Selective Application Tunneling #30
Comments
By certain applications do you mean certain ports, or unix sockets, or something else? I believe the wireguard userspace implementations let you do anything you want with the wireguard connection, so you could conceivably bind an application to a wg connection with a small userspace program without needing to use a tun/tap interface + assign it a real port. It could work something like CloudFlare's Argo tunnels https://www.cloudflare.com/en-ca/products/argo-tunnel/ https://github.com/WireGuard/wireguard-go/blob/master/device/receive.go#L93
The use case would be: I have, say, Firefox going through the tunnel while Chrome is not tunneled. Shell utilities like
There is: https://www.wireguard.com/netns/ And for resolv: http://man7.org/linux/man-pages/man8/ip-netns.8.html There is also firejail where you can specify both netns and dns.
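The network-namespace approach linked in the comment above, worked through as an added example (this script is not from the issue thread or from the wireguard-docs project). It follows the pattern documented at https://www.wireguard.com/netns/: the WireGuard interface is created in the host namespace, so its UDP socket keeps using the physical uplink, and is then moved into a namespace whose only route is the tunnel. The per-namespace `/etc/netns/<name>/resolv.conf` that `ip netns exec` bind-mounts over `/etc/resolv.conf` (documented in ip-netns(8), also linked above) is what keeps DNS from reaching the host's systemd-resolved stub. The namespace name `vpn`, the interface name `wg0`, the config path `/etc/wireguard/wg0.conf` (a plain `[Interface]`/`[Peer]` file for `wg setconf`, without the wg-quick-only `Address=`/`DNS=` lines), and the addresses `10.0.0.2/24` and `10.0.0.1` are all assumptions or constructed sample values, not taken from the page. Applying it requires root and iproute2 plus wireguard-tools; `DRY_RUN=1` prints the commands instead of running them.

```shell
#!/bin/sh
# Added example, not code from the issue thread or from wireguard-docs:
# run WireGuard inside its own network namespace so that only programs
# launched in that namespace use the tunnel (https://www.wireguard.com/netns/).
# Assumed/constructed values: namespace "vpn", interface wg0 configured from
# /etc/wireguard/wg0.conf, tunnel address 10.0.0.2/24, tunnel-side resolver 10.0.0.1.

NS="${NS:-vpn}"
WG_IF="${WG_IF:-wg0}"
WG_CONF="${WG_CONF:-/etc/wireguard/wg0.conf}"
WG_ADDR="${WG_ADDR:-10.0.0.2/24}"   # constructed sample tunnel address
WG_DNS="${WG_DNS:-10.0.0.1}"        # constructed sample resolver, reachable only through the tunnel
RUN_AS="${RUN_AS:-${SUDO_USER:-$(id -un)}}"
DRY_RUN="${DRY_RUN:-0}"

# Execute a command, or print it instead when DRY_RUN=1.
run() {
  if [ "$DRY_RUN" = "1" ]; then printf '%s\n' "$*"; else "$@"; fi
}

ns_up() {
  run ip netns add "$NS"
  # Create wg0 in the host namespace: its UDP socket stays there, where the
  # physical uplink is, and then the interface itself is moved into the namespace.
  run ip link add "$WG_IF" type wireguard
  run ip link set "$WG_IF" netns "$NS"
  run ip netns exec "$NS" wg setconf "$WG_IF" "$WG_CONF"
  run ip netns exec "$NS" ip addr add "$WG_ADDR" dev "$WG_IF"
  run ip netns exec "$NS" ip link set lo up
  run ip netns exec "$NS" ip link set "$WG_IF" up
  # Inside the namespace the only route out is wg0, so a program started
  # there cannot fall back to the host's network even when the tunnel is down.
  run ip netns exec "$NS" ip route add default dev "$WG_IF"
  # ip-netns(8): `ip netns exec` bind-mounts /etc/netns/<name>/resolv.conf over
  # /etc/resolv.conf, so resolver traffic from the namespace never goes to the
  # host's systemd-resolved stub. This is the DNS-leak fix.
  run mkdir -p "/etc/netns/$NS"
  run sh -c "printf 'nameserver %s\n' '$WG_DNS' > '/etc/netns/$NS/resolv.conf'"
}

# Launch a program in the namespace as an unprivileged user, e.g. `ns_run firefox`.
ns_run() {
  run ip netns exec "$NS" sudo -E -u "$RUN_AS" -- "$@"
}

# Show what processes in the namespace see: only lo and wg0, a default route
# through the tunnel, and the tunnel-side resolver.
ns_check() {
  run ip netns exec "$NS" ip -brief addr
  run ip netns exec "$NS" ip route
  run ip netns exec "$NS" cat /etc/resolv.conf
}

# Deleting the namespace destroys the WireGuard interface inside it.
ns_down() {
  run ip netns del "$NS"
  run rm -rf "/etc/netns/$NS"
}

case "${1:-}" in
  up)    ns_up ;;
  run)   shift; ns_run "$@" ;;
  check) ns_check ;;
  down)  ns_down ;;
  "")    ;;   # no subcommand: only define the functions (e.g. when sourced)
  *)     echo "usage: $0 {up|run <cmd...>|check|down}" >&2 ;;
esac
```

Typical use is `sudo ./wg-netns.sh up`, then `sudo ./wg-netns.sh run firefox` for the browser that should be tunneled, while a browser started normally stays on the host's stack. `sudo ./wg-netns.sh check` is the quick leak check: if the route table shows anything other than the `wg0` default route, or `/etc/resolv.conf` shows the host's stub resolver, the namespace is not isolated the way the comment above describes. Because `wg setconf` is used rather than `wg-quick`, routing and DNS stay entirely inside the namespace instead of being applied to the host.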
@pirate Was trying to get to is @alextrekov3307 suggestion of using the Edit EDIT 2
Figured out how to do this with docker: https://github.com/pirate/wireguard-docs#containerization If you can get your application running inside a docker container, then you can route all of its traffic through wireguard like this:

```yaml
version: '3'
services:
  wireguard:
    image: linuxserver/wireguard
    cap_add:
      - NET_ADMIN
      - SYS_MODULE
    volumes:
      - /lib/modules:/lib/modules
      - ./wg0.conf:/config/wg0.conf:ro
  vpn_test:
    image: curlimages/curl
    entrypoint: curl -s http://whatismyip.akamai.com/
    network_mode: 'service:wireguard'
```

```sh
docker-compose up
docker-compose run vpn_test
# should output public IP of VPN relay server (instead of container host)
```
That should not happen if set up properly. Try to delete all cache and browser configuration or sandbox it in its own rootfs. Network namespaces produce isolated virtualized networking stacks, not even rules carry over (have to execute iptables/etc in each namespace).
Can you cover the use case where wireguard is run out of a separate network namespace wherein certain applications are launched -- and only the traffic of those launched from that network namespace is tunneled? I've been doing this on OpenVPN for years, but since Ubuntu's adoption of systemd-resolved I've had DNS leaks. Would love if there was a wireguard native way to tunnel certain applications rather than tunnel traffic based on a range of destination IP addresses.

PS: thanks for the HN post.