| Title: WireGuard and Linux network namespaces
Author: Solène
Date: 02 July 2024
Tags: security vpn network linux
Description: In this article, you will learn how to establish a VPN in
a dedicated network namespace on Linux
# Introduction
This guide explains how to setup a WireGuard tunnel on Linux using a
dedicated network namespace so you can choose to run a program on the
VPN or over clearnet.
I have been able to figure the setup thanks to the following blog post,
I enhanced it a bit using scripts and sudo rules.
|
|
# Explanations
By default, if you connect WireGuard tunnel, its "allowedIps" field
will be used as a route with a higher priority than your current
default route. It is not always ideal to have everything routed
through a VPN, so you will create a dedicated network namespace that
uses the VPN as a default route, without affecting all other software.
Unfortunately, compared to OpenBSD rdomain (which provide the same
features in this situation), network namespaces are much more
complicated to deal with and requires root to run a program under a
namespace.
You will create a SAFE sudo rule to allow your user to run commands
under the new namespace, making it more practical for daily use.
# Setup
## VPN tunnel and namespace
You need a wg-quick compatible WireGuard configuration file, but do not
make it automatically used at boot.
Create a script (for root use only) with the following content, then
make it executable:
```shell
#!/bin/sh
# your VPN configuration file
CONFIG=/etc/wireguard/my-vpn.conf
# this directory is used to have a per netns resolver file
mkdir -p /etc/netns/vpn/
# cleanup any previous VPN in case you want to restart it
ip netns exec vpn ip l del tun0
ip netns del vpn
# information to reuse later
DNS=$(awk '/^DNS/ { print $3 }' $CONFIG)
IP=$(awk '/^Address/ { print $3 }' $CONFIG)
# the namespace will use the DNS defined in the VPN configuration file
echo "nameserver $DNS" > /etc/netns/vpn/resolv.conf
# now, it creates the namespace and configure it
ip netns add vpn
ip -n vpn link set lo up
ip link add tun0 type wireguard
ip link set tun0 netns vpn
ip netns exec vpn wg setconf tun0 <(wg-quick strip "$CONFIG")
ip -n vpn a add "$IP" dev tun0
ip -n vpn link set tun0 up
ip -n vpn route add default dev tun0
ip -n vpn add
# extra check if you want to verify the DNS used and the public IP assigned
#ip netns exec vpn dig ifconfig.me
#ip netns exec vpn curl https://ifconfig.me
```
This script autoconfigure the network namespace and the VPN interface +
the DNS server to use. There are extra checks at the end of the script
that you can uncomment if you want to take a look at the public IP and
DNS resolver used just after connection.
Running this script will make the netns "vpn" available for use.
The command to run a program under the namespace is `ip netns exec vpn
your command`, it can only be run as root.
## Sudo rule
Now you need a specific rule so you can use sudo to run a command in
vpn netns as your own user without having to log in as root.
Add this to your sudo configuration file, in my example I allow the
user `solene` to run commands as `solene` for the netns vpn:
```sudoers
solene ALL=(root) NOPASSWD: /usr/sbin/ip netns exec vpn /usr/bin/sudo -u solene -- *
```
When using this command line, you MUST use full paths exactly as in the
sudo configuration file, this is important otherwise it would allow you
to create a script called `ip` with whatever commands and run it as
root, while `/usr/sbin/ip` can not be spoofed by a local script in
$PATH.
If I want a shell session with the VPN, I can run the following
command:
```
sudo /usr/sbin/ip netns exec vpn /usr/bin/sudo -u solene -- bash
```
This runs bash under the netns vpn, so any command I'm running from it
will be using the VPN.
# Limitations
It is not a real limitation, but you may be caught by it, if you make a
program listening on localhost in the netns vpn, you can only connect
to it from another program in the same namespace. There are methods to
connect two namespaces, but I do not plan to cover it, if you need to
search about this setup, it can be done using socat (this is explained
in the blog post linked earlier) or a local bridge interface.
# Conclusion
Network namespaces are a cool feature on Linux, but it is overly
complicated in my opinion, unfortunately I have to deal with it, but at
least it is working fine in practice. |