Created
June 1, 2020 13:38
-
-
Save tpetazzoni/f7010ab974f44f53bb8a1d32fec327dd to your computer and use it in GitHub Desktop.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| ## Mon merveilleux script | |
| thomas@readynas:~$ cat setup-ns.sh | |
| #!/bin/bash | |
| ip netns add vpn | |
| # lo in namespace | |
| ip netns exec vpn ip addr add 127.0.0.1/8 dev lo | |
| ip netns exec vpn ip link set lo up | |
| # setup veth | |
| ip link add vpn0 type veth peer name vpn1 | |
| ip link set vpn0 up | |
| ip link set vpn1 netns vpn up | |
| ip addr add 10.200.200.1/24 dev vpn0 | |
| ip netns exec vpn ip addr add 10.200.200.2/24 dev vpn1 | |
| ip netns exec vpn ip route add default via 10.200.200.1 dev vpn1 | |
| # bridge | |
| ip link add name br0 type bridge | |
| ip link set br0 up | |
| ip link set vpn0 master br0 | |
| ip link set tap0 master br0 | |
| ## Et zou, c'est parti | |
| thomas@readynas:~$ sudo ./setup-ns.sh | |
| ## Les interfaces hors du NS | |
| thomas@readynas:~$ sudo ip a | |
| 1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000 | |
| link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00 | |
| inet 127.0.0.1/8 scope host lo | |
| valid_lft forever preferred_lft forever | |
| inet6 ::1/128 scope host | |
| valid_lft forever preferred_lft forever | |
| 2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1024 | |
| link/ether 28:c6:8e:37:0e:dc brd ff:ff:ff:ff:ff:ff | |
| inet 192.168.1.12/24 brd 192.168.1.255 scope global dynamic eth0 | |
| valid_lft 86107sec preferred_lft 86107sec | |
| inet6 2a01:cb19:8acf:5600:2ac6:8eff:fe37:edc/64 scope global dynamic mngtmpaddr | |
| valid_lft 1795sec preferred_lft 595sec | |
| inet6 fe80::2ac6:8eff:fe37:edc/64 scope link | |
| valid_lft forever preferred_lft forever | |
| 3: eth1: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN group default qlen 1024 | |
| link/ether 28:c6:8e:37:0e:dd brd ff:ff:ff:ff:ff:ff | |
| 4: tunl0@NONE: <NOARP> mtu 1480 qdisc noop state DOWN group default qlen 1000 | |
| link/ipip 0.0.0.0 brd 0.0.0.0 | |
| 5: sit0@NONE: <NOARP> mtu 1480 qdisc noop state DOWN group default qlen 1000 | |
| link/sit 0.0.0.0 brd 0.0.0.0 | |
| 6: ip6tnl0@NONE: <NOARP> mtu 1452 qdisc noop state DOWN group default qlen 1000 | |
| link/tunnel6 :: brd :: | |
| 7: tap0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast master br0 state UNKNOWN group default qlen 100 | |
| link/ether 36:c8:96:91:64:7a brd ff:ff:ff:ff:ff:ff | |
| inet 10.3.0.4/16 brd 10.3.255.255 scope global tap0 | |
| valid_lft forever preferred_lft forever | |
| inet6 fe80::34c8:96ff:fe91:647a/64 scope link | |
| valid_lft forever preferred_lft forever | |
| 14: vpn0@if13: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master br0 state UP group default qlen 1000 | |
| link/ether e6:e6:79:cf:b3:23 brd ff:ff:ff:ff:ff:ff link-netns vpn | |
| inet 10.200.200.1/24 scope global vpn0 | |
| valid_lft forever preferred_lft forever | |
| inet6 fe80::e4e6:79ff:fecf:b323/64 scope link | |
| valid_lft forever preferred_lft forever | |
| 15: br0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000 | |
| link/ether 36:c8:96:91:64:7a brd ff:ff:ff:ff:ff:ff | |
| inet6 fe80::2c67:49ff:feb5:1b53/64 scope link | |
| valid_lft forever preferred_lft forever | |
| ## Les routes hors du NS. Note bien que tap0 n'est *pas* ma route par défaut, | |
| # je ne veux pas que tout le traffic de la machine passe dans le VPN | |
| thomas@readynas:~$ sudo ip route show | |
| default via 192.168.1.1 dev eth0 | |
| 10.3.0.0/16 dev tap0 proto kernel scope link src 10.3.0.4 | |
| 10.200.200.0/24 dev vpn0 proto kernel scope link src 10.200.200.1 | |
| 192.168.1.0/24 dev eth0 proto kernel scope link src 192.168.1.12 | |
| ## Les interfaces dans le NS | |
| thomas@readynas:~$ sudo ip netns exec vpn ip a | |
| 1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000 | |
| link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00 | |
| inet 127.0.0.1/8 scope host lo | |
| valid_lft forever preferred_lft forever | |
| inet6 ::1/128 scope host | |
| valid_lft forever preferred_lft forever | |
| 2: tunl0@NONE: <NOARP> mtu 1480 qdisc noop state DOWN group default qlen 1000 | |
| link/ipip 0.0.0.0 brd 0.0.0.0 | |
| 3: sit0@NONE: <NOARP> mtu 1480 qdisc noop state DOWN group default qlen 1000 | |
| link/sit 0.0.0.0 brd 0.0.0.0 | |
| 4: ip6tnl0@NONE: <NOARP> mtu 1452 qdisc noop state DOWN group default qlen 1000 | |
| link/tunnel6 :: brd :: | |
| 13: vpn1@if14: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000 | |
| link/ether fe:9e:e5:75:20:9b brd ff:ff:ff:ff:ff:ff link-netnsid 0 | |
| inet 10.200.200.2/24 scope global vpn1 | |
| valid_lft forever preferred_lft forever | |
| inet6 fe80::fc9e:e5ff:fe75:209b/64 scope link | |
| valid_lft forever preferred_lft forever | |
| ## Les routes dans le NS | |
| thomas@readynas:~$ sudo ip netns exec vpn ip route show | |
| default via 10.200.200.1 dev vpn1 | |
| 10.200.200.0/24 dev vpn1 proto kernel scope link src 10.200.200.2 | |
| ## Depuis le NS, j'essaie de pinguer l'IP de l'interface veth qui est | |
| ## en dehors du NS -> marche po | |
| thomas@readynas:~$ sudo ip netns exec vpn ping 10.200.200.1 | |
| PING 10.200.200.1 (10.200.200.1) 56(84) bytes of data. | |
| ^C | |
| --- 10.200.200.1 ping statistics --- | |
| 3 packets transmitted, 0 received, 100% packet loss, time 54ms | |
| ## J'essaie de pinguer une IP publique -> marche po | |
| thomas@readynas:~$ sudo ip netns exec vpn ping 8.8.8.8 | |
| PING 8.8.8.8 (8.8.8.8) 56(84) bytes of data. | |
| ^C | |
| --- 8.8.8.8 ping statistics --- | |
| 2 packets transmitted, 0 received, 100% packet loss, time 66ms | |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment