Network namespace has no DNS resolution

prodego · 12-02-2023, 06:34 PM

I have a post-up script for my NIC that creates a network namespace with internet access but I can't resolve domains from inside the namespace. Here is the configuration.

Code:

ego@ubuntu:~$ cat /usr/local/bin/wrgrd.sh
#!/bin/bash

#Create VPN namespace
ip netns add wireguard

#Create vswitch and veth
ip l add vsw0 type bridge
ip l add veth0 type veth peer name veth1

#Attach veth to vswitch and namespace
ip l set veth0 master vsw0
ip l set veth1 netns wireguard

#Assign IPs and raise interfaces
ip a add 192.168.1.1/24 dev vsw0
ip l set dev vsw0 up
ip l set dev veth0 up
ip netns exec wireguard ip l set dev lo up
ip netns exec wireguard ip a add 192.168.1.2/24 dev veth1
ip netns exec wireguard ip l set dev veth1 up

#Add local network route to namespace
ip netns exec wireguard ip r add 192.168.0.0/24 via 192.168.1.1

#Add IP table rule
iptables -t nat -A POSTROUTING -s 192.168.1.0/24 -j MASQUERADE

#Add default route to namespace
ip netns exec wireguard ip r add default via 192.168.1.1

ego@ubuntu:~$ sudo ip netns exec wireguard ping 8.8.8.8
PING 8.8.8.8 (8.8.8.8) 56(84) bytes of data.
64 bytes from 8.8.8.8: icmp_seq=1 ttl=55 time=26.1 ms
64 bytes from 8.8.8.8: icmp_seq=2 ttl=55 time=20.8 ms
64 bytes from 8.8.8.8: icmp_seq=3 ttl=55 time=17.2 ms
64 bytes from 8.8.8.8: icmp_seq=4 ttl=55 time=13.0 ms
64 bytes from 8.8.8.8: icmp_seq=5 ttl=55 time=11.3 ms
--- 8.8.8.8 ping statistics ---
5 packets transmitted, 5 received, 0% packet loss, time 4005ms
rtt min/avg/max/mdev = 11.267/17.665/26.098/5.363 ms

ego@ubuntu:~$ sudo ip netns exec wireguard ping google.com
ping: google.com: Temporary failure in name resolution

GlennsPref · 12-15-2023, 04:53 PM

Hi, Welcome to LQ!

I saw this reference to nat and firewalling.

You may require "port forwarding".

I have these ipv4 and ipv6 forwarding lines in...
/etc/sysctl.conf

Code:

...
# Uncomment the next line to enable packet forwarding for IPv4
net.ipv4.ip_forward=1  # Enable forwarding (gateway)

# Uncomment the next line to enable packet forwarding for IPv6
#  Enabling this option disables Stateless Address Autoconfiguration
#  based on Router Advertisements for this host
net.ipv6.conf.all.forwarding=0 #off for nordvpn
...

I'm no expert, just saw a common element, a firewall & a vpn.

elgrandeperro · 12-20-2023, 10:00 PM

What is your DNS in /etc/resolv.conf and how did it get there? What exactly is a namespace? We don't use that term in networking.

You can use 8.8.8.8 but it must be in /etc/resolv.conf. Most firewall will pass DNS traffic out and in without a problem.