Hi Julian

On Wed, Jan 13, 2021 at 8:28 PM Julian Orth <[email protected]> wrote:
>
> On 13/01/2021 17.04, Jason A. Donenfeld wrote:
> > Even if you're unprivileged and want a WireGuard interface for just a
> > single application that's bound to the lifetime of that application,
> > you can still use WireGuard's normal kernel interface inside of a user
> > namespace + a network namespace, and get a private process-specific
> > WireGuard interface.
>
> That's what my patches from back in 2018 were trying to accomplish.
> Unless I've missed something since, I do not see how what you're
> describing would work. Unless you also
>
> - create a TUN device in the network namespace
> - add a default route through that TUN device
> - manually route all traffic between the init network namespace and your
>   network namespace.
>
> Is that what you meant or is there a simpler way?
I am not a network admin, but I agree. Setting up this kind of user network namespace isn't trivial and requires some privileges. It would be nice if the kernel or some services provided a simpler way.

(fwiw, some time ago I did some experimental/research work for VM & containers at https://gitlab.freedesktop.org/elmarco/vnet)

-- 
Marc-André Lureau
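The three steps Julian lists (a TUN device in the new namespace, a default route through it, and a relay of that traffic to the init network namespace) written out as a shell script, so the amount of plumbing is visible. This is an added example, not code from this thread, from WireGuard or from the vnet project; it uses slirp4netns as the unprivileged relay, which is one possible choice and not something the thread proposes. It assumes unshare, nsenter, ip, wg and slirp4netns are installed, that the kernel allows unprivileged user namespaces and already has the wireguard module loaded, and that the peer key, endpoint (203.0.113.10, an RFC 5737 documentation address), tunnel address and key path are placeholders to replace.

```shell
#!/bin/sh
# Added example (not from the thread): a kernel WireGuard interface inside an
# unprivileged user+network namespace. slirp4netns supplies the TUN/TAP device,
# the default route and the relay to the init netns that Julian's list calls for.
# Assumed tools: unshare, nsenter, ip, wg, slirp4netns. Assumed kernel state:
# unprivileged user namespaces allowed, wireguard module already loaded.
# Peer key, endpoint, addresses and key path are placeholders, not thread values.
set -eu

WG_IF=wg0
TAP_IF=tap0
SLIRP_GW=10.0.2.2                                    # gateway slirp4netns --configure installs
TUN_ADDR="${TUN_ADDR:-10.66.0.2/24}"                 # our address inside the tunnel (placeholder)
PEER_PUBKEY="${PEER_PUBKEY:-<peer-public-key>}"      # placeholder, replace
PEER_ENDPOINT="${PEER_ENDPOINT:-203.0.113.10:51820}" # placeholder, RFC 5737 documentation address
PRIVKEY_FILE="${PRIVKEY_FILE:-${XDG_RUNTIME_DIR:-/tmp}/wg-userns.key}"

# run: execute a command, or with DRY_RUN=1 just print it
run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then echo "+ $*"; else "$@"; fi
}

# spawn: like run, but in the background; leaves the child's pid in SPAWNED_PID
# ("$@" & is used directly so $! is the command itself, not a wrapper subshell)
spawn() {
    if [ "${DRY_RUN:-0}" = 1 ]; then echo "+ $* &"; SPAWNED_PID=0; return 0; fi
    "$@" &
    SPAWNED_PID=$!
}

# ns_exec PID CMD...: run CMD inside the user+net namespaces held open by PID
ns_exec() {
    pid=$1; shift
    run nsenter -U --preserve-credentials -n -t "$pid" "$@"
}

# wait_for_netns PID: slirp4netns reads /proc/PID/ns/net, so PID must have
# finished unshare(2) first, or slirp4netns would attach to our own netns
wait_for_netns() {
    [ "${DRY_RUN:-0}" = 1 ] && return 0
    i=0
    while [ "$(readlink "/proc/$1/ns/net")" = "$(readlink /proc/self/ns/net)" ]; do
        i=$((i + 1))
        [ "$i" -lt 50 ] || { echo "pid $1 never left our netns" >&2; return 1; }
        sleep 0.1
    done
}

# wait_for_link PID IFACE: slirp4netns creates the TAP device asynchronously
wait_for_link() {
    i=0
    until ns_exec "$1" ip link show "$2" >/dev/null 2>&1; do
        i=$((i + 1))
        [ "$i" -lt 50 ] || { echo "$2 never appeared" >&2; return 1; }
        sleep 0.1
    done
}

# ensure_key: generate our private key once, readable only by us
ensure_key() {
    [ -s "$PRIVKEY_FILE" ] && return 0
    if [ "${DRY_RUN:-0}" = 1 ]; then echo "+ wg genkey > $PRIVKEY_FILE"; return 0; fi
    ( umask 077; wg genkey > "$PRIVKEY_FILE" )
}

setup_all() {
    ensure_key
    # 1. fresh user+net namespaces; we are uid 0 with CAP_NET_ADMIN inside, but
    #    the netns holds only lo, so nothing can reach the outside yet
    spawn unshare --user --map-root-user --net sh -c 'ip link set lo up && exec sleep infinity'
    SANDBOX_PID=$SPAWNED_PID
    wait_for_netns "$SANDBOX_PID"
    # 2. TUN device + default route + relay in one go: slirp4netns creates TAP_IF
    #    in the child netns with 10.0.2.100/24 and a default route via SLIRP_GW,
    #    and forwards its traffic through ordinary unprivileged host sockets
    spawn slirp4netns --configure --mtu=65520 --disable-host-loopback "$SANDBOX_PID" "$TAP_IF"
    SLIRP_PID=$SPAWNED_PID
    wait_for_link "$SANDBOX_PID" "$TAP_IF"
    # 3. the WireGuard interface: created in the child netns, so its UDP socket
    #    lives there too and encrypted packets follow the child's routing table
    ns_exec "$SANDBOX_PID" ip link add "$WG_IF" type wireguard
    ns_exec "$SANDBOX_PID" wg set "$WG_IF" private-key "$PRIVKEY_FILE" \
        peer "$PEER_PUBKEY" endpoint "$PEER_ENDPOINT" allowed-ips 0.0.0.0/0
    ns_exec "$SANDBOX_PID" ip address add "$TUN_ADDR" dev "$WG_IF"
    ns_exec "$SANDBOX_PID" ip link set "$WG_IF" up
    # 4. pin the endpoint to the slirp path *before* swinging the default route
    #    into the tunnel, otherwise the encrypted packets would loop back into wg0
    ns_exec "$SANDBOX_PID" ip route add "${PEER_ENDPOINT%:*}/32" via "$SLIRP_GW" dev "$TAP_IF"
    ns_exec "$SANDBOX_PID" ip route replace default dev "$WG_IF"
    echo "# sandbox pid $SANDBOX_PID, slirp4netns pid $SLIRP_PID; run an application with:"
    echo "# nsenter -U --preserve-credentials -n -t $SANDBOX_PID <command>"
}

case "${1:-}" in
    run) setup_all ;;   # sh wg-userns.sh run   (DRY_RUN=1 only prints the plan)
esac
```

Run it with `DRY_RUN=1 sh wg-userns.sh run` first to see the command plan, then without DRY_RUN. The namespaces live as long as the `sleep` holder process; `kill $SANDBOX_PID $SLIRP_PID` tears everything down, and `nsenter -U --preserve-credentials -n -t $SANDBOX_PID wg show wg0` shows whether a handshake happened. Two caveats the script does not hide: the relay is a userspace process, so throughput is bounded by slirp4netns, and DNS inside the namespace still points at slirp's resolver (10.0.2.3) unless you pin that route or use a resolver reachable through the tunnel.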
