An alternative to iptables with uidrange would be to run the lightning daemon in a Linux network namespace that has only the wireguard interface configured. I think this avoids having to do any kind of firewall setup on the backend.
This amounts to creating the wireguard interface, creating the namespace, then moving the wireguard interface into the namespace. An example is given on the wireguard website itself: https://www.wireguard.com/netns/
I use this script locally, it's used like netns-wg-start.sh vpn-wg0 wg0:
#!/bin/bash
set -e

NETNS_NAME=$1
DEV_NAME=$2
CONF=/etc/wireguard/$DEV_NAME.conf

# Address and DNS are wg-quick keys, so pull them out of the config ourselves.
# tr strips the spaces around "=" and ",".
ADDRESSES=$(grep '^Address' "$CONF" | cut -d = -f 2 | tr -d ' ')
ADDRESS4=$(echo "$ADDRESSES" | cut -d , -f 1)
# -s: print nothing (instead of the whole line) when there is no second address.
ADDRESS6=$(echo "$ADDRESSES" | cut -d , -s -f 2)
DNS=$(grep '^DNS' "$CONF" | cut -d = -f 2 | tr -d ' ')

echo "IPv4: ${ADDRESS4} IPv6: ${ADDRESS6} DNS: ${DNS}"

# Create a Wireguard network interface in the default namespace.
# ip link del wg0
ip link add "$DEV_NAME" type wireguard

# Load the Wireguard configuration. wg setconf rejects the wg-quick-only keys
# (Address, DNS, ...), so strip them first.
wg setconf "$DEV_NAME" <(wg-quick strip "$DEV_NAME")

# Create a new network namespace (unless it already exists).
if [ ! -e /var/run/netns/${NETNS_NAME} ]; then
    ip netns add ${NETNS_NAME}
    ip -n ${NETNS_NAME} addr add 127.0.0.1/8 dev lo
    ip -n ${NETNS_NAME} link set lo up
fi

# Set up DNS: ip netns exec bind-mounts this file over /etc/resolv.conf.
mkdir -p /etc/netns/$NETNS_NAME
echo "nameserver $DNS" > /etc/netns/$NETNS_NAME/resolv.conf

# Move the Wireguard interface to the network namespace.
ip link set "$DEV_NAME" netns "$NETNS_NAME"

# Set the IP address(es) of the Wireguard interface.
ip -n "$NETNS_NAME" addr add "$ADDRESS4" dev "$DEV_NAME"
if [ -n "$ADDRESS6" ]; then
    ip -n "$NETNS_NAME" addr add "$ADDRESS6" dev "$DEV_NAME"
fi

# Bring up the Wireguard interface.
ip -n "$NETNS_NAME" link set "$DEV_NAME" up

# Make the Wireguard interface the default route (the only way out of the namespace).
ip -n "$NETNS_NAME" route add default dev "$DEV_NAME"
ip -n "$NETNS_NAME" -6 route add default dev "$DEV_NAME"
Associated netns-wg-stop.sh:
#!/bin/bash
set -e
NETNS_NAME=$1
DEV_NAME=$2
CONF=/etc/wireguard/$DEV_NAME.conf
ip -n $NETNS_NAME link set $DEV_NAME down
# Deleting the netns will get rid of the wg0 interface as well
ip netns delete ${NETNS_NAME}
echo "Stopped $DEV_NAME in $NETNS_NAME"
To run something in the namespace, the most straightforward way is:
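The following is an added example, not the issue author's script or part of the project: it wraps `ip netns exec` with two pre-flight checks a defender would want before trusting the namespace, namely that the only non-loopback device in it is the WireGuard interface and that the default route leaves through that device. The function names, the constructed `ip -o link` / `ip route` samples, the use of `runuser` (util-linux) to drop to a service user, and the `lightningd` command in the usage line are all assumptions made for this example; the checks take command output as text so they can be exercised without root.

```shell
#!/bin/sh
# Added example (not the issue author's code): verify that a namespace is
# WireGuard-only, then run a command inside it as an unprivileged user.
set -eu

# Extract one wg-quick key (e.g. Address or DNS) from a config read on stdin.
conf_value() {
    sed -n "s/^[[:space:]]*$1[[:space:]]*=[[:space:]]*//p" | head -n 1 | sed 's/[[:space:]]*$//'
}

# Succeed only if every interface in "ip -o link" output ($1) is lo or $2.
# Any other device (veth, eth0, ...) means the namespace is not WireGuard-only.
only_dev_in_netns() {
    printf '%s\n' "$1" | awk -v dev="$2" '
        NF >= 2 {
            name = $2
            sub(/:$/, "", name)   # "wg0:" -> "wg0"
            sub(/@.*/, "", name)  # "veth0@if7" -> "veth0"
            if (name != "lo" && name != dev) bad = 1
        }
        END { exit bad ? 1 : 0 }'
}

# Succeed only if the default route in "ip route" output ($1) leaves via $2.
default_route_via() {
    printf '%s\n' "$1" | grep -Eq "^default .*dev $2( |\$)"
}

# Run "$@" inside namespace $1 as user $3, but only if $2 is the sole
# non-loopback device and carries the default route. Needs root for
# ip netns exec; runuser (util-linux) drops to the service user afterwards.
run_in_netns() {
    ns=$1; dev=$2; user=$3; shift 3
    links=$(ip -n "$ns" -o link)
    routes=$(ip -n "$ns" route)
    only_dev_in_netns "$links" "$dev" || { echo "refusing: extra interface in $ns" >&2; return 1; }
    default_route_via "$routes" "$dev" || { echo "refusing: default route in $ns not via $dev" >&2; return 1; }
    exec ip netns exec "$ns" runuser -u "$user" -- "$@"
}

# Constructed samples in the shape of real "ip -o link" / "ip route" output.
SAMPLE_LINKS_OK='1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN
2: wg0: <POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1420 qdisc noqueue state UNKNOWN'
SAMPLE_LINKS_LEAK="$SAMPLE_LINKS_OK
3: veth0@if7: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP"
SAMPLE_ROUTES_OK='default dev wg0 scope link
10.0.0.0/24 dev wg0 proto kernel scope link src 10.0.0.2'
SAMPLE_ROUTES_LEAK='default via 192.168.1.1 dev eth0
10.0.0.0/24 dev wg0 proto kernel scope link src 10.0.0.2'

# Usage (as root): ./run-in-netns.sh run vpn-wg0 wg0 lightning lightningd
case "${1-}" in
    run) shift; run_in_netns "$@" ;;
esac
```

`ip netns exec` also bind-mounts `/etc/netns/<name>/resolv.conf` over `/etc/resolv.conf` for the process it starts, which is why the start script writes the nameserver there; if the daemon needs files outside the namespace-specific directory, they are unaffected.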