From: "Tomcsanyi, Domonkos" <domi@tomcsanyi.net>
To: Waishon <waishon009@gmail.com>
Cc: wireguard@lists.zx2c4.com
Subject: Re: Domain as endpoint when using wireguard with network namespaces
Date: Wed, 18 Aug 2021 07:54:12 +0200 [thread overview]
Message-ID: <03667268-5415-4FB0-9D4B-1E51466A3F5C@tomcsanyi.net> (raw)
In-Reply-To: <CANO0tfaBiU3r+bvBp5q57EBc4FNu0+FJ78_7G=vPzdJvuTi18g@mail.gmail.com>
I am sorry, but I need to ask: if your namespace does not have an internet connection how would you connect to your remote endpoint after the DNS lookup issue is solved and you received the IP behind vpn.example.com?
Kind regards,
Domi
> 17.08.2021 dátummal, 23:06 időpontban Waishon <waishon009@gmail.com> írta:
>
> Hey there,
>
> I'm currently trying to setup a wireguard-tunnel inside a
> network-namespace as descriped in the documentation, which fails when
> using a domain as endpoint:
> https://www.wireguard.com/netns/
>
> First I've created the wireguard interface inside the birth-namespace
> of the host using "ip link add wg0 type wireguard". Then I moved the
> wg0 interface to the newly created network namespace, which doesn't
> have any network interfaces and network connections beside the
> loopback interface.
>
> Then I configured the wg0 interface inside the network namespace using
> wg set "INTERFACE_NAME" \
> private-key <SECRET \
> peer "PEER" \
> endpoint vpn.example.com:51820 \
> persistent-keepalive 25 \
> allowed-ips ::/0
>
> This however results in a "Temporary failure in name resolution:
> `vpn.example.com:51820'. Trying again in 1.00 seconds..." error
> message, which makes sense, because the wireguard-tool tries to call
> getaddrinfo inside the network namespace. The namespace doesn't have
> an internet connection and the lookup fails.
> https://github.com/WireGuard/wireguard-tools/blob/96e42feb3f41e2161141d4958e2637d9dee6f90a/src/config.c#L242
>
> As a user I would expect that the wg-tool does the lookup in the
> birth-namespace of the interface and not inside the newly created
> network namespace.
>
> What is the recommended solution to resolve an domain endpoint when
> using network namespaces and wireguard? Just manually lookup the
> domain in the birth-namespace and use the ip as endpoint? The
> implementation however would be quiete hacky to make it properly work
> with IPv4 and IPv6.
next prev parent reply other threads:[~2021-08-18 5:54 UTC|newest]
Thread overview: 6+ messages / expand[flat|nested] mbox.gz Atom feed top
2021-08-16 22:19 Waishon
2021-08-18 5:54 ` Tomcsanyi, Domonkos [this message]
[not found] ` <781a68d1-6a85-4bb7-9911-003ba722c504@Spark>
[not found] ` <B255319F-EE48-42F6-8735-36285E490C66@tomcsanyi.net>
2021-08-18 21:27 ` "Tomcsányi, Domonkos"
2021-08-18 21:30 ` Waishon
2021-08-21 20:05 ` Marios Makassikis
2021-08-21 20:14 ` Waishon
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=03667268-5415-4FB0-9D4B-1E51466A3F5C@tomcsanyi.net \
--to=domi@tomcsanyi.net \
--cc=waishon009@gmail.com \
--cc=wireguard@lists.zx2c4.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).