Created
February 17, 2020 22:54
-
-
Save luminoso/63dd14df957b058fbbaca3173627a448 to your computer and use it in GitHub Desktop.
running an OpenVPN tunnel inside a network namespace
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Linux network namespaces can be used to control which processes should be tunneled by OpenVPN. | |
| http://www.naju.se/articles/openvpn-netns.html | |
| Example | |
| First create an --up and --down script for OpenVPN. This script will create the VPN tunnel interface inside a network namespace called vpn, instead of the default namespace. | |
| cat > netns-script << 'EOF' | |
| #!/bin/sh | |
| case $script_type in | |
| up) | |
| ip netns add vpn | |
| ip netns exec vpn ip link set dev lo up | |
| ip link set dev "$1" up netns vpn mtu "$2" | |
| ip netns exec vpn ip addr add dev "$1" \ | |
| "$4/${ifconfig_netmask:-30}" \ | |
| ${ifconfig_broadcast:+broadcast "$ifconfig_broadcast"} | |
| if [ -n "$ifconfig_ipv6_local" ]; then | |
| ip netns exec vpn ip addr add dev "$1" \ | |
| "$ifconfig_ipv6_local"/112 | |
| fi | |
| ;; | |
| route-up) | |
| ip netns exec vpn ip route add default via "$route_vpn_gateway" | |
| if [ -n "$ifconfig_ipv6_remote" ]; then | |
| ip netns exec vpn ip route add default via \ | |
| "$ifconfig_ipv6_remote" | |
| fi | |
| ;; | |
| down) | |
| ip netns delete vpn | |
| ;; | |
| esac | |
| EOF | |
| Then start OpenVPN and tell it to use our --up and --down script instead of executing ifconfig and route. | |
| openvpn --ifconfig-noexec --route-noexec --up netns-script --route-up netns-script --down netns-script | |
| Now you can start programs to be tunneled like this: | |
| ip netns exec vpn command |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment