typo in ip

7c777d7b · Murukesh Mohanan · 1a62fa0e · 7c777d7b
Commit 7c777d7b authored Dec 03, 2020 by Murukesh Mohanan
Hide whitespace changes
Inline Side-by-side

Showing with 40 additions and 2 deletions

_posts/2020-12-03-poking-pi-ii.md _posts/2020-12-03-poking-pi-ii.md +40 -2

No files found.
--- a/_posts/2020-12-03-poking-pi-ii.md
+++ b/_posts/2020-12-03-poking-pi-ii.md
@@ -44,6 +44,8 @@ By keeping each interface of a veth pair in different namespaces, we can have ea
 we'll have the default namespace, which is where we normally operate, and we will have a new namespace where the VPN
 (and any applications that need the VPN) will operate.
+<!-- section -->
 The arcane incantations required are:
 ```
@@ -56,8 +58,8 @@ ip link set dev veth2 netns default
 ip addr add dev veth1 10.0.0.1/24
 ip link set veth1 up
 ip netns exec default ip link set veth2 up
-ip route add 192.168.0.7/32 dev veth1
+ip route add 192.168.1.2/32 dev veth1
-ip route add default via 192.168.0.7
+ip route add default via 192.168.1.2
 ip netns exec default ip route add 10.0.0.0/24 dev veth2
 ip netns exec default iptables -A FORWARD -i veth2 -o eth0 -j ACCEPT
 ip netns exec default iptables -A FORWARD -o veth2 -i eth0 -j ACCEPT
@@ -108,5 +110,41 @@ What do these commands do? Let's examine them block by block.
 Then run OpenVPN in this network namespace (for example, by running the `openvpn` command itself here, or by using
 systemd to link it to this namespace).
+<!-- section -->
+I personally use systemd to set the whole thing up at boot. First, there's the one-shot service to set up the
+namespace:
+```
+% cat /etc/systemd/system/netns-vpn.service
+[Unit]
+Description=VPN network namespace
+StopWhenUnneeded=true
+[Service]
+Type=oneshot
+RemainAfterExit=yes
+# Ask systemd to create a network namespace
+PrivateNetwork=yes
+ExecStartPre=-/usr/sbin/ip netns delete vpn
+ExecStartPre=/usr/sbin/ip netns add vpn
+ExecStartPre=-/usr/bin/ln -s /proc/1/ns/net /var/run/netns/default
+ExecStartPre=/usr/bin/umount /var/run/netns/vpn
+ExecStartPre=/usr/bin/mount --bind /proc/self/ns/net /var/run/netns/vpn
+ExecStartPre=/usr/sbin/ip link add dev veth1 mtu 1500 type veth peer name veth2 mtu 1500
+ExecStartPre=/usr/sbin/ip link set dev veth2 netns default
+ExecStartPre=/usr/sbin/ip addr add dev veth1 10.0.0.1/24
+ExecStartPre=/usr/sbin/ip link set veth1 up
+ExecStartPre=/usr/sbin/ip netns exec default ip link set veth2 up
+ExecStartPre=/usr/sbin/ip route add 192.168.1.2/32 dev veth1
+ExecStartPre=/usr/sbin/ip route add default via 192.168.1.2
+ExecStartPre=/usr/sbin/ip netns exec default ip route add 10.0.0.0/24 dev veth2
+ExecStartPre=/usr/sbin/ip netns exec default /usr/sbin/iptables -A FORWARD -i veth2 -o eth0 -j ACCEPT
+ExecStartPre=/usr/sbin/ip netns exec default /usr/sbin/iptables -A FORWARD -o veth2 -i eth0 -j ACCEPT
+ExecStart=/usr/sbin/ip netns exec default /usr/sbin/iptables -t nat -A POSTROUTING -s 10.0.0.0/24 -o eth0 -j MASQUERADE
+```
 [tb-linux]: https://www.tunnelbear.com/blog/linux_support/
 [`veth`]: https://man7.org/linux/man-pages/man4/veth.4.html