pekman / openvpn-netns

Start OpenVPN connection inside Linux network namespace
The Unlicense

Can't make it work via systemd service #3

Open GentleHoneyLover opened 6 years ago

GentleHoneyLover commented 6 years ago

Thanks for the great script! One question: what is the correct way to run this script via a systemd service (I'm running Ubuntu 16.04)?

When I issue the following command in a terminal, everything works as expected: a namespace is created and the openvpn tunnel runs successfully within it.

```sh
openvpn --ifconfig-noexec --route-noexec --setenv NETNS "vpn-ns" \
  --up /opt/openvpn-netns/openvpn-scripts/netns \
  --route-up /opt/openvpn-netns/openvpn-scripts/netns \
  --down /opt/openvpn-netns/openvpn-scripts/netns \
  --daemon ovpn-de9 --status /run/openvpn/de9.status 10 \
  --cd /etc/openvpn --script-security 2 \
  --config /etc/openvpn/de9.conf --writepid /run/openvpn/de9.pid
```

However, when I try to run the same via a systemd service at boot, the service starts and runs, but when I try to run anything in the namespace I get the following:

```
RTNETLINK answers: Invalid argument
setting the network namespace "vpn-ns" failed: Invalid argument
```

When I do sudo ip netns list I get this:

```
RTNETLINK answers: Invalid argument
RTNETLINK answers: Invalid argument
vpn-ns
```

Here's the systemd service file I'm using (which is a modification of the standard service file that comes with the openvpn package on Ubuntu 16.04):

```ini
[Unit]
Description=OpenVPN connection to %i
Documentation=man:openvpn(8)
Documentation=https://community.openvpn.net/openvpn/wiki/Openvpn23ManPage
Documentation=https://community.openvpn.net/openvpn/wiki/HOWTO
After=network.target

[Service]
RuntimeDirectory=openvpn
PrivateTmp=true
KillMode=mixed
Type=forking
ExecStart=/usr/sbin/openvpn --ifconfig-noexec --route-noexec --setenv NETNS "vpn-ns" --up /opt/openvpn-netns/openvpn-scripts/netns --route-up /opt/openvpn-netns/openvpn-scripts/netns --down /opt/openvpn-netns/openvpn-scripts/netns --daemon ovpn-%i --status /run/openvpn/%i.status 10 --cd /etc/openvpn --script-security 2 --config /etc/openvpn/%i.conf --writepid /run/openvpn/%i.pid
PIDFile=/run/openvpn/%i.pid
ExecReload=/bin/kill -HUP $MAINPID
WorkingDirectory=/etc/openvpn
Restart=on-failure
RestartSec=3
ProtectSystem=yes
LimitNPROC=10
DeviceAllow=/dev/null rw
DeviceAllow=/dev/net/tun rw

[Install]
WantedBy=multi-user.target
```

What am I doing wrong? Your help would be greatly appreciated!

GentleHoneyLover commented 6 years ago

I finally got it to work with the following service file (in my case, netns script was symlinked to /usr/local/sbin/).

```ini
[Unit]
Description=OpenVPN inside network namespace to %i
Documentation=man:openvpn(8)
Documentation=https://community.openvpn.net/openvpn/wiki/Openvpn23ManPage
Documentation=https://community.openvpn.net/openvpn/wiki/HOWTO
After=syslog.target network.target

[Service]
Type=forking
PIDFile=/var/run/openvpn/%i.pid
WorkingDirectory=/etc/openvpn/
ExecStart=/usr/sbin/openvpn --ifconfig-noexec --route-noexec --setenv NETNS vpn-ns --up /usr/local/sbin/netns --route-up /usr/local/sbin/netns --down /usr/loca$
Restart=on-failure
RestartSec=3

[Install]
WantedBy=multi-user.target
```

Now the VPN starts within a network namespace automatically at boot. Then I start the deluge daemon in the namespace (under user "deluge") the following way:

```sh
/sbin/ip netns exec vpn-ns sudo -u deluge /usr/bin/deluged -d
```

My problem is that now I cannot figure out how to connect to the daemon from the deluge webui (previously the daemon was reachable under 127.0.0.1:58846).
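A check for the "Invalid argument" symptom in this thread, added here as an example; it is not part of openvpn-netns or of either comment. The two unit files differ in that the working one dropped `PrivateTmp=true` and `ProtectSystem=yes`. Those directives give the service its own mount namespace, and an `ip netns add` run inside it leaves the host with an ordinary empty file at /run/netns/vpn-ns instead of a bind mount of the namespace, so `setns()` on that file fails with EINVAL. That reading of the cause is my assumption; the script below tests for it directly by checking, for every entry in the netns directory, whether the caller's /proc/self/mountinfo lists that path as an `nsfs` mount. The directory and mountinfo paths are parameters so the check can be run against a constructed layout; the `nsfs` filesystem name and the mountinfo column layout are taken from proc(5).

```shell
#!/bin/sh
# Added example, not code from openvpn-netns: verify that every entry under
# the directory used by 'ip netns' is a real namespace handle (an nsfs bind
# mount) and not a plain empty file.  'ip netns exec' on a plain file fails
# with setns(): Invalid argument, which is the symptom reported above.
set -eu

# Usage: check_netns_handles NETNS_DIR [MOUNTINFO]
# Prints "ok  NAME" or "BAD NAME ..." per entry; returns 1 if any entry is
# not listed as an nsfs mount in MOUNTINFO (default: the caller's own view).
check_netns_handles() {
    dir="$1"
    mountinfo="${2:-/proc/self/mountinfo}"
    bad=0
    for path in "$dir"/*; do
        [ -e "$path" ] || continue   # empty directory: the glob stays literal
        name="${path##*/}"
        # mountinfo (proc(5)): field 5 is the mount point; the filesystem
        # type is the field right after the "-" separator that ends the
        # optional fields, so it has no fixed column.
        if awk -v mp="$path" '
            $5 == mp {
                for (i = 7; i <= NF; i++)
                    if ($i == "-") { if ($(i + 1) == "nsfs") found = 1; break }
            }
            END { exit !found }' "$mountinfo"; then
            echo "ok  $name"
        else
            echo "BAD $name: not an nsfs mount (plain file left by ip netns add in another mount namespace?)"
            bad=1
        fi
    done
    return $bad
}

# Stand-alone run: inspect the live directory on this host, if present.
if [ -d /run/netns ]; then
    check_netns_handles /run/netns || echo "one or more namespace handles are unusable from here" >&2
fi
```

Run it from the host shell (not from inside the service) after the unit has started. A BAD entry means the handle was created in a mount namespace the host cannot see, and `ip netns exec` will keep failing on it until the namespace is created again where the host's mount namespace can see it.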

lebomb44 commented 5 years ago

Hi, see my script: https://github.com/lebomb44/osmc/blob/develop/osmc.txt

I use nginx to route the port to the VPN namespace using a point-to-point internal network.
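The point-to-point approach lebomb44 describes, written out as an added example; this is not code from openvpn-netns, from the thread, or from the linked osmc script. A veth pair gives the VPN namespace a private /30 link to the host, and an nginx `stream` block on the host listens on 127.0.0.1:58846 (the address the webui used before the daemon moved into the namespace) and forwards the TCP stream to the daemon's address inside the namespace. The interface names veth-vpn0/veth-vpn1 and the 10.200.200.0/30 addresses are assumptions. By default the script only prints the `ip` commands it would run; run it as root with `DRY_RUN=0` to apply them.

```shell
#!/bin/sh
# Added example, not code from openvpn-netns or from the thread: connect the
# VPN namespace to the host with a veth pair (a point-to-point internal
# network) and publish a daemon listening inside the namespace on the host's
# 127.0.0.1 through an nginx stream proxy.  Interface names and the
# 10.200.200.0/30 addresses below are assumptions.
set -eu

NS="${NS:-vpn-ns}"                       # namespace name used in the thread
VETH_HOST="${VETH_HOST:-veth-vpn0}"      # host end of the pair (assumed name)
VETH_NS="${VETH_NS:-veth-vpn1}"          # namespace end of the pair (assumed name)
HOST_ADDR="${HOST_ADDR:-10.200.200.1}"   # assumed /30 addresses for the link
NS_ADDR="${NS_ADDR:-10.200.200.2}"
PLEN=30
DAEMON_PORT="${DAEMON_PORT:-58846}"      # deluged RPC port mentioned in the thread
DRY_RUN="${DRY_RUN:-1}"                  # 1: print commands; DRY_RUN=0 as root applies them

# Print the command in dry-run mode, execute it otherwise.
run() {
    if [ "$DRY_RUN" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Create the veth pair, move one end into $NS and address both ends.
# $NS must already exist (the netns hook creates it when the tunnel comes
# up); if the hook removes it on --down, rerun this after the tunnel is back.
setup_veth() {
    if [ "$DRY_RUN" != 1 ] && ip link show "$VETH_HOST" >/dev/null 2>&1; then
        echo "$VETH_HOST already exists, skipping link creation" >&2
        return 0
    fi
    run ip link add "$VETH_HOST" type veth peer name "$VETH_NS"
    run ip link set "$VETH_NS" netns "$NS"
    run ip addr add "$HOST_ADDR/$PLEN" dev "$VETH_HOST"
    run ip link set "$VETH_HOST" up
    run ip netns exec "$NS" ip addr add "$NS_ADDR/$PLEN" dev "$VETH_NS"
    run ip netns exec "$NS" ip link set "$VETH_NS" up
}

# nginx 'stream' block for the host: clients keep using 127.0.0.1:$DAEMON_PORT,
# nginx forwards the raw TCP stream over the veth link into the namespace.
render_nginx_stream() {
    cat <<EOF
stream {
    server {
        listen 127.0.0.1:${DAEMON_PORT};
        proxy_pass ${NS_ADDR}:${DAEMON_PORT};
        proxy_connect_timeout 5s;
    }
}
EOF
}

# Stand-alone run: show (or, with DRY_RUN=0, perform) the link setup, then
# print the nginx snippet to paste into nginx.conf.
setup_veth
render_nginx_stream
```

The daemon inside the namespace must listen on 10.200.200.2 (or on all addresses) rather than only on 127.0.0.1, otherwise nginx's connection over the veth is refused. If it listens on all addresses it is also reachable from the VPN side through the tun interface, so bind it to the veth address or filter the tun interface inside the namespace. The `stream` block goes at the top level of nginx.conf, outside `http { }`, and needs an nginx built with the stream module.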

zackherbert commented 1 month ago

I made a fork with a systemd service with optional failover to other backends.