Wireguard VPN over a network namespace service for one specific app
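# put in /etc/systemd/system/netns-wg.service
# Creates a network namespace whose only route is a WireGuard tunnel, so a
# process started inside it (ip netns exec / firejail --netns) has no path to
# the network except through the VPN.
[Unit]
Description=Start a VPN Network Namespace
After=network.target

[Service]
Type=oneshot
RemainAfterExit=true
# namespace name; ExecStop must delete the same name
Environment=NS=netns_wg
# WireGuard interface name; its config is read from /etc/wireguard/${WG}.conf
Environment=WG=wg_netns
# copy from wg conf
Environment=IPV4=10.11.12.13/32
Environment=IPV6=2001:DB8:0000:0000:244:17FF:FEB6:D37D/64
ExecStart=ip netns add ${NS}
ExecStart=ip -n ${NS} link set lo up
# the interface is created in the host namespace and then moved: WireGuard
# keeps its UDP socket where the interface was created, so the encrypted
# tunnel traffic leaves via the host's routes while the decrypted traffic
# is confined to ${NS}
ExecStart=ip link add ${WG} type wireguard
ExecStart=ip link set ${WG} netns ${NS}
# /etc/wireguard/${WG}.conf holds the private key; keep it root-only (mode 600)
ExecStart=ip netns exec ${NS} wg setconf ${WG} /etc/wireguard/${WG}.conf
ExecStart=ip -n ${NS} addr add ${IPV4} dev ${WG}
# ExecStart=ip -n ${NS} addr add ${IPV6} dev ${WG}
ExecStart=ip -n ${NS} link set ${WG} up
# default route only through the tunnel; no IPv6 route is added, so IPv6
# connections inside the namespace fail (unreachable) instead of escaping
ExecStart=ip -n ${NS} route add default dev ${WG}
# ExecStart=ip -n ${NS} -6 route add default dev ${WG}
# NOTE: name resolution inside the namespace uses the host's /etc/resolv.conf
# unless /etc/netns/${NS}/resolv.conf exists; a host-local stub resolver
# (e.g. 127.0.0.53) is not reachable from inside the namespace
# deleting the namespace also removes ${WG}; must use the same name as NS=
ExecStop=ip netns delete ${NS}

[Install]
WantedBy=multi-user.target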
# start the namespace service defined in netns-wg.service
$ sudo systemctl start netns-wg
# verify: the public IP seen from inside the namespace should be the VPN
# exit address, not the host's
$ sudo ip netns exec netns_wg curl ifconfig.co
X.X.X.X
# same check without sudo, through firejail's --netns option
$ firejail --netns=netns_wg curl ifconfig.co
X.X.X.X
# run a GUI app confined to the VPN namespace
$ firejail --netns=netns_wg chromium
# alternative without firejail: enter the namespace as root, then drop back to
# the invoking user before starting the app
$ sudo ip netns exec netns_wg sudo -u $USER chromium
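# put in /etc/wireguard/wg_netns.conf
# (the file name must match Environment=WG= in netns-wg.service, which loads it
# with `wg setconf`; it holds the private key, so keep it root-only, mode 600)
[Interface]
PrivateKey = <PRIVATE_KEY>
# Address is set on the service, keep it commented here
# (Address and DNS are wg-quick keys; `wg setconf` does not accept them)
#Address = 10.11.12.13/32
#DNS = 10.11.0.1

[Peer]
PublicKey = <PUBLIC_KEY>
PresharedKey = <PRESHARED_KEY>
# route all IPv4 through the peer; matches the IPv4-only default route the
# service installs in the namespace
AllowedIPs = 0.0.0.0/0
Endpoint = 11.22.33.44:51820
PersistentKeepalive = 25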