From: Marios Makassikis <mmakassikis@freebox.fr>
To: Waishon <waishon009@gmail.com>
Cc: wireguard@lists.zx2c4.com
Subject: Re: Domain as endpoint when using wireguard with network namespaces
Date: Sat, 21 Aug 2021 22:05:19 +0200
Message-ID: <CAF6XXKUjvO2XfehGHjY2qZ_ukHuAQv4+B+1pH-WJ_tqK0n0zzQ@mail.gmail.com>
In-Reply-To: <CANO0tfaBiU3r+bvBp5q57EBc4FNu0+FJ78_7G=vPzdJvuTi18g@mail.gmail.com>
On Tue, Aug 17, 2021 at 11:11 PM Waishon <waishon009@gmail.com> wrote:
>
> Hey there,
>
> I'm currently trying to set up a wireguard-tunnel inside a
> network-namespace as described in the documentation, which fails when
> using a domain as endpoint:
> https://www.wireguard.com/netns/
>
> First I've created the wireguard interface inside the birth-namespace
> of the host using "ip link add wg0 type wireguard". Then I moved the
> wg0 interface to the newly created network namespace, which doesn't
> have any network interfaces and network connections beside the
> loopback interface.
>
> Then I configured the wg0 interface inside the network namespace using
> wg set "INTERFACE_NAME" \
> private-key <SECRET \
> peer "PEER" \
> endpoint vpn.example.com:51820 \
> persistent-keepalive 25 \
> allowed-ips ::/0
>
> This however results in a "Temporary failure in name resolution:
> `vpn.example.com:51820'. Trying again in 1.00 seconds..." error
> message, which makes sense, because the wireguard-tool tries to call
> getaddrinfo inside the network namespace. The namespace doesn't have
> an internet connection and the lookup fails.
> https://github.com/WireGuard/wireguard-tools/blob/96e42feb3f41e2161141d4958e2637d9dee6f90a/src/config.c#L242
>
> As a user I would expect that the wg-tool does the lookup in the
> birth-namespace of the interface and not inside the newly created
> network namespace.
>
> What is the recommended solution to resolve a domain endpoint when
> using network namespaces and wireguard? Just manually look up the
> domain in the birth-namespace and use the ip as endpoint? The
> implementation however would be quite hacky to make it properly work
> with IPv4 and IPv6.
Have you configured a nameserver for your network namespace?
Normally, that would be /etc/netns/<namespace_name>/resolv.conf (you may
need to create the subdirectory first).
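The alternative the question raises, resolving the name in the birth namespace and handing `wg set` a literal address, looks like the following. This is an added example, not code from the thread or from wireguard-tools; the function names, the namespace and interface names, and the use of `getent ahosts` as the resolver front-end are assumptions. It runs in the namespace that has DNS and only enters the target namespace for the final `wg set`, so it does not depend on a resolver being reachable from inside the namespace.

```shell
#!/bin/sh
# Added example (assumed helper names): resolve a WireGuard endpoint hostname
# in the birth namespace, then pass the literal address to wg(8) inside the
# target namespace. Handles IPv4 and IPv6 literals.
set -eu

# Format ADDR and PORT as a wg(8) endpoint; IPv6 literals must be bracketed.
format_endpoint() {
    addr=$1; port=$2
    case $addr in
        *:*) printf '[%s]:%s\n' "$addr" "$port" ;;
        *)   printf '%s:%s\n' "$addr" "$port" ;;
    esac
}

# Choose one address from `getent ahosts` output on stdin (one
# "ADDR SOCKTYPE [NAME]" line per address/socktype pair).
# FAMILY is 4, 6 or any; the first matching STREAM entry wins.
pick_address() {
    family=$1
    awk -v fam="$family" '
        $2 != "STREAM" { next }
        fam == "6" && index($1, ":") == 0 { next }
        fam == "4" && index($1, ":") != 0 { next }
        { print $1; exit }'
}

# Resolve HOST in the namespace this script runs in (the birth namespace,
# which has a working resolver) and print the wg(8) endpoint string.
resolve_endpoint() {
    host=$1; port=$2; family=${3:-any}
    addr=$(getent ahosts "$host" | pick_address "$family") || true
    [ -n "$addr" ] || { echo "resolve_endpoint: no address for $host" >&2; return 1; }
    format_endpoint "$addr" "$port"
}

# Apply the resolved endpoint to PEER on interface IFNAME inside namespace NS.
set_peer_endpoint() {
    ns=$1; ifname=$2; peer=$3; host=$4; port=$5; family=${6:-any}
    endpoint=$(resolve_endpoint "$host" "$port" "$family")
    ip netns exec "$ns" wg set "$ifname" peer "$peer" endpoint "$endpoint"
}

# Usage (assumed names): set_peer_endpoint wgns wg0 "$PEER_PUBKEY" vpn.example.com 51820 6
```

If you instead follow the resolv.conf route above, `ip netns exec` bind-mounts /etc/netns/NAME/resolv.conf over /etc/resolv.conf for the command it runs, but the resolver it names must be reachable from a namespace that has only lo and wg0.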