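#!/bin/sh
#
# OpenVPN --up / --route-up / --down hook that confines one tunnel to its own
# network namespace.  Adapted from
# https://unix.stackexchange.com/questions/149293/feed-all-traffic-through-openvpn-for-a-specific-network-namespace-only
#
# vpn_wrapper.sh passes the following variables through openvpn's
# --setenv option:
#   NAMESPACE_NAME      name of the netns to create / tear down
#   WRAPPER_PID         pid to signal (SIGUSR1) once the tunnel is routed
#   VETH_HOST0          host-side address of the bypass veth pair
#   VETH_HOST1          namespace-side address of the bypass veth pair
#   ROUTE_THROUGH_VETH  whitespace-separated destinations that bypass the vpn
#   PHYSICAL_IP         address the bypass traffic is SNATed to
#
# openvpn itself supplies $script_type and the $ifconfig_* variables, and for
# the up hook the positional arguments used here: $1 tun device, $2 tun mtu,
# $4 local tunnel address.

# Every phase operates on the namespace; refuse to run without its name
# rather than handing an empty argument to ip(8).
: "${NAMESPACE_NAME:?NAMESPACE_NAME must be passed via --setenv}"

case "$script_type" in
up)
  ip netns add "$NAMESPACE_NAME"
  ip netns exec "$NAMESPACE_NAME" ip link set dev lo up
  # move the tun device into the namespace before addressing it
  ip link set dev "$1" up netns "$NAMESPACE_NAME" mtu "$2"
  # ${ifconfig_broadcast:+...} is intentionally unquoted: it must expand to
  # the two words "broadcast <addr>" or to nothing at all.
  ip netns exec "$NAMESPACE_NAME" ip addr add dev "$1" \
    "$4/${ifconfig_netmask:-30}" \
    ${ifconfig_broadcast:+broadcast "$ifconfig_broadcast"}
  if [ -n "$ifconfig_ipv6_local" ]; then
    ip netns exec "$NAMESPACE_NAME" ip addr add dev "$1" \
      "$ifconfig_ipv6_local"/112
  fi

  # the following is done to enable some connections to bypass vpn:
  # a veth pair links the namespace back to the host network stack
  VETH0=v0tdns${WRAPPER_PID}_0
  VETH1=v0tdns${WRAPPER_PID}_1
  ip link add "$VETH0" type veth peer name "$VETH1"
  ip link set "$VETH1" netns "$NAMESPACE_NAME"
  ip addr add "$VETH_HOST0/30" dev "$VETH0"
  ip netns exec "$NAMESPACE_NAME" ip addr add "$VETH_HOST1/30" dev "$VETH1"
  ip link set "$VETH0" up
  ip netns exec "$NAMESPACE_NAME" ip link set "$VETH1" up
  ;;
route-up)
  # TODO change to only forward from necessary interfaces
  # NOTE: this flips a host-wide sysctl and is not reverted in `down`.
  echo 1 > /proc/sys/net/ipv4/conf/all/forwarding

  ip netns exec "$NAMESPACE_NAME" ip route add default via "$ifconfig_remote"
  if [ -n "$ifconfig_ipv6_remote" ]; then
    ip netns exec "$NAMESPACE_NAME" ip route add default via \
      "$ifconfig_ipv6_remote"
  fi

  # here go routes for bypassing vpn.  $ROUTE_THROUGH_VETH is intentionally
  # unquoted: it is a whitespace-separated list of destinations.
  for ADDRESS in $ROUTE_THROUGH_VETH; do
    ip netns exec "$NAMESPACE_NAME" ip route add "$ADDRESS" via "$VETH_HOST0"
  done
  # The SNAT rule does not depend on the destination, so it is added once
  # rather than once per bypass address (the per-address loop used to create
  # one duplicate nat entry per destination).  `down` removes this one rule.
  if [ -n "$ROUTE_THROUGH_VETH" ]; then
    iptables -t nat -A POSTROUTING -s "$VETH_HOST1/32" \
      -j SNAT --to-source "$PHYSICAL_IP"
  fi

  # notify our sh process, that openvpn finished initializing
  kill -USR1 "$WRAPPER_PID"
  ;;
down)
  # mirror of the single rule added in route-up
  if [ -n "$ROUTE_THROUGH_VETH" ]; then
    iptables -t nat -D POSTROUTING -s "$VETH_HOST1/32" \
      -j SNAT --to-source "$PHYSICAL_IP"
  fi

  # The veth end moved into the namespace goes away with it, which should
  # also remove the host end; if the host-side v0tdns<pid>_0 device lingers,
  # it has to be deleted here explicitly.
  ip netns delete "$NAMESPACE_NAME"
  ;;
esac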