How to route traffic from specific interface via netns?

I need to isolate a certain transparent proxy and other programs (traffic shapers and analysers) in a namespace so that they don't see the real network, but traffic from VPN clients (WireGuard) can pass through it.

Currently, I have a veth pair set up as follows:

ip netns add myns
ip netns exec myns ip link set lo up

ip link add veth0 type veth peer name veth1
ip link set veth0 up

ip link set veth1 netns myns
ip netns exec myns ip addr add 10.200.1.2/24 dev veth1
ip netns exec myns ip link set veth1 up

ip netns exec myns ip route add default via 10.200.1.1

In /etc/config/network:

config interface 'veth0'
   option proto 'static'
   option ipaddr '10.200.1.1'
   option netmask '255.255.255.0'
   option device 'veth0'

In /etc/config/firewall:

config zone 'vpn'
    option name 'vpn'
    option input 'ACCEPT'
    option forward 'REJECT'
    option output 'ACCEPT'
    list network 'wg'

config forwarding 'vpn_forwarding_lan_in'
    option src 'vpn'
    option dest 'lan'

config forwarding 'vpn_forwarding_lan_out'
    option src 'lan'
    option dest 'vpn'

config zone 'myns'
    option name 'myns'
    option input 'ACCEPT'
    option forward 'ACCEPT'
    option output 'ACCEPT'
    list network 'veth0'

config forwarding 'myns_forwarding_wan'
    option src 'myns'
    option dest 'wan'

It looks like there is internet access from the netns (though DNS doesn't work, but it might not be needed), but I don't know how to route traffic from WireGuard VPN clients into the namespace. Should I create another veth pair/adjust routing tables/redirection/masquerade/etc? I’m out of ideas, please help.

VPN clients have access to local network devices, and their DNS works, which should remain as is. Only external traffic should be routed through the namespace.

You must add a network route back from the main system to the netns subnet via the main system's veth interface.
Check:
ip -4 ro sh

# ip -4 ro sh
default via <ISP IP> dev wan proto static src <MY IP>
192.168.1.0/24 dev br-lan proto kernel scope link src 192.168.1.1 
192.168.204.0/24 dev wg proto kernel scope link src 192.168.XXX.1 
<ISP IP>/28 dev wan proto kernel scope link src <MY IP>
$ ip netns exec myns ip -4 ro sh
default via 10.200.1.1 dev veth1 
10.200.1.0/24 dev veth1 proto kernel scope link src 10.200.1.2 

But in the first place I need to route traffic from wg (not the entire main system) to netns somehow...

Sad it is poorly instrumented; it would be nice to have VPNs and other tunnels stowed off the main namespace.

ip ro add <ip/mask inside netns> via <veth system side>

Sorry, not sure if I understand the purpose of this route correctly, what is it supposed to do? Currently wg is not inside ns. Main system should not see ip/mask inside the ns, I presume.