Segment your network with WireGuard — per-app VPN isolation on Linux.
Segwire (segmented + wireguard) lets you run applications inside isolated network namespaces, each with its own WireGuard tunnel, routing table, and DNS. Traffic from one namespace never leaks into another or onto the host's default route.
On a standard Linux desktop, every application shares the same network stack. If you connect to a VPN, everything goes through it. If the VPN drops, traffic silently falls back to your ISP. Segwire solves this by giving each network environment its own namespace:
- Privacy VPN — run a browser inside a namespace tunneled through a VPN provider. The browser on your host is completely unaffected, and if the tunnel drops, the namespaced browser has no route out: it fails closed instead of silently falling back to the host's uplink.
- Multi-provider routing — connect to different VPN endpoints simultaneously: one namespace for work, another for personal browsing, a third for a specific region.
- Application isolation — confine an application's network access to a specific interface or subnet without firewall rules.
- Development & testing — spin up network environments with controlled routing and DNS for integration testing, without touching the host network.
You declare namespaces in TOML config files. The segwire daemon manages their lifecycle — creating the namespace, setting up veth pairs or moving interfaces, assigning addresses, configuring routes and DNS. You then run commands inside any namespace with segwire exec, which works without sudo (even for GUI apps like Firefox) thanks to a minimal setuid helper.
```bash
# Run Firefox through your privacy VPN
segwire exec privacy-vpn -- firefox

# Check your exit IP from inside the namespace
segwire exec privacy-vpn -- curl ifconfig.me

# Meanwhile, the host is unaffected
curl ifconfig.me   # shows your real IP
```

- Declarative configuration — define namespaces, interfaces, routes, and DNS in TOML files
- Hot-reload — inotify-based config monitoring; add or remove a `.toml` file and the daemon reacts automatically
- Unprivileged `exec` — run commands (including GUI apps) inside namespaces without `sudo`, via a minimal setuid helper
- D-Bus API — all operations go through a well-defined D-Bus interface with PolicyKit authorization
- Dual-stack — full IPv4 and IPv6 support for addresses, routes, and DNS
- Virtual interfaces — veth pairs, bridges, dummy, macvlan, and ipvlan
- Interface migration — move physical interfaces into namespaces and restore them on shutdown
- Graceful lifecycle — optional cleanup-on-shutdown returns interfaces and deletes namespaces
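The `curl ifconfig.me` comparison above only proves something while the tunnel is up; when it is down, curl just fails and tells you nothing about DNS. The script below is an added example, not part of segwire, that checks the fail-closed property from the kernel's own state instead: it parses `/proc/net/route`, `/proc/net/ipv6_route` and `/etc/resolv.conf`, so it needs neither network access nor privileges and can be run on the host and again via `segwire exec`. The interface name `veth-vpn` and the nameservers 1.1.1.1 and 9.9.9.9 are taken from the quick-start config; the route table and resolv.conf samples embedded in the block are constructed.

```python
"""Local fail-closed check for a segwire namespace (added example, not
project code). It reads the kernel's route tables and the resolver config
rather than asking a remote service, so it also works when the tunnel is
down, which is exactly the case you want to verify.

Usage (interface name and DNS servers assumed from the quick start):
    python3 nscheck.py veth-vpn 1.1.1.1 9.9.9.9                      # on the host
    segwire exec vpn -- python3 nscheck.py veth-vpn 1.1.1.1 9.9.9.9  # inside "vpn"
"""
import ipaddress
import socket
import struct
import sys

RTF_REJECT = 0x0200  # kernel flag on "unreachable"/"prohibit" routes: not an egress path


def ipv4_default_routes(proc_net_route):
    """[(iface, gateway)] for IPv4 default routes from /proc/net/route text.

    Addresses are little-endian hex, so "0100C80A" is 10.200.0.1, and a
    Destination of 00000000 marks a default route.
    """
    routes = []
    for line in proc_net_route.strip().splitlines()[1:]:  # line 0 is the header
        f = line.split()
        if len(f) < 4 or f[1] != "00000000" or int(f[3], 16) & RTF_REJECT:
            continue
        gateway = socket.inet_ntoa(struct.pack("<L", int(f[2], 16)))
        routes.append((f[0], gateway))
    return routes


def ipv6_default_routes(proc_net_ipv6_route):
    """[(iface, nexthop)] for IPv6 default routes from /proc/net/ipv6_route text.

    Columns: dest, dest_plen, src, src_plen, nexthop, metric, refcnt, use, flags, iface.
    """
    routes = []
    for line in proc_net_ipv6_route.strip().splitlines():
        f = line.split()
        if len(f) < 10 or f[0] != "0" * 32 or f[1] != "00" or int(f[8], 16) & RTF_REJECT:
            continue
        nexthop = ipaddress.IPv6Address(bytes.fromhex(f[4])).compressed
        routes.append((f[9], nexthop))
    return routes


def nameservers(resolv_conf):
    """Nameserver addresses from resolv.conf text, in lookup order."""
    return [p[1] for p in (line.split() for line in resolv_conf.splitlines())
            if len(p) >= 2 and p[0] == "nameserver"]


def assess(defaults, servers, allowed_iface, expected_dns):
    """Return (verdict, details): 'sealed' (no egress at all), 'routed'
    (egress only via allowed_iface and DNS as configured) or 'leaking'."""
    problems = [f"default route via {i} ({gw}) is not {allowed_iface}"
                for i, gw in defaults if i != allowed_iface]
    problems += [f"nameserver {s} is not in the namespace's [dns] list"
                 for s in servers if s not in expected_dns]
    if problems:
        return "leaking", problems
    if not defaults:
        return "sealed", ["no default route: nothing can leave this namespace"]
    return "routed", [f"default via {i} ({gw})" for i, gw in defaults]


def check_live(allowed_iface, expected_dns):
    """Read the calling namespace's kernel state and assess it."""
    with open("/proc/net/route") as f:
        defaults = ipv4_default_routes(f.read())
    try:
        with open("/proc/net/ipv6_route") as f:
            defaults += ipv6_default_routes(f.read())
    except FileNotFoundError:  # IPv6 disabled on this kernel
        pass
    with open("/etc/resolv.conf") as f:
        servers = nameservers(f.read())
    return assess(defaults, servers, allowed_iface, set(expected_dns))


# Constructed sample: what the quick-start namespace looks like from inside.
SAMPLE_ROUTE = """Iface\tDestination\tGateway \tFlags\tRefCnt\tUse\tMetric\tMask\t\tMTU\tWindow\tIRTT
veth-vpn\t00000000\t0100C80A\t0003\t0\t0\t0\t00000000\t0\t0\t0
veth-vpn\t0000C80A\t00000000\t0001\t0\t0\t0\t00FFFFFF\t0\t0\t0
"""
SAMPLE_RESOLV = "nameserver 1.1.1.1\nnameserver 9.9.9.9\n"

if __name__ == "__main__":
    verdict, details = check_live(sys.argv[1], sys.argv[2:])
    print(verdict)
    for d in details:
        print("  " + d)
```

Inside the namespace the verdict should be `routed` while the tunnel is up and `sealed` once it drops; `leaking` means a default route or a resolver that does not belong to the namespace's config. Run on the host with the same arguments it reports the host's own uplink and resolvers as `leaking`, which is a useful side-by-side confirmation that the two views really differ.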
```bash
# Build
cargo build --release --workspace

# Install (see docs/installation.md for full setup including setuid helper)
sudo cp target/release/segwire-daemon /usr/bin/
sudo cp target/release/segwire /usr/bin/

# Create config directory
sudo mkdir -p /etc/segwire/namespaces

# Write a daemon config
sudo tee /etc/segwire/daemon.toml << 'EOF'
[daemon]
namespace_prefix = "sw"
config_dir = "/etc/segwire/namespaces"

[dbus]
EOF

# Write a namespace config
sudo tee /etc/segwire/namespaces/vpn.toml << 'EOF'
[namespace]
name = "vpn"
description = "VPN isolation namespace"

[interfaces]
move_interfaces = []

[[interfaces.virtual_interfaces]]
name = "veth-vpn"
interface_type = "veth"
peer = "veth-host"
addresses = ["10.200.0.2/24"]

[routing]
default_gateway = "10.200.0.1"

[dns]
servers = ["1.1.1.1", "9.9.9.9"]
EOF

# Start the daemon, then use the CLI
sudo systemctl start segwire-daemon   # or run directly: sudo segwire-daemon
segwire list
segwire status vpn
segwire exec vpn -- curl ifconfig.me
```

| Command | Description |
|---|---|
| `segwire list` | List all managed namespaces |
| `segwire status <name>` | Show detailed status for a namespace |
| `segwire reload` | Reload configuration files and sync state |
| `segwire restart <name>` | Delete and recreate a namespace from its config |
| `segwire validate [path]` | Validate configuration files without applying |
| `segwire exec <name> -- <cmd>` | Run a command inside a namespace (no sudo needed) |
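`segwire validate` checks configuration files against the daemon's schema. As an added example that is not the project's validator, the script below applies the semantic checks a practitioner wants before a config reaches a root daemon, using only the keys shown in the quick start: interface names within the kernel's 15-character IFNAMSIZ limit, well-formed address/prefix strings, a default gateway that is actually on one of the namespace's subnets (the kernel rejects an off-link gateway), DNS servers that are IP literals, and veth peer names that would collide on the host when several namespace files are loaded. It assumes, as `peer = "veth-host"` suggests, that the peer end of a veth stays in the host namespace; the two TOML documents embedded in it are constructed, the first being the quick-start config verbatim.

```python
"""Offline sanity checks for segwire namespace TOML (added example; not the
project's `segwire validate`). It knows only the keys shown in this README's
quick start and does not decide whether a key is one segwire accepts."""
import ipaddress
try:
    import tomllib  # Python 3.11+
except ModuleNotFoundError:  # older interpreters: pip install tomli
    import tomli as tomllib

IFNAMSIZ = 16  # Linux IFNAMSIZ: 15 characters plus the terminating NUL
VIRTUAL_TYPES = {"veth", "bridge", "dummy", "macvlan", "ipvlan"}  # from the feature list


def check_namespace_config(text):
    """Return the problems found in one namespace config; an empty list means it passed."""
    try:
        cfg = tomllib.loads(text)
    except tomllib.TOMLDecodeError as e:
        return [f"not valid TOML: {e}"]
    problems = []
    if not cfg.get("namespace", {}).get("name"):
        problems.append("[namespace] name is required")

    ifaces = cfg.get("interfaces", {})
    seen, subnets = set(), []
    for moved in ifaces.get("move_interfaces", []):
        if len(moved.encode()) >= IFNAMSIZ:
            problems.append(f"move_interfaces entry {moved!r} exceeds {IFNAMSIZ - 1} characters")
    for vi in ifaces.get("virtual_interfaces", []):
        name = vi.get("name", "")
        if not name or len(name.encode()) >= IFNAMSIZ:
            problems.append(f"interface name {name!r} is missing or exceeds {IFNAMSIZ - 1} characters")
        if name in seen:
            problems.append(f"interface name {name!r} is used twice")
        seen.add(name)
        itype = vi.get("interface_type")
        if itype not in VIRTUAL_TYPES:
            problems.append(f"{name}: unknown interface_type {itype!r}")
        if itype == "veth" and not vi.get("peer"):
            problems.append(f"{name}: a veth needs a peer name")
        for addr in vi.get("addresses", []):
            try:
                subnets.append(ipaddress.ip_interface(addr).network)
            except ValueError:
                problems.append(f"{name}: {addr!r} is not a valid address/prefix")

    gw = cfg.get("routing", {}).get("default_gateway")
    if gw is not None:
        try:
            gw_ip = ipaddress.ip_address(gw)
        except ValueError:
            problems.append(f"default_gateway {gw!r} is not an IP address")
        else:
            # An IPv6 gateway never matches an IPv4 subnet and vice versa.
            if not any(gw_ip in net for net in subnets):
                problems.append(f"default_gateway {gw} is not on any configured subnet; "
                                "the kernel rejects an off-link gateway")

    for server in cfg.get("dns", {}).get("servers", []):
        try:
            ipaddress.ip_address(server)
        except ValueError:
            problems.append(f"dns server {server!r} is not an IP literal")
    return problems


def check_host_peer_collisions(texts):
    """veth peers land in the host namespace (assumption based on the quick
    start's peer = "veth-host"), so their names must be unique across every
    namespace file one daemon loads."""
    owners, problems = {}, []
    for text in texts:
        cfg = tomllib.loads(text)
        ns = cfg.get("namespace", {}).get("name", "?")
        for vi in cfg.get("interfaces", {}).get("virtual_interfaces", []):
            peer = vi.get("peer")
            if vi.get("interface_type") == "veth" and peer:
                if peer in owners and owners[peer] != ns:
                    problems.append(f"veth peer {peer!r} is claimed by both {owners[peer]} and {ns}")
                owners.setdefault(peer, ns)
    return problems


# Constructed samples: the quick-start config, and a second file with three mistakes
# (over-long interface name, gateway off-subnet, hostname as DNS server) that also
# reuses the host-side peer name.
VPN_TOML = """[namespace]
name = "vpn"
description = "VPN isolation namespace"
[interfaces]
move_interfaces = []
[[interfaces.virtual_interfaces]]
name = "veth-vpn"
interface_type = "veth"
peer = "veth-host"
addresses = ["10.200.0.2/24"]
[routing]
default_gateway = "10.200.0.1"
[dns]
servers = ["1.1.1.1", "9.9.9.9"]
"""
BAD_TOML = """[namespace]
name = "work"
[interfaces]
[[interfaces.virtual_interfaces]]
name = "veth-work-namespace-x"
interface_type = "veth"
peer = "veth-host"
addresses = ["10.201.0.2/24"]
[routing]
default_gateway = "10.200.0.1"
[dns]
servers = ["dns.example"]
"""

if __name__ == "__main__":
    for label, text in (("vpn.toml", VPN_TOML), ("work.toml", BAD_TOML)):
        print(label, check_namespace_config(text) or "ok")
    print("host collisions:", check_host_peer_collisions([VPN_TOML, BAD_TOML]) or "none")
```

Feed it the contents of every file under `/etc/segwire/namespaces` before running `segwire reload`; the per-file checks are the same ones you would otherwise discover only as a failed `ip` command in the daemon's log, and the peer-collision check is the one that a per-file validator cannot make.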
```text
┌──────────────────────────────────┐
│           User Session           │
│  ┌──────────┐   ┌──────────────┐ │
│  │ segwire  │   │ segwire-ns-  │ │
│  │  (CLI)   │   │ enter (suid) │ │
│  └────┬─────┘   └──────┬───────┘ │
│       │ D-Bus          │ execvp  │
│       │                ▼         │
│       │         ┌──────────┐     │
│       │         │ command  │     │
│       │         │ (as user)│     │
│       │         └──────────┘     │
└───────┼──────────────────────────┘
        │ System D-Bus
┌───────▼──────────────────────────┐
│      segwire-daemon (root)       │
│  ├── PolicyKit authorization     │
│  ├── Namespace lifecycle         │
│  └── Configuration management    │
└──────────────────────────────────┘
```
| Document | Description |
|---|---|
| Architecture | Crate layout, event loop, D-Bus interface, namespace lifecycle |
| Configuration | Daemon and namespace TOML reference with examples |
| Installation | Build, permissions, systemd, PolicyKit setup |
| Development | Building, testing, environment variables, contributing |
| Security | Security model, setuid helper, threat model, attack surface |
This project is licensed under the GNU General Public License v3.0 (GPL-3.0-only). See the LICENSE file for details.