WireGuard VPN networking for unprivileged network namespaces
Project description
wireguard4netns is directly inspired by the awesome work of the authors of slirp4netns. Instead of providing generic user-mode networking for unprivileged network namespaces through libslirp, wireguard4netns brings network access to the containers through wireguard-go, a userspace WireGuard VPN tunnel implementation.
Motivation
We were building a framework for developing Edge-Native applications (the Sinfonia project). For this we split applications into two primary components: a frontend that runs on the user's device, and a backend consisting of one or more services that are deployed on a nearby Kubernetes cluster (a cloudlet). We use WireGuard tunnels between the two so that the deployed services never have to be exposed to the world; the frontend's network environment looks as if it were part of the same deployment, inside the same Kubernetes cluster and namespace as the backend. This hides most unnecessary network details from the application's frontend and provides other advantages such as privacy and network mobility.
The main disadvantage was that root privileges are needed to create, configure and attach the in-kernel WireGuard interface to a network namespace. This required either sudo access for the user or an administrator-installed setuid-root helper binary. However, slirp4netns showed the path to an alternative approach: create a tun/tap interface inside the unprivileged network namespace and pass its file descriptor (the device's control socket) back to the default namespace, where (in our case) a userspace WireGuard implementation is started. All frontend traffic is then sent through the tunnel to a VPN endpoint on the nearby cloudlet, which passes it along to the namespace where the application's backend is deployed.
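The handoff described above, as an added Python example (not wireguard4netns' own code): a child process unshares into a fresh user+network namespace without root, creates a TUN device there, and sends the device's fd over a Unix socket back to the parent, which can then start a userspace WireGuard with it. It assumes Linux with /dev/net/tun and unprivileged user namespaces enabled; the binary path ./wireguard-go and the WG_TUN_FD and WG_PROCESS_FOREGROUND environment variables (which wireguard-go's main.go reads; verify against the checked-out submodule) are assumptions, and make_stub_device is a stand-in for sandboxes where the real device cannot be created.

```python
"""slirp4netns-style TUN handoff: create the device in an unprivileged netns,
pass its fd to the host namespace over SCM_RIGHTS. Added example, not project code."""
import array
import ctypes
import fcntl
import os
import socket
import struct

# From <linux/if_tun.h> and <linux/sched.h>. TUNSETIFF is _IOW('T', 202, int).
TUNSETIFF = 0x400454CA
IFF_TUN = 0x0001
IFF_NO_PI = 0x1000
IFNAMSIZ = 16
CLONE_NEWUSER = 0x10000000
CLONE_NEWNET = 0x40000000


def build_ifreq(name, flags=IFF_TUN | IFF_NO_PI):
    """Pack a 40-byte struct ifreq: ifr_name[16] followed by ifr_flags (short)."""
    raw = name.encode()
    if not raw or len(raw) >= IFNAMSIZ:
        raise ValueError("interface name must be 1..15 bytes")
    return struct.pack("16sH22x", raw, flags)


def enter_unprivileged_netns():
    """unshare(CLONE_NEWUSER|CLONE_NEWNET) and map our uid/gid to 0 inside it.
    We become 'root' only within the new user namespace, which is what allows an
    unprivileged user to create and configure interfaces in the new netns."""
    uid, gid = os.getuid(), os.getgid()
    libc = ctypes.CDLL(None, use_errno=True)
    if libc.unshare(CLONE_NEWUSER | CLONE_NEWNET) != 0:
        err = ctypes.get_errno()
        raise OSError(err, "unshare: " + os.strerror(err))
    with open("/proc/self/setgroups", "w") as f:  # must precede gid_map for non-root
        f.write("deny")
    with open("/proc/self/uid_map", "w") as f:
        f.write("0 %d 1" % uid)
    with open("/proc/self/gid_map", "w") as f:
        f.write("0 %d 1" % gid)


def create_tun(name):
    """Open the TUN clone device and bind it to `name` in the *current* netns."""
    fd = os.open("/dev/net/tun", os.O_RDWR | os.O_CLOEXEC)
    fcntl.ioctl(fd, TUNSETIFF, build_ifreq(name))
    return fd


def make_tun_in_new_netns(name):
    enter_unprivileged_netns()
    return create_tun(name)


def make_stub_device(name):
    """Stand-in (assumption) for tests/sandboxes without /dev/net/tun or user namespaces."""
    return os.open("/dev/null", os.O_RDWR)


def send_fds(sock, fds, payload):
    sock.sendmsg([payload], [(socket.SOL_SOCKET, socket.SCM_RIGHTS, array.array("i", fds))])


def recv_fds(sock, maxfds=1):
    fds = array.array("i")
    payload, ancdata, _flags, _addr = sock.recvmsg(256, socket.CMSG_LEN(maxfds * fds.itemsize))
    for level, ctype, data in ancdata:
        if level == socket.SOL_SOCKET and ctype == socket.SCM_RIGHTS:
            fds.frombytes(data[: len(data) - (len(data) % fds.itemsize)])
    return payload, list(fds)


def run_handoff(make_device, name="tun0"):
    """Fork; the child creates the device via make_device(name) and sends its fd back.
    Returns (name_reported_by_child, fd) in the parent. In real use the child would
    stay alive running the container workload so the namespace persists."""
    parent, child = socket.socketpair(socket.AF_UNIX, socket.SOCK_STREAM)
    pid = os.fork()
    if pid == 0:
        parent.close()
        try:
            send_fds(child, [make_device(name)], name.encode())
        except Exception as exc:  # report failure (e.g. EPERM from unshare) instead of dying silently
            child.sendall(("error: %s" % exc).encode())
        finally:
            os._exit(0)
    child.close()
    payload, fds = recv_fds(parent)
    parent.close()
    os.waitpid(pid, 0)
    if not fds:
        raise RuntimeError(payload.decode() or "child sent nothing")
    return payload.decode(), fds[0]


if __name__ == "__main__":
    ifname, tun_fd = run_handoff(make_tun_in_new_netns, "tun0")
    os.set_inheritable(tun_fd, True)  # fds from recvmsg are close-on-exec by default
    env = dict(os.environ, WG_TUN_FD=str(tun_fd), WG_PROCESS_FOREGROUND="1")
    os.execve("./wireguard-go", ["wireguard-go", ifname], env)  # path is an assumption
```

The parent never needs CAP_NET_ADMIN: the only privileged step, creating and naming the TUN device, happens inside the child's own user namespace, and the fd it sends back is just an open file that the host-side userspace WireGuard reads and writes packets through.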
Building from source
Make sure you initialize and update the wireguard-go git submodule:
git clone ... wireguard4netns
cd wireguard4netns/
git submodule update --init
poetry build
This will download a copy of Go and build a custom wireguard-go binary, which is placed at src/wireguard4netns/wireguard-go. As long as that binary is present, the build will not try to rebuild the wireguard-go code again.
We have to use a custom-built version of wireguard-go because starting it with an existing tunnel socket fd is really just an artifact of how it sets up the tun/tap device and UAPI socket in the foreground and then daemonizes itself, passing along the already open file descriptors. With our approach the tun/tap device ends up in a different network namespace, so wireguard-go is unable to query or set its MTU. The changes that avoid failing on those MTU operations are in wireguard-go.patch.
We also needed to make sure the UAPI socket is placed in a user-writable location instead of /var/run/wireguard; this socketDirectory path is modified through a custom linker flag that is set in build.py, where we build the binary. Note that whoever can connect to that socket can read and rewrite the tunnel's keys and peers, so the chosen directory should not be writable by other users.
Licenses
wireguard4netns is MIT licensed
Copyright (c) 2022 Carnegie Mellon University
SPDX-License-Identifier: MIT
Permission is hereby granted, free of charge, to any person obtaining a copy of
this software and associated documentation files (the "Software"), to deal in
the Software without restriction, including without limitation the rights to
use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies
of the Software, and to permit persons to whom the Software is furnished to do
so, subject to the following conditions:
The above copyright notice and this permission notice shall be included in all
copies or substantial portions of the Software.
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
SOFTWARE.
wireguard-go is MIT licensed
Copyright (C) 2017-2022 WireGuard LLC. All Rights Reserved.
License: MIT
see wireguard-go/LICENSE and wireguard-go/README.md
"WireGuard" is a registered trademark of Jason A. Donenfeld.
Hashes for wireguard4netns-0.1.2-cp311-cp311-manylinux_2_17_x86_64.manylinux_2_5_x86_64.manylinux1_x86_64.manylinux2014_x86_64.whl
Algorithm | Hash digest
---|---
SHA256 | 11da7011d8753108d31866abf55abb87fa44da19ab2466a44efec74332dd0e71
MD5 | 49efe0126f758cb9e208fcae8d3ea34a
BLAKE2b-256 | 6ad10cee69672f2bca094d2947f4d9fb3db4e0e3464055507c50103b4dbb98a2
Hashes for wireguard4netns-0.1.2-cp310-cp310-manylinux_2_17_x86_64.manylinux_2_5_x86_64.manylinux1_x86_64.manylinux2014_x86_64.whl
Algorithm | Hash digest
---|---
SHA256 | 05b36679e8e8dfce82e5bd90073be7af1980126cb3f4ea0b5a72fe1810fde6c9
MD5 | 67c98a6c446eeba64a55626c6c94784f
BLAKE2b-256 | 390bb2dfbdb4a552497c9f759179e8c7942852f81f483e43b0ba99d6f959d6eb
Hashes for wireguard4netns-0.1.2-cp39-cp39-manylinux_2_17_x86_64.manylinux_2_5_x86_64.manylinux1_x86_64.manylinux2014_x86_64.whl
Algorithm | Hash digest
---|---
SHA256 | 03df0f261267dccaf50a4c95f40e92bcc74234de4676f2156af5d88df192b672
MD5 | b6c3062e91c2d4623b1302e019937a8c
BLAKE2b-256 | bae684a318bdb1ada4f62bda382d3a484a7c1ce25274843e1b717709a74a40ba
Hashes for wireguard4netns-0.1.2-cp38-cp38-manylinux_2_17_x86_64.manylinux_2_5_x86_64.manylinux1_x86_64.manylinux2014_x86_64.whl
Algorithm | Hash digest
---|---
SHA256 | bc0da0667821da01b05f8d8b4b4147de9b10903b556f2292a069c9b6cd66e6d6
MD5 | a75118a8ac36cbe5c6c9d8479a91ae13
BLAKE2b-256 | 9a79e3e46f9703a561a65bdd290c798e0727abecf571060d07629f2d09f784d6
Hashes for wireguard4netns-0.1.2-cp37-cp37m-manylinux_2_17_x86_64.manylinux_2_5_x86_64.manylinux1_x86_64.manylinux2014_x86_64.whl
Algorithm | Hash digest
---|---
SHA256 | 76ea46753bfbc0c1d0962af6cf33728a45ac241aa50f7479c74df419566880af
MD5 | 98da1837d782a18bb83d77976a9ff78e
BLAKE2b-256 | 9573ee41f3e348ca41f8b27e139b893df67015815972b6a3581cf11e10764fae