You can use network namespaces too. As a reference, here is my torrent setup:
# create the namespace and move a fresh WireGuard interface into it
ip netns add torrent
ip link add wg1 type wireguard
ip link set wg1 netns torrent
# address, keys/peers and the default route exist only inside the namespace
ip -n torrent addr add 10.67.124.111/32 dev wg1
ip netns exec torrent wg setconf wg1 /etc/wireguard/wg1.conf
ip -n torrent link set wg1 up
ip -n torrent route add default dev wg1
ip netns exec torrent ip link set dev lo up
# run the daemon inside the namespace; with no other interface present, wg1 is the only path out
ip netns exec torrent transmission-daemon -f 2>&1
AFAIK it's pretty bulletproof. But for good measure I also have transmission configured to only listen on the wireguard address.
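The setup above relies on the namespace containing nothing but lo and wg1 and no route that bypasses wg1. The script below is an added example (not the commenter's code) that checks exactly that, including the IPv6 table, so a later change (a veth pair added for management, a second default route) is caught rather than silently leaking. The namespace name "torrent" and interface "wg1" are taken from the post; the function names, the /run/netns path and the sample `ip` output used in the comments are this example's own assumptions.

```shell
#!/bin/sh
# Added example: leak checks for a WireGuard-only network namespace.
# Assumes iproute2 keeps namespaces under /run/netns and that the only
# legitimate interfaces inside the namespace are lo and the WireGuard one.

# Print interfaces inside the namespace other than lo and the WireGuard one.
# Reads `ip -n <ns> link show` output on stdin. Returns 1 if any are found,
# since a veth or physical NIC moved into the namespace is a bypass path.
find_extra_links() {
    wg_if="$1"
    # link lines look like "3: veth0@if4: <BROADCAST,...>"; keep only the name
    extra=$(sed -nE 's/^[0-9]+: ([^:@]+).*/\1/p' | grep -Ev "^(lo|${wg_if})$" || true)
    if [ -n "$extra" ]; then
        echo "unexpected interfaces in namespace:"
        printf '  %s\n' "$extra"
        return 1
    fi
    return 0
}

# Print route lines that send traffic anywhere except through the WireGuard
# interface or loopback. Reads the combined output of `ip -n <ns> route show`
# and `ip -n <ns> -6 route show` on stdin. Returns 1 if a leak path exists.
find_leak_routes() {
    wg_if="$1"
    # routes without a "dev" word (blackhole/unreachable) cannot leak, skip them
    leaks=$(grep ' dev ' | grep -Ev " dev (lo|${wg_if})( |$)" || true)
    if [ -n "$leaks" ]; then
        echo "routes that bypass ${wg_if}:"
        printf '  %s\n' "$leaks"
        return 1
    fi
    return 0
}

# Run both checks against the live namespace (needs CAP_NET_ADMIN / root).
check_namespace() {
    ns="$1"
    wg_if="$2"
    # fail loudly if the namespace does not exist, otherwise an empty pipeline
    # below would pass the checks for the wrong reason
    [ -e "/run/netns/$ns" ] || { echo "no such namespace: $ns" >&2; return 1; }
    ip -n "$ns" link show | find_extra_links "$wg_if" || return 1
    { ip -n "$ns" route show; ip -n "$ns" -6 route show; } | find_leak_routes "$wg_if" || return 1
    echo "namespace $ns: only $wg_if and lo present, every route goes via $wg_if"
}

# usage: ./nscheck.sh --check [namespace] [wg-interface]
if [ "${1:-}" = "--check" ]; then
    check_namespace "${2:-torrent}" "${3:-wg1}"
fi
```

One thing the interface and route checks do not cover is DNS: `ip netns exec` bind-mounts files from /etc/netns/<name>/ over /etc/ for the command it runs, so a resolver reachable only via the tunnel belongs in /etc/netns/torrent/resolv.conf; otherwise the daemon inherits the host's resolv.conf and its lookups fail or, if a resolver happens to be reachable through lo, bypass the tunnel.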
Network namespaces are amazingly powerful but every guide I can find seems to include a whole bunch of manual IP address management (either through virtual ethernet pairs or through VPNs). The guides also seem to skip over IPv6 in many cases, which is another downside I've noticed.
Is there a tool out there to manage these namespaces automatically? I'd like to isolate applications from each other or put them in groups together, but I really don't want to deal with writing scripts for every single application.
I have read that some use NetworkManager by running a whole separate instance of it in their netns, along with a D-Bus broker running in there too for clients to communicate with NM.
I use systemd-nspawn to create test containers so I can muck with the internals without dealing with docker cp and exec commands. The containers themselves are just directories sitting in a filesystem.
I ended up writing a shell script to handle setting up a bridge, launching the container with systemd-nspawn, and kicking off commands to bring up the virtual ethernet interfaces inside the container and handle some other housekeeping.
systemd-nspawn with systemd-network/resolve/etc can automatically manage the IP addresses for you. I'm using it as a wrapper around cgroup/netns commands.
One of these days, I will remove the dependency on systemd-nspawn so that I can use it on Linux systems without systemd or docker.
I haven't been able to find a solution for this either. Most people seem to just use docker for this and just deal with all the baggage that comes with it.
I agree that namespaces are pretty awesome functionality for this, but I've been burnt too many times by bespoke on-host configurations to put much stock in them. Plus they only work for the single host, and do nothing about the myriad of Internet of Trash devices.
I keep all my routing complexity contained to one (virtual) machine with extensive nftables rules, that functions as the house router. It has a table with each host and the network horizon it can see. Then I create a virtual machine for each activity that needs a separate horizon.
The one thing I'm missing is some way of securing the binding of hosts to addresses. Most switches/devices don't support ethernet authentication. I could do something like fine grained VLANs and keeping track of what is connected to what, but that seems like a huge pain in the ass.
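The per-host "horizon" table described in the comment above maps naturally onto an nftables verdict map: one row per host address, each jumping to a chain that defines what that host may reach, with a drop policy for hosts not in the table. The ruleset below is an added illustration of that design, not the commenter's actual rules; the addresses, segment names and chain names are constructed. It keys on IPv4 source address only, which is exactly the binding the comment's last paragraph says it cannot secure: without port authentication on the switch, a host that takes another host's address inherits its horizon.

```shell
#!/bin/sh
# Added example: a per-host network-horizon ruleset for a house router.
# All addresses and names are constructed for illustration.

house_router_ruleset() {
    cat <<'EOF'
table inet house_router {
    # internal segments; used to keep restricted hosts off the rest of the LAN
    set lan_segments {
        type ipv4_addr
        flags interval
        elements = { 192.168.10.0/24, 192.168.20.0/24 }
    }

    # horizon: everything
    chain horizon_full {
        accept
    }

    # horizon: Internet only, no other LAN hosts (typical for IoT devices)
    chain horizon_internet {
        ip daddr @lan_segments drop
        accept
    }

    # horizon: exactly one internal service and nothing else
    chain horizon_service {
        ip daddr 192.168.10.50 tcp dport 445 accept
        drop
    }

    # the host table: which horizon each source address sees
    map host_horizon {
        type ipv4_addr : verdict
        elements = {
            192.168.10.5 : jump horizon_full,
            192.168.20.7 : jump horizon_internet,
            192.168.20.9 : jump horizon_service
        }
    }

    chain forward {
        type filter hook forward priority 0; policy drop;
        ct state established,related accept
        # hosts absent from the map fall through to the drop policy
        ip saddr vmap @host_horizon
    }
}
EOF
}

# Parse-check the ruleset without loading it, then load it as one atomic batch.
apply_house_router() {
    house_router_ruleset | nft -c -f - && house_router_ruleset | nft -f -
}

# usage: ./horizons.sh --apply   (needs root on the router)
if [ "${1:-}" = "--apply" ]; then
    apply_house_router
fi
```

Adding a host is one map element, and changing what a group of hosts may see is one chain edit, which keeps the router the single place where the whole table lives. An equivalent `ip6 saddr vmap` map is needed for the IPv6 side, otherwise dual-stack hosts get the drop policy on v6 only.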