This is a very simple script to help with network namespaces. There are also some systemd unit files included to help run the script as a service.
- Linux distribution with network namespaces
- systemd
- socat package
- iproute2 package
- wireguard-tools package
Copy `bin/wgjailr` to `/usr/bin` and make sure it is executable:

```sh
sudo chmod +x bin/wgjailr
sudo cp bin/wgjailr /usr/bin
```
The script has three main commands: `up`, `down`, and `e`.

The `up` command creates a new network namespace, adds a loopback interface and a VPN interface, and sets the default route in the new namespace. It also sets the `resolv.conf` in the network namespace to the specified DNS server.

The `down` command deletes the network namespace and cleans up the resolvconf.

The `e` command executes a command in the network namespace as the current user.
The following variables are configurable; change them at the top of the script:

- `NETWORK_NAMESPACE_NAME`: The name of the network namespace. Default is `vpn`.
- `VPN_CONFIG_PATH`: The path to your VPN configuration file. Default is `/opt/wireguard.conf`.
- `VPN_DNS_SERVER`: The DNS server to be used in the network namespace. If not set, it is read from the WireGuard `.conf` file.
- `VPN_INTERFACE_NAME`: The name of the VPN interface in the network namespace. Default is `tun0`.
- `VPN_LOCAL_IP`: The local IP address assigned to the VPN interface in the network namespace. If not set, it is read from the WireGuard `.conf` file.
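As an added example (not the wgjailr script itself), the `up` steps and the two config fallbacks above in shell: `wg_conf_field` reads `Address` and `DNS` from a WireGuard config, and `netns_up_cmds` prints the privileged commands an `up` would run for the given namespace and interface names. The config is constructed here with placeholder keys, and the commands are printed rather than executed, so it runs without root.

```shell
#!/bin/sh
# Added example, not the wgjailr script: reads the two values that wgjailr
# falls back to (VPN_DNS_SERVER, VPN_LOCAL_IP) from a WireGuard .conf and
# prints the commands an "up" step runs. Nothing here needs root.

# Constructed sample config with placeholder keys, written to a temp file.
WG_SAMPLE_CONF="${TMPDIR:-/tmp}/wgjailr-example.conf"
cat > "$WG_SAMPLE_CONF" <<'EOF'
[Interface]
PrivateKey = PLACEHOLDER_PRIVATE_KEY
Address = 10.64.0.2/32, fd00:1::2/128
DNS = 10.64.0.1

[Peer]
PublicKey = PLACEHOLDER_PUBLIC_KEY
AllowedIPs = 0.0.0.0/0, ::/0
Endpoint = vpn.example.invalid:51820
EOF

# wg_conf_field FILE KEY: value of "KEY = value" from the [Interface]
# section only; for comma-separated lists the first entry is returned.
wg_conf_field() {
    awk -F= -v key="$2" '
        /^\[/ { section = $0; next }
        section == "[Interface]" && NF >= 2 {
            k = $1; v = $2
            gsub(/[ \t]/, "", k)
            sub(/,.*/, "", v); gsub(/[ \t]/, "", v)
            if (k == key) { print v; exit }
        }' "$1"
}

# netns_up_cmds NS IFACE CONF: the privileged commands that build the jail:
# namespace, loopback, WireGuard interface moved inside, default route, DNS.
netns_up_cmds() {
    ns=$1 iface=$2 conf=$3
    addr=$(wg_conf_field "$conf" Address)
    dns=$(wg_conf_field "$conf" DNS)
    cat <<EOF
ip netns add $ns
ip -n $ns link set lo up
ip link add $iface type wireguard
ip link set $iface netns $ns
wg-quick strip $conf | ip netns exec $ns wg setconf $iface /dev/stdin
ip -n $ns addr add $addr dev $iface
ip -n $ns link set $iface up
ip -n $ns route add default dev $iface
mkdir -p /etc/netns/$ns && echo "nameserver $dns" > /etc/netns/$ns/resolv.conf
EOF
}
```

Only the WireGuard interface exists inside the namespace, so a process started there has no route out except through the tunnel; `wg-quick strip` drops the `Address` and `DNS` lines that `wg setconf` does not accept.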
In addition to the shell script, several systemd unit files are included to run the script on system start-up, forward a port from the root network namespace to the namespaced network, and run a service inside the network namespace, effectively jailing the service to it.

- `netns-vpn.service`: Creates the network namespace and sets up the VPN interface. The `ExecStart` and `ExecStop` directives run the `up` and `down` commands of the `wgjailr` script.
- `[email protected]`: Forwards a port from the root network namespace to the namespaced network. The `ExecStart` directive uses the `socat` utility to listen on a specified port and forward the connection to the namespaced network.
- `qBittorrent-nox.service`: An example of how to run a service, in this case `qBittorrent-nox`, in the network namespace. The `ExecStart` directive runs the `e` command of the `wgjailr` script, followed by the qBittorrent command line client.
- `[email protected]`: A template unit file showing how to run a service, in this case `qBittorrent-nox`, in the network namespace as a specific user. It uses systemd's built-in support for network namespaces. Write the username that shall run the qBittorrent server after the `@`. Example: `sudo systemctl start netns-vpn-qbittorrent-nox@myqbittorrentuser`

Using a completely separate, unprivileged user to run the qBittorrent server is advantageous for security: if there is a vulnerability in qBittorrent, an attacker only gains the privileges of the user running the server.
To use these unit files, copy them to the `/etc/systemd/system/` directory.