Add support for DNS caching in network namespace

[chros73]

Add support for dns-caching in network namespace:

• use dnsmasq if it's available
  • no need for command line switches for this, set it up automatically if it's installed
• add nameserver 127.0.0.1 as the first entry in resolv.conf of network namespace
• run dnsmasq in network namespace if everything is set up with the following arguments:

  ip netns exec protected /usr/sbin/dnsmasq --bind-interfaces --listen-address=127.0.1.1 --cache-size=500 --proxy-dnssec --pid-file=/var/run/netns/dnsmasq.pid

Notes:

• I couldn't try the script itself out yet (only manually applied the above changes), but you get the idea what it's all about :)

PS: I'd like to thank You for this repo and your detailed write up about the possible issues. I have spent the last couple of weeks to read and experiment about these. I came across lot of possible solutions (old user based + ipfilter solution, chgroups + ipfilter, namespace + ipfilter, etc.), but none of them was so clean and straightforward as yours. Thank You!

[slingamn]

Thank you very much for the kind words and the contribution!

Unfortunately, I don't think this change fits well with the project goals. Some notes:

1. The intent is for namespaced-openvpn to be as close as possible to a drop-in replacement for openvpn. This doesn't really align with that.
2. Varying the behavior at runtime depending on whether dnsmasq is present doesn't seem explicit enough.
3. This functionality doesn't require code support, since it can be achieved by adding the dnsmasq command line as an up or route-up scripting directive (either on the namespaced-openvpn command line, or in the config file). (The PID file path should probably include the name of the network namespace; otherwise, it won't be possible to enable dnsmasq in multiple namespaces.)

[chros73]

Sorry for the late reply, I've been busy, e.g. with FastPath implementation for Lede :)

Unfortunately, I don't think this change fits well with the project goals.

:) No worries, feel free to close this pull request. We can still talk about it.

The intent is for namespaced-openvpn to be as close as possible to a drop-in replacement for openvpn.

I understand this. What about creating a "plugin" system for these, e.g. in the form of external scripts in a plugin forlder? I don't like the idea of modifying the ovpn config.

Only these popped in my mind for now:

• dns cache
• firewall script

Varying the behavior at runtime depending on whether dnsmasq is present doesn't seem explicit enough.

Agreed, I just wanted to let you know what I want to achieve.

The PID file path should probably include the name of the network namespace; otherwise, it won't be possible to enable dnsmasq in multiple namespaces.

Good point.

PS: I saw that you also forked rtorrent/libtorrent projects. If you are still interested, you can take a look at my rtorrent-ps fork.

[slingamn]

I do like the idea of a "plugins" or "recipes" directory. Would the invocation look something like this?

sudo namespaced-openvpn --config ./config --route-up /path/to/manage-dnsmasq --down /path/to/manage-dnsmasq

A couple of implementation notes:

1. ip netns identify can be used to get the name of the current network namespace
2. openvpn sets the script_type environment variable when spawning user scripts (e.g., to route_up or down), which helps when using the same script to perform multiple actions

[chros73]

Sorry for the late reply (again), I'm still struggling with other issues.

I do like the idea of a "plugins" or "recipes" directory

:) I'm glad to hear it!

Would the invocation look something like this?

Well, can be, but it would be more generic if a directory could be set for up and an other one for down that include all the scripts that the user want to fire up. As I mentioned, currently I have 2 in my mind:

• dnsmasq (just for simple dns cache)
• iptlables script (block any incoming connection by default, and allow to set ports to be opened)

On second thought:

• since your way is to create a network namespace that it's there all the time (it doesn't depend on up/down state of vpn):
  • then the plugin scripts have to be run upon creation/removal of the namespace (this suppose that multiple vpn connections have their own namespaces)