
Linux network namespace for backend isolation behind wireguard #3

Open
laanwj opened this issue May 4, 2022 · 0 comments

Comments


laanwj commented May 4, 2022

An alternative to iptables with uidrange would be to run the lightning daemon in a Linux network namespace that has only the wireguard interface configured. I think this avoids having to do any kind of firewall setup on the backend.

This amounts to creating the wireguard interface, creating the namespace, then moving the wireguard interface into the namespace. An example is given on the wireguard website itself: https://www.wireguard.com/netns/

I use this script locally; it's invoked as netns-wg-start.sh vpn-wg0 wg0:

#!/bin/bash
# Usage: netns-wg-start.sh <netns-name> <wg-device>
set -euo pipefail
NETNS_NAME=$1
DEV_NAME=$2
CONF=/etc/wireguard/$DEV_NAME.conf

# Pull the wg-quick-only settings (Address, DNS) out of the config ourselves,
# since wg(8) does not understand them. Tolerates "Key = value" spacing and a
# config with only an IPv4 address.
ADDRESSES=$(grep -E '^[[:space:]]*Address[[:space:]]*=' "$CONF" | cut -d = -f 2- | tr -d ' ')
ADDRESS4=$(echo "$ADDRESSES" | cut -d , -f 1)
ADDRESS6=$(echo "$ADDRESSES" | cut -d , -s -f 2)   # empty when there is no second address
DNS=$(grep -E '^[[:space:]]*DNS[[:space:]]*=' "$CONF" | cut -d = -f 2- | tr -d ' ' | cut -d , -f 1)

echo "IPv4: ${ADDRESS4} IPv6: ${ADDRESS6} DNS: ${DNS}"

# Create the WireGuard interface in the default namespace. The UDP socket that
# carries the tunnel stays bound to the namespace the device was created in, so
# the tunnel keeps reaching the peer after the device itself is moved.
# ip link del $DEV_NAME
ip link add "$DEV_NAME" type wireguard

# Load the WireGuard configuration. `wg setconf` rejects wg-quick keys such as
# Address and DNS, so feed it the stripped version of the file.
wg setconf "$DEV_NAME" <(wg-quick strip "$DEV_NAME")

# Create a new network namespace with loopback configured.
if [ ! -e "/var/run/netns/${NETNS_NAME}" ]; then
    ip netns add "${NETNS_NAME}"
    ip -n "${NETNS_NAME}" addr add 127.0.0.1/8 dev lo
    ip -n "${NETNS_NAME}" link set lo up
fi

# Set up DNS: `ip netns exec` bind-mounts this file over /etc/resolv.conf.
if [ -n "$DNS" ]; then
    mkdir -p "/etc/netns/$NETNS_NAME"
    echo "nameserver $DNS" > "/etc/netns/$NETNS_NAME/resolv.conf"
fi

# Move the WireGuard interface to the network namespace.
ip link set "$DEV_NAME" netns "$NETNS_NAME"

# Set the IP address(es) of the WireGuard interface.
ip -n "$NETNS_NAME" addr add "$ADDRESS4" dev "$DEV_NAME"
if [ -n "$ADDRESS6" ]; then
    ip -n "$NETNS_NAME" addr add "$ADDRESS6" dev "$DEV_NAME"
fi

# Bring up the WireGuard interface.
ip -n "$NETNS_NAME" link set "$DEV_NAME" up

# Make the WireGuard interface the default route; it is the only way out.
ip -n "$NETNS_NAME" route add default dev "$DEV_NAME"
if [ -n "$ADDRESS6" ]; then
    ip -n "$NETNS_NAME" -6 route add default dev "$DEV_NAME"
fi

Associated netns-wg-stop.sh:

#!/bin/bash
# Usage: netns-wg-stop.sh <netns-name> <wg-device>
set -euo pipefail
NETNS_NAME=$1
DEV_NAME=$2

ip -n "$NETNS_NAME" link set "$DEV_NAME" down
# Deleting the netns destroys the WireGuard interface inside it as well.
ip netns delete "${NETNS_NAME}"
echo "Stopped $DEV_NAME in $NETNS_NAME"

To run something in the namespace, the most straightforward way is:

sudo -b ip netns exec vpn-wg0 sudo -i -u <user> /path/to/clightning …
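The scripts in the comment above set the namespace up, but nothing in them confirms the isolation they are meant to provide. The check below is an added example written for this page; it is not part of the issue, of the commenter's scripts, or of any project. It assumes the names used in the comment (namespace vpn-wg0, device wg0), parses the text output of iproute2's `ip -o link` and `ip route`, and reads `wg show <dev> latest-handshakes`; the function names and the sample output fed to them are my own.

```bash
#!/bin/bash
# netns-wg-check.sh <netns-name> <wg-device>
# Verify that a namespace prepared by netns-wg-start.sh really has no exit other
# than the WireGuard interface. Parsing is kept in functions that take captured
# `ip` output, so the logic can be exercised without root or a real namespace.
set -u

# Succeed only if the output of `ip -n NS -o link show` lists exactly lo and $dev.
# Anything else (a veth pair, a macvlan, a physical NIC moved in by mistake)
# is a second path out of the namespace that bypasses the tunnel.
netns_links_are_only() {
    local dev=$1 linkout=$2 names
    # Each line is "IDX: NAME: <FLAGS> ..."; veth names carry an "@peer" suffix.
    names=$(printf '%s\n' "$linkout" | awk -F': ' '{ sub(/@.*/, "", $2); print $2 }' | sort)
    [ "$names" = "$(printf '%s\n' lo "$dev" | sort)" ]
}

# Succeed only if every default route (v4 and v6 output concatenated) is bound
# to $dev and there is at least one. A "default via ... dev eth0" line here
# means traffic would leave through the host network instead of the tunnel.
default_routes_only_via() {
    local dev=$1 routeout=$2
    [ -n "$routeout" ] || return 1
    printf '%s\n' "$routeout" | awk -v dev="$dev" \
        '{ ok = 0; for (i = 1; i < NF; i++) if ($i == "dev" && $(i + 1) == dev) ok = 1; if (!ok) bad = 1 } END { exit bad }'
}

# Live check against the real namespace; needs root because it enters it.
run_check() {
    local ns=$1 dev=$2 links routes
    links=$(ip -n "$ns" -o link show)
    routes=$(ip -n "$ns" route show default; ip -n "$ns" -6 route show default)
    if ! netns_links_are_only "$dev" "$links"; then
        echo "FAIL: $ns has interfaces other than lo and $dev:"; echo "$links"; return 1
    fi
    if ! default_routes_only_via "$dev" "$routes"; then
        echo "FAIL: a default route in $ns does not go via $dev:"; echo "$routes"; return 1
    fi
    # Isolation is only useful if the tunnel is actually up: a latest-handshake
    # timestamp of 0 for every peer means the daemon is cut off, not protected.
    if ! ip netns exec "$ns" wg show "$dev" latest-handshakes | awk '$2 > 0 { up = 1 } END { exit !up }'; then
        echo "WARN: no peer of $dev has completed a handshake yet"
    fi
    echo "OK: $ns can only leave through $dev"
}

# Run the live check only when both arguments are given.
if [ $# -eq 2 ]; then
    run_check "$1" "$2"
fi
```

Run it as root right after the start script: `netns-wg-check.sh vpn-wg0 wg0`. One caveat that the check cannot see: the /etc/netns/vpn-wg0/resolv.conf written by the start script only takes effect for processes started through `ip netns exec`, which bind-mounts it over /etc/resolv.conf; a process placed in the namespace by other means (e.g. setns from a service manager) keeps the host's resolver configuration and will try, and fail, to reach the host's DNS servers through the tunnel.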