Hi, I tried to follow the example here https://www.wireguard.com/netns/#ordinary-containerization but I found out that the DNS endpoint resolution through `ip netns exec container wg setconf wg0 /etc/wireguard/wg0.conf` won't work, because it is run in the new container namespace, which is not yet capable of DNS resolution. Looking at the source code here https://git.zx2c4.com/wireguard-tools/tree/src/config.c#n242 confirmed my suspicion that the DNS resolution is done by the wg tool in the container namespace rather than in the original namespace. In an ideal world the DNS resolution should IMHO happen in the original namespace, which is capable of DNS resolution and where the world-facing UDP socket using that endpoint IP is anyway.

Often one could just use a hard-coded IP for the wg0.conf in the container (that's indeed what I resorted to in the end), or perform DNS resolution at container provisioning time (as suggested by mrngm in IRC), but with DynDNS and similar setups this may not be possible. Since a proper fix might require significant changes (e.g. requesting DNS resolution in the original namespace through the kernel?), perhaps at least in the short term I would recommend that this caveat is mentioned on the webpage and/or that in the example the `wg setconf` step is run in the original namespace (unless there is some repercussion to that I did not consider).

Best wishes and thanks for all your work making WireGuard what it is today,
Ondrej G.
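The "resolve at provisioning time" workaround mentioned above, as an added example that is not part of the original post or of wireguard-tools: the Endpoint hostname is resolved in the original (DNS-capable) namespace and an IP literal is substituted before `wg setconf` runs inside the container namespace. It assumes POSIX sh with glibc's `getent`, an IPv4 endpoint, and the namespace name and config path from the wireguard.com example.

```shell
#!/bin/sh
# Added example (not from the post or wireguard-tools): rewrite the Endpoint
# line of a WireGuard config so the container namespace never needs DNS.
set -eu

# First IPv4 address for a name, resolved in the *current* namespace.
# Assumes glibc getent; an IPv4 literal is passed through unchanged.
resolve_v4() {
    getent ahostsv4 "$1" | awk 'NR==1 { print $1 }'
}

# Hostname from the first "Endpoint = host:port" line of a config file.
# Only hostnames/IPv4 literals match; bracketed IPv6 endpoints are left alone.
endpoint_host() {
    sed -nE 's/^[[:space:]]*Endpoint[[:space:]]*=[[:space:]]*([^:[:space:]]+):[0-9]+.*/\1/p' "$1" |
        head -n 1
}

# Replace "Endpoint = host:port" with "Endpoint = ip:port" on stdin -> stdout.
# $1 = hostname as written in the config, $2 = resolved IP.
rewrite_endpoint() {
    # Escape dots so the hostname is matched literally by sed.
    esc=$(printf '%s' "$1" | sed 's/[.]/\\./g')
    sed -E "s/^([[:space:]]*Endpoint[[:space:]]*=[[:space:]]*)${esc}(:[0-9]+)/\1$2\2/"
}

# Whole flow, run from the original namespace: resolve, rewrite, then hand
# the IP-only config to wg inside the container namespace.
# $1 = config path (e.g. /etc/wireguard/wg0.conf), $2 = netns name (e.g. container)
provision() {
    conf=$1 ns=$2
    host=$(endpoint_host "$conf")
    [ -n "$host" ] || { echo "no IPv4/hostname Endpoint found in $conf" >&2; return 1; }
    ip=$(resolve_v4 "$host")
    [ -n "$ip" ] || { echo "could not resolve $host" >&2; return 1; }
    tmp=$(mktemp)
    rewrite_endpoint "$host" "$ip" < "$conf" > "$tmp"
    ip netns exec "$ns" wg setconf wg0 "$tmp"
    rm -f "$tmp"
}
```

Because the rewritten file is generated at provisioning time, a DynDNS endpoint is only re-resolved when `provision` is run again; the original post's point about the UDP socket living in the original namespace is unaffected by this substitution.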