wireguard: add 'namespace' option to set interface netns #60983
Conversation
LGTM
This pull request has been mentioned on Nix community. There might be relevant details there:
cc @zx2c4
${optionalString (values.allowedIPsAsRoutes != false) (concatStringsSep "\n" (concatMap (peer: | ||
(map (allowedIP: | ||
"ip route replace ${allowedIP} dev ${name} table ${values.table}" | ||
"${ipns} route replace ${allowedIP} dev ${name} table ${values.table}" |
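Review bot: the replacement line switches `ip route replace ...` to `${ipns} route replace ...`, but `${ipns}` is not defined in the visible lines; since `namespace` is an optional new setting, make sure it expands to plain `ip` when no namespace is configured (so existing configurations keep working) and to `ip -n <namespace>` otherwise, and that it is only used after the interface has actually been moved into that namespace, or `route replace ... dev ${name}` will fail because the device does not yet exist there.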
The wireguard netns guide does
ip -n container route add default dev wg0
Is this a relevant difference?
If allowedIP is 0.0.0.0/0, then no. Otherwise, ours will only add relevant routes, while the wireguard example always routes all traffic. People wanting to route all traffic generally have allowedIPs set to ["0.0.0.0/0", "::0/0"].
A quick look at this indicates that you've changed all the commands to run in a target named-namespace instead of the current namespace. Usually the appeal of namespace stuff with WireGuard is to create the device in one namespace and then move it into another, so that the listening socket lives in one while the interface lives in the other. I think that's what you have going on here? But perhaps you want to generalize it so that the creation happens in a designated namespace too?
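As an added illustration of the sequence discussed in this thread (not code from the PR or from nixpkgs), a POSIX shell generator that emits, without executing them, the commands for creating the interface in the current namespace, moving it into a target namespace, and then adding one route per allowedIP inside that namespace; `ip_in_ns` and `wg_netns_cmds` are assumed helper names standing in for the `${ipns}` interpolation in the diff, and an empty namespace argument reproduces today's single-namespace behaviour.

```shell
#!/bin/sh
# Added example (not part of the PR or nixpkgs): print the command sequence the
# discussed option would generate instead of running it, so it can be inspected.
# Address and peer configuration steps are omitted; only link and route setup.

ip_in_ns() {
    # Prefix for commands that must run inside the interface's namespace.
    # Assumed helper; mirrors the ${ipns} variable in the diff. Empty
    # namespace -> plain "ip", i.e. the existing single-namespace behaviour.
    if [ -n "$1" ]; then printf 'ip -n %s' "$1"; else printf 'ip'; fi
}

# Usage: wg_netns_cmds NAME NAMESPACE TABLE ALLOWED_IP...
wg_netns_cmds() {
    name=$1; ns=$2; table=$3; shift 3
    ipns=$(ip_in_ns "$ns")
    # The link is created in the current (init) namespace so the WireGuard
    # UDP socket stays here; only the interface itself is moved.
    echo "ip link add $name type wireguard"
    if [ -n "$ns" ]; then
        echo "ip link set $name netns $ns"
    fi
    # From here on every command must run where the interface now lives.
    # One route per allowedIP: with 0.0.0.0/0 and ::0/0 this is equivalent
    # to the netns guide's "route add default dev wg0"; with narrower
    # prefixes only that traffic is steered into the tunnel.
    for cidr in "$@"; do
        echo "$ipns route replace $cidr dev $name table $table"
    done
    echo "$ipns link set $name up"
}

# Sample invocation with constructed values.
wg_netns_cmds wg0 container main 10.0.0.0/24 fd00:1::/64
```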
Ping! Unfortunately looks like some conflicts have developed, can you take a look when you get a chance? This is a great feature to support IMO, for example I think it's one of the cleanest and most reliable ways to ensure all traffic (for whatever you run in this namespace) goes through wireguard. Honestly I'm a little surprised similar isn't done for tor, to avoid leaks without having to use a VM. Maybe that's not as practical or in fact is already common, but if so that's news to me! :). Anyway, thanks and hopefully we can get this into a suitable state soon ^_^.
Apparently there is orjail, which does the same thing for tor: https://github.com/orjail/orjail
Closing in favour of #71510.
Motivation for this change
The use case in the first section of https://www.wireguard.com/netns/ (making a network namespace to allow proper sandboxing) is rather easy to support in nixpkgs, and hard outside of it. This PR adds an option to do it.
(cc: @Lucus16, @grahamc, @Mic92, @xeji, @fpletz)