Configure VPN to use a separate namespace (Linux)

[Guest voila]

I'd like to share the configuration which I use with VPN in order discuss and for others to use.

The idea is to launch apps which should use VPN inside a separate network namespace.

Other apps will run inside the default network namespace and use the default direct connection without VPN.

 

Linux network namespaces enable you to configure a container with separate set of network interfaces with separate routing table, separate firewall rules and separate resolv.conf. Only processes which are inside the namespace will be able to access and use all that.

 

You should compile network namespace support in your kernel and the support the "veth" network device.

veth is a pair of virtual devices. They operate this way: data that comes into one, comes out from another and vice versa. We use them to link namespaces together because your eth0 can only exist in one namespace.

 

I am running:

OS: Gentoo

init system: systemd

network managent tool: netctl (from Arch Linux, available in Gentoo)

 

You would have to adapt your configuration if you're using anything else. It should be easy.

 

GENERAL OVERVIEW.

 

Default namespace contains these interface: lo lan0 veth1 br0

Additional namespace contains: lo veth0 tun0

 

lan0 is my physical net interface (you could think of that as eth0).

Kernel links veth0 to veth1.

br0 bridges lan0 and veth1 together.

tun0 is the VPN tunnel through veth0.

I called my additional namespace "vpn".

 

This way processes from both namespaces can communicate with my LAN.

Processes from the default namespace communicate this way: (br0) -> lan0.

 

Processes from "vpn" namespace communicate this way.

In case of a LAN connection: veth0 -> veth1 -> (br0) -> lan0

In general case: tun0 -> veth0 -> veth1 -> (br0) -> lan0

 

STEP 1. Startup script.

 

Create a startup script which takes care of creating veth0/veth1 pair for you.

It also creates the vpn namespace.

In my case it is a systemd unit which runs before netctl:

 

[unit]

Description=Custom network namespace

Before=netctl@bridge.service network.target

Wants=network.target

 

[service]

Type=oneshot

RemainAfterExit=1

ExecStart=/bin/ip netns add vpn

ExecStart=/bin/ip link add type veth

ExecStart=/bin/ip link set veth0 address 16:7c:e1:06:53:dd

ExecStart=/bin/ip link set veth1 address f6:7c:e1:06:53:dd

ExecStart=/bin/ip link set veth0 netns vpn

ExecStart=/bin/ip link set veth1 up

 

ExecStop=/bin/ip netns delete vpn

 

[install]

WantedBy=multi-user.target

 

You can see that I am assigning MAC addresses here manually. The point is how br0 gets its MAC address. I want lan0's MAC higher than veth1's MAC in order for br0 to use lan0's MAC and for MAC-based DHCP server not to misbehave on my router.

If br0 gets veth1's MAC, the machine will get a different IP address in comparison to what it gets without a bridge.

 

STEP 2. resolv.conf

 

After you run the script or reboot, you have to setup resolv.conf for the namespace.

Look for it in /etc/netns/vpn/resolv.conf.

For airvpn it should contain "nameserver 10.4.0.1" line.

For a shell running in "vpn" namespace, /etc/netns/vpn/resolv.conf will be automatically bound to /etc/resolv.conf.

 

STEP 3. Bridge interface.

 

Setup the bridge interface.

In my case it is a netctl profile in /etc/netctl/bridge:

 

Description="bridge connection"

Interface=br0

Connection=bridge

BindsToInterfaces=(lan0 veth1)

IP=dhcp

TimeoutDHCP=15

 

STEP 4. Running openvpn in the namespace.

 

Reboot and check that br0 is up.

 

Create a helper script /usr/local/bin/ns_enter:

#!/bin/bash

ifconfig lo up

ifconfig veth0 up

ip route flush table main

ip add flush dev veth0

ip add add 192.168.1.100/24 dev veth0

ip route add default via 192.168.1.1 metric 10

iptables -F OUTPUT

iptables -A OUTPUT -d 95.211.138.7 -j ACCEPT

iptables -A OUTPUT -d 192.168.1.0/24 -j ACCEPT

iptables -A OUTPUT -o tun0 -j ACCEPT

iptables -P OUTPUT DROP

 

Note that you have to specify the IP address and gateway for your LAN.

 

Now you enter the namespace this way:

 

sudo ip netns exec vpn /usr/local/bin/ns_enter

sudo ip netns exec vpn su - <your_username>

 

95.211.138.7 is the VPN server.

This rules allow all local traffic (192.168.1.0/24) and all traffic through VPN.

Note that you cannot put hostname instead of 95.211.138.7 in your .ovpn file because openvpn wouldn't be able to resolve it.

 

Check that the shell has access to exactly 2 interfaces: lo, veth0 (run ifconfig for that).

Now launch openvpn:

sudo openvpn --config /etc/openvpn/airvpn.ovpn --daemon

 

You should see the 3rd interface (tun0) appear soon. Ready to roll. You can launch apps in background from the shell.

 

The only serious problem I've encountered is that you can't runs apps which need dbus connections this way. I haven't figured out how to fix that yet. Setting the envitonment variable didn't help. Does anyone know why?

[b49015 0]

hi ,

i have made all the set up . i am using virtualbox in i create a namespace blue

and configure a bridge br0 with an ip address. every thing is going well but,

when i do

ping google.com

 

its going well but

 

 

when i doing

ip netns exec netns blue ping google.com

 

unknown host error

but

ip netns exec netns blue ping 8.8.8.8

also working

 

help me to resolve it thanks

[mblue 4]

The Arch wiki also shows how to setup this in a more modern article: https://wiki.archlinux.org/index.php/Linux_Containers