Score:0

WireGuard & Network Namespaces


I am trying to set up a VPN gateway with two wireguard interfaces.

One being a gateway accessible from the init namespace, which can forward incoming local packets from eth0.

The second interface is for accepting incoming connections for a web-server. And I need this one isolated so it doesn't interfere with the gateway interface.

Looking around, I think that using the wireguard namespace trick may work. This sort of setup:

|----------------------------- |
|   ------------------         |
|   | vpn forward ns |         |
|   |                |         |
|   | |<--->-macvlan<|---->|   |
|   |-|--------------|     |<->|eth0 ------- Local network, inc gateway. 
|     |                    |   |
|     |    init namespace  |   |
|     |                    |   |
|     |<->wireguard if     |   |
|                          |   |
|   ------------------     |   |
|   | vpn inbound ns |     |   |
|   |                |     |   |
|   ||<-->-macvlan<--|---->|   |
|   ||               |         |
|   ||<->wireguard if|         |
|   |----------------|         |
|------------------------------|

However, the technique in the official docs (https://www.wireguard.com/netns/) won't work, as I need the physical interface available on the LAN to receive local packets to forward.

I also found this answer: https://unix.stackexchange.com/questions/654712/forward-only-lan-traffic-from-network-namespace-to-root-namespace

But it seems incomplete; when I implement something along these lines, the namespace using the macvlan cannot connect to anything, let alone get the wireguard connection working.

What I think I need to do for the gateway interface:

Create a namespace & add a macvlan to it. Add default route so everything in this namespace goes through the macvlan and by extension the eth0. Create the wireguard device in the namespace, then move it to the init namespace. Set the default route for the init namespace to the wireguard interface. So now everything in the init namespace gets routed through the wireguard interface, which in turn will go through the macvlan then through the eth0 and into the wider network?

For the inbound interface: Same start, but do not move the wireguard interface out of the namespace. I can then run my webserver in this namespace and inbound connections via wireguard will connect to it.

I don't fully understand how the macvlan works. Is it purely an alias for the linked physical device? So is anything routed down it in fact just being routed down, say, eth0? Do I need to give it an IP address? If so, does it need to be on the same subnet as my internet gateway in order to reach the wider internet?

Is there a better way to achieve what I am trying to do?

A.B
The WireGuard site describes multiple methods for using network namespaces. The very first is called "Ordinary Containerization" where you move the WG interface to the network namespace and nothing else: the web server will have a single interface visible. Can you explain why you are ruling out this method?
uhsl_m
That would work for the inbound/webserver part, but not for the VPN gateway. This device is an interim gateway for the local network. It takes in packets from all other devices on the network and forwards them through wireguard, so I need a wireguard interface accessible in the init namespace. An issue I foresee doing it that way for the web-server is that its wireguard packets may be routed through the gateway wireguard interface, because in the init namespace all packets go through the gateway wireguard interface.
A.B
I don't understand what you're trying to do, even if you explain it in the question and in this comment. Whatever routing limitation exists, it can be overcome. But I don't know what limitation you are hitting so you think you'd need multiple WG interfaces and multiple network namespaces.
uhsl_m
It is to overcome a mullvad VPN issue. You cannot do a "hairpin" connection to an open port. That is, if you are connected to the mullvad wireguard peer, you cannot access an open port on that same peer. I have an open mullvad port so that I can access this webservice from anywhere (I have a DNS entry). However, because this server acts as a VPN gateway for my entire local network, I cannot access this webservice while my devices are connected, because their packets get forwarded through the VPN and, because they are trying to reconnect to the same place, it fails.
uhsl_m
So the second wireguard interface is so that the connection does not hairpin but in fact connects to a completely different peer. So the webservice sits behind one mullvad VPN connection, and my gateway uses another.
Score:1

I was overthinking it. All I needed to do was have both interfaces share a fw mark.

The main interface can still be created via wg-quick, albeit with the FwMark value in the conf file set.

The second interface needs to be created manually; it can still use the wg conf file, with the FwMark set, and is then moved into an isolating namespace. Once it has been brought up and a default route within that namespace added, this secondary wireguard interface, using the same FwMark as the main one, can act independently.

If a service is put in that namespace listening on an open port, it can be connected to via the main wireguard interface using the secondary endpoint IP.
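The sequence this answer describes, written out as an added example (these are not the poster's own commands). Assumptions: /etc/wireguard/wg0.conf is the wg-quick managed gateway tunnel with `FwMark = 0x1234` in its [Interface] section, /etc/wireguard/wg1.conf is the second tunnel in wg-quick format with the same FwMark line, and the namespace name vpn-inbound and the 10.65.0.2/32 address are placeholders. The reason the shared mark is enough: wg-quick's FwMark handling installs a policy rule that lets packets carrying that mark skip the tunnel route. wg1 is created in the init namespace, so its UDP socket stays there and its encapsulated packets carry the same mark and take the same bypass, even after the interface itself is moved into the namespace. The script prints the commands by default and only executes them when run as root with `apply`.

```shell
#!/bin/sh
# Added example, not the original poster's script. Assumptions (placeholders):
#  - /etc/wireguard/wg0.conf: main gateway tunnel, managed by wg-quick,
#    containing "FwMark = 0x1234" in [Interface]
#  - /etc/wireguard/wg1.conf: second tunnel in wg-quick format with the same
#    "FwMark = 0x1234" line
#  - the namespace name and the wg1 address below are made up for the demo
set -eu

NS="${NS:-vpn-inbound}"                # isolating namespace for wg1 + web server
WG1_ADDR="${WG1_ADDR:-10.65.0.2/32}"   # placeholder tunnel address for wg1
DRY_RUN="${DRY_RUN:-1}"                # 1 = print the commands, 0 = run them

# Print or execute a command depending on DRY_RUN.
run() {
  if [ "$DRY_RUN" = "1" ]; then
    printf '%s\n' "$*"
  else
    "$@"
  fi
}

# Main gateway tunnel. wg-quick reads FwMark from wg0.conf and adds the
# policy-routing rules ("not fwmark 0x1234 lookup 0x1234" plus the
# suppress_prefixlength rule) that let marked packets bypass the tunnel route.
up_gateway() {
  run wg-quick up wg0
}

# Second tunnel. The device is created in the init namespace, so its UDP
# socket (and its encapsulated packets, marked 0x1234) stays there and
# bypasses wg0 exactly like wg0's own packets. The interface is then moved
# into $NS, where it becomes the only way out.
up_inbound() {
  run ip netns add "$NS"
  run ip link add wg1 type wireguard
  # wg setconf rejects wg-quick-only keys (Address, DNS, ...), so the file is
  # stripped first; FwMark is a wg key and survives the strip.
  run sh -c 'wg-quick strip wg1 | wg setconf wg1 /dev/stdin'
  run ip link set wg1 netns "$NS"
  run ip -n "$NS" addr add "$WG1_ADDR" dev wg1
  run ip -n "$NS" link set lo up
  run ip -n "$NS" link set wg1 up
  run ip -n "$NS" route add default dev wg1
}

# Two fwmark strings as printed by "wg show <if> fwmark" agree only if they
# are identical and neither tunnel reports "off" (no mark at all).
same_mark() {
  [ "$1" != off ] && [ "$1" = "$2" ]
}

# Both tunnels must carry the same mark; otherwise wg1's encapsulated packets
# would follow the default route into wg0 and the hairpin problem returns.
fwmark_matches() {
  main=$(wg show wg0 fwmark)
  second=$(ip netns exec "$NS" wg show wg1 fwmark)
  same_mark "$main" "$second"
}

case "${1:-dry-run}" in
  apply)   DRY_RUN=0; up_gateway; up_inbound; fwmark_matches && echo "fwmark OK" ;;
  dry-run) up_gateway; up_inbound ;;
esac
```

After `apply`, `fwmark_matches` compares `wg show wg0 fwmark` in the init namespace with the same query inside the namespace; anything other than the shared value (for example `off`, meaning the FwMark line was missing from one of the conf files) indicates that wg1's traffic would be pushed into wg0. Any service started with `ip netns exec vpn-inbound ...` then only sees lo and wg1.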
