rootless: wireguard using infra-container fails here

[tobwen]

summary

Some days ago, I've found this promising repository to set up a rootless Podman container with Wireguard-only connectivity, without user-space networking (i.e. without slirp): https://github.com/jcarrano/wg-podman

I tried to reproduce it in Debian, but failed in multiple ways.
Update: I also tried several versions of Podman. I don't think it's a podman issue, I guess I'm doing something wrong or missing something. That's why I didn't release a podman info.

steps

Create an empty pod with --network=none and start it

podman pod create --network=none --infra-conmon-pidfile=/home/tobwen/mypod.pid --name mypod
podman pod start mypod

Since the pod has an empty netns, get its PID:

infra_id="$(podman pod ps --format json --filter name=mypod | jq -r '.[0].InfraId')"
infra_pid="$(podman ps --format json --filter id=${infra_id} | jq -r '.[0].Pid')"

Setup the named netns and configure the wireguard-interface. I need to do this as root. The work-around with shared mounts on /run/netns didn't work for me on Debian.

ip netns attach mypod "$infra_pid"
ip link add wg-mypod type wireguard
ip link set wg-mypod netns mypod

ip netns exec mypod wg setconf wg-mypod /home/tobwen/wg-mypod.conf
ip netns exec mypod ip address add 192.168.6.190/32 dev wg-mypod
ip netns exec mypod ip link set wg-mypod up

And now create a container in the pod and enter it

podman run -it --rm --pod=mypod alpine

The interface it there, but I cannot wget anything:

# ip addr
2: wg-mypod: <POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1420 qdisc noqueue state UNKNOWN group default qlen 1000
    link/none
    inet 192.168.6.190/32 scope global wg-mypod
       valid_lft forever preferred_lft forever

# wget 1.1.1.1
Couldn't connect to server.

questions

What am I doing wrong? Is it because I assigned the PID to the netns as root? But the whole thing also doesn't work when being run as root (same output)

rootful podman

For rootful podman, I'm going the lazy way. But this one isn't as isolated as the pod-variant, since the connection to host still exists.

podman run --init -it --name wireguard -d alpine
nsp="$(podman inspect wireguard | jq -r .[].NetworkSettings.SandboxKey | awk -F/ '{print $NF}')"
ip netns exec "$nsp" wg-quick up wg-test
podman exec -it wireguard sh

[IBims1NicerTobi]

Afaik you have to spawn the wireguard interface outside the netns. So spawn the wireguard interface -> configure the interface -> move it into the new namespace. The wireguard homepage has an example. https://www.wireguard.com/netns/

[IBims1NicerTobi]

ip route add 0.0.0.0/0 dev wg-mypod instead of the defaut route solves the issue

[tobwen]

Thanks a lot. It works perfectly. I'll write a small how-to later.