OpenVPN in Linux network namespace

This script creates a Linux network namespace ("piavpn") in which the OpenVPN tunnel is meant to be the default route, so only processes started inside that namespace use the VPN while the rest of the host keeps its normal networking.

  1. Edit yourvpn.ovpn for your OpenVPN server (the `remote` line) and adjust the paths of the passwd, ca and crl files to where you keep them (the example uses /home/ubuntu/openvpn/).
  2. Put your username on the first line and your password on the second line of the passwd file, and make it readable only by root (`chmod 600 passwd`) — it holds the VPN credentials in clear text.
  3. sudo ./piavpn.zsh up   (the script refuses to run unless it is root)
  4. sudo ./piavpn.zsh start_vpn

Switch to that network namespace with: sudo ip netns exec piavpn bash — note that this gives you a root shell inside the namespace. To work as your normal user instead, run for example sudo ip netns exec piavpn sudo -u "$USER" bash, or use ./piavpn.zsh run <command>.

username
password
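#!/usr/bin/env zsh
# piavpn.zsh -- run an OpenVPN client inside a dedicated Linux network
# namespace ("piavpn") so that only processes started in that namespace use
# the tunnel.
#
# Usage: piavpn.zsh up|down|run <cmd...>|start_vpn   (must be run as root)
#
# Every action below creates namespaces, veth interfaces, routes and iptables
# rules, so refuse to continue unless we are root.
if [[ "$UID" != 0 ]]; then
  # Diagnostics go to stderr so they are not mistaken for command output.
  echo "This must be run as root." >&2
  exit 1
fi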
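# Create the "piavpn" namespace and plumb it to the host.
#
# Topology after this runs:
#   host: vpn0 (10.200.200.1/24) <--veth--> piavpn: vpn1 (10.200.200.2/24, default route)
# The host masquerades the namespace's traffic out of $WAN_IF (default eth0);
# that is how OpenVPN running inside the namespace reaches the VPN server.
#
# Globals: WAN_IF -- host uplink interface to masquerade through (default eth0)
# Returns: 0 on success, 1 if the namespace already exists (nothing is changed)
function iface_up() {
  local wan_if="${WAN_IF:-eth0}"

  # Running this twice would append duplicate iptables rules and leave the
  # interfaces half-configured; insist on a clean state instead.
  if ip netns exec piavpn true 2>/dev/null; then
    echo "namespace piavpn already exists; run '$0 down' first" >&2
    return 1
  fi

  ip netns add piavpn
  # A fresh namespace has no loopback configured; many programs need it.
  ip netns exec piavpn ip addr add 127.0.0.1/8 dev lo
  ip netns exec piavpn ip link set lo up

  # veth pair: vpn0 stays on the host, vpn1 is moved into the namespace.
  ip link add vpn0 type veth peer name vpn1
  ip link set vpn0 up
  ip link set vpn1 netns piavpn up
  ip addr add 10.200.200.1/24 dev vpn0
  ip netns exec piavpn ip addr add 10.200.200.2/24 dev vpn1
  ip netns exec piavpn ip route add default via 10.200.200.1 dev vpn1

  # Anti-spoofing: packets claiming the namespace's source subnet are only
  # acceptable when they arrive on vpn0; drop them on any other interface.
  iptables -A INPUT \! -i vpn0 -s 10.200.200.0/24 -j DROP
  # NAT the namespace's traffic out of the uplink. Until OpenVPN has brought
  # tun0 up inside the namespace, *all* of its traffic (including the DNS
  # lookups via the resolver configured below) leaves here unencrypted.
  iptables -t nat -A POSTROUTING -s 10.200.200.0/24 -o "$wan_if" -j MASQUERADE
  # Host-wide setting; iface_down switches it off again.
  sysctl -q net.ipv4.ip_forward=1

  # Per-namespace resolver: "ip netns exec" overlays files from
  # /etc/netns/<name>/ onto /etc for the command it runs. This points at
  # Google's public resolver; use your VPN provider's resolver instead if you
  # do not want DNS queries to go to a third party.
  mkdir -p /etc/netns/piavpn
  echo 'nameserver 8.8.8.8' > /etc/netns/piavpn/resolv.conf
}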
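# Tear down everything iface_up and start_vpn created.
#
# Globals: WAN_IF -- must be the same value that was used for "up" (default eth0)
function iface_down() {
  local wan_if="${WAN_IF:-eth0}"

  # Stop OpenVPN (and anything else) still running inside the namespace.
  # "ip netns delete" only unlinks the name; processes would otherwise keep
  # running in an orphaned namespace. Errors are ignored on purpose: the
  # namespace may already be gone or empty.
  ip netns pids piavpn 2>/dev/null | xargs -r kill 2>/dev/null

  rm -rf -- /etc/netns/piavpn
  # NOTE: this disables forwarding host-wide, even if something else on the
  # machine (containers, another VPN, a router setup) relied on it being on.
  sysctl -q net.ipv4.ip_forward=0
  iptables -D INPUT \! -i vpn0 -s 10.200.200.0/24 -j DROP
  iptables -t nat -D POSTROUTING -s 10.200.200.0/24 -o "$wan_if" -j MASQUERADE
  # These two are added by start_vpn. "-D" removes the first identical rule it
  # finds, so an unrelated rule with the same match could be removed when ours
  # is absent (e.g. "down" without a preceding "start_vpn").
  iptables -D FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
  iptables -D FORWARD -i vpn0 -o "$wan_if" -j ACCEPT
  # Deleting the namespace removes vpn1; as a veth pair, vpn0 goes with it.
  ip netns delete piavpn
}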
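# Run a command inside the namespace: "piavpn.zsh run <cmd> [args...]".
#
# Arguments: $1 is the literal verb "run" (dropped); the rest is the command.
# Returns:   1 (with a usage message) when no command was given; otherwise
#            the process is replaced by the command and never returns.
# Note: the command runs as root because this script itself must be root. To
# work as an unprivileged user, wrap it: "run sudo -u <user> <cmd>".
function run() {
  shift
  if (( $# == 0 )); then
    echo "Syntax: $0 run <command> [args...]" >&2
    return 1
  fi
  # Already root (checked at the top of the script), so no sudo is needed.
  exec ip netns exec piavpn "$@"
}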
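# Start OpenVPN inside the namespace and wait until tun0 is up.
#
# Globals: WAN_IF      -- host uplink (default eth0), must match iface_up
#          OVPN_CONFIG -- OpenVPN client config (default: the path below)
# Returns: 0 once tun0 is up, 1 if OpenVPN exited before that happened
#
# The FORWARD rules let the namespace reach the Internet through the uplink.
# They are broad (any protocol, any destination) so that OpenVPN can resolve
# and reach the server -- which also means that whenever OpenVPN is not
# running, traffic from the namespace is forwarded in the clear. For a real
# kill switch, narrow the second rule to the VPN server's port (udp 1198 in
# yourvpn.ovpn) plus DNS, and set the FORWARD chain policy to DROP.
function start_vpn() {
  local wan_if="${WAN_IF:-eth0}"
  local config="${OVPN_CONFIG:-/home/ubuntu/openvpn/yourvpn.ovpn}"

  # "-C" tests for an existing identical rule, so calling start_vpn again does
  # not pile up duplicates (iface_down removes exactly one copy of each).
  iptables -C FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT 2>/dev/null \
    || iptables -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
  iptables -C FORWARD -i vpn0 -o "$wan_if" -j ACCEPT 2>/dev/null \
    || iptables -A FORWARD -i vpn0 -o "$wan_if" -j ACCEPT

  # OpenVPN is left running in the background; it keeps running after this
  # script exits.
  ip netns exec piavpn openvpn --config "$config" &
  local ovpn_pid=$!

  # Poll until tun0 exists and is up. If OpenVPN dies first (bad credentials,
  # unreachable server, missing config file) give up instead of spinning forever.
  while ! ip netns exec piavpn ip addr show dev tun0 up >/dev/null 2>&1; do
    if ! kill -0 "$ovpn_pid" 2>/dev/null; then
      echo "openvpn exited before tun0 came up (see its output above)" >&2
      return 1
    fi
    sleep 1
  done
}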
# Command dispatch: the first argument selects the action. "run" receives the
# whole argument list so it can strip the verb itself.
case "$1" in
  up)        iface_up ;;
  down)      iface_down ;;
  run)       run "$@" ;;
  start_vpn) start_vpn ;;
  *)
    echo "Syntax: $0 up|down|run|start_vpn"
    exit 1
    ;;
esac
# yourvpn.ovpn -- OpenVPN client profile used by piavpn.zsh inside the
# "piavpn" namespace. Adjust "remote" and the file paths to your setup.
client
dev tun
proto udp
remote us-seattle.privateinternetaccess.com 1198
# Keep retrying name resolution (the namespace has no network until the host
# side is plumbed).
resolv-retry infinite
nobind
# Keep keys and the tun device across restarts; these two are also the
# prerequisites for dropping privileges (see the note at the end).
persist-key
persist-tun
# Data-channel cipher and HMAC; must match what the server offers. The
# provider may offer stronger settings (e.g. AES-256 / SHA-256) on other
# ports -- check its documentation before changing these.
cipher aes-128-cbc
auth sha1
tls-client
# Require the server certificate to carry the server EKU, so a leaked client
# certificate cannot be used to impersonate the server.
remote-cert-tls server
# Username/password file in clear text (first line user, second line
# password); keep it readable by root only (chmod 600).
auth-user-pass /home/ubuntu/openvpn/passwd
# NOTE(review): compressing data inside a TLS tunnel can leak information
# about the plaintext to an attacker who controls part of it; consider
# removing this if the server does not require it.
comp-lzo
verb 1
# Disable client-initiated TLS renegotiation; the server's setting still
# applies.
reneg-sec 0
# Reject server certificates listed in the provider's CRL; validate against
# the provider's CA.
crl-verify /home/ubuntu/openvpn/crl.rsa.2048.pem
ca /home/ubuntu/openvpn/ca.rsa.2048.crt
# NOTE(review): this suppresses the warning OpenVPN prints when client and
# server options differ -- the very mismatch you would want to see. Keep it
# only if the provider requires it.
disable-occ
# NOTE(review): without "user nobody" / "group nogroup", openvpn keeps running
# as root after the tunnel is up. Consider adding them (persist-key and
# persist-tun above are what makes that work); first make sure the ca and
# crl files above stay readable by that user, as they may be re-read later.