0

I am trying to make a VPN router while keeping the host itself accessing Internet without VPN. The host has only one NIC which is wireless. So I have added two virtual interfaces via iw phy phy0 interface add xxxxx. One (wlan0_sta) as station to connect wireless to Internet. The other (wlan0_ap) as AP to connect clients. Also a wireguard device (wg0) as VPN endpoint. hostapd and iptables were involved.

Now every part worked, except data from clients were routed to wlan0_sta, instead of wg0. So I planned to have wlan0_ap and wg0 in a separated network namespace to make the routing work. But I found that iw cannot put virtual interface into network namespace. Only a "phy" can be put into network namespace.

So what should I do?

Magicloud
  • 753
  • 1
    In order to achieve what you desire, you do not need a network namespace, but you need to learn what policy routing is. Try this, https://unix.stackexchange.com/a/22794/49626, then ask again. – MariusMatutiae Oct 16 '18 at 12:14
  • I think Wireguard's pages have a clever use of built-in mark and ip rule add table main suppress_prefixlength 0 to force traffic into the tunnel (which is anyway policy routing as MariusMatutiae tells): Wireguard Routing & Network Namespaces - Improved Rule-based Routing. Other solutions might be available in that page, like having a dedicated network namespace for all physical interfaces thus compatible with your wifi setup. – A.B Nov 09 '18 at 12:27
  • @MariusMatutiae, thanks. That is harder than I thought. I have not succeeded yet.... – Magicloud Nov 11 '18 at 01:28
  • @A.B, yes, that was read. I have not got rule based routing working. So I tried the namespace solution, which falled into this question. – Magicloud Nov 11 '18 at 01:29

1 Answers1

1

Probably no, at least as in Linux kernel version 4.9 for nl80211-based drivers.

Update: now you can usually reassign wlans to other network namespace, but in a somewhat roundabout way: you need to move a phy first, using a other tool.

iw phy phy0 set netns 16747

/sys needs to be mounted in the source network namespace.

Vi.
  • 5,688