Mount your podman container into WireGuard networks on spawn

Related tags

Network wg-pod
Overview

wg-pod

A tool to quickly join your podman container/pod into a WireGuard network.

Explanation

wg-pod wires up the tools ip,route,wg and podman. It creates a WireGuard interface inside of the containers network namespace and routes all traffic defined as AllowedIPs through the WireGuard interface.

Existing interfaces in the namespace are not deleted and a route that is more specific than the default route in the namespace will still match. This means that the container will be able to talk over both the WireGuard network and the original network that was created for it by podman.

Commands

join

Parameters

  • container_name (required): specify the name of the container that should get connected into the network
  • config_path (required): absolute path to the wireguard config

Flags

  • port-remapping (optional): comma separated list of ports to remap from the interface to the container

Dependencies

  • Linux
  • write permissions to /run/containers
  • permissions to change the network CAP_NET_ADMIN
  • nftables
  • ip
  • wireguard

Cool automation

Use wg-pod inside the ExecStartPost lifecycle of SystemD unit files to spawn containers into a network directly after creation. Check out quadlet for a convenient way of creating those unit files.

Security considerations

  • Make sure that no user (not even root) can edit around network configurations inside your container. (CAP_NET_ADMIN must not be given)
  • The Host network that was set up during container creation is still reachable with routing rules more specific than the default route to the WireGuard VPN
You might also like...
The easiest, most secure way to use WireGuard and 2FA.

This repository contains all the open source Tailscale client code and the tailscaled daemon and tailscale CLI tool. The tailscaled daemon runs primarily on Linux; it also works to varying degrees on FreeBSD, OpenBSD, Darwin, and Windows.

A Lightweight VPN Built on top of Libp2p for Truly Distributed Networks.
A Lightweight VPN Built on top of Libp2p for Truly Distributed Networks.

Hyprspace A Lightweight VPN Built on top of Libp2p for Truly Distributed Networks. demo.mp4 Table of Contents A Bit of Backstory Use Cases A Digital N

An userspace SORACOM Arc client powered by wireguard-go

soratun An easy-to-use, userspace SORACOM Arc client powered by wireguard-go. For deploying and scaling Linux servers/Raspberry Pi devices working wit

A Wireguard VPN Server Manager and API to add and remove clients

Wireguard Manager And API A manager and API to add, remove clients as well as other features such as an auto reapplier which deletes and adds back a c

Data source provider for Terraform that interacts with the Solana networks

Terraform Solana Provider Registry Page Requirements Terraform = 0.13.x Go 1.16.x (for building from source) Example Usage Full provider documentatio

Layer2 version of wireguard with Floyd Warshall implement in go.

Etherguard 中文版README A Full Mesh Layer2 VPN based on wireguard-go OSPF can find best route based on it's cost. But sometimes the lentancy are differen

Magic util that "bridges" Wireguard with OpenVPN without a TUN/TAP interface

wg-ovpn Magic util that "bridges" Wireguard with OpenVPN without a TUN/TAP interface Warning: really ugly and unstable code! Building Obtain latest so

Attach services to specified networks automatically

Docker swarm network attacher Description docker-swarm-network-attacher aims to solve the problem of sharing a network between unrelated services. Wit

Go Implementation of WireGuard

Go Implementation of WireGuard

Comments
  • Error moving to namespace .

    Error moving to namespace .

    wg-pod looks really handy but I'm getting an error when the move to the container namespace occurs. It seems that in my case wg-pod is trying to use . instead of an actual namespace and ip isn't playing.

    A snippet of the journal:

    Adding container wggenweb into WireGuard network defined in /etc/wireguard/moadmin.conf
    Feb 18 17:22:52 momod wg-pod[13131]: Create temporary private key file for WireGuard interface at /run/containers/network/wggenweb.pkey
    Feb 18 17:22:52 momod wg-pod[13131]: Added new WireGuard interface podman-ec19a2f
    Feb 18 17:22:52 momod wg-pod[13131]: Error: problem when trying to move WireGuard interface podman-ec19a2f to namespace .
    Feb 18 17:22:52 momod wg-pod[13131]:  RTNETLINK answers: Invalid argument
    

    When starting this pod infra container on Ubuntu 21.10 via this systemd unit file:

    
    [Unit]
    Description=Podman wggenweb-pod.service
    Documentation=man:podman-generate-systemd(1)
    Wants=network.target
    After=network-online.target
    RequiresMountsFor= 
    Requires=wggenweb-container.service
    Before=wggenweb-container.service
    
    [Service]
    Environment=PODMAN_SYSTEMD_UNIT=%n
    Restart=always
    RestartSec=30
    TimeoutStopSec=70
    ExecStartPre=/bin/rm -f %t/%n.pid %t/%n.pod-id
    ExecStartPre=/usr/bin/podman pod create \
    --infra-conmon-pidfile %t/%n.pid \
    --pod-id-file %t/%n.pod-id \
    --publish 8080:8080 \
    --name wggenweb \
    --replace
    ExecStart=/usr/bin/podman pod start --pod-id-file %t/%n.pod-id
    ExecStartPost=/usr/local/bin/wg-pod join wggenweb \
    /etc/wireguard/moadmin.conf \
    --port-remapping 8080:8080
    ExecStop=/usr/bin/podman pod stop --ignore --pod-id-file %t/%n.pod-id -t 10
    ExecStopPost=/usr/bin/podman pod rm --ignore -f --pod-id-file %t/%n.pod-id
    PIDFile=%t/%n.pid
    Type=forking
    KillMode=control-group
    
    [Install]
    WantedBy=multi-user.target default.target
    

    Any suggestions on debugging would be welcome.

    Edit: I suppose the obvious thing is to remove the ExecStartPost line and see what happens when I manually try to get the namespace etc.

    opened by adrinux 7
  • Not working with multiple AllowedIPs

    Not working with multiple AllowedIPs

    When using multiple AllowedIPs like in a standard wireguard.conf file, e.g.

    AllowedIPs = 192.168.42.0/24, 192.168.178.0/24
    

    wg-pod join results in this error:

    Error: problem when configuring WireGuard interface podman-4137677 in namespace cni-673da6a1-33a4-48fc-1e92-7091531fa383 with config /root/wireguard/homeassistant/wg0.conf
    Unable to parse IP address: `'
    
    opened by Siroj42 2
  • DNS over Tunnel

    DNS over Tunnel

    Currently all the DNS is resolved via the CNI interface created by podman.

    If the default interface should be deleted the DNS is not switching to the WireGuard interface.

    wg-quick supports this with DNS= in the config file.

    This can be added to support this. Even of containers can be of all different shape and setup it is probably still safe to assume that using /etc/resolv.conf will work.

    help wanted 
    opened by b-m-f 0
Releases(0.4)
Owner
Maximilian Ehlers
Building the future, today.
Maximilian Ehlers
🐉 Simple WireGuard proxy with minimal overhead for WireGuard traffic.

swgp-go ?? Simple WireGuard proxy with minimal overhead for WireGuard traffic. Proxy Modes 1. Zero overhead Simply AES encrypt the first 16 bytes of a

null 67 Nov 29, 2022
Automatically spawn a reverse shell fully interactive for Linux or Windows victim

Girsh (Golang Interactive Reverse SHell) Who didn't get bored of manually typing the few lines to upgrade a reverse shell to a full interactive revers

null 285 Dec 3, 2022
Connect your devices into a single private WireGuard®-based mesh network.

Wiretrustee A WireGuard®-based mesh network that connects your devices into a single private network. Why using Wiretrustee? Connect multiple devices

null 3.8k Nov 28, 2022
A library for working with IP addresses and networks in Go

IPLib I really enjoy Python's ipaddress library and Ruby's ipaddr, I think you can write a lot of neat software if some of the little problems around

Chad Robinson 96 Nov 30, 2022
A fork of the simple WireGuard VPN server GUI community maintained

Subspace - A simple WireGuard VPN server GUI Subspace - A simple WireGuard VPN server GUI Slack Screenshots Features Contributing Setup 1. Get a serve

null 1.7k Nov 29, 2022
webrpc is a schema-driven approach to writing backend services for modern Web apps and networks

webrpc is a schema-driven approach to writing backend servers for the Web. Write your server's api interface in a schema format of RIDL or JSON, and t

null 487 Nov 22, 2022
The Swiss Army knife for 802.11, BLE and Ethernet networks reconnaissance and MITM attacks.

bettercap is a powerful, easily extensible and portable framework written in Go which aims to offer to security researchers, red teamers and reverse e

bettercap 12.1k Dec 3, 2022
Transfer 10Gbps http traffic over 1Gbps networks :)

httpteleport Teleports 10Gbps http traffic over 1Gbps networks. Built on top of fastrpc. Use cases httpteleport may significantly reduce inter-server

Aliaksandr Valialkin 447 Nov 30, 2022
Netmaker is a tool for creating and managing virtual networks

Netmaker is a tool for creating and managing virtual networks. The goal is to make virtual/overlay/mesh networking easy for non-networking people. It should be like clicking a button. Netmaker consists of a server, an agent, and a UI.

GRAVITL 5.7k Dec 1, 2022
Simple Web based configuration generator for WireGuard. Demo:

Wg Gen Web Simple Web based configuration generator for WireGuard. Why another one ? All WireGuard UI implementations are trying to manage the service

vx3r 1.1k Dec 1, 2022