
namespaced-openvpn's People

Contributors

e00e, eklitzke, slingamn, vmsh0


namespaced-openvpn's Issues

namespace using DNS from /etc/resolv.conf, not from /etc/netns/protected/resolv.conf

@slingamn @chros73
I start sudo $HOME/git/namespaced-openvpn/namespaced-openvpn --config $HOME/Documents/vpn/ccrypto-fr-udp.ovpn

My openvpn .conf file:

verb 4
client
tls-client
script-security 2
remote-cert-tls server
dev tun
nobind
persist-key
persist-tun
comp-lzo yes

remote gw.fr.204vpn.net 1196 udp

auth-user-pass

redirect-gateway def1
tun-ipv6
route-ipv6 2000::/3

up /etc/openvpn/update-resolv-conf
down /etc/openvpn/update-resolv-conf
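The mechanism behind this issue: `ip netns exec NAME ...` bind-mounts /etc/netns/NAME/resolv.conf over /etc/resolv.conf for the command it starts, so a resolver written under /etc/netns/protected/ is visible only inside that namespace, whereas an up script such as update-resolv-conf updates the global resolver configuration. The following is an added example, not namespaced-openvpn's own code, of an OpenVPN --up style handler that takes the pushed dhcp-option values (OpenVPN exports them as foreign_option_N environment variables) and renders a resolv.conf for the namespace. The sample environment is constructed (modelled on the dhcp-option DNS lines in the log quoted further down this page), the etc_root parameter is a hypothetical hook for testing against a scratch directory, and the namespace name "protected" is the script's default as used throughout these issues.

```python
#!/usr/bin/env python3
"""Per-namespace resolver configuration for an OpenVPN tunnel living in a
network namespace.  Added example, not namespaced-openvpn's own code.

`ip netns exec NAME ...` bind-mounts /etc/netns/NAME/resolv.conf over
/etc/resolv.conf for the command it starts, so writing pushed DNS servers
there (instead of to the global file) keeps them scoped to the namespace.
"""
import ipaddress
import os
import re
from pathlib import Path

# OpenVPN hands every pushed "dhcp-option" to --up/--route-up scripts as
# environment variables foreign_option_1, foreign_option_2, ...
_FOREIGN_OPTION = re.compile(r"^foreign_option_(\d+)$")

# Constructed sample environment, modelled on the "dhcp-option DNS ..." lines in
# the OpenVPN log quoted on this page (the DOMAIN and bogus entries are invented).
SAMPLE_ENV = {
    "dev": "tun0",
    "foreign_option_1": "dhcp-option DNS 9.9.9.9",
    "foreign_option_2": "dhcp-option DNS 209.222.18.222",
    "foreign_option_3": "dhcp-option DOMAIN corp.example",
    "foreign_option_4": "dhcp-option DNS 209.222.18.218",
    "foreign_option_5": "dhcp-option DNS not-an-address",  # rejected
    "foreign_option_6": "dhcp-option DNS 9.9.9.9",         # duplicate, ignored
}


def _is_ip_literal(text):
    try:
        ipaddress.ip_address(text)
        return True
    except ValueError:
        return False


def resolvers_from_env(env):
    """Return (nameservers, search_domains) in the order the server pushed them.

    Only IP literals are accepted as nameservers: a hostname cannot be used to
    bootstrap resolution, and a malformed value from a misbehaving server is
    simply dropped rather than written into resolv.conf.
    """
    indexed = []
    for key, value in env.items():
        match = _FOREIGN_OPTION.match(key)
        if match:
            indexed.append((int(match.group(1)), value))

    nameservers, domains = [], []
    for _, value in sorted(indexed):
        parts = value.split()
        if len(parts) != 3 or parts[0] != "dhcp-option":
            continue
        kind, arg = parts[1].upper(), parts[2]
        if kind == "DNS" and _is_ip_literal(arg) and arg not in nameservers:
            nameservers.append(arg)
        elif kind in ("DOMAIN", "DOMAIN-SEARCH") and arg not in domains:
            domains.append(arg)
    return nameservers, domains


def render_resolv_conf(namespace, nameservers, domains):
    """Build the resolv.conf text; glibc honours at most three nameservers."""
    lines = [
        f"# Resolver configuration for network namespace '{namespace}'.",
        "# Bind-mounted over /etc/resolv.conf by 'ip netns exec'; generated, do not edit.",
    ]
    if domains:
        lines.append("search " + " ".join(domains))
    lines.extend(f"nameserver {ns}" for ns in nameservers[:3])
    return "\n".join(lines) + "\n"


def write_namespace_resolv_conf(namespace, env, etc_root="/etc"):
    """Write the file under <etc_root>/netns/<namespace>/ and return its path.

    etc_root is a hypothetical parameter so the function can be exercised
    against a scratch directory; in production it stays at /etc.
    """
    nameservers, domains = resolvers_from_env(env)
    target = Path(etc_root) / "netns" / namespace / "resolv.conf"
    target.parent.mkdir(parents=True, exist_ok=True)
    target.write_text(render_resolv_conf(namespace, nameservers, domains))
    return target


if __name__ == "__main__":
    # As an OpenVPN --up script this would use os.environ; here the constructed
    # sample is rendered so the block runs without a tunnel or root privileges.
    env = os.environ if "foreign_option_1" in os.environ else SAMPLE_ENV
    ns_servers, ns_domains = resolvers_from_env(env)
    print(render_resolv_conf("protected", ns_servers, ns_domains), end="")
```

Two caveats worth keeping in mind: the bind mount is set up only for processes started through `ip netns exec`, so anything entering the namespace by another route (for example nsenter) still reads the global /etc/resolv.conf; and on systems where /etc/resolv.conf points at the systemd-resolved stub on 127.0.0.53 (see the Fedora 33 and resolvconf issues below), that stub is not reachable from inside the namespace, so the per-namespace file must list real resolver addresses.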

Suggestion: Allow multiple OVPNs for fallback in case one is unconnectable

Thanks for this great script. Sometimes one of my VPN servers becomes non-connectable. It would be great if the script allowed a series of OVPNs to be input so if the first fails after several reconnect attempts, it falls back to the second, and so on. Could even repeat in a round robin fashion.

How to include authentication?

Script works awesome, but I cannot add authentication to the .ovpn file.
auth-user-pass auth.txt --> auth.txt is in the same directory as namespaced-openvpn.

root@DietPi:~# /root/OpenVPN/namespaced-openvpn --config /root/OpenVPN/frankfurt_-_1_udp.ovpn
Wed Apr 25 21:30:53 2018 WARNING: cannot stat file 'auth.txt': No such file or directory (errno=2)

got it to work - included full path to 'auth.txt' in the .ovpn file

Idea about using the namespace with an access point

Hello @slingamn

Thanks for your script with the namespace VPN, it's really helpful.

I wanted your thoughts, from a security point of view, on my idea, which is working but is not really easy to set up right now.
The idea is to have a wifi interface as an access point in the namespace so that all the connected devices would directly benefit from a secure VPN setup.

  1. Moving the wifi interface in the namespace
  2. Forward all the packets on the wifi interface to the vpn interface

I think it stays pretty "safe" because the access point can only be used for connecting to the wifi and not for going on the internet, but I want your thoughts about it.

Cheers.

Tracking: integrate with usage of nss-resolve

Fedora 33 released and now uses systemd-resolved for its DNS lookups from glibc's level. This means that the resolv.conf approach is not as useful anymore. I have modified /etc/nsswitch.conf to avoid nss-resolve for now, but this is not a long-term solution. I've started a discussion on Ask Fedora, but would like to let developers here be aware of it in case there's something that can be done here too.

I suspect we'll need something from systemd to support network namespaces better, but I don't know.

Access a single port in the root namespace from inside namespace

Hey, I've run into something interesting where I have a tool that needs access to both the service inside and a different service outside of the namespace. I've exposed the namespace service ports IN the root namespace, so I need to be launching the processes external to the namespace, from inside.

App launches external process that checks files and communicates status of download to both the App and the App in the root namespace. Currently, App in the root namespace is invisible. I've attempted to find a socat config to expose just that one port, but am not having luck.

I'm using a socat config to expose the namespace ports to the root namespace for the control interfaces.

I can't find if there's a way to launch an external process in a different namespace from inside the namespace. ip netns only lists the vpn namespace as available.

ip netns exec - where - is a reference to the root namespace.

any thoughts?

Pass other command-line openvpn args possible?

Is it possible to pass other command-line openvpn args with the namespaced-openvpn script?
I see namespaced-openvpn takes this argument: --config.

Is it possible to pass other openvpn arguments from the client.ovpn file directly to namespaced-openvpn?
Like this: namespaced-openvpn --config vpn.ovpn --(other openvpn argument like --proto udp)
So I don't have to edit each .ovpn file and change these values.

DNS appears to be broken in root namespace

Hey, there! When I'm using namespaced-openvpn, it seems like it breaks my DNS configuration outside of the protected namespace. ping 8.8.8.8 works fine, but nslookup google.com hangs (so does dig and curl when a hostname is specified). All networking inside of the protected namespace appears to work as I expect, and is correctly routed through my VPN. I'm running Arch Linux, kernel 5.17.5-arch1-1.

Is this an unfortunate side effect of namespaced-openvpn, or a bug? Thank you for taking the time to look at this!

Using --up script (with root commands) forces user to retype sudo password

When the openvpn process reconnects, it successfully restarts and reruns the --up command (which requires root), then it forces the user to retype the sudo password to execute the --up script and complete the reconnect. The goal is to avoid the retyping of the sudo password.

This problem could be reproduced with this simple upscript command for ufw or iptables:
ufw command: (just enables the firewall in the namespace with default rules)
sudo ip netns exec protected sudo -u [USER] sudo ufw enable
iptables command: (just shows the firewall rules in the namespace)
sudo ip netns exec protected sudo -u [USER] sudo iptables -L

I am not exactly sure which of the 3x sudo commands in the line forces the user to retype the password.

document / provide an example systemd unit file

Continued from #14. We should have an example of a systemd unit file that can be used in a dependency chain. My guess is that Type=forking together with openvpn's --daemon argument is the best strategy.

Bittorrent through namespaced-openvpn

Bittorrent applications (tried Deluge and qBitTorrent), when run inside the protected namespace, won't be able to connect to trackers, with the error: no route to host.

Interestingly they can still connect to DHT, and find peers and download (slowly), but just can't connect to tracker.

I "fixed" it by changing the default route to go via the vpn gateway.

> ip route show
default via 10.8.2.1 dev tun0 
10.8.2.1 dev tun0 proto kernel scope link src 10.8.2.11 

So far it seems to work, but there probably is a reason this was not the default, and I don't know enough about networking to know what protections this change will break (or maybe this change is fine?).

Any help with properly fixing bittorrent tracker issue would be greatly appreciated :)

Split hosted services from tunnel

So I mentioned this before about hosting http/s and ssh on the host machine while running the tunnel inside the namespace.
I am still getting martians when I attempt this, so my router is forwarding the traffic but the kernel isn't handling it.
What should the routes look like in the root namespace when the tunnel is established?

I think the 0.0.0.0/1 and 128.0.0.0/1 routes are the problem.

Is it intentional for the root namespace to become inaccessible?

I run

sudo ./namespaced-openvpn --config ~/config.ovpn

default namespace, nothing special.

Pings in the default namespace now time out, and outside connections cannot connect.
Pings in the private namespace do work, and curl-ing an IP checker shows the VPN IP.
Outside of namespaced-openvpn, internet and openvpn work as expected.

The readme says that namespaced-openvpn can be used for "running some processes inside a VPN and some outside it".

My personal goal would be to only run the vpn in said namespace and not have a vpn connection otherwise. I wish to have a publicly facing server, and occasionally run e.g. curl/wget etc through a vpn.

I kind of expected my root namespace to remain accessible - is it supposed to be? Can I achieve what I wish through this, or is namespaced-openvpn maybe not the right tool for my use case?

Namespace DNS resolver is pushed to the global resolver configuration

I seem to be experiencing the opposite of issue #7. In my case, when the VPN is not active, the contents of /etc/resolv.conf are:

# Dynamic resolv.conf(5) file for glibc resolver(3) generated by resolvconf(8)
#     DO NOT EDIT THIS FILE BY HAND -- YOUR CHANGES WILL BE OVERWRITTEN
# 127.0.0.53 is the systemd-resolved stub resolver.
# run "systemd-resolve --status" to see details about the actual nameservers.

nameserver 127.0.0.53

However, whenever I start the VPN ( namespaced-openvpn --namespace vpn --writepid foo.pid --log bar.log --daemon --config foobar.ovpn --daemon), the server pushes its DNS server and somehow it ends up prepended to /etc/resolv.conf:

# Dynamic resolv.conf(5) file for glibc resolver(3) generated by resolvconf(8)
#     DO NOT EDIT THIS FILE BY HAND -- YOUR CHANGES WILL BE OVERWRITTEN
# 127.0.0.53 is the systemd-resolved stub resolver.
# run "systemd-resolve --status" to see details about the actual nameservers.

nameserver 1.2.3.4
nameserver 127.0.0.53

The line nameserver 1.2.3.4 is the only contents of /etc/netns/vpn/resolv.conf. When I kill the OpenVPN process, /etc/resolv.conf reverts to its original contents. What am I doing wrong?

Connection lost after hibernation/standby

After waking up my system from either hibernation or standby, all processes started using sudo ip netns exec protected sudo -u $USER <command> lose their connection. Restarting them inside the namespaced shell doesn't work, however, after closing and re-opening the shell everything works just fine.

Steps to reproduce

  1. Start namespaced-openvpn
  2. Start a bash shell in the protected namespace: sudo ip netns exec protected sudo -u $USER bash
  3. Run any command that requires an internet connection in the bash shell (e.g. a web browser). It should work just fine and route through the vpn.
  4. Put the system in standby or hibernation. Do not exit the shell from (2).
  5. Wake up, try any command that requires internet again. No connection.
  6. Exit the namespaced bash shell and reopen it using the command in (2)
  7. Connection in that shell works just fine now...

Steps to mitigate this

None I found so far, any help is appreciated.

Additional info

My system log shows that the VPN reconnects successfully after waking up, although on a different device number (e.g. in ip addr inside the namespace I get 4: tun0 ... after waking up while it's 3: tun0 ... before). Maybe that's related?

I run Manjaro Linux (Arch-based) on kernel 5.10.

Is it possible to skip the VPN for the local network?

Hi, I'm loving namespaced-openvpn. It's ridiculously easy to set up and use.

However, I've noticed that traffic to the local network is being routed through the VPN. Is there a way to avoid the VPN for IPs on my local network (e.g. 192.168.1.x), and just use the direct connection instead?

I've noticed that using openvpn appears to automatically do this on my system. i.e. the first command will skip the VPN for local addresses, but the second will not.

# openvpn --config foo.conf
# namespaced-openvpn  --config foo.conf

No connectivity in protected namespace as unprivileged

I have successfully used namespaced-openvpn for a year or two, but now after having upgraded to the latest testing version of Debian I am experiencing problems running unprivileged applications with it.

I have installed namespaced-openvpn in /usr/local/sbin (-rwxr-xr-x root).

Once the namespace is set up (sudo namespaced-openvpn --config ./my_openvpn_config_file), if I run ping in the protected namespace as root:
sudo ip netns exec protected ping -w 3 www.google.com
then all is fine.

But, if I run ping in the protected namespace as user:
sudo ip netns exec protected sudo -u $USER ping -w 3 www.google.com
then I have no connection and get 'ping: www.google.com: Name or service not known'.

I have no connectivity running all other applications in the protected namespace unprivileged - apart from, for some reason, Tor.

Unfortunately, I don't have a great deal of expertise in this area and haven't been able to find the cause, and so any pointers would be gratefully received.

protected namespace inherits a default iptables config that is wide open

Hi

Thanks for writing this and for all the notes. I've integrated it into my script to connect to my VPN provider. It works really well.

Is there some way to automate the loading of my custom firewall script and overwrite the default one the protected name-space inherits?

At the moment I pull the ethernet cable out while openvpn is trying to connect, check the iptables rules... sometimes they have reverted to the wide-open default, other times they haven't... and if necessary flush the rules, and read my custom rules back in. After that it's fine. It only seems to happen when I open the first namespace. From then on it's fine.

But otherwise this works very well. As far as I am able to tell.
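Netfilter tables are per network namespace, so a ruleset loaded with `ip netns exec protected nft -f protected.nft` applies only inside the protected namespace and leaves the root namespace's firewall untouched. The default-deny ruleset below is an added example, not part of namespaced-openvpn, of the kind of custom rules the post asks about: nothing may leave the namespace except over the tunnel device and loopback. It assumes the tunnel device inside the namespace is tun0 and that nftables is installed. The rules match on `oifname`/`iifname` (device name) rather than `oif`/`iif` (device index) on purpose: as the hibernation issue further down this page shows, tun0 is recreated with a new index on reconnect, and index-based rules would either fail to load before the device exists or stop matching after it is recreated.

```nft
#!/usr/sbin/nft -f
# Added example ruleset for the VPN namespace (not part of namespaced-openvpn).
# Assumes the tunnel device inside the namespace is named tun0.
# Load with:   sudo ip netns exec protected nft -f protected.nft
# Inspect with: sudo ip netns exec protected nft list ruleset

# Only flushes the ruleset of the namespace nft is executed in.
flush ruleset

table inet vpn_only {
    chain input {
        type filter hook input priority 0; policy drop;
        iifname "lo" accept
        ct state invalid drop
        # Replies to connections we opened through the tunnel.
        ct state established,related accept
        # Unsolicited inbound traffic on tun0 or any other device: dropped by policy.
    }

    chain forward {
        # This namespace does not route for anyone else.
        type filter hook forward priority 0; policy drop;
    }

    chain output {
        type filter hook output priority 0; policy drop;
        oifname "lo" accept
        # Everything leaving the namespace must go through the tunnel; a veth
        # or other device that appears later gets no egress unless added here.
        oifname "tun0" accept
    }
}
```

Because the output policy is drop, a DNS query inside the namespace can only succeed over tun0, which also makes a wrong per-namespace resolv.conf (one pointing at a LAN or loopback resolver) fail loudly instead of leaking the query. The rules are attached to the namespace, not to the devices, so they survive tun0 being torn down and recreated; what they do not survive is the namespace itself being deleted and recreated, which is why loading them belongs in the same wrapper that starts namespaced-openvpn, before any application is launched inside the namespace.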

Approach and ideas to reduce the amount of console windows...

For some time I have been trying to reduce the number of open console windows.
But only sudo -E in a console seems to work. So each GUI app has an additional console window open.

My plan is to start GUI apps without additional console window.
With lots of started GUI apps you have just as many open console windows and you lose count of them.

Sadly gksu did not work although there is an option to preserve environment variables like sudo -E.

I tried pkexec together with sudo -E, but it is only working with rudimentary GUI apps which work without preserving environment variables.

Has anyone other approaches to get a double sudo -E working with graphical authentication without a console window?

I thought about hiding annoying console windows, but it seems even that is not possible in an easy practical way.

how would i start a docker container in the protected namespace?

Hi,
I love 'namespaced-openvpn' - it works like a charm. I can run any daemon or program inside the protected namespace and it tunnels through the VPN. I switched to using docker containers lately and want to run a docker container in the protected namespace. Can you point me in the right direction?

Thanks in advance.

Connecting to a server in the namespace from outside the namespace

I'd like to run transmission-daemon in the openvpn protected namespace, and be able to access its web UI (on port 9091) directly from my LAN. I thought I should be able to access it over the loopback device on localhost, and use ssh port forwarding to access it from other machines. It's not working though. The connection is always refused, even if I try from localhost. I also tried running a simple python http server in the protected namespace, and that port is refused too, so the problem seems to be that the namespace's lo is isolated from the rest of the system. Any ideas?

How to run snap-apps in namespaced-openvpn?

Hey, does anyone know a solution for how to run snap apps inside namespaced-openvpn's namespace?
It would be great to find a solution for that.
These are the first kind of apps I found which are not running with this script by default.

setting the network namespace "protected" failed

Hi there,

I'm using Ubuntu 19.10, Python 3.7.5

$ sudo ./namespaced-openvpn --config ../vpn-config/openvpn.ovpn
setting the network namespace "protected" failed: Invalid argument
Traceback (most recent call last):
  File "./namespaced-openvpn", line 398, in <module>
    sys.exit(main())
  File "./namespaced-openvpn", line 377, in main
    setup_namespace(args.namespace)
  File "./namespaced-openvpn", line 66, in setup_namespace
    adapters = _adapter_names(namespace)
  File "./namespaced-openvpn", line 56, in _adapter_names
    output = subprocess.check_output(cmd)
  File "/usr/lib/python3.7/subprocess.py", line 411, in check_output
    **kwargs).stdout
  File "/usr/lib/python3.7/subprocess.py", line 512, in run
    output=stdout, stderr=stderr)
subprocess.CalledProcessError: Command '['/sbin/ip', 'netns', 'exec', 'protected', '/sbin/ip', 'link', 'show']' returned non-zero exit status 255.

Tell me if you want any specific command outputs!

Support of tap mode?

I encounter a problem when trying to run namespaced-openvpn with dev tap.

When I run dev tun, it works just fine. Can you add support for tap mode?

Traceback (most recent call last):
  File "/root/namespaced-openvpn/namespaced-openvpn", line 399, in <module>
    sys.exit(main())
  File "/root/namespaced-openvpn/namespaced-openvpn", line 370, in main
    return route_up(sys.argv[1:])
  File "/root/namespaced-openvpn/namespaced-openvpn", line 186, in route_up
    have_ipv4 = assert_all_or_none(
  File "/root/namespaced-openvpn/namespaced-openvpn", line 163, in assert_all_or_none
    raise ValueError(message, *variables)
ValueError: ('Bad ipv4 options pushed from server', '10.0.1.1', None)

openconnect flavour?

Long-time lover of this script, but for work I want to be able to do the same idea with openconnect, which supports AnyConnect protocols.
Any suggestions on where to mod / perhaps you've considered this?

Hangs after "Initialization Sequence Completed"

I'm running sudo ~/git/namespaced-openvpn/namespaced-openvpn --config my.conf

It goes through all the expected startup actions, gets to "Initialization Sequence Completed" and then.... nothing! I left it for a couple of minutes, but nothing happened.

Is there any way to debug this?

Sat Aug 22 15:12:20 2020 OpenVPN 2.4.7 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on May 27 2020
Sat Aug 22 15:12:20 2020 library versions: OpenSSL 1.1.1c  28 May 2019, LZO 2.10
Sat Aug 22 15:12:20 2020 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Sat Aug 22 15:12:20 2020 TCP/UDP: Preserving recently used remote address: [AF_INET]123.456.789.000:1198
Sat Aug 22 15:12:20 2020 UDP link local: (not bound)
Sat Aug 22 15:12:20 2020 UDP link remote: [AF_INET]123.456.789.000:1198
Sat Aug 22 15:13:20 2020 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Sat Aug 22 15:13:20 2020 TLS Error: TLS handshake failed
Sat Aug 22 15:13:20 2020 SIGUSR1[soft,tls-error] received, process restarting
Sat Aug 22 15:13:25 2020 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Sat Aug 22 15:13:25 2020 TCP/UDP: Preserving recently used remote address: [AF_INET]123.456.789.000:1198
Sat Aug 22 15:13:25 2020 UDP link local: (not bound)
Sat Aug 22 15:13:25 2020 UDP link remote: [AF_INET]123.456.789.000:1198
Sat Aug 22 15:13:25 2020 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
Sat Aug 22 15:13:25 2020 [abc123] Peer Connection Initiated with [AF_INET]123.456.789.000:1198
Sat Aug 22 15:13:26 2020 TUN/TAP device tun0 opened
Sat Aug 22 15:13:26 2020 /etc/openvpn/update-resolv-conf tun0 1500 1558 10.62.15.6 10.62.15.5 init
dhcp-option DNS 9.9.9.9
dhcp-option DNS 209.222.18.222
dhcp-option DNS 209.222.18.218
Sat Aug 22 15:13:26 2020 Initialization Sequence Completed

(Redacted for privacy)

Service Dependencies

Hey There,
I'm using a different method and looking at switching to your project, as I was hoping it would skip the need for bridged interfaces that my current method uses.
I'm hoping that if I put the tun interface into the namespace, the rest of the system can live without the restriction of not being able to host services; is this the case?
I'm trying to set it up so that this MUST be running as a service before other services (i.e. torrent) are launched.
This is the current method I'm using:
https://gist.github.com/JimboMonkey1234/1dfed632f6a45bb5f06bbb1c7eef770d

namespaced-openvpn argument issue?

Hi, it seems there is a little bug inside the namespaced-openvpn script.
It concerns this section:

namespaced-openvpn can also be used to "stack" VPN tunnels, e.g.,
sudo namespaced-openvpn --namespace level1 --config ./config1
sudo ip netns exec level1 namespaced-openvpn --namespace level2 --config ./config2

I get this error:
Options error: Unrecognized option or missing or extra parameter(s) in [CMD-LINE]:1: config (2.4.4)
Use --help for more information.

I think the script tries to pass the --namespace argument to openvpn, instead of using it in the namespaced-openvpn script.
2.4.4 is my openvpn version.

Manually reconnecting namespaced-openvpn while other namespaces remain active from sudo ip netns exec

When I use Firejail to route sandboxed applications to the protected VPN namespace, I can manually restart namespaced-openvpn to reconnect the VPN without terminating any of the sandboxed applications. When applications are launched with the sudo ip netns exec protected sudo -u $USER -i argument, namespaced-openvpn fails to manually restart after the original instance disconnects with error code such as:

ERROR:root:Namespace protected already has adapters [b'in-ns1@if26', b'in-ns2@if26'], exiting.
Closing all the applications with their unique namespaces allows namespaced-openvpn to be manually restarted and connect normally. Is there a simple method to restart namespaced-openvpn without first closing all the child namespace processes?
