Replies: 14 comments 16 replies
-
I have thought about this recently. I personally would like to add wireguard support in the not so far future. My thoughts:
In any case we should not do anything directly related to cryptography, i.e. key generation.
-
Yup, this also helps when a hostname is used for the Endpoint, as the initial request to initiate the connection resolves it to an IP via the host's DNS resolver settings.
Where do you think this
How could we deal with sth like
So, would you say that
I think it might be better to do this via the
Currently I have a lot of free time as I am stuck in German university bureaucracy and also still looking for a job.
-
You can work on it, any help is welcome. I already have enough things to do anyways. I would also like the opinion of the other members @flouthoc @mheon @baude or anybody else who might be interested in this.
Yes I think something like
Just ignore it like, this is already done by the macvlan driver. I don't see how we can support it when the peer endpoint is on another system. We cannot route anything directly to the wireguard container interface in this case since the host netns is not part of that subnet.
Mhh, I think you are right. Maybe it is best to just set up the route for the AllowedIPs. In this case the user has full control.
-
Sure thing. Let's wait for some feedback and then I can compile what we gathered so far.
What do you think about the following when
This could be executed inside the container's network namespace after the interface was moved inside of it, and remote peers would be able to use the port that was rebound.
-
either start a design doc (@Luap99 knows where that is) or start a discussion that mimics it?
-
I have no real comments except RE: port forwarding - I feel like we should explicitly disable it with VPN'd networks to ensure all traffic goes through the VPN?
-
Sounds like a good idea.
-
Yes, let's ignore them; if there is a use case for this we can always add it later.
-
Did you mean 5.6? AFAIK wireguard was added in 5.6 to the kernel
-
This will not work, interface names can only be 15 chars long. The container name can be much longer. I think
-
Can you add a description of the general user workflow, e.g. do you plan to also make the required changes in podman and containers/common? What should podman network inspect display? I assume that all fields are empty except the driver name and date?
-
Just found this after successfully experimenting with a manual container setup modeled after /~https://github.com/jcarrano/wg-podman. I can't upvote this enough, would be just perfect for setting up services only reachable through a VPN. This is my current task and so far, I'll probably have to work with routing, port-forwarding and maybe even some NAT. I'm not sure I can sell some fiddly bash script as solid infrastructure :) Unfortunately, I'm not in a situation where I can commit to regular work, but I am an experienced rustacean and if necessary, I'd be willing to try and contribute. Port-forwarding would not be a requirement for me at all at this point. I know it's another project, but the absolute cherry on top would be if one could (in the end) re-use existing docker compose files with podman-compose and just amend the network config to have a wireguard connection. But I assume that, as soon as podman can pass on the configuration, that should be possible as well?
-
Do you have a good resource for the netlink API messages?
-
I think I have covered almost everything we discussed (except interface name, see #472 (comment)). There are 3 PRs at and the netavark one is quite huge. If I can make the review easier somehow please let me know! Over the next few days I have some interviews (Red Hat is also on the list :)) and will prepare for them, so I might take a bit to respond.
-
Draft 1

WireGuard interfaces in Podman

Have a dedicated WireGuard interface for a container.

Prerequisites

How?

wg-$HASH
$HASH should be 12 chars long
AllowedIPs from the config's [Peers] array are aggregated and saved in a Set.

Tool choices

RFC

PostUp and PostDown
DNS settings of the [Interface] section as well

History
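Two points from the thread, the 15-character interface name limit that rules out using the container name directly and the draft's "wg-$HASH" name plus aggregation of every peer's AllowedIPs into a set, as an added example in Go (the language of Podman and containers/common); this is not code from the discussion, netavark or Podman. The hash function behind $HASH is not specified on the page, so SHA-256 truncated to 12 hex characters is an assumption here.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"net"
	"sort"
)

// Linux IFNAMSIZ is 16 bytes including the NUL, so at most 15 visible chars.
const maxIfaceNameLen = 15
// WireGuardIfaceName derives the draft's "wg-$HASH" name: "wg-" plus 12 hex
// chars, 15 chars in total however long the container name is. Assumption
// (not on the page): $HASH is SHA-256 of the name, truncated to 12 hex chars.
func WireGuardIfaceName(containerName string) (string, error) {
	sum := sha256.Sum256([]byte(containerName))
	name := "wg-" + hex.EncodeToString(sum[:])[:12]
	if len(name) > maxIfaceNameLen {
		return "", fmt.Errorf("interface name %q exceeds %d chars", name, maxIfaceNameLen)
	}
	return name, nil
}

// Peer holds the AllowedIPs list of one peer section of a WireGuard config.
type Peer struct{ AllowedIPs []string }

// AggregateAllowedIPs collects every AllowedIPs prefix across all peers into
// a de-duplicated, sorted set (the draft's "Set"), rejecting anything that
// is not a valid CIDR so a typo cannot silently become a missing route.
func AggregateAllowedIPs(peers []Peer) ([]string, error) {
	set := make(map[string]struct{})
	for _, p := range peers {
		for _, cidr := range p.AllowedIPs {
			_, ipnet, err := net.ParseCIDR(cidr)
			if err != nil {
				return nil, fmt.Errorf("peer AllowedIPs %q: %w", cidr, err)
			}
			set[ipnet.String()] = struct{}{} // masked form: 10.0.0.5/24 -> 10.0.0.0/24
		}
	}
	out := make([]string, 0, len(set))
	for prefix := range set {
		out = append(out, prefix)
	}
	sort.Strings(out)
	return out, nil
}

func main() { fmt.Println(WireGuardIfaceName("demo")) }
```

The sorted prefixes are what the host-side route setup for AllowedIPs described above would iterate over; the masked form means two peers listing the same network with different host bits produce one route, not two.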