pekman / openvpn-netns

Start OpenVPN connection inside Linux network namespace
The Unlicense
65 stars, 12 forks

Is there a possibility to add a local ip range? #2

Open DeadSix27 opened 6 years ago

DeadSix27 commented 6 years ago

I've been using a similar script to this before: https://gist.github.com/Ernillew/aa0a13e738d2165878111801c5144d18

And that had another local IP range, e.g. 10.10.10.1/12; is it possible to have this with this script as well?

To allow intercommunication from the main network to the vpn network.

Unless there is a better way, any help is appreciated

EDIT: I got as far as this; this would add the virtual network I want, but I can't add it to "default" because that's where openvpn adds itself, so I don't know what to do now.

    ip link add veth0 type veth peer name veth1   # veth pair: veth0 stays on the host
    ip link set veth0 up
    ip link set veth1 netns vpn up                # move the peer into the "vpn" namespace and bring it up
    ip addr add 10.200.200.1/24 dev veth0         # host-side address of the pair

    ip netns exec vpn ip addr add >>>default<<< dev veth1   # placeholder: the namespace-side address is still missing here
Nomeji commented 5 years ago

I was encountering the same problem: I could not contact the netns from the host. Thanks to what you posted I was able to fix my problem. I used exactly what you posted, except for the last line, where I used this:

ip netns exec vpn ip addr add 10.200.200.2/24 dev veth1

So just change the default to a valid IP and that's it. I can now contact the netns and any software behind it using 10.200.200.2, from the host:

ping 10.200.200.2

works as expected

Adding those 5 lines at the end of the script is probably enough. I will make a PR if I do it for myself. It just works as it is for now.

DeadSix27 commented 5 years ago

It's been a long time now; I went through many iterations of scripts and I use something like this now:

    ip netns add myvpn                                          # create the namespace
    ip netns exec myvpn ip addr add 127.0.0.1/8 dev lo          # loopback inside the namespace
    ip netns exec myvpn ip link set lo up
    ip link add vpn0 type veth peer name vpn1                   # veth pair: vpn0 host side, vpn1 namespace side
    ip link set vpn0 up
    ip link set vpn1 netns myvpn up                             # move vpn1 into the namespace and bring it up
    ip addr add 10.200.200.1/24 dev vpn0
    ip netns exec myvpn ip addr add 10.200.200.2/24 dev vpn1
    ip netns exec myvpn ip route add default via 10.200.200.1 dev vpn1   # namespace reaches the world through the host

    iptables -A INPUT \! -i vpn0 -s 10.200.200.0/24 -j DROP    # anti-spoofing: 10.200.200.0/24 only arrives via vpn0
    iptables -t nat -A POSTROUTING -s 10.200.200.0/24 -o e+ -j MASQUERADE   # NAT namespace traffic out of eth*/en* uplinks
    sysctl -q net.ipv4.ip_forward=1                             # host must forward between vpn0 and the uplink

    mkdir -p /etc/netns/myvpn                                   # per-namespace resolv.conf, picked up by `ip netns exec`
    echo "nameserver 8.8.8.8" > /etc/netns/myvpn/resolv.conf
    echo "nameserver 8.8.4.4" >> /etc/netns/myvpn/resolv.conf

I don't remember if this actively blocks outgoing data once openvpn is stopped, but I have a separate script to check for that anyway. I have a few other versions, though, that work differently.

EDIT: For example this one: https://gist.github.com/DeadSix27/a8db80fc271f0abe250a5d3adbe977ce, which works via openvpn itself.
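The following script is an added example; it is not part of this issue thread or of pekman/openvpn-netns, and it does not reproduce the linked gists. It builds the same veth pair, addresses and NAT as the script in the comment above and adds the check the last comment asks about. The point to notice in the posted script is that the namespace's default route goes via the host's veth address and the host MASQUERADEs everything from 10.200.200.0/24, so with only those rules in place any traffic from the namespace reaches the host's uplink whenever no tunnel route is active (for instance after openvpn exits). The `FORWARD` rules here let the namespace reach only the VPN endpoint through the host; everything else it sends through the host is dropped until openvpn, running inside the namespace, installs its tunnel routes. The namespace and interface names, the 10.200.200.0/24 subnet, `UPLINK`, `VPN_SERVER`, `VPN_PORT` and `VPN_PROTO` are assumptions (override them via the environment); `VPN_SERVER` has to be an IP address because DNS from the namespace is blocked until the tunnel is up. `DRY_RUN=1` prints the commands instead of executing them, which is also what the `check` subcommand's helpers are tested against.

```bash
#!/usr/bin/env bash
# Added example, not from pekman/openvpn-netns or the thread above. Builds the
# veth-based namespace from the comments and adds a host-side kill switch.
# NS, VETH_*, the subnet, UPLINK and VPN_SERVER are assumed values.
set -eu

NS="${NS:-myvpn}"
VETH_HOST="${VETH_HOST:-vpn0}"
VETH_NS="${VETH_NS:-vpn1}"
HOST_IP="10.200.200.1"
NS_IP="10.200.200.2"
SUBNET="10.200.200.0/24"
UPLINK="${UPLINK:-eth0}"                 # host interface the VPN handshake leaves on (assumed)
VPN_SERVER="${VPN_SERVER:-203.0.113.10}" # assumed placeholder; must be an IP, not a hostname
VPN_PORT="${VPN_PORT:-1194}"
VPN_PROTO="${VPN_PROTO:-udp}"
DRY_RUN="${DRY_RUN:-0}"                  # DRY_RUN=1 prints commands instead of executing them

run() { if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi; }

vpnns_up() {
  run ip netns add "$NS"
  run ip -n "$NS" link set lo up
  run ip link add "$VETH_HOST" type veth peer name "$VETH_NS"
  run ip link set "$VETH_HOST" up
  run ip link set "$VETH_NS" netns "$NS" up
  run ip addr add "$HOST_IP/24" dev "$VETH_HOST"
  run ip -n "$NS" addr add "$NS_IP/24" dev "$VETH_NS"
  run ip -n "$NS" route add default via "$HOST_IP" dev "$VETH_NS"
  run sysctl -q net.ipv4.ip_forward=1
  # Anti-spoofing: packets claiming a 10.200.200.0/24 source may only arrive on the veth.
  run iptables -A INPUT ! -i "$VETH_HOST" -s "$SUBNET" -j DROP
  # Kill switch: through the host, the namespace reaches the VPN endpoint and nothing else.
  run iptables -A FORWARD -i "$VETH_HOST" -d "$VPN_SERVER" -p "$VPN_PROTO" --dport "$VPN_PORT" -j ACCEPT
  run iptables -A FORWARD -o "$VETH_HOST" -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
  run iptables -A FORWARD -i "$VETH_HOST" -j DROP
  run iptables -t nat -A POSTROUTING -s "$SUBNET" -o "$UPLINK" -j MASQUERADE
  # Resolver for the namespace; only reachable once the tunnel carries the traffic.
  run mkdir -p "/etc/netns/$NS"
  run sh -c "printf 'nameserver 8.8.8.8\nnameserver 8.8.4.4\n' > /etc/netns/$NS/resolv.conf"
}

vpnns_down() {
  run iptables -t nat -D POSTROUTING -s "$SUBNET" -o "$UPLINK" -j MASQUERADE || true
  run iptables -D FORWARD -i "$VETH_HOST" -j DROP || true
  run iptables -D FORWARD -o "$VETH_HOST" -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT || true
  run iptables -D FORWARD -i "$VETH_HOST" -d "$VPN_SERVER" -p "$VPN_PROTO" --dport "$VPN_PORT" -j ACCEPT || true
  run iptables -D INPUT ! -i "$VETH_HOST" -s "$SUBNET" -j DROP || true
  run ip link del "$VETH_HOST" || true   # deleting one end of the veth removes its peer too
  run ip netns del "$NS" || true
  run rm -rf "/etc/netns/$NS"
}

# Pull the egress device out of `ip route get` output fed on stdin.
route_dev() { awk '{ for (i = 1; i < NF; i++) if ($i == "dev") { print $(i + 1); exit } }'; }

# Interpret a probe: which device the route picks and whether the ping got through.
# tunnel  = the VPN's tun/tap device carries it
# blocked = it would leave via the veth but the host dropped it (kill switch holding)
# leak    = it left via the veth and was answered, i.e. it went out the host uplink
classify_path() {
  dev="$1"; rc="$2"
  case "$dev" in
    tun*|tap*) echo tunnel ;;
    "$VETH_NS") if [ "$rc" -eq 0 ]; then echo leak; else echo blocked; fi ;;
    *) echo unknown ;;
  esac
}

# Probe a public address from inside the namespace; exit status 1 on a leak.
vpnns_leakcheck() {
  probe="${1:-1.1.1.1}"; rc=0
  dev=$(ip -n "$NS" route get "$probe" 2>/dev/null | route_dev)
  ip netns exec "$NS" ping -c 1 -W 2 "$probe" >/dev/null 2>&1 || rc=$?
  verdict=$(classify_path "${dev:-none}" "$rc")
  echo "$probe via ${dev:-none}: $verdict"
  [ "$verdict" != leak ]
}

case "${1:-}" in
  up)    vpnns_up ;;
  down)  vpnns_down ;;
  check) vpnns_leakcheck "${2:-1.1.1.1}" ;;
esac
```

Run `./vpnns.sh up` as root, start openvpn with `ip netns exec myvpn openvpn --config ...` so its tun device lands in the namespace, then `./vpnns.sh check` before, during and after the tunnel: the expected sequence is `blocked`, `tunnel`, `blocked`. A `leak` verdict means a probe left through the host's uplink, which is exactly what the posted script alone permits once openvpn is gone. The `DRY_RUN=1 ./vpnns.sh up` output is a convenient way to review the rule set before applying it.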