
Add info on namespaced-openvpn and firejail for basic network namespace operations

This commit is contained in:
KemoNine 2019-04-12 00:48:18 +01:00
parent d871b55f54
commit aee0076840
No known key found for this signature in database
GPG Key ID: 3BC2928798AE11AB
2 changed files with 113 additions and 0 deletions

24
advanced/firejail.md Normal file

@ -0,0 +1,24 @@
# firejail
Isolation of commands / services
## Install
``` bash
mkdir /opt/firejail
cd /opt/firejail
apt install git build-essential jq
git clone https://github.com/netblue30/firejail.git .
git checkout 0.9.58.2
./configure && make && make install-strip
```
## Run
``` bash
/usr/local/bin/firejail --noprofile --netns=protected-%i bash
```


@ -0,0 +1,89 @@
# namespaced-openvpn setup
Network namespace isolated VPN
## Install
``` bash
cd /opt
git clone https://github.com/slingamn/namespaced-openvpn.git
cd namespaced-openvpn
make install
/usr/local/sbin/namespaced-openvpn --config /etc/openvpn/chicago.conf --auth-user-pass /etc/openvpn/auth_pia.txt
ip netns list
ip netns exec protected links http://ifconfig.co
```
## namespaced-openvpn systemd services
``` bash
cat > /etc/systemd/system/namespaced-openvpn.service <<EOF
# This service is actually a systemd target,
# but we are using a service since targets cannot be reloaded.
[Unit]
Description=OpenVPN service in netns
After=network.target
[Service]
Type=oneshot
RemainAfterExit=yes
ExecStart=/bin/true
ExecReload=/bin/true
WorkingDirectory=/etc/openvpn
[Install]
WantedBy=multi-user.target
EOF
cat > /etc/systemd/system/namespaced-openvpn@.service <<EOF
[Unit]
Description=OpenVPN connection to %i in netns=protected-%i
PartOf=namespaced-openvpn.service
ReloadPropagatedFrom=openvpn.service
Before=systemd-user-sessions.service
[Service]
PrivateTmp=true
KillMode=mixed
Type=simple
Restart=always
ExecStart=/usr/local/sbin/namespaced-openvpn --config %i.conf --namespace protected-%i
PIDFile=/run/namespaced-openvpn/%i.pid
ExecReload=/bin/kill -HUP $MAINPID
WorkingDirectory=/etc/openvpn
# Likely need CAP_SYS_ADMIN -- disable bounding for now
#ProtectSystem=yes
#CapabilityBoundingSet=CAP_IPC_LOCK CAP_NET_ADMIN CAP_NET_BIND_SERVICE CAP_NET_RAW CAP_SETGID CAP_SETUID CAP_SYS_CHROOT CAP_DAC_READ_SEARCH CAP_AUDIT_WRITE
#LimitNPROC=10
#DeviceAllow=/dev/null rw
#DeviceAllow=/dev/net/tun rw
[Install]
WantedBy=multi-user.target
EOF
systemctl daemon-reload
systemctl enable namespaced-openvpn@toronto
systemctl restart namespaced-openvpn@toronto
journalctl -fu namespaced-openvpn@toronto
ip netns list # Should see protected-toronto
```
## Service bridging
``` bash
/usr/bin/socat tcp-listen:8000,fork,reuseaddr \
exec:'ip netns exec protected-%i socat STDIO tcp-connect\:127.0.0.1\:8000',nofork
```