OpenVPN for a single application using network namespaces -- helper scripts
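#!/usr/bin/env zsh
# Launch popcorntime inside the "frootvpn" network namespace so that only this
# application uses the VPN. Requires the companion "vpnns" script.
#
# Bring the namespace up and start the tunnel; stop before launching the
# application if either step fails so nothing is started without the setup.
sudo vpnns up || exit 1
sudo vpnns start_vpn || exit 1
# Popcorn time! $USER is expanded by this (unprivileged) shell before sudo runs,
# so the inner "sudo -u" drops back to the invoking user rather than root.
sudo ip netns exec frootvpn sudo -u "$USER" popcorntime
# Cleanup: kill everything still running in the namespace (one pid per line;
# -r skips the call when the list is empty -- GNU xargs), then tear it down.
sudo ip netns pids frootvpn | xargs -rd'\n' sudo kill
sudo vpnns down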
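#!/usr/bin/env zsh
# vpnns: create/destroy the "frootvpn" network namespace, start OpenVPN in it,
# or exec a command inside it. Every sub-command needs root, so refuse early;
# the diagnostic goes to stderr so it is not mistaken for command output.
if [[ $UID != 0 ]]; then
  echo "This must be run as root." >&2
  exit 1
fi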
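#######################################
# Create the frootvpn namespace, connect it to the host with a veth pair,
# NAT it out through the host's wireless interfaces and give it its own
# resolv.conf.
# Returns: 1 if the namespace already exists; otherwise the status of the
#          final connectivity check (fping).
#######################################
function iface_up() {
  # Stop here if the namespace already exists: re-running the remaining
  # steps would append duplicate iptables rules and fail on the veth pair.
  ip netns add frootvpn || return 1
  # Loopback inside the namespace.
  ip netns exec frootvpn ip addr add 127.0.0.1/8 dev lo
  ip netns exec frootvpn ip link set lo up
  # veth pair: vpn0 stays on the host, vpn1 is moved into the namespace.
  ip link add vpn0 type veth peer name vpn1
  ip link set vpn0 up
  ip link set vpn1 netns frootvpn up
  ip addr add 10.200.200.1/24 dev vpn0
  ip netns exec frootvpn ip addr add 10.200.200.2/24 dev vpn1
  ip netns exec frootvpn ip route add default via 10.200.200.1 dev vpn1
  # Anti-spoofing: drop packets claiming the veth subnet that arrive on any
  # interface other than vpn0. NAT is limited to interfaces matching wl+
  # (wireless); adjust the pattern if the uplink is wired.
  iptables -A INPUT \! -i vpn0 -s 10.200.200.0/24 -j DROP
  iptables -t nat -A POSTROUTING -s 10.200.200.0/24 -o wl+ -j MASQUERADE
  sysctl -q net.ipv4.ip_forward=1
  # Namespace-specific resolver; "ip netns exec" picks up /etc/netns/frootvpn/.
  # NOTE(review): this setup is not a kill switch -- if the tunnel drops, the
  # namespace still has a route out via vpn0 and the MASQUERADE rule above.
  mkdir -p /etc/netns/frootvpn
  echo 'nameserver 8.8.8.8' > /etc/netns/frootvpn/resolv.conf
  # Connectivity check from inside the namespace; its status is returned.
  ip netns exec frootvpn fping -q www.google.fr
}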
#######################################
# Tear down what iface_up created: resolver directory, IP forwarding, the two
# iptables rules and the namespace (deleting the namespace also removes the
# veth pair). Best effort: each step runs regardless of the previous one.
# NOTE(review): forwarding is unconditionally switched off, even if it was
# already enabled for another reason before "up" was run.
#######################################
function iface_down() {
  local ns=frootvpn
  local subnet=10.200.200.0/24
  rm -rf -- "/etc/netns/${ns}"
  sysctl -q net.ipv4.ip_forward=0
  iptables -D INPUT \! -i vpn0 -s "$subnet" -j DROP
  iptables -t nat -D POSTROUTING -s "$subnet" -o 'wl+' -j MASQUERADE
  ip netns delete "$ns"
}
#######################################
# Exec a command inside the frootvpn namespace.
# Arguments: $1 is the "run" sub-command word (discarded); the rest is the
#            command line to exec.
# NOTE(review): the command keeps this script's root privileges; a caller
# that wants an unprivileged process must drop them itself (e.g. sudo -u).
#######################################
function run() {
  local -a cmd
  shift
  cmd=("$@")
  exec sudo ip netns exec frootvpn "${cmd[@]}"
}
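#######################################
# Start OpenVPN inside the namespace and wait for its tun0 device.
# Arguments: $1 - optional timeout in seconds (default 60).
# Returns:   0 once tun0 is visible; 1 if openvpn exits first or the
#            timeout elapses (openvpn is then killed).
#######################################
function start_vpn() {
  local timeout=${1:-60}
  local waited=0
  local vpn_pid
  # The script already verified UID 0, so no sudo is needed here.
  ip netns exec frootvpn openvpn --config /etc/openvpn/frootvpn.conf &
  vpn_pid=$!
  # Poll every 0.5 s. Unlike an unbounded loop, this gives up when openvpn
  # has died (tun0 would never appear) or after the timeout.
  while ! ip netns exec frootvpn ip addr show dev tun0 up >/dev/null 2>&1; do
    if ! kill -0 "$vpn_pid" 2>/dev/null; then
      echo "openvpn exited before tun0 came up" >&2
      return 1
    fi
    if (( waited >= timeout * 2 )); then
      echo "timed out after ${timeout}s waiting for tun0" >&2
      kill "$vpn_pid" 2>/dev/null
      return 1
    fi
    sleep .5
    waited=$((waited + 1))
  done
}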
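# Dispatch on the sub-command. "run" gets the whole argument list because it
# strips the sub-command word itself before exec'ing the rest. The usage
# message goes to stderr so it is not mistaken for command output.
case "$1" in
  up)
    iface_up ;;
  down)
    iface_down ;;
  run)
    run "$@" ;;
  start_vpn)
    start_vpn ;;
  *)
    echo "Syntax: $0 up|down|run|start_vpn" >&2
    exit 1
    ;;
esac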

At the start you check that this script is run as root, so you can omit all the sudo calls.
