{"id":13929142,"url":"https://github.com/jcarrano/wg-podman","last_synced_at":"2025-10-14T16:59:40.116Z","repository":{"id":49815574,"uuid":"366865495","full_name":"jcarrano/wg-podman","owner":"jcarrano","description":"Example init scripts for Rootless Podman and Wireguard","archived":false,"fork":false,"pushed_at":"2023-02-16T21:34:51.000Z","size":17,"stargazers_count":19,"open_issues_count":0,"forks_count":0,"subscribers_count":1,"default_branch":"master","last_synced_at":"2025-08-02T10:53:19.749Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":null,"language":"Shell","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"wtfpl","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/jcarrano.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"COPYING","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null}},"created_at":"2021-05-12T22:06:43.000Z","updated_at":"2025-06-04T16:01:41.000Z","dependencies_parsed_at":"2024-01-14T18:09:14.112Z","dependency_job_id":null,"html_url":"https://github.com/jcarrano/wg-podman","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"purl":"pkg:github/jcarrano/wg-podman","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/jcarrano%2Fwg-podman","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/jcarrano%2Fwg-podman/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/jcarrano%2Fwg-podman/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/jcarrano%2Fwg-podman/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/jcarrano","download_url":"https://codeload.github.com/jcarrano/wg-podman/tar.gz/refs/heads/master
","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/jcarrano%2Fwg-podman/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":279019610,"owners_count":26086760,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","status":"online","status_checked_at":"2025-10-14T02:00:06.444Z","response_time":60,"last_error":null,"robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":true,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":[],"created_at":"2024-08-07T18:02:08.879Z","updated_at":"2025-10-14T16:59:40.098Z","avatar_url":"https://github.com/jcarrano.png","language":"Shell","funding_links":[],"categories":["others"],"sub_categories":[],"readme":"# Example init-scripts for Podman and Wireguard\n\nThis is a simple example of how to set up a rootless Podman container with\nWireguard-only connectivity, without user-space networking (i.e. without\n`slirp`).\n\nIt is implemented as a pair of OpenRC init scripts.\n\n## Requirements\n\n- OpenRC\n- Podman\n- iproute2\n- Wireguard\n- jq\n\nOptionally, `su-exec` can replace `su`.\n\n## Quickstart\n\nThe scripts use OpenRC Multi-service functionality. Configuration is in /etc/conf.d.\n\nFirst you should create a podman pod as a normal user. The pod networking must be\nset to `none`. You must tell podman to create a pidfile at\n`/home/\u003cpodusr\u003e/\u003cpodname\u003e.pid`. 
Example:\n\n```sh\npodman pod create --network=none --infra-conmon-pidfile=/home/\u003cpodusr\u003e/\u003cpodname\u003e.pid --name \u003cpodname\u003e\n```\n\nReplace `\u003cpodusr\u003e` and `\u003cpodname\u003e` with the real user and pod names. Populate\nthe pod with containers (this can be done at any time).\n\nThen create two services by symlinking to the base init scripts:\n\n```sh\ncd /etc/init.d\nln -s userpodman userpodman.myservice\nln -s podwg podwg.myservice\n```\n\nThe service name `\u003cmyservice\u003e` is arbitrary but must match for both services.\n\nThose scripts will take the configuration variables from `/etc/conf.d/{userpodman.myservice, podwg.myservice}`\nrespectively, but since those have some variables in common, it is better to have only one\nactual file and symlink the other:\n\n```sh\ncd /etc/conf.d\nnano userpodman.myservice # fill in the variables, see example\nln -s userpodman.myservice podwg.myservice\n```\n\nFinally, add `podwg.myservice` to the default runlevel.\n\n## How it works\n\n### 1 Create pod\n\nUnfortunately, the choices of networking setups when creating a rootless container\nare limited. We can work around it by creating the pod first and then\nsetting up the networking as root.\n\nThe first init script (`userpodman`) starts a pod (as a regular user) which has\n`--network=none`. Podman will create an empty network namespace (with only a\nloopback interface).\n\n### 2 Attach namespace\n\nThe namespace is accessible using the PID of the pod's \"infra\" process. This is\nwhy we use a pod, so that the infra keeps the namespace associated with the pod\nwhile we add or remove containers.\n\nThe NS is attached (i.e. 
given a name) using `ip netns attach`.\n\n### 3 Create WG interface\n\nThe second init script (`podwg`) creates a wireguard interface, moves it to the namespace,\nand configures it.\n\nNow processes running in the Pod can only communicate through the Wireguard tunnel.\nThey can also bind to privileged ports on this interface.\n\n## Shared mounts and rootless podman\n\nIf you are using Alpine Linux or any other distro that does not mount root as a\nshared mount by default, you will experience problems when trying to run a rootless\npodman instance. See the following issues:\n\n- https://gitlab.alpinelinux.org/alpine/tsc/-/issues/42\n- https://github.com/OpenRC/openrc/issues/525\n\nThe workaround provided here is an additional init script `mount-rshared` which shares\nthe mount and is depended on by the userpodman script.\n\n## Other\n\nAlso included are a couple of scripts to automate creating WG configs and new users/peers. Modify\nthe scripts as you see fit.\n\n### wg_server_init\n\n```\nwg_server_init \u003cwgconf\u003e \u003cserver_ip\u003e \u003cserver_fqdn\u003e\n```\n\nCreate a new server configuration file. The IP refers to the IP on the VPN. The FQDN and IP are not\nused by wireguard itself but are needed for the other scripts.\n\n### wg_newuser\n\n```\nwg_newuser \u003cwgconf\u003e \u003cclient_conf\u003e\n```\n\nCreates a new user, adds the user to the server config file and creates a client configuration with\na PRIVATE key that must be PRIVATELY sent to the user. See the \"note regarding security\" below.\n\n### wg_importuser\n\n```\nwg_importuser \u003cwgconf\u003e \u003cclient_frag\u003e [\u003cclient_name\u003e]\n```\n\nImport a client fragment created with the [Wireguard Key Generator](https://github.com/jcarrano/wg-keygen-notrust)\ntool. 
This is a safer alternative to wg_newuser, since only the PUBLIC key needs to be transmitted.\n\n### wg_getlink\n\n```\nwg_getlink \u003cwgconf\u003e [\u003cclient_name\u003e]\n```\n\nGenerate a hyperlink for use with the [Wireguard Key Generator](https://github.com/jcarrano/wg-keygen-notrust). Upon\nopening the link, the fields will be populated with the right parameters.\n\n### Important note regarding security\n\nThe user-add script will create a public/private key pair. The private key is bundled with the server's\npublic key in a wireguard config file which you are supposed to send to the user. This is sub-optimal from\na security point of view and the best thing would be if the user's private key never leaves their computer.\n\nIf the user generates their own key pair they only send the public key to the server admin over an\nauthenticated (not necessarily private) channel. This is not easy to do for non-tech-savvy users using the\ncommand line but the [Wireguard Key Generator](https://github.com/jcarrano/wg-keygen-notrust) was created to\nsolve that issue.\n\n## To do\n\n- The WG config-creation scripts leave much to be desired.\n- The init script should probably use `su-exec` instead of `su`.\n- Add administrator email field so that wg_getlink can populate that field.\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fjcarrano%2Fwg-podman","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fjcarrano%2Fwg-podman","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fjcarrano%2Fwg-podman/lists"}