I am trying to make a VPN router while keeping the host itself accessing the Internet without the VPN. The host has only one NIC, which is wireless. So I have added two virtual interfaces via iw phy phy0 interface add xxxxx. One (wlan0_sta) as a station to connect wirelessly to the Internet. The other (wlan0_ap) as an AP to connect clients. Also a WireGuard device (wg0) as the VPN endpoint. hostapd and iptables were involved.

Now every part worked, except that data from clients was routed to wlan0_sta instead of wg0. So I planned to have wlan0_ap and wg0 in a separate network namespace to make the routing work. But I found that iw cannot put a virtual interface into a network namespace. Only a "phy" can be put into a network namespace.

So what should I do?

  • In order to achieve what you desire, you do not need a network namespace, but you need to learn what policy routing is. Try this, unix.stackexchange.com/a/22794/49626, then ask again. Commented Oct 16, 2018 at 12:14
  • I think WireGuard's pages have a clever use of a built-in mark and ip rule add table main suppress_prefixlength 0 to force traffic into the tunnel (which is policy routing anyway, as MariusMatutiae says): Wireguard Routing & Network Namespaces - Improved Rule-based Routing. Other solutions might be available on that page, like having a dedicated network namespace for all physical interfaces, thus compatible with your wifi setup. Commented Nov 9, 2018 at 12:27
  • @MariusMatutiae, thanks. That is harder than I thought. I have not succeeded yet. Commented Nov 11, 2018 at 1:28
  • @A.B, yes, I read that. I have not got rule-based routing working. So I tried the namespace solution, which led to this question. Commented Nov 11, 2018 at 1:29
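The policy-routing approach the comments point at, applied to the setup in the question, as an added example (not code from the question, the comments or the linked pages). Interface names wlan0_sta, wlan0_ap and wg0 come from the question; the AP client subnet 192.168.50.0/24 and routing table 100 are assumptions.

```shell
#!/bin/sh
# Added example, not code from the question or the answer. Source-based policy
# routing for the setup described above: traffic entering on wlan0_ap is routed
# by its own table whose default goes into wg0, while the host keeps using the
# main table (default via wlan0_sta). Interface names come from the question;
# the AP subnet and the table number are assumptions.
AP_IF=${AP_IF:-wlan0_ap}
WG_IF=${WG_IF:-wg0}
AP_NET=${AP_NET:-192.168.50.0/24}   # assumed AP client subnet
VPN_TABLE=${VPN_TABLE:-100}         # assumed unused routing table id

# Routing side. The blackhole route with a worse metric only becomes the best
# match when the wg0 route disappears (tunnel down): without it, an "iif" rule
# whose table has no matching route falls through to the main table, and the
# clients would silently leak out of wlan0_sta. Loose reverse-path filtering
# on wg0 is needed because replies arrive on wg0 although the main table has
# no route back through it, which strict mode would treat as spoofing.
vpn_routing_cmds() {
    cat <<EOF
sysctl -q -w net.ipv4.ip_forward=1
sysctl -q -w net.ipv4.conf.$WG_IF.rp_filter=2
ip route add $AP_NET dev $AP_IF table $VPN_TABLE
ip route add default dev $WG_IF table $VPN_TABLE
ip route add blackhole default metric 1000 table $VPN_TABLE
ip rule add iif $AP_IF lookup $VPN_TABLE priority 1000
EOF
}

# Firewall side: NAT the clients behind the tunnel address and refuse to
# forward anything from the AP that is not heading into the tunnel, so a
# routing mistake cannot turn into a plaintext leak.
vpn_firewall_cmds() {
    cat <<EOF
iptables -t nat -A POSTROUTING -s $AP_NET -o $WG_IF -j MASQUERADE
iptables -A FORWARD -i $AP_IF -o $WG_IF -j ACCEPT
iptables -A FORWARD -i $WG_IF -o $AP_IF -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i $AP_IF -j DROP
EOF
}

# Execute the generated commands as root, or just print them when DRY_RUN=1.
apply_vpn_router() {
    { vpn_routing_cmds; vpn_firewall_cmds; } | while IFS= read -r cmd; do
        if [ -n "${DRY_RUN:-}" ]; then printf '%s\n' "$cmd"; else eval "$cmd" || return 1; fi
    done
}
```

Run apply_vpn_router as root once wg0 is up and its peer's AllowedIPs covers 0.0.0.0/0, or with DRY_RUN=1 first to inspect the commands.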

1 Answer

Probably not, at least as of Linux kernel version 4.9 for nl80211-based drivers.

Update: now you can usually reassign wlans to another network namespace, but in a somewhat roundabout way: you need to move a phy first, using another tool.

iw phy phy0 set netns 16747

/sys needs to be mounted in the source network namespace.
