Add info on namespaced-openvpn and firejail for basic network namespace operations
This commit is contained in:
parent
d871b55f54
commit
aee0076840
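--- /dev/null
+++ b/<PATH-UNKNOWN-firejail-doc>
@@ -0,0 +1,24 @@
+# firejail
+
+Isolation of commands / services
+
+## Install
+
+``` bash
+
+mkdir /opt/firejail
+cd /opt/firejail
+apt install git build-essential jq
+git clone https://github.com/netblue30/firejail.git .
+git checkout 0.9.58.2
+./configure && make && make install-strip
+
+```
+
+## Run
+
+``` bash
+
+/usr/local/bin/firejail --noprofile --netns=protected-%i bash
+
+```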
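--- /dev/null
+++ b/<PATH-UNKNOWN-namespaced-openvpn-doc>
@@ -0,0 +1,89 @@
+# namespaced-openvpn setup
+
+Network namespace isolated VPN
+
+## Install
+
+``` bash
+
+cd /opt
+git clone https://github.com/slingamn/namespaced-openvpn.git
+cd namespaced-openvpn
+make install
+
+/usr/local/sbin/namespaced-openvpn --config /etc/openvpn/chicago.conf --auth-user-pass /etc/openvpn/auth_pia.txt
+
+ip netns list
+
+ip netns exec protected links http://ifconfig.co
+
+```
+
+## namespaced-openvpn systemd services
+
+``` bash
+
+cat > /etc/systemd/system/namespaced-openvpn.service <<EOF
+# This service is actually a systemd target,
+# but we are using a service since targets cannot be reloaded.
+
+[Unit]
+Description=OpenVPN service in netns
+After=network.target
+
+[Service]
+Type=oneshot
+RemainAfterExit=yes
+ExecStart=/bin/true
+ExecReload=/bin/true
+WorkingDirectory=/etc/openvpn
+
+[Install]
+WantedBy=multi-user.target
+EOF
+
+
+cat > /etc/systemd/system/namespaced-openvpn@.service <<EOF
+[Unit]
+Description=OpenVPN connection to %i in netns=protected-%i
+PartOf=namespaced-openvpn.service
+ReloadPropagatedFrom=openvpn.service
+Before=systemd-user-sessions.service
+
+[Service]
+PrivateTmp=true
+KillMode=mixed
+Type=simple
+Restart=always
+ExecStart=/usr/local/sbin/namespaced-openvpn --config %i.conf --namespace protected-%i
+PIDFile=/run/namespaced-openvpn/%i.pid
+ExecReload=/bin/kill -HUP $MAINPID
+WorkingDirectory=/etc/openvpn
+# Likely need CAP_SYS_ADMIN -- disable bounding for now
+#ProtectSystem=yes
+#CapabilityBoundingSet=CAP_IPC_LOCK CAP_NET_ADMIN CAP_NET_BIND_SERVICE CAP_NET_RAW CAP_SETGID CAP_SETUID CAP_SYS_CHROOT CAP_DAC_READ_SEARCH CAP_AUDIT_WRITE
+#LimitNPROC=10
+#DeviceAllow=/dev/null rw
+#DeviceAllow=/dev/net/tun rw
+
+[Install]
+WantedBy=multi-user.target
+EOF
+
+systemctl daemon-reload
+systemctl enable namespaced-openvpn@toronto
+systemctl restart namespaced-openvpn@toronto
+journalctl -fu namespaced-openvpn@toronto
+
+ip netns list # Should see protected-toronto
+
+```
+
+## Service bridging
+
+``` bash
+
+/usr/bin/socat tcp-listen:8000,fork,reuseaddr \
+exec:'ip netns exec protected-%i socat STDIO tcp-connect\:127.0.0.1\:8000',nofork
+
+```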