Mount your podman container into WireGuard networks on spawn

wg-pod

A tool to quickly join your podman container/pod into a WireGuard network.

Explanation

wg-pod wires up the tools ip,route,wg and podman. It creates a WireGuard interface inside of the containers network namespace and routes all traffic defined as AllowedIPs through the WireGuard interface.

Existing interfaces in the namespace are not deleted and a route that is more specific than the default route in the namespace will still match. This means that the container will be able to talk over both the WireGuard network and the original network that was created for it by podman.

Commands

join

Parameters

  • container_name (required): specify the name of the container that should get connected into the network
  • config_path (required): absolute path to the wireguard config

Flags

  • port-remapping (optional): comma separated list of ports to remap from the interface to the container

Dependencies

  • Linux
  • write permissions to /run/containers
  • permissions to change the network CAP_NET_ADMIN
  • nftables
  • ip
  • wireguard

Cool automation

Use wg-pod inside the ExecStartPost lifecycle of SystemD unit files to spawn containers into a network directly after creation. Check out quadlet for a convenient way of creating those unit files.

Security considerations

  • Make sure that no user (not even root) can edit around network configurations inside your container. (CAP_NET_ADMIN must not be given)
  • The Host network that was set up during container creation is still reachable with routing rules more specific than the default route to the WireGuard VPN
Owner
Maximilian Ehlers
Building the future, today.
Maximilian Ehlers
https://github.com/b-m-f/wg-pod
Similar Resources

The easiest, most secure way to use WireGuard and 2FA.

This repository contains all the open source Tailscale client code and the tailscaled daemon and tailscale CLI tool. The tailscaled daemon runs primarily on Linux; it also works to varying degrees on FreeBSD, OpenBSD, Darwin, and Windows.

Jan 8, 2023

A Lightweight VPN Built on top of Libp2p for Truly Distributed Networks.

A Lightweight VPN Built on top of Libp2p for Truly Distributed Networks.

Hyprspace A Lightweight VPN Built on top of Libp2p for Truly Distributed Networks. demo.mp4 Table of Contents A Bit of Backstory Use Cases A Digital N

Dec 29, 2022

An userspace SORACOM Arc client powered by wireguard-go

soratun An easy-to-use, userspace SORACOM Arc client powered by wireguard-go. For deploying and scaling Linux servers/Raspberry Pi devices working wit

Jun 2, 2022

A Wireguard VPN Server Manager and API to add and remove clients

Wireguard Manager And API A manager and API to add, remove clients as well as other features such as an auto reapplier which deletes and adds back a c

Dec 22, 2022

Data source provider for Terraform that interacts with the Solana networks

Terraform Solana Provider Registry Page Requirements Terraform = 0.13.x Go 1.16.x (for building from source) Example Usage Full provider documentatio

Aug 6, 2022

Layer2 version of wireguard with Floyd Warshall implement in go.

Etherguard 中文版README A Full Mesh Layer2 VPN based on wireguard-go OSPF can find best route based on it's cost. But sometimes the lentancy are differen

Dec 29, 2022

Magic util that "bridges" Wireguard with OpenVPN without a TUN/TAP interface

wg-ovpn Magic util that "bridges" Wireguard with OpenVPN without a TUN/TAP interface Warning: really ugly and unstable code! Building Obtain latest so

Sep 27, 2022

Attach services to specified networks automatically

Docker swarm network attacher Description docker-swarm-network-attacher aims to solve the problem of sharing a network between unrelated services. Wit

Nov 11, 2021

Go Implementation of WireGuard

Go Implementation of WireGuard

Jan 2, 2023
Comments
  • Error moving to namespace .

    Error moving to namespace .

    wg-pod looks really handy but I'm getting an error when the move to the container namespace occurs. It seems that in my case wg-pod is trying to use . instead of an actual namespace and ip isn't playing.

    A snippet of the journal:

    Adding container wggenweb into WireGuard network defined in /etc/wireguard/moadmin.conf
Feb 18 17:22:52 momod wg-pod[13131]: Create temporary private key file for WireGuard interface at /run/containers/network/wggenweb.pkey
Feb 18 17:22:52 momod wg-pod[13131]: Added new WireGuard interface podman-ec19a2f
Feb 18 17:22:52 momod wg-pod[13131]: Error: problem when trying to move WireGuard interface podman-ec19a2f to namespace .
Feb 18 17:22:52 momod wg-pod[13131]:  RTNETLINK answers: Invalid argument

    When starting this pod infra container on Ubuntu 21.10 via this systemd unit file:

    
[Unit]
Description=Podman wggenweb-pod.service
Documentation=man:podman-generate-systemd(1)
Wants=network.target
After=network-online.target
RequiresMountsFor= 
Requires=wggenweb-container.service
Before=wggenweb-container.service

[Service]
Environment=PODMAN_SYSTEMD_UNIT=%n
Restart=always
RestartSec=30
TimeoutStopSec=70
ExecStartPre=/bin/rm -f %t/%n.pid %t/%n.pod-id
ExecStartPre=/usr/bin/podman pod create \
--infra-conmon-pidfile %t/%n.pid \
--pod-id-file %t/%n.pod-id \
--publish 8080:8080 \
--name wggenweb \
--replace
ExecStart=/usr/bin/podman pod start --pod-id-file %t/%n.pod-id
ExecStartPost=/usr/local/bin/wg-pod join wggenweb \
/etc/wireguard/moadmin.conf \
--port-remapping 8080:8080
ExecStop=/usr/bin/podman pod stop --ignore --pod-id-file %t/%n.pod-id -t 10
ExecStopPost=/usr/bin/podman pod rm --ignore -f --pod-id-file %t/%n.pod-id
PIDFile=%t/%n.pid
Type=forking
KillMode=control-group

[Install]
WantedBy=multi-user.target default.target

    Any suggestions on debugging would be welcome.

    Edit: I suppose the obvious thing is to remove the ExecStartPost line and see what happens when I manually try to get the namespace etc.

  • Not working with multiple AllowedIPs

    Not working with multiple AllowedIPs

    When using multiple AllowedIPs like in a standard wireguard.conf file, e.g.

    AllowedIPs = 192.168.42.0/24, 192.168.178.0/24

    wg-pod join results in this error:

    Error: problem when configuring WireGuard interface podman-4137677 in namespace cni-673da6a1-33a4-48fc-1e92-7091531fa383 with config /root/wireguard/homeassistant/wg0.conf
Unable to parse IP address: `'
  • DNS over Tunnel

    DNS over Tunnel

    Currently all the DNS is resolved via the CNI interface created by podman.

    If the default interface should be deleted the DNS is not switching to the WireGuard interface.

    wg-quick supports this with DNS= in the config file.

    This can be added to support this. Even of containers can be of all different shape and setup it is probably still safe to assume that using /etc/resolv.conf will work.

Related tags
Network wg-pod
🐉 Simple WireGuard proxy with minimal overhead for WireGuard traffic.

swgp-go ?? Simple WireGuard proxy with minimal overhead for WireGuard traffic. Proxy Modes 1. Zero overhead Simply AES encrypt the first 16 bytes of a

Jan 8, 2023
Automatically spawn a reverse shell fully interactive for Linux or Windows victim
 Automatically spawn a reverse shell fully interactive for Linux or Windows victim

Girsh (Golang Interactive Reverse SHell) Who didn't get bored of manually typing the few lines to upgrade a reverse shell to a full interactive revers

Dec 14, 2022
Connect your devices into a single private WireGuard®-based mesh network.

Wiretrustee A WireGuard®-based mesh network that connects your devices into a single private network. Why using Wiretrustee? Connect multiple devices

Dec 31, 2022
A library for working with IP addresses and networks in Go

IPLib I really enjoy Python's ipaddress library and Ruby's ipaddr, I think you can write a lot of neat software if some of the little problems around

Dec 20, 2022
A fork of the simple WireGuard VPN server GUI community maintained
 A fork of the simple WireGuard VPN server GUI community maintained

Subspace - A simple WireGuard VPN server GUI Subspace - A simple WireGuard VPN server GUI Slack Screenshots Features Contributing Setup 1. Get a serve

Dec 25, 2022
webrpc is a schema-driven approach to writing backend services for modern Web apps and networks
 webrpc is a schema-driven approach to writing backend services for modern Web apps and networks

webrpc is a schema-driven approach to writing backend servers for the Web. Write your server's api interface in a schema format of RIDL or JSON, and t

Jan 7, 2023
The Swiss Army knife for 802.11, BLE and Ethernet networks reconnaissance and MITM attacks.
 The Swiss Army knife for 802.11, BLE and Ethernet networks reconnaissance and MITM attacks.

bettercap is a powerful, easily extensible and portable framework written in Go which aims to offer to security researchers, red teamers and reverse e

Jan 3, 2023
Transfer 10Gbps http traffic over 1Gbps networks :)

httpteleport Teleports 10Gbps http traffic over 1Gbps networks. Built on top of fastrpc. Use cases httpteleport may significantly reduce inter-server

Nov 30, 2022
Netmaker is a tool for creating and managing virtual networks
 Netmaker is a tool for creating and managing virtual networks

Netmaker is a tool for creating and managing virtual networks. The goal is to make virtual/overlay/mesh networking easy for non-networking people. It should be like clicking a button. Netmaker consists of a server, an agent, and a UI.

Jan 2, 2023
Simple Web based configuration generator for WireGuard. Demo:
 Simple Web based configuration generator for WireGuard. Demo:

Wg Gen Web Simple Web based configuration generator for WireGuard. Why another one ? All WireGuard UI implementations are trying to manage the service

Jan 1, 2023