OpenVPN for a single application using network namespaces -- helper scripts

popcorntime-vpn.sh

#!/usr/bin/env zsh

# Initialize VPN
sudo vpnns up
sudo vpnns start_vpn

# Popcorn time!
sudo ip netns exec frootvpn sudo -u $USER popcorntime

# Cleanup
sudo ip netns pids frootvpn | xargs -rd'\n' sudo kill
sudo vpnns down

vpnns.sh

#!/usr/bin/env zsh

if [[ $UID != 0 ]]; then
    echo "This must be run as root."
    exit 1
fi

function iface_up() {
    ip netns add frootvpn

    ip netns exec frootvpn ip addr add 127.0.0.1/8 dev lo
    ip netns exec frootvpn ip link set lo up

    ip link add vpn0 type veth peer name vpn1
    ip link set vpn0 up
    ip link set vpn1 netns frootvpn up

    ip addr add 10.200.200.1/24 dev vpn0
    ip netns exec frootvpn ip addr add 10.200.200.2/24 dev vpn1
    ip netns exec frootvpn ip route add default via 10.200.200.1 dev vpn1

    iptables -A INPUT \! -i vpn0 -s 10.200.200.0/24 -j DROP
    iptables -t nat -A POSTROUTING -s 10.200.200.0/24 -o wl+ -j MASQUERADE

    sysctl -q net.ipv4.ip_forward=1

    mkdir -p /etc/netns/frootvpn
    echo 'nameserver 8.8.8.8' > /etc/netns/frootvpn/resolv.conf

    ip netns exec frootvpn fping -q www.google.fr
}

function iface_down() {
    rm -rf /etc/netns/frootvpn

    sysctl -q net.ipv4.ip_forward=0

    iptables -D INPUT \! -i vpn0 -s 10.200.200.0/24 -j DROP
    iptables -t nat -D POSTROUTING -s 10.200.200.0/24 -o wl+ -j MASQUERADE

    ip netns delete frootvpn
}

function run() {
    shift
    exec sudo ip netns exec frootvpn "$@"
}

function start_vpn() {
    sudo ip netns exec frootvpn openvpn --config /etc/openvpn/frootvpn.conf &

    while ! sudo ip netns exec frootvpn ip a show dev tun0 up; do
        sleep .5
    done
}

case "$1" in
    up)
        iface_up ;;
    down)
        iface_down ;;
    run)
        run "$@" ;;
    start_vpn)
        start_vpn ;;
    *)
        echo "Syntax: $0 up|down|run|start_vpn"
        exit 1
        ;;
esac

thanks for the script, but i have an question.
how can i set the tun0?

@AugustoEMoreira, you can add a --dev <mytun> argument to: https://gist.github.com/Schnouki/fd171bcb2d8c556e8fdf#file-vpnns-sh-L50

I wrote a script based on this that just wraps a command (could be your shell if left empty): vpnshift.sh

openvpn and a network namespace/veths are set up before the command. openvpn is terminated (or killed if necessary) and the network namespace/veths are torn down after the command exits.

$ vpnshift -c myopenvpn.conf popcorntime
starting openvpn....................................
<snip>
stopping openvpn...
$

Being able to exit cleanly is the main reason I extended it, since I didn't want to keep the namespace / iptables / ip_forward configuration active longer than necessary.

Thanks for your code :)
Here,
I am able to open 'google-chrome' with the vpn
but when i try to run a torrent application like
ktorrent or deluge i get some dbus session error

deluge:
`(deluge:6925): GConf-WARNING **: Client failed to connect to the D-BUS daemon:
Failed to connect to socket /tmp/dbus-r2khLwNbU3: Connection refused

(deluge:6925): GConf-WARNING **: Client failed to connect to the D-BUS daemon:
Failed to connect to socket /tmp/dbus-p0CCQmuJyW: Connection refused
Traceback (most recent call last):
File "/usr/bin/deluge", line 9, in
load_entry_point('deluge==1.3.13', 'gui_scripts', 'deluge')()
File "/usr/lib/python2.7/dist-packages/deluge/main.py", line 135, in start_ui
UI(options, args, options.args)
File "/usr/lib/python2.7/dist-packages/deluge/ui/ui.py", line 153, in init
ui = GtkUI(args)
File "/usr/lib/python2.7/dist-packages/deluge/ui/gtkui/gtkui.py", line 233, in init
common.associate_magnet_links(False)
File "/usr/lib/python2.7/dist-packages/deluge/ui/gtkui/common.py", line 255, in associate_magnet_links
if (gconf_client.get(key) and overwrite) or not gconf_client.get(key):
glib.GError: No D-BUS daemon running

`

ktorrent

`QDBusConnection: session D-Bus connection created before QCoreApplication. Application may misbehave.
unnamed app(7142): KUniqueApplication: Cannot find the D-Bus session server: "Failed to connect to socket /tmp/dbus-78fnqxoZAF: Connection refused"

unnamed app(7141): KUniqueApplication: Pipe closed unexpectedly. `

yeah

sudo -i
export $(dbus-launch)
exit
doing this helped me

At the start you check that root runs this script so you can omit all sudo calls.