wireguard: add 'namespace' option to set interface netns #60983
Conversation
|
This pull request has been mentioned on Nix community. There might be relevant details there: |
|
cc @zx2c4 |
|
|
||
| ${optionalString (values.allowedIPsAsRoutes != false) (concatStringsSep "\n" (concatMap (peer: | ||
| (map (allowedIP: | ||
| "ip route replace ${allowedIP} dev ${name} table ${values.table}" | ||
| "${ipns} route replace ${allowedIP} dev ${name} table ${values.table}" |
There was a problem hiding this comment.
The wireguard netns guide does
ip -n container route add default dev wg0
Is this a relevant difference?
There was a problem hiding this comment.
if allowedIP is 0.0.0.0/0, then no. Otherwise, ours will only add relevant routes, while the wireguard example always routes all traffic. People wanting to route all traffic generally have allowedIPs set to ["0.0.0.0/0", "::0/0"].
|
A quick look at this indicates that you've changed all the commands to run in a target named-namespace instead of the current namespace. Usually the appeal of namespace stuff with WireGuard is to create the device in one namespace and then move it into another, so that the listening socket lives in one while the interface lives in the other. I think that's what you have going on here? But perhaps you want to generalize it so that the creation happens in a designated namespace too? |
|
Ping! Unfortunately looks like some conflicts have developed, can you take a look when you get a chance? This is a great feature to support IMO, for example I think it's one of the cleanest and most reliable ways to ensure all traffic (for whatever you run in this namespace) goes through wireguard. Honestly I'm a little surprised similar isn't done for tor, to avoid leaks without having to use a VM. Maybe that's not as practical or in fact is already common, but if so that's news to me! :). Anyway, thanks and hopefully we can get this into a suitable state soon ^_^. |
|
Apparently there is orjail, which does the same thing for tor: https://github.com/orjail/orjail |
|
Closing in favour of #71510. |
Motivation for this change
The usecase in the first section of https://www.wireguard.com/netns/ (making a network namespace to allow proper sandboxing) is rather easy to support in nixpkgs, and hard outside of it. This PR adds an option to do it.
(cc: @Lucus16 , @grahamc, @Mic92, @xeji, @fpletz )
Things done
sandboxinnix.confon non-NixOS)nix-shell -p nix-review --run "nix-review wip"./result/bin/)nix path-info -Sbefore and after)