slingamn / namespaced-openvpn

Wrapper for OpenVPN on Linux solving various privacy issues
MIT License
317 stars 45 forks

Normal behavior that the created tun0 interface is not visible with ifconfig? #17

Closed Denio888 closed 5 years ago

Denio888 commented 5 years ago

I am trying to set firewall protection for unauthorized incoming traffic to tun0, but the tun0 interface doesn't appear in the normal system environment. Is it necessary to set up the firewall specially for the namespace to get it working? I have no real clue how to get this done yet.

mgaulton commented 5 years ago

Do you mean traffic to tun0 from unauthorized machines on your network, or do you mean inbound to the tun0 interface? In that case, what would be unauthorized?

slingamn commented 5 years ago

Sorry I missed this. The new namespace has a completely separate iptables/nftables from the root namespace, so yeah, the behavior you're seeing is expected:

1. The tunnel interface will not be visible in `ip link` and `ip addr` output in the root namespace, only in, e.g., `ip netns exec protected ip addr`

2. Any firewall rules for the protected namespace must be set up independently. You can do this with a `--up` script, as discussed here: [#12 (comment)](https://github.com/slingamn/namespaced-openvpn/issues/12#issuecomment-454880205) (Note that the `--up` script will run in the root namespace; if you want commands to affect the protected namespace, you'll have to prepend them with `ip netns exec protected` or the like.)

mgaulton commented 5 years ago

Hmm, I think I have tunX in root and netspace :( I'll have to verify.

Denio888 commented 5 years ago

> Sorry I missed this. The new namespace has a completely separate iptables/nftables from the root namespace, so yeah, the behavior you're seeing is expected:
>
> 1. The tunnel interface will not be visible in `ip link` and `ip addr` output in the root namespace, only in, e.g., `ip netns exec protected ip addr`
>
> 2. Any firewall rules for the protected namespace must be set up independently. You can do this with a `--up` script, as discussed here: [#12 (comment)](https://github.com/slingamn/namespaced-openvpn/issues/12#issuecomment-454880205) (Note that the `--up` script will run in the root namespace; if you want commands to affect the protected namespace, you'll have to prepend them with `ip netns exec protected` or the like.)

Thanks a lot, it is working this way. Blocked all unauthorized incoming traffic to tun0. Now it is a real secure vpn solution, even when you don't trust the vpn network you are connected to completely.

slingamn commented 5 years ago

This concern came up before, so I added a note about firewalling with `--up` to the readme. Thanks!
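
The setup discussed in this thread, as an added example that is not part of the original issue or the project's own code: an `--up` script that runs in the root namespace and installs inbound rules inside the `protected` namespace by prefixing every command with `ip netns exec`. It assumes the namespace name `protected` from the thread and that OpenVPN's usual script environment (`dev`, `script_type`) reaches the script unchanged; the rule set itself is one possible policy, not the one the poster used.

```shell
#!/bin/sh
# Added example (not from the project): firewall --up script for the VPN namespace.
# Assumptions: namespace is named "protected" as in the thread; OpenVPN's usual
# script environment ($dev, $script_type) reaches this script unchanged.
NETNS="${NETNS:-protected}"
TUN_DEV="${dev:-tun0}"

# Run a command, or only print it when DRY_RUN is set.
run() {
    if [ -n "${DRY_RUN:-}" ]; then echo "$*"; else "$@"; fi
}

# Install an INPUT policy inside the namespace: loopback and replies to
# connections opened from inside are accepted, everything else arriving on the
# tunnel is dropped. Every command carries the "ip netns exec" prefix because
# the script itself runs in the root namespace, whose tables are separate.
apply_rules() {
    for fw in iptables ip6tables; do
        for rule in \
            "-F INPUT" \
            "-A INPUT -i lo -j ACCEPT" \
            "-A INPUT -i $TUN_DEV -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT" \
            "-A INPUT -i $TUN_DEV -j DROP"
        do
            # $rule is left unquoted on purpose so it splits into arguments.
            run ip netns exec "$NETNS" "$fw" $rule || return 1
        done
    done
}

# Show what is loaded in the namespace (the root namespace will not list it).
show_rules() {
    run ip netns exec "$NETNS" iptables -S INPUT
}

case "${script_type:-}" in
    up) apply_rules || exit 1 ;;      # called by OpenVPN: apply, fail if a rule fails
    *)  DRY_RUN=1; apply_rules ;;     # run by hand: print the commands only
esac
```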