Understanding wireguard, network namespaces and running services in them
So I’d like to have a service running through a VPN. I’ve been trying to read up on this lately but I’m generally confused on how to do it.

Have I misunderstood something with the following:

  1. I create a new netns,
  2. create a new wireguard device, set it up, and
  3. move the wireguard device to that new netns,
  4. then I start applications and services in this namespace.

So far so good? How do I actually do this? Any obvious caveats?


I’ve recently sent a PR for just this: https://github.com/NixOS/nixpkgs/pull/60983. You can add a namespace argument to your wireguard interface config, then run ip netns exec your-namespace-here your-command-here to run a command in this namespace.
For example, I run sudo -E ip netns exec irc-container sudo -E -u #$(id -u) -g #$(id -g) weechat to run a command in this namespace as my own user.

Note that if you want to use a different DNS for this namespace, you should add a custom resolv.conf at /etc/netns/your-namespace-here/resolv.conf.

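The four steps from the question, together with the ip netns exec and /etc/netns resolv.conf advice from the reply above, as an added shell example (not code from the thread or from the nixpkgs PR). The namespace name vpn, device wg0, config path, tunnel address and user name alice are assumptions; the real commands need root and the wireguard kernel module, and DRY_RUN=1 only prints them.

```shell
#!/bin/sh
# Added example: bring a WireGuard interface up inside its own network namespace.
# Names (vpn, wg0, the config path, the tunnel address, user alice) are assumed.
# Requires root and the wireguard kernel module unless DRY_RUN=1 is set.
set -eu

# Run a command, or only print it when DRY_RUN=1 so the sequence can be reviewed first.
run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# setup_wg_netns NS IFACE CONF ADDR
#   NS    namespace to create (e.g. vpn)
#   IFACE WireGuard device name (e.g. wg0)
#   CONF  wg(8) config with [Interface]/[Peer] sections (PrivateKey, Endpoint, AllowedIPs)
#   ADDR  tunnel address for the device (e.g. 10.100.0.2/32)
setup_wg_netns() {
    ns=$1; iface=$2; conf=$3; addr=$4
    run ip netns add "$ns"                          # 1. new, empty namespace (only lo inside)
    run ip link add "$iface" type wireguard          # 2. create the device in the init namespace,
    run wg setconf "$iface" "$conf"                  #    so the encrypted UDP leaves via the host uplink
    run ip link set "$iface" netns "$ns"             # 3. move it; the namespace now has lo and wg0 only
    run ip -n "$ns" addr add "$addr" dev "$iface"
    run ip -n "$ns" link set lo up
    run ip -n "$ns" link set "$iface" up
    run ip -n "$ns" route add default dev "$iface"   # the only route out is the tunnel, so nothing leaks
}

# DNS inside the namespace: ip-netns(8) bind-mounts /etc/netns/NS/resolv.conf over /etc/resolv.conf.
netns_resolv_conf() {
    ns=$1; nameserver=$2
    run mkdir -p "/etc/netns/$ns"
    run sh -c "printf 'nameserver %s\n' '$nameserver' > /etc/netns/$ns/resolv.conf"
}

# 4. Run a program in the namespace, dropping to an unprivileged user.
run_in_netns() {
    ns=$1; user=$2; shift 2
    run ip netns exec "$ns" sudo -u "$user" "$@"
}
```

With DRY_RUN unset, `setup_wg_netns vpn wg0 /etc/wireguard/wg0.conf 10.100.0.2/32` followed by `run_in_netns vpn alice weechat` performs the whole flow; `ip -n vpn route` should then show only the default route via wg0.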

Note that systemd also supports letting a service join an existing network namespace.
Nice! That’ll be in systemd v242, not in nixpkgs yet.