
[Proposal] Allow for ipranges when adding routes

Open marinmo opened this issue 1 year ago • 9 comments

Thank you for this awesome project.

It'd be nice if one could specify CIDR ranges when adding routes. Currently the -a flag just seems to accept static addresses such as for example 192.168.0.1:10.0.0.1. It'd be really nice if one could do for example 192.168.0.0/24:10.0.0.0/8 too.

Thanks in advance for your consideration of this proposal.

marinmo avatar Mar 19 '23 18:03 marinmo

Hi @marinmo,

I will give this a look on Wednesday and will update here.

b-m-f avatar Mar 20 '23 07:03 b-m-f

Hi @marinmo,

I have created a beta version at https://github.com/b-m-f/wg-pod/releases/tag/0.5-beta1

Can you try if it works properly?

Unfortunately this project has no test-suite I can leverage yet. Since I am trying to get this functionality integrated into podman itself I did not think it would be necessary.

b-m-f avatar Mar 22 '23 14:03 b-m-f

Hello,

Sorry for not replying as swiftly as one would've liked. I've tested, but realized that the target (which would be the local container IP, as that's used to communicate with localhost in most/all instances) also becomes a CIDR range; this is my bad from the original proposal. The routing target expects an IP address. Currently, 0.5-beta1 gives an error as such:

[root@905f921d72fa/]# ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: eth0@if34: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default
    link/ether 52:69:c1:af:c8:6e brd ff:ff:ff:ff:ff:ff link-netnsid 0
    inet 10.88.0.14/16 brd 10.88.255.255 scope global eth0
       valid_lft forever preferred_lft forever
    inet6 fe80::5069:c1ff:feaf:c86e/64 scope link
       valid_lft forever preferred_lft forever
[root@905f921d72fa /]# exit
marinmo@mediaserver /u/l/bin> sudo wg-pod join centos-helper /containers/wg/wg0.conf -d -a 192.168.254.0/24:10.88.0.14
Adding container centos-helper into WireGuard network defined in /containers/wg/wg0.conf
Create temporary private key file for WireGuard interface at /run/containers/network/centos-helper.pkey
Added new WireGuard interface podman-02b6449
Moved WireGuard interface podman-02b6449 to namespace netns-b1f911f8-4ebc-042f-49a8-c9efd8259f92
Set IP address of WireGuard interface podman-02b6449 in namespace netns-b1f911f8-4ebc-042f-49a8-c9efd8259f92 to 10.65.177.173/32
Set Config /containers/wg/wg0.conf onto WireGuard interface podman-02b6449 in namespace netns-b1f911f8-4ebc-042f-49a8-c9efd8259f92
Activated WireGuard interface podman-02b6449 in namespace netns-b1f911f8-4ebc-042f-49a8-c9efd8259f92
Successfully deleted the default route in namespace netns-b1f911f8-4ebc-042f-49a8-c9efd8259f92
Route 0.0.0.0/0 in namespace netns-b1f911f8-4ebc-042f-49a8-c9efd8259f92 through WireGuard interface podman-02b6449
Routing to 192.168.254.0/24 via 10.88.0.14/32 in namespace netns-b1f911f8-4ebc-042f-49a8-c9efd8259f92
Error: Error: inet address is expected rather than "10.88.0.14/32".

marinmo avatar Apr 06 '23 17:04 marinmo

@marinmo thanks for the feedback! I will push a new update in the coming days and ping you here so you can hopefully have the desired functionality.

b-m-f avatar Apr 06 '23 19:04 b-m-f

@marinmo could you try https://github.com/b-m-f/wg-pod/releases/tag/0.5-beta2.

The gateway should now be set to an IP only instead of being in CIDR notation.

b-m-f avatar Apr 09 '23 16:04 b-m-f

Hey,

Sorry for getting back to you so slowly, life's been busy worrying about other things :) The output looks like this now, which seems like a really minor issue (note the /32 at the end of the gateway IP; the other IPs were also given as a singular IP, for reference), but things work as expected!

Route 0.0.0.0/0 in namespace netns-ceb3abfa-2949-ce99-a5a0-3a5e279e20c7 through WireGuard interface podman-dc95bfa
Routing to 192.168.254.2/32 via 10.88.0.1/32 in namespace netns-ceb3abfa-2949-ce99-a5a0-3a5e279e20c7
Routing to 10.168.254.2/32 via 10.88.0.1/32 in namespace netns-ceb3abfa-2949-ce99-a5a0-3a5e279e20c7

marinmo avatar May 01 '23 19:05 marinmo

When specifying an IP range the output looks like this (btw, I am aware /32 is only the IP specified; might be better to remove it anyway from the gateway? Or maybe this is a matter of taste ...)

Route 0.0.0.0/0 in namespace netns-7393ad1d-ab88-042f-f8e1-f81e075ba572 through WireGuard interface podman-8c0513b
Routing to 192.168.254.0/24 via 10.88.0.1/32 in namespace netns-7393ad1d-ab88-042f-f8e1-f81e075ba572
Routing to 10.168.254.0/24 via 10.88.0.1/32 in namespace netns-7393ad1d-ab88-042f-f8e1-f81e075ba572

marinmo avatar May 01 '23 20:05 marinmo
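The two reports above (the iproute2 error when the gateway is passed as `10.88.0.14/32`, and the later `/32` that only shows up in the log line) come down to how the `-a` value is parsed. The following Go snippet is an added example, not wg-pod's own code: it splits a `dest:gateway` argument, accepts a bare address or a CIDR range as the destination, tolerates but strips a host prefix on the gateway, rejects a non-host gateway prefix, and builds the `ip route` argv and log line with a bare gateway address. It assumes IPv4 arguments, as in the thread.

```go
package main

import (
	"fmt"
	"net/netip"
	"strings"
)

// Route is one parsed "-a" entry: a destination prefix reached via a
// gateway address inside the container's network namespace.
type Route struct {
	Dest    netip.Prefix // always CIDR; a bare address becomes a /32
	Gateway netip.Addr   // always a bare address, never CIDR
}

// ParseRouteArg parses "dest:gateway" (IPv4 only, hypothetical helper).
// A "/32" on the gateway is stripped because iproute2 rejects "via a.b.c.d/32";
// any other gateway prefix length is an error rather than a silent guess.
func ParseRouteArg(arg string) (Route, error) {
	destStr, gwStr, ok := strings.Cut(arg, ":")
	if !ok {
		return Route{}, fmt.Errorf("route %q: expected dest:gateway", arg)
	}
	dest, err := netip.ParsePrefix(destStr)
	if err != nil { // not CIDR: try a single address and widen it to /32
		a, aerr := netip.ParseAddr(destStr)
		if aerr != nil || !a.Is4() {
			return Route{}, fmt.Errorf("route %q: bad destination %q", arg, destStr)
		}
		dest = netip.PrefixFrom(a, a.BitLen())
	}
	dest = dest.Masked() // 192.168.254.1/24 -> 192.168.254.0/24
	gw, err := netip.ParseAddr(gwStr)
	if err != nil { // maybe "10.88.0.1/32": accept only a host prefix
		p, perr := netip.ParsePrefix(gwStr)
		if perr != nil || p.Bits() != p.Addr().BitLen() {
			return Route{}, fmt.Errorf("route %q: gateway must be a single address, got %q", arg, gwStr)
		}
		gw = p.Addr()
	}
	if !gw.Is4() || !dest.Addr().Is4() {
		return Route{}, fmt.Errorf("route %q: only IPv4 is handled here", arg)
	}
	return Route{Dest: dest, Gateway: gw}, nil
}

// IPRouteArgs is the iproute2 command that installs the route in netns.
func (r Route) IPRouteArgs(netns string) []string {
	return []string{"ip", "-n", netns, "route", "add", r.Dest.String(), "via", r.Gateway.String()}
}

// LogLine mirrors wg-pod's message, with the gateway printed as a bare IP.
func (r Route) LogLine(netns string) string {
	return fmt.Sprintf("Routing to %s via %s in namespace %s", r.Dest, r.Gateway, netns)
}
```

With `192.168.254.0/24:10.88.0.14` this yields `ip -n <netns> route add 192.168.254.0/24 via 10.88.0.14`, which is the form iproute2 accepts.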

@marinmo ,

I will look into this soon. I think I just did not edit the print statements.

You might also be interested in https://github.com/b-m-f/netavark-wireguard-plugin which I just released. It still has some time to go before it will be perfect; IP ranges and IPv6 are the biggest trouble right now. Will need investigation and quite some work, but it's going to be the cleaner solution to integrate WireGuard networks into podman containers :)

b-m-f avatar May 01 '23 20:05 b-m-f

Thanks so much for your help with this.

As for the plugin, that'd also probably be a cleaner solution, since running wg-pod without superuser privileges isn't something I've been able to do so far.

It'd also negate the issue with systemd not really working as expected when launching a podman container as a user from a system-level service. All the above together has me running services requiring wg-pod as root, which negates a big selling point of using podman in the first place :) I'll keep an eye on the plugin! Think this issue can be regarded as resolved.

marinmo avatar May 01 '23 21:05 marinmo