Using a WireGuard VPN for only select processes on Linux

This guide will help you set up a network namespace that connects over a WireGuard tunnel, and give you a shell in that namespace where you can run anything you need. It is great for when you want to run something through a VPN but don't want to send all of your internet traffic through it. Keep in mind that this is not a container: a network namespace isolates only the network stack (interfaces, addresses, routes, firewall rules), so whatever you run in it has the same access to your filesystem, users and processes as anything else on the machine and needs to be run with appropriate permissions. I am assuming you already installed WireGuard for this tutorial.

Simple setup:

  1. Add a line to your WireGuard config (usually /etc/wireguard/wg0.conf; wg-quick finds the config by that basename) that says AllowedIPs = 0.0.0.0/0, ::/0 under the [Peer] section if it is not already there. That line is what makes wg-quick route all of the namespace's traffic, IPv4 and IPv6, into the tunnel. If you are using this with a VPN service, they probably provided you with a WireGuard config file to use here.
  2. Run the networked namespace creation script available here as root. Enter the name of your primary network interface at the prompt (you can list your system's network interfaces with ip a on most Linux machines; pick the one that carries your LAN IP address).
  3. Start a shell in the namespace using the recommended command from the output of the above script.
  4. Run wg-quick up wg0 in the namespace (the shell from step 3 is already root; prefix sudo otherwise), where wg0 is the basename of the config file you are using, i.e. /etc/wireguard/wg0.conf. Because the interface is created from inside the namespace, its UDP socket lives there too: the encrypted packets leave through the veth pair and your main system's NAT, while everything else in the namespace goes into the tunnel.
  5. Your namespace is now connected to the internet over WireGuard while your main system is not! In addition, the main system can reach the namespace and the namespace can reach the main system over the veth pair the script created, with the IPs 10.200.1.1 (main system) and 10.200.1.2 (namespace); try pinging between them. One caveat: before step 4, and again after wg-quick down, the namespace reaches the internet directly through the NAT on your main system, so start the things that must stay behind the VPN only after the tunnel is up, and when in doubt check from the main system with ip -n ns1 route get 1.1.1.1 (ns1 is the namespace name the script uses; the answer should say dev wg0, not the veth interface).
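The creation script linked from step 2 is not reproduced on this page, so what follows is an added, stand-alone equivalent written for this article; it is not the original script nor the author's wgns-start/wgns-stop, although it can stand in for both since it also does step 4 and the teardown. It assumes the names used in the guide (namespace ns1, veth addresses 10.200.1.1 and 10.200.1.2, config /etc/wireguard/wg0.conf), that iptables with its conntrack match is available, and it takes an optional peer ip:port to build a kill switch so that nothing leaves the namespace unencrypted except WireGuard's own UDP flow. DRY_RUN=1 prints the commands instead of executing them, which is worth doing once before handing the script root.

```shell
#!/bin/sh
# wgns: build or tear down the ns1 namespace from the guide and bring the
# tunnel up inside it. Added example, not the script linked from step 2 nor
# the author's wgns-start/wgns-stop, though it can stand in for both.
# Assumptions: namespace ns1 with the veth pair 10.200.1.1 (host side) and
# 10.200.1.2 (namespace side) as in the guide, iptables with the conntrack
# match, and /etc/wireguard/wg0.conf as the tunnel config.
# Usage (as root):
#   wgns start eth0                     # NAT everything from ns1 out of eth0
#   wgns start eth0 203.0.113.5:51820   # plus kill switch: only the peer's
#                                       # UDP endpoint may leave unencrypted
#   wgns stop eth0 [203.0.113.5:51820]  # same arguments as the matching start
#   DRY_RUN=1 wgns start eth0           # print the commands, run nothing

NS=ns1
VETH_HOST=veth-$NS        # host end of the pair, 10.200.1.1
VETH_NS=veth0             # namespace end, 10.200.1.2
HOST_IP=10.200.1.1
NS_IP=10.200.1.2
SUBNET=10.200.1.0/24
WG_CONF=${WG_CONF:-wg0}   # basename of /etc/wireguard/<name>.conf

# Execute a command, or only print it when DRY_RUN=1 so the plan can be read.
run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# fw ACTION UPLINK [ENDPOINT]: add (-A) or delete (-D) the host-side rules
# that forward and masquerade ns1's traffic. With ENDPOINT (ip:port of the
# peer) only WireGuard's own UDP flow may leave in plain text; anything wg0
# has not encapsulated into that flow is dropped, so a process started before
# the tunnel is up, or after it goes down, cannot leak.
fw() {
    act=$1
    uplink=$2
    endpoint=${3:-}
    run iptables -t nat "$act" POSTROUTING -s "$SUBNET" -o "$uplink" -j MASQUERADE
    run iptables "$act" FORWARD -i "$uplink" -o "$VETH_HOST" \
        -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
    if [ -n "$endpoint" ]; then
        run iptables "$act" FORWARD -i "$VETH_HOST" -o "$uplink" -p udp \
            -d "${endpoint%:*}" --dport "${endpoint##*:}" -j ACCEPT
        run iptables "$act" FORWARD -i "$VETH_HOST" -o "$uplink" -j DROP
    else
        run iptables "$act" FORWARD -i "$VETH_HOST" -o "$uplink" -j ACCEPT
    fi
}

wgns_start() {
    uplink=${1:?uplink interface required, list them with ip a}
    endpoint=${2:-}
    run ip netns add "$NS"
    run ip -n "$NS" link set lo up
    # One end of the veth pair stays on the host, the other moves into ns1.
    run ip link add "$VETH_HOST" type veth peer name "$VETH_NS"
    run ip link set "$VETH_NS" netns "$NS"
    run ip addr add "$HOST_IP/24" dev "$VETH_HOST"
    run ip link set "$VETH_HOST" up
    run ip -n "$NS" addr add "$NS_IP/24" dev "$VETH_NS"
    run ip -n "$NS" link set "$VETH_NS" up
    # ns1's default route points at the host; wg-quick's policy routing then
    # diverts everything except the encrypted UDP to the peer into wg0.
    run ip -n "$NS" route add default via "$HOST_IP"
    # ip netns exec bind-mounts /etc/netns/ns1/resolv.conf over
    # /etc/resolv.conf, so give the namespace its own resolver if one is set.
    if [ -n "${WGNS_DNS:-}" ]; then
        run mkdir -p "/etc/netns/$NS"
        run sh -c "echo 'nameserver $WGNS_DNS' > /etc/netns/$NS/resolv.conf"
    fi
    run sysctl -q -w net.ipv4.ip_forward=1
    fw -A "$uplink" "$endpoint"
    # Step 4 of the guide: created from inside the namespace, wg0's UDP socket
    # lives there too, so the encrypted packets leave through the veth and NAT.
    run ip netns exec "$NS" wg-quick up "$WG_CONF"
}

wgns_stop() {
    uplink=${1:?uplink interface required}
    endpoint=${2:-}
    run ip netns exec "$NS" wg-quick down "$WG_CONF"
    fw -D "$uplink" "$endpoint"
    run ip netns del "$NS"        # also removes both ends of the veth pair
    run rm -f "/etc/netns/$NS/resolv.conf"
}

case "${1:-}" in
    start) wgns_start "${2:-}" "${3:-}" ;;
    stop)  wgns_stop "${2:-}" "${3:-}" ;;
    "")    ;;                  # no arguments: only define the functions
    *)     echo "usage: $0 start|stop UPLINK [ENDPOINT]" >&2; exit 1 ;;
esac
```

After a start, verify from the host with ip -n ns1 route get 1.1.1.1: with the tunnel up it answers dev wg0, and if it answers via the veth the namespace is not protected. When the endpoint argument was given that unprotected state is also a black-holed one, because the FORWARD chain drops everything from ns1 except UDP to the peer's port, which is the whole point of the kill switch.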

Make a WireGuard network namespace systemd service unit for startup and shutdown

Put the following in a unit file such as /etc/systemd/system/wgns.service. It expects two scripts you provide yourself: /usr/bin/wgns-start, which does steps 2 and 4 above (create the namespace, then run wg-quick up inside it), and /usr/bin/wgns-stop, which takes the tunnel down and deletes the namespace again.

   [Unit]
   Description=Start and stop WireGuard namespace
   # wg-quick has to resolve and reach the peer's endpoint, so wait for the network
   Wants=network-online.target
   After=network-online.target
   
   [Service]
   Type=oneshot
   ExecStart=/usr/bin/wgns-start
   ExecStop=/usr/bin/wgns-stop
   RemainAfterExit=yes
   
   [Install]
   WantedBy=multi-user.target

Once you enable the unit (systemctl enable --now, using whatever name you gave the unit file), the namespace from the previous section is recreated on every boot. To run a command with all of its traffic going through WireGuard, run ip netns exec ns1 YOUR-COMMAND-HERE as root, where ns1 is the namespace name the creation script uses; ip netns exec ns1 /bin/bash -i gets you an interactive bash shell there. Whatever you start this way runs as root unless you drop privileges inside, e.g. ip netns exec ns1 sudo -u yourname YOUR-COMMAND-HERE. DNS is the usual trouble spot: ip netns exec bind-mounts /etc/netns/ns1/resolv.conf over /etc/resolv.conf if that file exists, so if the namespace can ping outside IP addresses but cannot resolve domain names, put the VPN's resolver in /etc/netns/ns1/resolv.conf (and if wg-quick fails because resolvconf is not installed, drop the DNS= line from the config and rely on that file instead). If that is already in place and it still does not resolve, restart the service.

An Example Application: VPN seedbox

Now that all of this is set up, here is a use case some people might find familiar. Say you are running a seedbox for fully gratis GNU/Linux distro torrents in a country where that might be frowned upon, on a system which already hosts content directly on the public internet. Once the ns1 namespace is up:

  1. Create a new user called torrentrunner so the daemon's configuration files and permissions stay separate from everything else on the box.
  2. Install deluge and deluge-web, a torrent daemon and a web UI for controlling it. Enable the web UI so it runs in the default namespace with sudo systemctl enable deluge-web. It listens on port 8112 on every interface by default, so change its default password and firewall the port before you expose the host any further.
  3. Before running the daemon, confirm the namespace really is on the VPN: run a text browser inside it (ip netns exec ns1 links, then press "g" to enter a URL) and visit a site that shows your public IP address (what is my ip address or whatever). If it shows your real address, restart the namespace systemd service unit and try again; sometimes it is finicky.
  4. Run the daemon once as the new user and kill it so the config files get created: sudo -u torrentrunner deluged, then sudo -u torrentrunner killall deluged.
  5. In /home/torrentrunner/.config/deluge/core.conf set allow_remote to true. This makes deluged accept RPC connections on every address in the namespace, including the tunnel's, so whatever the VPN provider forwards to you could reach it; make sure the account in /home/torrentrunner/.config/deluge/auth has a strong password.
  6. Start the daemon as the new user in the WireGuard namespace: ip netns exec ns1 sudo -u torrentrunner deluged.
  7. Open the web UI (port 8112), go to "Connection Manager > Add", enter 10.200.1.2 as the host, keep the default port (58846) and use the credentials from the auth file. 10.200.1.2 is the namespace end of the veth pair: it exists only on your machine and is not reachable from the LAN. Connect to it, and you are all set.
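Starting the daemon by hand from a root shell does not survive a reboot, and nothing stops it from coming up while the tunnel is down. The following added example (not from the guide or from the Deluge project) turns the seedbox into a systemd service that runs deluged as torrentrunner inside ns1 and refuses to start unless the namespace's route to an arbitrary public address (1.1.1.1 is used) goes through wg0. It assumes the unit from the previous section is installed as wgns.service, that the namespace is exposed at /run/netns/ns1 where ip netns add puts it, that deluged accepts -d to stay in the foreground, and that the script itself is installed as /usr/local/sbin/deluged-ns.

```shell
#!/bin/sh
# deluged-ns: run deluged as torrentrunner inside ns1 as a systemd service,
# refusing to start unless the namespace really routes through wg0. Added
# example, not from the original guide or the Deluge project. Assumptions:
# the namespace unit is installed as wgns.service and creates ns1 (which
# ip netns add exposes at /run/netns/ns1), the torrentrunner user exists,
# deluged is /usr/bin/deluged and supports -d (stay in the foreground), and
# this script lives at /usr/local/sbin/deluged-ns.
# Usage (as root): deluged-ns install && systemctl enable --now deluged-ns
#                  deluged-ns check     # exit 0 only if ns1 routes via wg0

NS=ns1

# route_via_wg LINE: does an `ip route get` answer select the wg0 device?
route_via_wg() {
    case " $1 " in
        *" dev wg0 "*) return 0 ;;
        *)             return 1 ;;
    esac
}

# check_tunnel: ask the namespace how it would reach an arbitrary public
# address (1.1.1.1 here; any routable address other than the peer works).
# With wg-quick up, its policy rule sends the lookup to table 51820 -> wg0;
# before that, or after wg-quick down, the answer is the veth, i.e. a leak.
check_tunnel() {
    route_via_wg "$(ip -n "$NS" route get 1.1.1.1 2>/dev/null)"
}

# deluged_unit: print the service unit. NetworkNamespacePath= joins ns1
# without ip netns exec, so the daemon runs as an unprivileged user, and
# BindReadOnlyPaths= reproduces the resolv.conf bind mount that ip netns exec
# would have done (drop that line if /etc/netns/ns1/resolv.conf does not exist).
deluged_unit() {
    cat <<EOF
[Unit]
Description=Deluge daemon inside the WireGuard namespace
Requires=wgns.service
After=wgns.service

[Service]
User=torrentrunner
Group=torrentrunner
NetworkNamespacePath=/run/netns/$NS
BindReadOnlyPaths=/etc/netns/$NS/resolv.conf:/etc/resolv.conf
# '+' runs this one command as root; it aborts the start if the tunnel is down.
ExecStartPre=+/usr/local/sbin/deluged-ns check
ExecStart=/usr/bin/deluged -d
Restart=on-failure
RestartSec=10

[Install]
WantedBy=multi-user.target
EOF
}

install_unit() {
    cp "$0" /usr/local/sbin/deluged-ns && chmod 755 /usr/local/sbin/deluged-ns
    deluged_unit > /etc/systemd/system/deluged-ns.service
    systemctl daemon-reload
}

case "${1:-}" in
    check)   check_tunnel ;;
    install) install_unit ;;
    print)   deluged_unit ;;
    "")      ;;                  # no arguments: only define the functions
    *)       echo "usage: $0 check|install|print" >&2; exit 1 ;;
esac
```

With Restart=on-failure, a failed ExecStartPre simply makes systemd try again ten seconds later, so if the box boots before the VPN endpoint is reachable the daemon waits for the tunnel instead of seeding over your real address. The web UI in the default namespace still connects to 10.200.1.2:58846 exactly as in step 7.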

Other use cases include running a browser or any other networked application through the VPN from the terminal on a desktop Linux machine with ip netns exec ns1 $Application (ip netns exec runs it as root, so drop to your own account inside it with sudo -u yourname the same way as for the daemon above). Keep in mind that a VPN only hides your address from the other end; it does not give you privacy no matter what the marketing says, and because the application is not in a container it can still be fingerprinted like any other process on your desktop. You could also set up a client-server test environment locally for development purposes, with connections going between 10.200.1.1 (regular namespace) and 10.200.1.2 (WireGuard namespace).