Replies: 1 comment 3 replies
-
|
I haven't tried myself, but I get frequent reports of using Wireguard with rootless containers and pasta (the default back-end for rootless networking) in a rather simple way. See also https://bugs.passt.top/show_bug.cgi?id=49#c1 for some notes/workarounds. It might even be that you don't need those workarounds. A write-up/detailed status from somebody actually using/testing it would be nice to have, of course. |
Beta Was this translation helpful? Give feedback.
-
|
That's my current workflow. It works for rootful and rootless users, but the rootless user needs But this way, you'll have local interface + wireguard interface inside the container only. # Create pod
podman pod create --network=none --name wgpod
podman pod start wgpod
# Get PID of InfraContainer and define variables
infra_pid="$(podman ps --pod --format json --filter pod='wgpod' --format '{{.Pid}}')"
infra_wg=wg-"$infra_pid"
infra_ns=wg-"$infra_pid"
wg_config=/opt/wg-test.conf
# Associate network namespace with infra-process, create WireGuard interface and move it to network namespace
sudo /usr/bin/env bash << EOF
ip netns attach "$infra_ns" "$infra_pid"
ip link add "$infra_wg" type wireguard
ip link set "$infra_wg" netns "$infra_ns"
EOF
# Configure WireGuard inside the namespace
sudo ip netns exec "$infra_ns" /usr/bin/env bash << EOF
ip addr add "$(awk '/^Address/ {print $3}' "$wg_config")" dev "$infra_wg"
wg setconf "$infra_wg" <(wg-quick strip "$wg_config")
ip link set "$infra_wg" up
ip route add 0.0.0.0/0 dev "$infra_wg"
# wg show
EOF
# Test connectivity (1)
sudo ip netns exec "$infra_ns" wget -q -O- icanhazip.com
sudo nsenter --net=/proc/"$infra_pid"/ns/net wget -q -O- icanhazip.com
sudo nsenter --net=/var/run/netns/"$infra_ns" wget -q -O- icanhazip.com
# Test connectivity (2)
echo 'nameserver 1.1.1.1' > /tmp/resolv.conf
podman run -it --rm --pod=wgpod -v /tmp/resolv.conf:/etc/resolv.conf alpine wget -q -O- icanhazip.com
podman run -it --rm --pod=wgpod alpine sh -c 'route; ip addr'
# Test connectivity (3)
podman run -it --rm --network ns:/var/run/netns/"$infra_ns" --dns 1.1.1.1 alpine wget -q -O- icanhazip.com
podman run -it --rm --network ns:/proc/"$infra_pid"/ns/net --dns 1.1.1.1 alpine wget -q -O- icanhazip.com
# Stop pod
podman pod stop wgpod
# Cleanup network namespace
sudo /usr/bin/env sh <<EOF
ip netns exec "$infra_ns" ip link set "$infra_wg" down
ip netns exec "$infra_ns" ip link delete dev "$infra_wg"
ip netns delete "$infra_ns"
EOF
# Destroy pod
podman pod rm wgpod |
Beta Was this translation helpful? Give feedback.
-
|
What I'm suggesting is that you would try with rootless networking instead. That is, drop the |
Beta Was this translation helpful? Give feedback.
-
|
I definitely have to say that this is way beyond my knowledge. |
Beta Was this translation helpful? Give feedback.
-
question
Is there a "gold standard" for connecting a container to an external WireGuard VPN in both rootful and rootless modes using the current version of Podman?
"the market"
There are various approaches to running WireGuard with Podman. Some work only in rootful mode, while others support rootless mode but require additional privileges. One automatic method configures the network within a pod but necessitates "network admin rights", which may be undesirable. Another manual method involves setting up WireGuard externally and then moving the WireGuard interface into the namespace.
Additionally, there are extensive tutorials, such as this one, where the author clearly invested significant effort. However, these guides can be challenging for everyday users to follow.
Beta Was this translation helpful? Give feedback.
All reactions