wg-netns/README.md

# wg-netns

[wg-quick](https://git.zx2c4.com/wireguard-tools/about/src/man/wg-quick.8) for linux network namespaces.
A simple python script that implements the steps described at [wireguard.com/netns](https://www.wireguard.com/netns/#ordinary-containerization).

## Setup

Requirements:

- Linux
- Python 3.7 or newer
- `ip` from `iproute2`
- `wg` from `wireguard-tools`

Just download the script and make it executable.

~~~ bash
mkdir -p ~/.local/bin/ && curl -o ~/.local/bin/wg-netns https://raw.githubusercontent.com/dadevel/wg-netns/master/wg-netns.py && chmod 0755 ~/.local/bin/wg-netns
~~~

## Usage

Instead of running `wg-quick up my-vpn` run `wg-netns up my-vpn`.

Now you can spawn a shell in the new network namespace.

~~~ bash
ip netns exec my-vpn bash -i
~~~

Or connect a container to it.

~~~ bash
podman run -it --rm --network ns:/var/run/netns/my-vpn alpine wget -O - https://ipinfo.io
~~~

Or do whatever you want.

### System Service

You can find a `wg-quick@.service` equivalent at [wg-netns@.service](./wg-netns@.service).

### Port Forwarding

Forward TCP traffic from outside a network namespace to a port inside a network namespace with `socat`.

~~~ bash
socat tcp-listen:$LHOST,reuseaddr,fork "exec:ip netns exec $NETNS socat stdio 'tcp-connect:$RHOST',nofork"
~~~

Example: All connections to port 1234/tcp in the main netns are forwarded into the *my-vpn* netns to port 5678/tcp.

~~~ bash
# terminal 1, create netns and start http server inside
wg-netns up my-vpn
echo hello > ./hello.txt
ip netns exec my-vpn python3 -m http.server 5678
# terminal 2, setup port forwarding
socat tcp-listen:1234,reuseaddr,fork "exec:ip netns exec my-vpn socat stdio 'tcp-connect:127.0.0.1:5678',nofork"
# terminal 3, test
curl http://127.0.0.1:1234/hello.txt
~~~
initial commit 4 years ago			`# wg-netns`

			`[wg-quick](https://git.zx2c4.com/wireguard-tools/about/src/man/wg-quick.8) for linux network namespaces.`
			`A simple python script that implements the steps described at [wireguard.com/netns](https://www.wireguard.com/netns/#ordinary-containerization).`

			`## Setup`

			`Requirements:`

			`- Linux`
add python3.7 compatibility 4 years ago			`- Python 3.7 or newer`
initial commit 4 years ago			- `ip` from `iproute2`
			- `wg` from `wireguard-tools`

			`Just download the script and make it executable.`

			`~~~ bash`
			`mkdir -p ~/.local/bin/ && curl -o ~/.local/bin/wg-netns https://raw.githubusercontent.com/dadevel/wg-netns/master/wg-netns.py && chmod 0755 ~/.local/bin/wg-netns`
			`~~~`

			`## Usage`

			Instead of running `wg-quick up my-vpn` run `wg-netns up my-vpn`.

			`Now you can spawn a shell in the new network namespace.`

			`~~~ bash`
			`ip netns exec my-vpn bash -i`
			`~~~`

			`Or connect a container to it.`

			`~~~ bash`
			`podman run -it --rm --network ns:/var/run/netns/my-vpn alpine wget -O - https://ipinfo.io`
			`~~~`

readme: document netns port forwarding with socat 4 years ago			`Or do whatever you want.`

			`### System Service`

add python3.7 compatibility 4 years ago			You can find a `wg-quick@.service` equivalent at [wg-netns@.service](./wg-netns@.service).
provide optional systemd service 4 years ago
readme: document netns port forwarding with socat 4 years ago			`### Port Forwarding`

			Forward TCP traffic from outside a network namespace to a port inside a network namespace with `socat`.

			`~~~ bash`
			`socat tcp-listen:$LHOST,reuseaddr,fork "exec:ip netns exec $NETNS socat stdio 'tcp-connect:$RHOST',nofork"`
			`~~~`

			`Example: All connections to port 1234/tcp in the main netns are forwarded into the my-vpn netns to port 5678/tcp.`

			`~~~ bash`
			`# terminal 1, create netns and start http server inside`
			`wg-netns up my-vpn`
			`echo hello > ./hello.txt`
			`ip netns exec my-vpn python3 -m http.server 5678`
			`# terminal 2, setup port forwarding`
			`socat tcp-listen:1234,reuseaddr,fork "exec:ip netns exec my-vpn socat stdio 'tcp-connect:127.0.0.1:5678',nofork"`
			`# terminal 3, test`
			`curl http://127.0.0.1:1234/hello.txt`
			`~~~`