wireguard.lists.zx2c4.com archive mirror
From: Julian Orth <ju.orth@gmail.com>
To: "Jason A. Donenfeld" <Jason@zx2c4.com>
Cc: WireGuard mailing list <wireguard@lists.zx2c4.com>
Subject: Re: network namespace wireguard routing [Was: Re: Userspace Networking Stack + WireGuard + Go]
Date: Wed, 13 Jan 2021 17:40:58 +0100
Message-ID: <abbf2cfa-025b-78ac-1d26-aeb9ce9263a3@gmail.com>
In-Reply-To: <CAHmME9rbUbEZah0MDtdRXhUxMtOSrcdo4BCN1LY-iDtXUWHy5Q@mail.gmail.com>

On 13/01/2021 17.33, Jason A. Donenfeld wrote:
> In order to prevent this Go thread from being hijacked with Linux
> concerns, I've changed the Subject line of the email. Please keep
> follow-ups in this thread rather than the other.
> Response is in line below:
> On Wed, Jan 13, 2021 at 5:26 PM Julian Orth <ju.orth@gmail.com> wrote:
>> On 13/01/2021 17.04, Jason A. Donenfeld wrote:
>>> Even if you're unprivileged and want a WireGuard interface for just a
>>> single application that's bound to the lifetime of that application,
>>> you can still use WireGuard's normal kernel interface inside of a user
>>> namespace + a network namespace, and get a private process-specific
>>> WireGuard interface.
>> That's what my patches from back in 2018 were trying to accomplish.
>> Unless I've missed something since, I do not see how what you're
>> describing would work.  Unless you also
>> - create a TUN device in the network namespace
>> - add a default route through that TUN device
>> - manually route all traffic between the init network namespace and your
>>   network namespace.
>> Is that what you meant or is there a simpler way?
> What I meant was:
> 1. User opens his shell and runs ./blah. That executes in the init
> namespace where all the physical interfaces are.
> 2. blah creates a wireguard interface.
> 3. blah creates a network namespace.
> 4. blah moves that wireguard interface into that network namespace.
> 5. blah calls `setns()` on one of its threads to use that network namespace.
> Thinking about this in more detail, I'm guessing you take issue with
> step #2? Since that actually might require privileges in the init
> namespace?

Exactly :). My patches in 2018 were trying to solve this by allowing the
user to change the "transit" network namespace after the device has been
created. The "transit" network namespace being the namespace in which
the Wireguard UDP socket lives. This would not require privileges in the
transit namespace, only some kind of proof that the user can create UDP
sockets in said namespace.

> Jason
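
The five steps quoted above, written out as an added example that is not part of this thread (it is neither poster's code nor the WireGuard project's): a POSIX shell script that does steps 2 to 4 with iproute2 and wg(8) and does step 5 with `ip netns exec` instead of an in-process `setns(2)`. The interface name `wg0`, the namespace name `app-ns`, the address `10.0.0.2/24` and the config path are placeholders. By default it only prints the commands, because `ip link add ... type wireguard` in the init netns is exactly the CAP_NET_ADMIN step being discussed; `up` runs them for real. After the move in step 4 the WireGuard UDP socket stays in the init namespace where the interface was created, so only the interface itself ends up in `app-ns`.

```shell
#!/bin/sh
# Added example, not code from this thread or from the WireGuard project.
# Steps 2-5 of the quoted reply using iproute2 and wg(8). All names below
# (wg0, app-ns, 10.0.0.2/24, the config path) are placeholders.
set -eu

WG_IF="${WG_IF:-wg0}"
NS="${NS:-app-ns}"
WG_ADDR="${WG_ADDR:-10.0.0.2/24}"
# wg setconf only accepts [Interface] PrivateKey/ListenPort and [Peer] keys;
# Address/DNS lines (wg-quick syntax) must not be in this file.
WG_CONF="${WG_CONF:-/etc/wireguard/${WG_IF}.conf}"
DRY_RUN="${DRY_RUN:-1}"   # 1: print the privileged commands instead of running them

# run: execute a command, or print it when DRY_RUN=1.
run() {
    if [ "$DRY_RUN" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# wg_netns_up: create the interface in the init netns, then move it.
wg_netns_up() {
    run ip link add "$WG_IF" type wireguard          # step 2: needs CAP_NET_ADMIN here
    run wg setconf "$WG_IF" "$WG_CONF"               # private key, listen port, peers
    run ip netns add "$NS"                           # step 3
    run ip link set "$WG_IF" netns "$NS"             # step 4: UDP socket stays in init ns
    run ip -n "$NS" addr add "$WG_ADDR" dev "$WG_IF"
    run ip -n "$NS" link set "$WG_IF" up
    run ip -n "$NS" route add default dev "$WG_IF"   # all app traffic leaves via wg only
}

# wg_netns_exec: step 5 from outside the process (ip-netns instead of setns(2)).
wg_netns_exec() {
    run ip netns exec "$NS" "$@"
}

wg_netns_down() {
    run ip -n "$NS" link del "$WG_IF"
    run ip netns del "$NS"
}

case "${1:-plan}" in
    plan) wg_netns_up ;;                               # default: print what would be done
    up)   DRY_RUN=0; wg_netns_up ;;
    down) DRY_RUN=0; wg_netns_down ;;
    exec) shift; DRY_RUN=0; wg_netns_exec "$@" ;;
    *)    echo "usage: $0 [plan|up|down|exec CMD...]" >&2; exit 2 ;;
esac
```

`sh wg-netns.sh` prints the seven commands; `sudo sh wg-netns.sh up` and then `sudo sh wg-netns.sh exec ./blah` run the program with `wg0` as its only route, which is the process-private interface the quoted reply describes. Because the interface has no peer in `app-ns` other than itself, the default route through it is all the routing the namespace needs; there is no TUN device and no manual forwarding between namespaces.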

Thread overview: 9+ messages
2021-01-13 16:04 Userspace Networking Stack + WireGuard + Go Jason A. Donenfeld
2021-01-13 16:26 ` Julian Orth
2021-01-13 16:33   ` network namespace wireguard routing [Was: Re: Userspace Networking Stack + WireGuard + Go] Jason A. Donenfeld
2021-01-13 16:40     ` Julian Orth [this message]
2021-01-13 16:46     ` Toke Høiland-Jørgensen
2021-01-13 16:49       ` Jason A. Donenfeld
2021-01-14 10:44         ` Toke Høiland-Jørgensen
2021-01-15  8:12   ` Userspace Networking Stack + WireGuard + Go Marc-André Lureau
2021-01-14 23:25 ` Jason A. Donenfeld
