I have three Ethernet interfaces, namely eth[0…2]. eth0 is connected to my VPN router and eth1 and eth2 are connected to my public facing router. eth0 is the standard interface that I normally let my Linux instance use. I now want to set up a container that hijacks (makes unavailable to the host) eth1 or eth2 in order to run various services that need to be reachable from WAN through a Wireguard tunnel.
I am aware that the man pages for systemd-nspawn say that it is primarily meant to be a test environment and not a secure container. Does anybody have experience with and/or opinions on this? Should I just learn how to use Docker?
For now, I am only asking about any potential security implications, since I don’t understand how container security works “under the hood”. The network portion of the setup would be something like:
Enabling forwarding kernel parameters on the host
Booting the container with systemd-nspawn -b -D [wherever/I/put/the/container] --network-interface=[eth1 or 2]
Then, managing the container’s network with networkd config files, including enabling IPForward and IPMasquerade
Then, configuring WireGuard according to their official guides or, for instance, the Arch wiki.
Any and all input would be appreciated! 😊
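The container-side configuration for the four steps above, written out as an added example; it is not part of the original post and not taken from the systemd or WireGuard documentation. Everything named here is a hypothetical assumption: the container root /var/lib/machines/wgbox, eth1 as the interface handed to the container, wg0 with the tunnel subnet 10.200.0.0/24, UDP port 51820, and a placeholder peer key. The script writes the networkd files into a container root given as its first argument and only echoes the host-side commands instead of running them, so it can be run anywhere to inspect the result.

```shell
#!/bin/sh
# Added example (not from the thread). Generates the systemd-networkd config
# for an nspawn container that owns eth1 and terminates a WireGuard tunnel.
# Hypothetical values: /var/lib/machines/wgbox, eth1, wg0, 10.200.0.0/24.
set -eu

# Write the container-side files under $1 (the container root directory).
write_container_network_configs() {
    root="$1"
    netdir="$root/etc/systemd/network"
    mkdir -p "$netdir"

    # eth1 is moved into the container by --network-interface=eth1, so the
    # container's networkd configures it. IPForward= flips the forwarding
    # sysctl inside the container's own network namespace (sysctls are
    # per-netns); IPMasquerade=ipv4 NATs tunnel traffic that leaves via eth1.
    cat > "$netdir/10-eth1.network" <<'EOF'
[Match]
Name=eth1

[Network]
DHCP=ipv4
IPForward=yes
IPMasquerade=ipv4
EOF

    # The WireGuard device. The private key is read from a file that only
    # root and the systemd-network group can open; PrivateKey= inline in a
    # world-readable unit would leak it to every user in the container.
    cat > "$netdir/20-wg0.netdev" <<'EOF'
[NetDev]
Name=wg0
Kind=wireguard

[WireGuard]
PrivateKeyFile=/etc/systemd/network/wg0.key
ListenPort=51820

[WireGuardPeer]
# Placeholder: replace with the phone's public key.
PublicKey=REPLACE_WITH_PEER_PUBLIC_KEY
AllowedIPs=10.200.0.2/32
EOF

    # The tunnel's own address; no Endpoint= on the peer because the phone
    # initiates the handshake toward this side.
    cat > "$netdir/20-wg0.network" <<'EOF'
[Match]
Name=wg0

[Network]
Address=10.200.0.1/24
EOF
    chmod 644 "$netdir"/*.network "$netdir"/*.netdev
}

# Host-side and in-container commands, echoed rather than executed.
host_commands() {
    cat <<'EOF'
# On the host, as root. The container cannot load kernel modules itself.
modprobe wireguard
systemd-nspawn -b -D /var/lib/machines/wgbox --network-interface=eth1
# Inside the container, once: create the key with group-readable mode 0640.
(umask 027; wg genkey > /etc/systemd/network/wg0.key)
chgrp systemd-network /etc/systemd/network/wg0.key
EOF
}

if [ $# -gt 0 ]; then
    write_container_network_configs "$1"
    host_commands
fi
```

Two checks worth doing after booting the container: `networkctl status wg0` and `wg show` inside it should report the listen port and the peer, and `sysctl net.ipv4.ip_forward` inside the container should read 1 (the host's value is irrelevant to traffic the container forwards, because forwarding is a per-namespace sysctl). On systemd 256 and later the same setting is spelled IPv4Forwarding=; IPForward= still works but logs a deprecation warning. The caveat from the man page quoted in the post still holds here: without --private-users the container's root is the host's root uid, so the WireGuard key and the services behind it are only as isolated as the container's mount and pid namespaces make them.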


Well, now I just have to try it!
I have no idea how to tell specific processes or shells to use a specific interface, while also forbidding others to use the same interface… Which is why I thought, “but I can force a container to use a specific interface! Gotcha!”
I’m almost there, I think. I managed to get my phone and my nspawn-ed wireguard interface to shake hands. I just need to tweak the forwarding and nat-ing rules in my firewall. After I touch grass. Oh, my back…
The usual way to force a program or process to use a specific interface is called binding. It used to be something you really had to know your stuff to use correctly, but nowadays there are a million tutorials out there.
With systemd you can use a pretty well-tested and reliable section of the namespace implementation for just establishing a namespace and binding both the target interface and program to it, but you can also just use iptables with a user and mangling.
Nowadays you have nftables, but it does the same thing.
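The "iptables with a user and mangling" approach from the reply above, spelled out for nftables as an added example that is neither the replier's code nor anything from the nftables project: packets owned by one user get a firewall mark, a policy-routing rule sends marked packets to a table whose default route leaves via the chosen interface, and source NAT fixes the source address the socket picked before the mark existed. All values are hypothetical assumptions: user svc, interface eth1, upstream gateway 192.0.2.1, mark 0x1, routing table 100. The function prints the commands so they can be reviewed before being run as root.

```shell
#!/bin/sh
# Added example (not from the thread). Steers all traffic of one Unix user
# out of a chosen interface using an nftables packet mark plus a policy
# routing table. Hypothetical values: user svc, eth1, gateway 192.0.2.1.
set -eu

# Usage: route_user_via_iface USER IFACE GATEWAY [MARK] [TABLE]
# Prints the commands; run the output as root.
route_user_via_iface() {
    user="$1"; iface="$2"; gw="$3"
    mark="${4:-0x1}"; table="${5:-100}"
    cat <<EOF
# 1. A routing table whose default route leaves via $iface.
ip route replace default via $gw dev $iface table $table
# 2. Packets carrying the mark consult that table instead of main.
ip rule add fwmark $mark lookup $table
# 3. Mark locally generated packets whose socket is owned by $user. A chain
#    of type "route" on the output hook makes the kernel re-route the packet
#    after the mark is set, which a plain filter chain would not do.
nft add table inet byuser
nft add chain inet byuser output '{ type route hook output priority mangle; policy accept; }'
nft add rule inet byuser output meta skuid $user meta mark set $mark
# 4. The socket chose its source address from the main table (eth0) before
#    the mark existed, so rewrite it to $iface's address on the way out.
nft add chain inet byuser postrouting '{ type nat hook postrouting priority srcnat; policy accept; }'
nft add rule inet byuser postrouting meta mark $mark oifname "$iface" masquerade
# 5. Replies arrive on $iface with a source the main table would route via
#    eth0; strict reverse-path filtering would drop them, so use loose mode.
sysctl -w net.ipv4.conf.$iface.rp_filter=2
EOF
}

if [ $# -ge 3 ]; then
    route_user_via_iface "$@"
fi
```

This covers connections the user's processes initiate. For services that must accept connections arriving on eth1 (the WAN-facing case in the original question) add a second rule so that replies leave the way they came in, `ip rule add from <eth1 address> lookup 100`, and keep in mind that the mark is per-socket owner: a process that changes uid after binding, or a helper spawned as another user, is not covered by it. Socket binding proper (SO_BINDTODEVICE) only pins the interface; without the routing table and source rewrite above the kernel still picks the route and source address from the main table.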