A tool to quickly join your podman container/pod into a WireGuard network.
wg-pod wires up the tools ip, route, wg and podman. It creates a WireGuard interface inside the container's network namespace and routes all traffic destined for the addresses listed as AllowedIPs through the WireGuard interface.
Existing interfaces in the namespace are not deleted, and a route that is more specific than the default route in the namespace still matches. This means the container can talk over both the WireGuard network and the original network that podman created for it.
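The steps described above, as an added dry-run script that is not wg-pod's own code: it parses a WireGuard config, then prints the ip/wg/podman commands that would create the interface on the host, move it into the container's namespace and route only the AllowedIPs through it. The interface name wg0, the use of nsenter and wg-quick strip, and the sample config are assumptions of this example.

```shell
#!/bin/sh
# Added example (not wg-pod's code): dry-run of the ip/wg/podman steps.
# Prints the commands instead of executing them; pipe to `sh` as root to apply.
# Assumed: interface name wg0; nsenter and wg-quick are installed.

# Print every AllowedIPs CIDR from the [Peer] sections of a WireGuard config,
# one per line (handles comma-separated lists and surrounding whitespace).
allowed_ips() {
  sed -n 's/^[[:space:]]*AllowedIPs[[:space:]]*=[[:space:]]*//p' "$1" |
    tr ',' '\n' | sed 's/^[[:space:]]*//;s/[[:space:]]*$//' | grep -v '^$'
}

# Print the Address from the [Interface] section (first one only).
iface_address() {
  sed -n 's/^[[:space:]]*Address[[:space:]]*=[[:space:]]*//p' "$1" | head -n1
}

# Emit the command sequence for container $1 using config $2. The interface
# is created on the host (its UDP socket stays there) and moved into the
# container's namespace; the podman-created interface is left untouched.
# Only AllowedIPs get routes, so a more specific existing route still wins.
plan() {
  c=$1; cfg=$2
  echo "pid=\$(podman inspect -f '{{.State.Pid}}' '$c')"
  echo "ip link add wg0 type wireguard"
  echo "ip link set wg0 netns \"\$pid\""
  # wg-quick strip removes Address/DNS lines that wg(8) setconf rejects
  echo "wg-quick strip '$cfg' | nsenter -t \"\$pid\" -n wg setconf wg0 /dev/stdin"
  echo "nsenter -t \"\$pid\" -n ip addr add '$(iface_address "$cfg")' dev wg0"
  echo "nsenter -t \"\$pid\" -n ip link set wg0 up"
  allowed_ips "$cfg" | while read -r cidr; do
    echo "nsenter -t \"\$pid\" -n ip route add '$cidr' dev wg0"
  done
}

# Constructed sample config for demonstration (keys are placeholders).
WG_SAMPLE=$(mktemp)
cat > "$WG_SAMPLE" <<'EOF'
[Interface]
PrivateKey = <placeholder-private-key>
Address = 10.8.0.2/32

[Peer]
PublicKey = <placeholder-public-key>
Endpoint = vpn.example.com:51820
AllowedIPs = 10.8.0.0/24, 192.168.50.0/24
EOF

plan mycontainer "$WG_SAMPLE"
```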
- container_name (required): name of the container that should be connected to the network
- config_path (required): absolute path to the WireGuard config
- port-remapping (optional): comma-separated list of ports to remap from the interface to the container
- write permissions to
- permissions to change the network
Run wg-pod in the ExecStartPost lifecycle hook of systemd unit files to join containers to the network directly after creation. Check out quadlet for a convenient way of creating those unit files.
- Make sure that no user (not even root) can edit the network configuration inside your container (CAP_NET_ADMIN must not be given).
- The host network that was set up during container creation is still reachable: routing rules more specific than the default route to the WireGuard VPN still match.