Using a Wireguard VPN for only select processes on Linux
This guide will help you setup a network namespace which connects over a wireguard connection and give you a shell in that namespace where you can run anything you need. It is great for when you want to run something through a VPN, but don't want to send all of your internet traffic through the VPN. Keep in mind that this is not a container and whatever you run in your network namespace has access to your filesystem just like anything else would and needs to be run with appropriate permissions. I am assuming you already installed wireguard for this tutorial.
- Add a line to your wireguard config (usually /etc/wireguard/wg0.cfg) that says
AllowedIPs = 0.0.0.0/0, ::/0under the
[Peer]section if it is not already there. If you are using this for a VPN service, they probably provided you with a wireguard config file to use here.
- Run the networked namespace creation script available here as root. Enter the name of your primary network interface at the prompt (you can list your system's network interfaces with
ip aon most Linux machines, use one with a LAN IP address).
- Start a shell in the namespace using the recommended command from the output of the above script.
sudo wg-quick up wg0in the namespace where
wg0is the name of your wireguard config file you are using.
- Your namespace is now connected to the internet over a wireguard connection while your main system is not! In addition, you can access your namespace and your namespace can access your main system over the veth interface that was created with the IPs
10.200.1.2respectively, try pinging between them!
Make a Wireguard Network Namespace systemd service unit for startup and shutdown
- Download these two scripts for startup and shutdown.
- Edit the top of both of the scripts and change the values at the top to match your current network interface with internet access and the name of your wireguard config file in
/etc/wireguard/. If you are using a VPN provider they should have provided a file to place there or made you run a script which added configs there to choose from.
- Make a service file called
- Copy the startup and shutdown scripts to
/usr/binand mark each of them as executable using
chmod a+x scriptname.sh.
- (OPTIONAL, avoid if using a VPN config) Run
mkdir -p /etc/netns/ns1/and then
echo 'nameserver 220.127.116.11' > /etc/netns/ns1/resolv.confto use a custom DNS server for your wireguard namespace rather than whatever DNS service the rest of your system uses. Replace
51.15.98/87with a DNS server of your choosing, but I would point you to the ones here.
wg-namespace.serviceand add the following:
[Unit] Description=Start and stop wireguard namespace [Service] Type=oneshot ExecStart=/usr/bin/wgns-start ExecStop=/usr/bin/wgns-stop RemainAfterExit=yes [Install] WantedBy=multi-user.target
- To start the service and enable it to run on startup run
systemctl enable --now wg-namespace.service.
Now you have a namespace setup like above which preserves itself across reboots. To run commands in that namespace which has all traffic going through wireguard, run
ip netns exec ns1 YOUR-COMMAND-HERE. You can run
/bin/bash -i to get an interactive bash shell there, too. Keep in mind that some wireguard VPN configs have finicky DNS resolution setups and so if it doesn't resolve domain names but can ping outside IP addresses try restarting the service.
An Example Application: VPN seedbox
Now that all of this is setup I'm going to outline a use-case that some people might find familiar. Say you are running a seedbox for fully gratis GNU/Linux distro torrents in a country where that might be frowned upon on a system which already hosts content directly on the public internet. Once the
ns1 namespace is setup you can make a new user called torrentrunner to isolate their configuration files and avoid issues. Then install
deluge-web, a torrent daemon with a webui for controlling it. Then once that is done you can enable the service for the webui so it runs in the default namespace with
sudo systemctl enable deluge-web. Before running the daemon though, you should probably use
ip netns exec ns1 links press “g” and browse to a site which confirms you are on a VPN (what is my ip address or whatever), otherwise restart the namespace systemd service unit and try again because sometimes it can be finicky. Once you are ready, run the daemon and kill it once with the new user to ensure the config files exist
sudo -u torrentrunner deluged and
sudo -u torrentrunner killall deluged. Find the deluge
core config file in
/home/torrentrunner/.config/deluge/ and set allow remote connections to
true. Then you are ready! Start the deluge daemon with the new user in the wireguard namespace by running
ip netns exec ns1 sudo -u torrentrunner deluged. Connect to the webui (defaults to port 8112) and then go to “Connection Manager > Add” and for the host enter
10.200.1.2 and leave the port as the default port,
10.200.1.2 is the ip address for your main system's wireguard namespace running the daemon and only shows up on your machine and won't be directly on the LAN. Connect to it, and you are all set.
Other use cases could be for running a browser or any other networked application through a VPN from the terminal on a desktop Linux machine
ip netns exec ns1 $Application but keep in mind that VPNs don't offer privacy no matter what they say and these won't be running in a container so they can still fingerprint you. You could also setup a testing client-server setup locally for development purposes with connections going between
10.200.1.1 (regular namespace) and
10.200.1.2 (wireguard namespace).