Skip to content

WireGuard tunnel with netns

This example configures a WireGuard tunnel for a branch office using netns namespace isolation:

  • configures an uplink interface in a dedicated outside netns namespace
  • create a WireGuard interface wg0 in the root netns namespace while the encrypted traffic originates from the outside netns namespace
  • configure routing in both netns namespaces

ifstate

interfaces:
  # inside interface
  - name: eth0
    addresses:
    - 192.0.2.129/25
    link:
      state: up
      kind: physical
  # wireguard vpn
  - name: wg0
    addresses:
    - 192.0.2.1/25
    link:
      state: up
      kind: wireguard
      bind_netns: outside
    wireguard:
      private_key: !include /etc/wireguard/peer_A.key
      peers:
      - public_key: oef+ZSlMWWCF1bEHPaw04TmjPyHKcz2b81njwIQI0xA=
        endpoint: 198.51.100.2:4711
        allowedips:
        - 0.0.0.0/0

routing:
  rules: []
  routes:
    # default route via vpn
    - to: 0.0.0.0/0
      dev: wg0

namespaces:
  outside:
    interfaces:
      - name: eth0
        addresses:
        - 198.51.100.2/31
        link:
          state: up
          kind: physical
    routing:
      rules: []
      routes:
        - to: 0.0.0.0/0
          via: 198.51.100.1