HeyGman commented 10 months ago

Thank you for your work. Your explanation and the code in your repository are awesome and helped me a lot 👍

nnWhisperer commented 7 months ago

Hello, thanks for the work. Have you tried running the code without the socat part? According to the WireGuard documentation here, the reason the code in this blog post works is moving a wg tun from one namespace to the other, not the socat part. Hence, the socat part seems incorrect and totally redundant. What's the port number 8080 for, anyway?

nnWhisperer commented 7 months ago

I agree that such a feature of WireGuard isn't apparent.

moismailzai commented 7 months ago

nnWhisperer: I appreciate your insights. The socat component serves a practical purpose distinct from the WireGuard namespace transfer capabilities. While WireGuard ensures that the VPN tunnel's encrypted packets correctly navigate between namespaces, socat enables external access to services within the VPN-protected namespace, which is useful for scenarios where direct interaction with services isolated in a network namespace is desired.
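As an added example (not code from the blog post or from anyone in this thread): a small POSIX shell script that first preflights a client config for the fields it must carry, including the Endpoint that turned out to be missing in this thread, and then performs the namespace move discussed above. The namespace name wireguard, the wg0 interface, the wg-quick strip pipeline and the 10.2.0.x addresses follow the thread; the function names and the check/up subcommands are my own.

```shell
#!/bin/sh
# Added example: preflight a WireGuard client config, then bring it up in a jail.

# Refuse a client config that lost fields in a copy/paste. A [Peer] without an
# Endpoint cannot initiate the handshake: the link shows UP but no traffic flows.
# Assumes a single-peer client config (one [Peer] section).
wg_preflight() {
    awk '
        /^[ \t]*#/ || /^[ \t]*$/ { next }          # comments and blank lines
        /^\[Interface\]/ { sec = "i"; next }
        /^\[Peer\]/      { sec = "p"; peers++; next }
        { split($0, kv, "="); gsub(/[ \t]/, "", kv[1]); seen[sec ":" kv[1]]++ }
        END {
            m = ""
            if (!seen["i:PrivateKey"]) m = m " Interface.PrivateKey"
            if (!seen["i:Address"])    m = m " Interface.Address"
            if (!peers)                m = m " Peer"
            if (!seen["p:PublicKey"])  m = m " Peer.PublicKey"
            if (!seen["p:AllowedIPs"]) m = m " Peer.AllowedIPs"
            if (!seen["p:Endpoint"])   m = m " Peer.Endpoint"
            if (m != "") { print "missing:" m; exit 1 }
        }' "$1"
}

# Create the interface in the init namespace (its UDP socket stays there and
# keeps host connectivity), then move it into the jail. Moving the interface is
# what makes the jail work; wg setconf rejects wg-quick-only keys such as
# Address and DNS, hence the wg-quick strip. Needs root.
wg_jail_up() {
    ns=$1; conf=$2; addr=$3; dns=$4
    wg_preflight "$conf" || return 1
    ip netns add "$ns"
    ip link add wg0 type wireguard
    ip link set wg0 netns "$ns"
    ip -n "$ns" link set lo up
    ip -n "$ns" addr add "$addr" dev wg0
    wg-quick strip "$conf" | ip netns exec "$ns" wg setconf wg0 /dev/stdin
    ip -n "$ns" link set wg0 up
    ip -n "$ns" route add default dev wg0
    # ip netns exec bind-mounts /etc/netns/<ns>/ over /etc, so this resolv.conf
    # applies only to processes started inside the jail.
    mkdir -p "/etc/netns/$ns"
    printf 'nameserver %s\n' "$dns" > "/etc/netns/$ns/resolv.conf"
}

case "${1:-}" in
    check) wg_preflight "$2" ;;
    up)    wg_jail_up "$2" "$3" "$4" "$5" ;;  # up wireguard /etc/wireguard/wg0.conf 10.2.0.2/32 10.2.0.1
esac
```

Run "sh jail.sh check /etc/wireguard/wg0.conf" before "up"; the check alone needs no privileges and prints the missing fields.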