From aee00768402030c88b7e24cf0ca6c01ce612c12a Mon Sep 17 00:00:00 2001
From: KemoNine <kemonine@lollipopcloud.solutions>
Date: Fri, 12 Apr 2019 00:48:18 +0100
Subject: [PATCH] Add info on namespaced-openvpn and firejail for basic network
 namespace operations

---
 advanced/firejail.md           | 24 +++++++++
 advanced/namespaced-openvpn.md | 89 ++++++++++++++++++++++++++++++++++
 2 files changed, 113 insertions(+)
 create mode 100644 advanced/firejail.md
 create mode 100644 advanced/namespaced-openvpn.md

diff --git a/advanced/firejail.md b/advanced/firejail.md
new file mode 100644
index 0000000..bee9976
--- /dev/null
+++ b/advanced/firejail.md
@@ -0,0 +1,24 @@
+# firejail 
+
+Isolation of commands / services
+
+## Install
+
+``` bash
+
+mkdir /opt/firejail
+cd /opt/firejail
+apt install git build-essential jq
+git clone https://github.com/netblue30/firejail.git .
+git checkout 0.9.58.2
+./configure && make && make install-strip
+
+```
+
+## Run
+
+``` bash
+
+/usr/local/bin/firejail --noprofile --netns=protected-%i bash
+
+```
diff --git a/advanced/namespaced-openvpn.md b/advanced/namespaced-openvpn.md
new file mode 100644
index 0000000..5a96f16
--- /dev/null
+++ b/advanced/namespaced-openvpn.md
@@ -0,0 +1,89 @@
+# namespaced-openvpn setup
+
+Network namespace isolated VPN
+
+## Install
+
+``` bash
+
+cd /opt
+git clone https://github.com/slingamn/namespaced-openvpn.git
+cd namespaced-openvpn
+make install
+
+/usr/local/sbin/namespaced-openvpn --config /etc/openvpn/chicago.conf --auth-user-pass /etc/openvpn/auth_pia.txt
+
+ip netns list
+
+ip netns exec protected links http://ifconfig.co
+
+```
+
+## namespaced-openvpn systemd services
+
+``` bash
+
+cat > /etc/systemd/system/namespaced-openvpn.service <<EOF
+# This service is actually a systemd target,
+# but we are using a service since targets cannot be reloaded.
+
+[Unit]
+Description=OpenVPN service in netns
+After=network.target
+
+[Service]
+Type=oneshot
+RemainAfterExit=yes
+ExecStart=/bin/true
+ExecReload=/bin/true
+WorkingDirectory=/etc/openvpn
+
+[Install]
+WantedBy=multi-user.target
+EOF
+
+
+cat > /etc/systemd/system/namespaced-openvpn@.service <<EOF
+[Unit]
+Description=OpenVPN connection to %i in netns=protected-%i
+PartOf=namespaced-openvpn.service
+ReloadPropagatedFrom=openvpn.service
+Before=systemd-user-sessions.service
+
+[Service]
+PrivateTmp=true
+KillMode=mixed
+Type=simple
+Restart=always
+ExecStart=/usr/local/sbin/namespaced-openvpn --config %i.conf --namespace protected-%i
+PIDFile=/run/namespaced-openvpn/%i.pid
+ExecReload=/bin/kill -HUP $MAINPID
+WorkingDirectory=/etc/openvpn
+# Likely need CAP_SYS_ADMIN -- disable bounding for now
+#ProtectSystem=yes
+#CapabilityBoundingSet=CAP_IPC_LOCK CAP_NET_ADMIN CAP_NET_BIND_SERVICE CAP_NET_RAW CAP_SETGID CAP_SETUID CAP_SYS_CHROOT CAP_DAC_READ_SEARCH CAP_AUDIT_WRITE
+#LimitNPROC=10
+#DeviceAllow=/dev/null rw
+#DeviceAllow=/dev/net/tun rw
+
+[Install]
+WantedBy=multi-user.target
+EOF
+
+systemctl daemon-reload
+systemctl enable namespaced-openvpn@toronto
+systemctl restart namespaced-openvpn@toronto
+journalctl -fu namespaced-openvpn@toronto
+
+ip netns list # Should see protected-toronto
+
+```
+
+## Service bridging
+
+``` bash
+
+/usr/bin/socat tcp-listen:8000,fork,reuseaddr \
+  exec:'ip netns exec protected-%i socat STDIO tcp-connect\:127.0.0.1\:8000',nofork
+
+```