Development discussion of WireGuard
* DNS endpoint resolution in container namespace
@ 2022-11-24 10:03 Ondřej Grover
  0 siblings, 0 replies; only message in thread
From: Ondřej Grover @ 2022-11-24 10:03 UTC (permalink / raw)
  To: wireguard

Hi,

I tried to follow the example here
https://www.wireguard.com/netns/#ordinary-containerization
but I found out that the DNS endpoint resolution through

ip netns exec container wg setconf wg0 /etc/wireguard/wg0.conf

won't work, because it is run in the new container namespace not yet
capable of DNS resolution.
Looking at the source code here
https://git.zx2c4.com/wireguard-tools/tree/src/config.c#n242
confirmed my suspicion that the DNS resolution is done by the wg tool
in the container namespace rather than in the original namespace.

In an ideal world the DNS resolution should IMHO happen in the
original namespace capable of DNS resolution where the world-facing
UDP socket using that endpoint IP is anyway.
Often one could use just a hard-coded IP (that's indeed what I
resorted to in the end, or perform DNS resolution at container
provisioning time as suggested by mrngm in IRC) for the wg0.conf in
the container, but with DynDNS and similar setups this may not be
possible.

But since that might require significant changes (e.g. requesting DNS
resolution in the original namespace through the kernel?), perhaps at
least in the short term I would recommend that this caveat is
mentioned on the webpage and/or perhaps in the example the `wg
setconf` step would be run in the original namespace (unless there is
some repercussion to that I did not consider).

Best wishes and thanks for all your work making wireguard what it is today,
Ondrej G.
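As an added example (not part of Ondřej's message or of wireguard-tools), a POSIX sh helper for the "resolve at provisioning time" workaround mentioned above: it rewrites `Endpoint = name:port` lines to the resolved address while still in the original namespace, so the config that is later handed to `wg setconf` inside the container contains only IP literals. The function names, the `WG_RESOLVE` override and the sample config are our own assumptions.

```shell
#!/bin/sh
# Added example (not from the message or wireguard-tools): do the Endpoint
# hostname resolution in the original namespace at provisioning time, so the
# config that reaches `ip netns exec container wg setconf` holds IP literals.
# Function names, WG_RESOLVE and the sample config are our own assumptions.
# First IPv4 address of a name via the host's resolver (override with
# WG_RESOLVE=<function> to test offline).
default_resolve() {
    getent ahostsv4 "$1" | awk 'NR == 1 { print $1 }'
}

# stdin: wg config; stdout: same config with "Endpoint = name:port" rewritten
# to "Endpoint = ip:port". IPv4/bracketed IPv6 literals pass through; an
# unresolvable name fails the run rather than producing a bad config.
resolve_endpoints() {
    resolver="${WG_RESOLVE:-default_resolve}"
    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in
            Endpoint*=*)
                value="${line#*=}"; value="${value# }"
                host="${value%:*}"; port="${value##*:}"
                case "$host" in
                    \[*\]) printf '%s\n' "$line" ;;   # IPv6 literal
                    *[!0-9.]*)                        # DNS name
                        ip="$("$resolver" "$host")" || ip=""
                        [ -n "$ip" ] || { echo "cannot resolve $host" >&2; return 1; }
                        printf 'Endpoint = %s:%s\n' "$ip" "$port" ;;
                    *) printf '%s\n' "$line" ;;       # IPv4 literal
                esac ;;
            *) printf '%s\n' "$line" ;;
        esac
    done
}

# Constructed sample config; the keys are placeholders, not key material.
SAMPLE_CONF='[Interface]
PrivateKey = PLACEHOLDER_PRIVATE_KEY
[Peer]
PublicKey = PLACEHOLDER_PUBLIC_KEY
AllowedIPs = 0.0.0.0/0
Endpoint = vpn.example.invalid:51820'

# The netns page's sequence with resolution moved before the namespace
# move (needs root and iproute2/wg; the test does not call this).
provision_container() {   # provision_container <netns> <conf-file>
    resolve_endpoints < "$2" > "/run/wg0.$1.conf" || return 1
    ip link add wg0 type wireguard
    ip link set wg0 netns "$1"
    ip netns exec "$1" wg setconf wg0 "/run/wg0.$1.conf"
}
```

Because the resolved file is written in the original namespace, a DynDNS name is looked up fresh on every provisioning run, which is the case the message says a hard-coded IP cannot cover.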
