wg-pod
A tool to quickly join your podman container/pod into a WireGuard network.
Explanation
wg-pod wires up the tools ip, route, wg and podman. It creates a WireGuard interface inside the container's network namespace and routes all traffic covered by the config's AllowedIPs through the WireGuard interface.
Existing interfaces in the namespace are not deleted and a route that is more specific than the default route in the namespace will still match. This means that the container will be able to talk over both the WireGuard network and the original network that was created for it by podman.
Commands
join
Parameters
container_name (required)
: the name of the container that should get connected into the network
config_path (required)
: absolute path to the WireGuard config
Flags
port-remapping (optional)
: comma-separated list of ports to remap from the interface to the container
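The join procedure described above, as an added example that is not wg-pod's own code: a POSIX shell sketch that takes the container's network namespace (assumed to be registered by name under /run/netns) and a wg-quick style config, and in dry-run mode prints the ip and wg commands it would execute. Port remapping is not covered.

```shell
# Added example (not wg-pod's own code): the ip/wg commands that "join" runs.
# NS is assumed to be the container's network namespace, named under
# /run/netns. WG_POD_DRY_RUN=1 (default here) prints the commands instead of
# executing them, since the real ones need CAP_NET_ADMIN.
IFACE=wg-pod
run() {  # execute a command, or print it in dry-run mode
  if [ "${WG_POD_DRY_RUN:-1}" = "1" ]; then echo "$*"; else "$@"; fi
}
# Print the comma separated values of KEY (Address, AllowedIPs, ...) from a
# wg-quick style config, one per line.
config_values() {
  sed -n "s/^[[:space:]]*$1[[:space:]]*=[[:space:]]*//p" "$2" |
    tr ',' '\n' | tr -d '[:blank:]' | grep -v '^$'
}
wg_pod_join() {  # usage: wg_pod_join NS CONFIG
  ns="$1"; config="$2"
  # 1. Create the interface on the host and move it into the container's
  #    namespace. WireGuard keeps its UDP socket in the namespace the interface
  #    was created in, so the encrypted traffic still leaves via the host.
  run ip link add "$IFACE" type wireguard
  run ip link set "$IFACE" netns "$ns"
  # 2. wg(8) rejects wg-quick keys such as Address, so addresses go via ip and
  #    the rest of the config goes through "wg-quick strip".
  for addr in $(config_values Address "$config"); do
    run ip -n "$ns" address add "$addr" dev "$IFACE"
  done
  if [ "${WG_POD_DRY_RUN:-1}" = "1" ]; then
    echo "wg-quick strip $config | ip netns exec $ns wg setconf $IFACE /dev/stdin"
  else
    wg-quick strip "$config" | ip netns exec "$ns" wg setconf "$IFACE" /dev/stdin
  fi
  run ip -n "$ns" link set "$IFACE" up
  # 3. Route every AllowedIPs prefix through the tunnel. "replace" lets 0.0.0.0/0
  #    take over the default route while podman's more specific subnet route stays.
  for prefix in $(config_values AllowedIPs "$config"); do
    run ip -n "$ns" route replace "$prefix" dev "$IFACE"
  done
}
# Constructed sample config with placeholder keys, for a dry run.
write_sample_config() {
  cat > "$1" <<'EOF'
[Interface]
PrivateKey = <placeholder-private-key>
Address = 10.10.0.2/32
[Peer]
PublicKey = <placeholder-public-key>
AllowedIPs = 10.10.0.0/24, 192.168.50.0/24
EOF
}
```

Running it for real (WG_POD_DRY_RUN=0) needs root and the namespace to exist; the dry run only shows the plan.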
Dependencies
- Linux
- write permissions to /run/containers
- permissions to change the network (CAP_NET_ADMIN)
- nftables
- ip
- wireguard
Cool automation
Use wg-pod inside the ExecStartPost lifecycle hook of systemd unit files to spawn containers into a network directly after creation. Check out quadlet for a convenient way of creating those unit files.
Security considerations
- Make sure that no user (not even root) can edit the network configuration inside your container (CAP_NET_ADMIN must not be given).
- The host network that was set up during container creation is still reachable through routing rules more specific than the default route to the WireGuard VPN.