author | Wojciech Kosior <kwojtus@protonmail.com> | 2020-05-22 03:44:38 +0200 |
---|---|---|
committer | Wojciech Kosior <kwojtus@protonmail.com> | 2020-05-22 03:44:38 +0200 |
commit | 25a70a8882bb6f466b06b7e8f1c496267532ba34 (patch) | |
tree | 8180d111bab8d0f7b632c62c5360b6939d2cd53e | |
parent | 22ed117607f89e9fba4894e4dce18bb78e51b3ee (diff) | |
add script that runs given command inside a vpn "sandbox"
-rwxr-xr-x | vpn_wrapper.sh | 39 |
1 files changed, 39 insertions, 0 deletions
diff --git a/vpn_wrapper.sh b/vpn_wrapper.sh
new file mode 100755
index 0000000..1fa3fe8
--- /dev/null
+++ b/vpn_wrapper.sh
@@ -0,0 +1,39 @@
+#!/bin/sh
+
+OPENVPN_CONFIG="$1"
+# rest of args is the command to run in network namespace
+shift
+
+echo -n $$ > /var/lib/0tdns/shell_pid
+
+# starts openvpn with the netns-script,
+# that creates tun inside network namespace 0tdns;
+# we could consider using --daemon option instead of &
+openvpn --ifconfig-noexec --route-noexec --up netns-script \
+ --route-up netns-script --down netns-script \
+ --config "$OPENVPN_CONFIG" --script-security 2 &
+
+OPENVPN_PID=$!
+
+# waitin for signal from our netns script
+# https://stackoverflow.com/questions/9052847/implementing-infinite-wait-in-shell-scripting
+trap true usr1
+
+# wait on openvpn process;
+# if we get a signal - wait will terminate;
+# if openvpn process dies - wait will also terminate
+wait $OPENVPN_PID
+
+# TODO check which of 2 above mention situations occured and
+# return from script with error code if openvpn process died
+
+# we no longer need this file
+rm /var/lib/0tdns/shell_pid
+
+# run the provided command inside '0tdns' namespace
+# under '0tdns' user;
+sudo ip netns exec 0tdns sudo -u 0tdns "$@"
+
+# close the connection
+kill $OPENVPN_PID
+wait $OPENVPN_PID
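Review bot: The TODO after `wait $OPENVPN_PID` is the part that matters for the sandbox guarantee: when openvpn exits before the netns-script signals (config error, auth failure, server unreachable), `wait` returns just the same and the script goes on to run `"$@"` in the 0tdns namespace with no tunnel, so the command runs with whatever connectivity that namespace has instead of through the VPN. A liveness check before the exec closes that hole, e.g. `kill -0 "$OPENVPN_PID" 2>/dev/null || { rm -f /var/lib/0tdns/shell_pid; exit 1; }`, and the same check lets the script report openvpn's failure instead of silently proceeding. Separately, the wrapped command's exit status is lost because the script ends with `wait`; capture it with `rc=$?` right after the `sudo ip netns exec` line and finish with `exit "$rc"` so callers can tell the command failed. Minor: under `#!/bin/sh`, `echo -n` is not guaranteed to suppress the newline, so `printf '%s' "$$" > /var/lib/0tdns/shell_pid` is the portable form, and the lowercase signal name in `trap true usr1` may not be accepted by every sh — `USR1` is the POSIX spelling.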