Commit 7c777d7b authored by Murukesh Mohanan

typo in ip

parent 1a62fa0e
......@@ -44,6 +44,8 @@ By keeping each interface of a veth pair in different namespaces, we can have ea
we'll have the default namespace, which is where we normally operate, and we will have a new namespace where the VPN
(and any applications that need the VPN) will operate.
<!-- section -->
The arcane incantations required are:
```
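Review bot: the opening code fence on the last line of this hunk carries no language tag, so the block of `ip` and `iptables` commands it introduces renders without syntax highlighting; adding `sh` after the opening backticks fixes that and makes the block copy-pasteable as shell in most renderers.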
......@@ -56,8 +58,8 @@ ip link set dev veth2 netns default
ip addr add dev veth1 10.0.0.1/24
ip link set veth1 up
ip netns exec default ip link set veth2 up
ip route add 192.168.0.7/32 dev veth1
ip route add default via 192.168.0.7
ip route add 192.168.1.2/32 dev veth1
ip route add default via 192.168.1.2
ip netns exec default ip route add 10.0.0.0/24 dev veth2
ip netns exec default iptables -A FORWARD -i veth2 -o eth0 -j ACCEPT
ip netns exec default iptables -A FORWARD -o veth2 -i eth0 -j ACCEPT
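Review bot: the corrected pair `ip route add 192.168.1.2/32 dev veth1` / `ip route add default via 192.168.1.2` hard-codes an address that lives in the default namespace, and the same two literals are repeated verbatim in the systemd unit added later in this commit, which is why one typo had to be fixed in two places; consider deriving it once (a shell variable, or a sentence in the prose saying which interface's address it is) so the two copies cannot drift again. Separately, a default route pointing back into the default namespace, combined with the two unconditional `FORWARD ... -j ACCEPT` rules, means anything started in the new namespace before OpenVPN brings its tunnel up, or after the tunnel drops, is forwarded out of `eth0` in the clear; replacing the default route with a host route to the VPN server's endpoint, or narrowing the FORWARD rules to that endpoint, would make the namespace fail closed instead.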
......@@ -108,5 +110,41 @@ What do these commands do? Let's examine them block by block.
Then run OpenVPN in this network namespace (for example, by running the `openvpn` command itself here, or by using
systemd to link it to this namespace).
<!-- section -->
I personally use systemd to set the whole thing up at boot. First, there's the one-shot service to set up the
namespace:
```
% cat /etc/systemd/system/netns-vpn.service
[Unit]
Description=VPN network namespace
StopWhenUnneeded=true
[Service]
Type=oneshot
RemainAfterExit=yes
# Ask systemd to create a network namespace
PrivateNetwork=yes
ExecStartPre=-/usr/sbin/ip netns delete vpn
ExecStartPre=/usr/sbin/ip netns add vpn
ExecStartPre=-/usr/bin/ln -s /proc/1/ns/net /var/run/netns/default
ExecStartPre=/usr/bin/umount /var/run/netns/vpn
ExecStartPre=/usr/bin/mount --bind /proc/self/ns/net /var/run/netns/vpn
ExecStartPre=/usr/sbin/ip link add dev veth1 mtu 1500 type veth peer name veth2 mtu 1500
ExecStartPre=/usr/sbin/ip link set dev veth2 netns default
ExecStartPre=/usr/sbin/ip addr add dev veth1 10.0.0.1/24
ExecStartPre=/usr/sbin/ip link set veth1 up
ExecStartPre=/usr/sbin/ip netns exec default ip link set veth2 up
ExecStartPre=/usr/sbin/ip route add 192.168.1.2/32 dev veth1
ExecStartPre=/usr/sbin/ip route add default via 192.168.1.2
ExecStartPre=/usr/sbin/ip netns exec default ip route add 10.0.0.0/24 dev veth2
ExecStartPre=/usr/sbin/ip netns exec default /usr/sbin/iptables -A FORWARD -i veth2 -o eth0 -j ACCEPT
ExecStartPre=/usr/sbin/ip netns exec default /usr/sbin/iptables -A FORWARD -o veth2 -i eth0 -j ACCEPT
ExecStart=/usr/sbin/ip netns exec default /usr/sbin/iptables -t nat -A POSTROUTING -s 10.0.0.0/24 -o eth0 -j MASQUERADE
```
[tb-linux]: https://www.tunnelbear.com/blog/linux_support/
[`veth`]: https://man7.org/linux/man-pages/man4/veth.4.html
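Review bot: the unit appends its firewall rules with `iptables -A` on every start and defines no `ExecStop=`, so each restart of `netns-vpn.service` leaves another copy of the two FORWARD rules and the MASQUERADE rule in the default namespace; add matching `ExecStop=` lines that `-D` each rule, or guard each `-A` with a preceding `iptables -C` check so the rule is only added when absent. The FORWARD and MASQUERADE rules also only see traffic if `net.ipv4.ip_forward=1` is set in the default namespace, and nothing in the unit or the surrounding prose enables it; a sysctl step (or a sentence stating it as a prerequisite) is missing. Finally, the `ip netns add vpn` / `umount /var/run/netns/vpn` / `mount --bind /proc/self/ns/net ...` sequence exists only to turn the service's own `PrivateNetwork=yes` namespace into the named `vpn` namespace; a comment saying so would save readers from wondering why a namespace is created and immediately unmounted.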