OpenVPN for a single application using network namespaces -- helper scripts
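#!/usr/bin/env zsh
# Initialize VPN: create the namespace, then start OpenVPN inside it
sudo vpnns up
sudo vpnns start_vpn
# Popcorn time! Drop back to the invoking user inside the namespace
sudo ip netns exec frootvpn sudo -u "$USER" popcorntime
# Cleanup: kill everything still running in the namespace, then tear it down
sudo ip netns pids frootvpn | xargs -rd'\n' sudo kill
sudo vpnns down
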
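#!/usr/bin/env zsh
# Namespace helper; the first script calls it as "vpnns".
if [[ $UID != 0 ]]; then
    echo "This must be run as root."
    exit 1
fi

function iface_up() {
    # Create the namespace and bring up its loopback interface
    ip netns add frootvpn
    ip netns exec frootvpn ip addr add 127.0.0.1/8 dev lo
    ip netns exec frootvpn ip link set lo up
    # veth pair: vpn0 stays on the host, vpn1 moves into the namespace
    ip link add vpn0 type veth peer name vpn1
    ip link set vpn0 up
    ip link set vpn1 netns frootvpn up
    ip addr add 10.200.200.1/24 dev vpn0
    ip netns exec frootvpn ip addr add 10.200.200.2/24 dev vpn1
    ip netns exec frootvpn ip route add default via 10.200.200.1 dev vpn1
    # Drop packets with a namespace source address that did not arrive on vpn0
    iptables -A INPUT \! -i vpn0 -s 10.200.200.0/24 -j DROP
    # NAT namespace traffic leaving through the host's wl+ interfaces
    iptables -t nat -A POSTROUTING -s 10.200.200.0/24 -o wl+ -j MASQUERADE
    sysctl -q net.ipv4.ip_forward=1
    # Per-namespace resolv.conf, bind-mounted over /etc by "ip netns exec"
    mkdir -p /etc/netns/frootvpn
    echo 'nameserver 8.8.8.8' > /etc/netns/frootvpn/resolv.conf
    # Connectivity check through the host uplink
    ip netns exec frootvpn fping -q www.google.fr
}

function iface_down() {
    rm -rf /etc/netns/frootvpn
    # Note: this turns IPv4 forwarding off globally, whatever it was before "up"
    sysctl -q net.ipv4.ip_forward=0
    iptables -D INPUT \! -i vpn0 -s 10.200.200.0/24 -j DROP
    iptables -t nat -D POSTROUTING -s 10.200.200.0/24 -o wl+ -j MASQUERADE
    # Deleting the namespace also removes vpn1 and, with it, its peer vpn0
    ip netns delete frootvpn
}

function run() {
    # Drop the "run" keyword, then execute the rest inside the namespace (as root)
    shift
    exec sudo ip netns exec frootvpn "$@"
}

function start_vpn() {
    # Start OpenVPN inside the namespace, then poll until tun0 shows up there
    sudo ip netns exec frootvpn openvpn --config /etc/openvpn/frootvpn.conf &
    while ! sudo ip netns exec frootvpn ip a show dev tun0 up; do
        sleep .5
    done
}

case "$1" in
    up)
        iface_up ;;
    down)
        iface_down ;;
    run)
        run "$@" ;;
    start_vpn)
        start_vpn ;;
    *)
        echo "Syntax: $0 up|down|run|start_vpn"
        exit 1
        ;;
esac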
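
start_vpn above only waits for tun0 to appear; the namespace still has its default route via 10.200.200.1 and the host still masquerades it, so an OpenVPN config that installs no default route leaves the application on the host uplink. The check below is an added example, not part of the gist: the function names, the 10.8.0.x tunnel addresses and the 203.0.113.10 server address are constructed assumptions.

```shell
#!/bin/sh
# Added example (not from the gist): decide from a routing table whether all
# IPv4 traffic in the namespace leaves through the tunnel device.

# Reads `ip -4 route show` output on stdin. Succeeds only if either both
# halves installed by OpenVPN's "redirect-gateway def1" (0.0.0.0/1 and
# 128.0.0.0/1) point at the tunnel, or the only default route does.
routes_via_tunnel() {
    tun="${1:-tun0}"
    awk -v tun="$tun" '
        { dev = ""; for (i = 1; i < NF; i++) if ($i == "dev") dev = $(i + 1) }
        $1 == "0.0.0.0/1"   && dev == tun { low = 1 }
        $1 == "128.0.0.0/1" && dev == tun { high = 1 }
        $1 == "default"     && dev == tun { def_tun = 1 }
        $1 == "default"     && dev != tun { def_other = 1 }
        END { exit !((low && high) || (def_tun && !def_other)) }
    '
}

# Live check, to be run as root once OpenVPN is up in the namespace.
check_namespace() {
    ns="${1:-frootvpn}"
    ip netns exec "$ns" ip -4 route show | routes_via_tunnel "${2:-tun0}"
}

# Constructed sample: namespace routes after redirect-gateway def1 was applied.
SAMPLE_TUNNELLED='0.0.0.0/1 via 10.8.0.1 dev tun0
default via 10.200.200.1 dev vpn1
10.8.0.0/24 dev tun0 proto kernel scope link src 10.8.0.2
10.200.200.0/24 dev vpn1 proto kernel scope link src 10.200.200.2
128.0.0.0/1 via 10.8.0.1 dev tun0
203.0.113.10 via 10.200.200.1 dev vpn1'

# Constructed sample: tun0 is up, but no default route goes through it.
SAMPLE_LEAKING='default via 10.200.200.1 dev vpn1
10.8.0.0/24 dev tun0 proto kernel scope link src 10.8.0.2
10.200.200.0/24 dev vpn1 proto kernel scope link src 10.200.200.2'
```

Calling `check_namespace frootvpn tun0 || exit 1` between `vpnns start_vpn` and the application launch stops the first script before anything runs on an untunnelled route.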

Thanks for the script, but I have a question.
How can I set the tun0?

crasm commented Aug 14, 2016

I wrote a script based on this that just wraps a command (could be your shell if left empty): vpnshift.sh

openvpn and a network namespace/veths are set up before the command. openvpn is terminated (or killed if necessary) and the network namespace/veths are torn down after the command exits.

$ vpnshift -c myopenvpn.conf popcorntime
starting openvpn....................................
<snip>
stopping openvpn...
$

Being able to exit cleanly is the main reason I extended it, since I didn't want to keep the namespace / iptables / ip_forward configuration active longer than necessary.

shaik7abdul7khallik commented Aug 16, 2016

Thanks for your code :)
Here, I am able to open 'google-chrome' with the VPN, but when I try to run a torrent application like ktorrent or deluge I get some D-Bus session error.

deluge:
```
(deluge:6925): GConf-WARNING **: Client failed to connect to the D-BUS daemon:
Failed to connect to socket /tmp/dbus-r2khLwNbU3: Connection refused

(deluge:6925): GConf-WARNING **: Client failed to connect to the D-BUS daemon:
Failed to connect to socket /tmp/dbus-p0CCQmuJyW: Connection refused
Traceback (most recent call last):
  File "/usr/bin/deluge", line 9, in <module>
    load_entry_point('deluge==1.3.13', 'gui_scripts', 'deluge')()
  File "/usr/lib/python2.7/dist-packages/deluge/main.py", line 135, in start_ui
    UI(options, args, options.args)
  File "/usr/lib/python2.7/dist-packages/deluge/ui/ui.py", line 153, in __init__
    ui = GtkUI(args)
  File "/usr/lib/python2.7/dist-packages/deluge/ui/gtkui/gtkui.py", line 233, in __init__
    common.associate_magnet_links(False)
  File "/usr/lib/python2.7/dist-packages/deluge/ui/gtkui/common.py", line 255, in associate_magnet_links
    if (gconf_client.get(key) and overwrite) or not gconf_client.get(key):
glib.GError: No D-BUS daemon running
```

ktorrent

```
QDBusConnection: session D-Bus connection created before QCoreApplication. Application may misbehave.
unnamed app(7142): KUniqueApplication: Cannot find the D-Bus session server: "Failed to connect to socket /tmp/dbus-78fnqxoZAF: Connection refused"

unnamed app(7141): KUniqueApplication: Pipe closed unexpectedly.
```

shaik7abdul7khallik commented Aug 17, 2016

Yeah

sudo -i
export $(dbus-launch)
exit

Doing this helped me.

At the start you check that root runs this script so you can omit all sudo calls.
