So I’d like to have a service running through a VPN. I’ve been trying to read up on this lately but I’m generally confused on how to do it.
Have I misunderstood something with the following:
- I create a new netns,
- create a new wireguard device, set it up, and
- move the wireguard device to that new netns,
- then I start applications and services in this namespace.
So far so good? How do I actually do this? Any obvious caveats?
I’ve recently sent a PR for just this: “wireguard: add 'namespace' option to set interface netns” (NixOS/nixpkgs pull request #60983 on GitHub). You can add a namespace argument to your wireguard interface config, then run ip netns exec your-namespace-here your-command-here to run a command in this namespace.
For example, I run sudo -E ip netns exec irc-container sudo -E -u #$(id -u) -g #$(id -g) weechat to run a command in this namespace as my own user.
Note that if you want to use a different DNS for this namespace, you should add a custom resolv.conf at
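The manual version of the steps listed in the question (create the namespace, create and configure the WireGuard interface, move it, start things inside), plus the per-namespace resolv.conf the reply above mentions, as an added example that is not code from this thread or from the linked nixpkgs PR. It follows the order the WireGuard project documents for network namespaces: the interface is created and configured in the init namespace so its UDP socket keeps using the physical uplink, and only the tunnel interface is moved. The namespace name (vpn), interface name (wg-vpn), config path, tunnel address and resolver address are all assumptions; change them to match your setup.

```shell
#!/bin/sh
# Added example, not code from the thread or from the nixpkgs PR it links.
# It walks the steps from the question in the order the WireGuard project
# documents for network namespaces, and writes the per-namespace resolv.conf
# the reply mentions. All names and addresses below are assumptions.
set -eu

NS="${NS:-vpn}"                                  # assumed namespace name
WG_IF="${WG_IF:-wg-vpn}"                         # assumed interface name
WG_CONF="${WG_CONF:-/etc/wireguard/$WG_IF.conf}" # assumed [Interface]/[Peer] file for wg setconf
WG_ADDR="${WG_ADDR:-10.100.0.2/32}"              # constructed tunnel address
NS_DNS="${NS_DNS:-10.100.0.1}"                   # constructed resolver reached through the tunnel
DRY_RUN="${DRY_RUN:-0}"                          # 1 = print the plan instead of running it

# run: execute a command, or print it unchanged when DRY_RUN=1
run() {
    if [ "$DRY_RUN" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# setup_vpn_ns: create the namespace, create and configure the WireGuard
# interface in the init namespace (its UDP socket stays there, so the physical
# uplink still carries the tunnel itself), then move only the tunnel interface
# into the namespace. Nothing else lives there, so processes started inside
# have no path to the network except through the tunnel.
setup_vpn_ns() {
    run ip netns add "$NS"
    run ip link add "$WG_IF" type wireguard
    run wg setconf "$WG_IF" "$WG_CONF"
    run ip link set "$WG_IF" netns "$NS"
    run ip -n "$NS" addr add "$WG_ADDR" dev "$WG_IF"
    run ip -n "$NS" link set lo up
    run ip -n "$NS" link set "$WG_IF" up
    run ip -n "$NS" route add default dev "$WG_IF"
    # ip netns exec bind-mounts /etc/netns/<ns>/resolv.conf over /etc/resolv.conf
    # (see ip-netns(8)), so DNS inside the namespace also goes through the tunnel
    run mkdir -p "/etc/netns/$NS"
    run sh -c "printf 'nameserver %s\n' '$NS_DNS' > '/etc/netns/$NS/resolv.conf'"
}

# enter_vpn_ns: run a command inside the namespace, dropping back to the
# invoking user when started via sudo (same idea as the weechat line above)
enter_vpn_ns() {
    if [ -n "${SUDO_UID:-}" ]; then
        run ip netns exec "$NS" sudo -E -u "#$SUDO_UID" -g "#${SUDO_GID:-$SUDO_UID}" "$@"
    else
        run ip netns exec "$NS" "$@"
    fi
}

# check_vpn_ns: fail unless the namespace's only default route is the tunnel.
# Needs root; a quick way to confirm nothing can bypass the tunnel from inside.
check_vpn_ns() {
    routes=$(ip -n "$NS" route show default)
    [ -n "$routes" ] || { echo "no default route in $NS" >&2; return 1; }
    if printf '%s\n' "$routes" | grep -v "dev $WG_IF " | grep -q .; then
        echo "default route not via $WG_IF in $NS" >&2
        return 1
    fi
    return 0
}

case "${1:-}" in
    plan)  DRY_RUN=1; setup_vpn_ns ;;
    up)    setup_vpn_ns && check_vpn_ns ;;
    exec)  shift; enter_vpn_ns "$@" ;;
    check) check_vpn_ns ;;
esac
```

Usage: sh vpn-ns.sh plan prints the command sequence without touching anything; sudo sh vpn-ns.sh up creates the namespace and verifies that its only default route is the tunnel; sudo sh vpn-ns.sh exec weechat starts a program inside it as your own user. Everything under up and exec needs root, and the namespace has to exist before ip netns exec can enter it.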
Nice! That’ll be in systemd v242, not in nixpkgs yet.