I recently set this up, but with Podman since I was experimenting with CentOS. It turned out to be quite simple to use network namespaces. I created a new namespace for wireguard and moved wg0 into the namespace, then had the container use that namespace:

<pre><code>ip netns add vpn
ip link add wg0 type wireguard
ip link set wg0 netns vpn
# configure wireguard as usual, prefix commands with ip netns exec vpn
podman run --network=ns:/var/run/netns/vpn ...
</code></pre>
When I tried this, it was not yet possible with rootless containers, but in newer Podman versions you can tell slirp4netns to use a specific network interface with --network=slirp4netns:outbound_addr=INTERFACE.
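The namespace setup described in the comment above, written out as one script. This is an added example, not the commenter's own commands: it assumes a namespace called vpn, an interface wg0, a tunnel address of 10.0.0.2/24 and a config at /etc/wireguard/vpn.conf in the format `wg setconf` accepts (no Address or DNS keys; `wg-quick strip` produces one from a wg-quick file). The security property it relies on is that a WireGuard interface keeps its UDP socket in the namespace it was created in, so after the move the container sees only wg0 and has no path around the tunnel; `check_isolated` verifies that wg0 really is the only non-loopback interface in the namespace. DRY_RUN=1 prints the plan instead of running it.

```shell
#!/bin/sh
# Added example: run a container whose only network interface is a WireGuard
# interface living in a dedicated network namespace.
# Assumed names (not from the original comment): NS=vpn, WG=wg0,
# CONF=/etc/wireguard/vpn.conf, ADDR=10.0.0.2/24.

NS=${NS:-vpn}
WG=${WG:-wg0}
CONF=${CONF:-/etc/wireguard/vpn.conf}
ADDR=${ADDR:-10.0.0.2/24}

# Execute a command, or just print it when DRY_RUN=1.
run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

setup_vpn_ns() {
    run ip netns add "$NS"
    # Create wg0 in the host namespace: its encrypted UDP socket stays here...
    run ip link add "$WG" type wireguard
    # ...and only the plaintext side of the interface moves into the namespace.
    run ip link set "$WG" netns "$NS"
    run ip -n "$NS" link set lo up
    # wg setconf takes the [Interface]/[Peer] keys only (no Address/DNS lines).
    run ip netns exec "$NS" wg setconf "$WG" "$CONF"
    run ip -n "$NS" address add "$ADDR" dev "$WG"
    run ip -n "$NS" link set "$WG" up
    # The namespace has no other interface, so this is the only way out.
    run ip -n "$NS" route add default dev "$WG"
}

# Leak check: fail if anything besides lo and wg0 exists in the namespace.
# `ip -o link` prints one "N: name: <flags> ..." line per interface.
check_isolated() {
    extra=$(ip -n "$NS" -o link show | awk -F': ' '{print $2}' \
            | grep -v -e '^lo$' -e "^$WG\$" || true)
    if [ -n "$extra" ]; then
        echo "unexpected interface(s) in $NS: $extra" >&2
        return 1
    fi
}

# Start a container inside the namespace (Podman's ns: network mode).
run_container() {
    run podman run --rm --network="ns:/var/run/netns/$NS" "$@"
}

# Usage: sh vpn-ns.sh plan | up | run IMAGE [CMD...]
case "${1:-}" in
    plan) DRY_RUN=1 setup_vpn_ns ;;
    up)   setup_vpn_ns && check_isolated ;;
    run)  shift; run_container "$@" ;;
esac
```

A quick sanity check after `up` is `sh vpn-ns.sh run docker.io/library/alpine ip route`, which should show only the default route via wg0 and nothing else. Note that `podman run --network=ns:` needs the same privileges as the `ip` commands; rootless Podman cannot join a namespace it does not own, which is the limitation the comment mentions.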
> take a look at an OpenVPN config file and you will appreciate this shortness

OpenVPN config files can be pretty small once you remove all the comments (my server is 22 lines)

That being said, I like WireGuard. I've switched over a lot of stuff to it. It does have some issues though:

* Road warrior configurations aren't easy. If you use a DNS name as an endpoint, and that DNS entry changes, you have to refresh it. They have a contrib script in the repo that you can put in cron and do this for you, but it's still not built in.

* You might need keep-alives in certain configurations

* You can't bind WireGuard to an IP address. It listens on all adapters. The devs argue it doesn't matter since WG won't respond via UDP unless it gets a valid key, but this does put WG into a weird state where it might send on an IP it's not receiving on.

There are others I'm probably forgetting. I do like it though. It's faster, the setup is clear. If you have one setting wrong in OpenVPN the connection could fail and you won't get useful stuff in the logs.
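The "refresh the DNS endpoint" job from the first bullet above, as an added example of what such a cron script has to do. It is not the wireguard-tools contrib script, only the same idea: for every peer whose Endpoint is a hostname, look at the kernel's last-handshake time, and if it is older than 135 seconds (REKEY_AFTER_TIME 120 + KEEPALIVE_TIMEOUT 10 + REKEY_TIMEOUT 5, the point past which a silent peer is treated as gone) resolve the name again and push the address with `wg set`. Assumed: Linux with wireguard-tools and glibc's `getent`, interface wg0, and a config file whose Endpoint lines carry the hostnames. The four hooks at the top exist so the logic can be exercised with stubbed `wg`, resolver and clock.

```shell
#!/bin/sh
# Added example: re-resolve hostname endpoints of peers whose handshake is stale.
# Assumed interface wg0 and a config file passed as $1 (e.g. /etc/wireguard/wg0.conf).

WG=${WG:-wg0}
STALE_AFTER=135   # REKEY_AFTER_TIME + KEEPALIVE_TIMEOUT + REKEY_TIMEOUT, in seconds

# Hooks: kernel state, resolver, clock and setter. Override them to test offline.
latest_handshakes() { wg show "$WG" latest-handshakes; }     # "PUBKEY<TAB>epoch" per peer
resolve_host()      { getent ahostsv4 "$1" | awk 'NR == 1 { print $1 }'; }
now()               { date +%s; }
set_endpoint()      { wg set "$WG" peer "$1" endpoint "$2"; }

# Print "PUBKEY HOST PORT" for every [Peer] whose Endpoint is a hostname.
# Keys are split on the first "=" only, because base64 public keys end in "=".
peer_endpoints() {
    awk '
        function trim(s) { gsub(/^[ \t]+|[ \t]+$/, "", s); return s }
        /^\[/ { pub = ""; ep = "" }                       # new section
        /^[ \t]*#/ || !index($0, "=") { next }            # comment or not key=value
        {
            i = index($0, "=")
            k = tolower(trim(substr($0, 1, i - 1)))
            v = trim(substr($0, i + 1))
        }
        k == "publickey" { pub = v }
        k == "endpoint"  { ep = v }
        pub != "" && ep != "" {
            host = ep; sub(/:[0-9]+$/, "", host)
            port = ep; sub(/.*:/, "", port)
            # IPv4 and bracketed IPv6 literals never need re-resolving.
            if (host !~ /^[0-9.]+$/ && host !~ /^\[/) print pub, host, port
            pub = ""; ep = ""
        }
    ' "$1"
}

# For each stale peer with a hostname endpoint, resolve and re-set it.
# Prints "PUBKEY IP:PORT" for every endpoint that was updated.
reresolve() {
    conf=$1
    t=$(now)
    hs=$(latest_handshakes)
    peer_endpoints "$conf" | while read -r pub host port; do
        last=$(printf '%s\n' "$hs" | awk -v p="$pub" '$1 == p { print $2 }')
        [ -n "$last" ] || continue                           # unknown to the kernel
        [ $((t - last)) -gt "$STALE_AFTER" ] || continue     # handshake still fresh
        ip=$(resolve_host "$host") || continue
        [ -n "$ip" ] || continue
        set_endpoint "$pub" "$ip:$port" && printf '%s %s:%s\n' "$pub" "$ip" "$port"
    done
}

# Usage from cron: */1 * * * * /usr/local/bin/wg-reresolve.sh /etc/wireguard/wg0.conf
if [ $# -gt 0 ]; then
    reresolve "$1"
fi
```

Two things worth keeping from this even if you write your own: a peer that has never handshaked reports 0 and therefore gets re-resolved on the first run, and peers with fresh handshakes are left alone so a flapping resolver cannot knock a working tunnel over.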
An even simpler way of routing a certain container through wireguard, without needing to create a docker network and bind it to wg manually:

https://github.com/pirate/wireguard-docs#example-client-container-setup
This is the simplest setup I could get. https://github.com/lightswitch05/wireguard-docker
WireGuard tackles these problems:

1. Complex implementation: lots of moving parts with a lot of room for defects

2. Complex configuration: lots of configuration settings with a lot of room for misconfiguration

3. Complex protocols: overcomplicated handshaking and key negotiation

All these things leave a lot of flexibility for backdooring, binary exploitation, etc. aka "capabilities" in spook-speak.
I appreciate the write up, but you can't just put "simple" in a title and expect it to be simple for everyone. It's simple for what audience? I know there are plenty of developers (especially Mac/Windows users) who would read this and be put off. Simple for me would be running one command like "docker-compose up" and be up and running.