authorWojciech Kosior <kwojtus@protonmail.com>2020-05-28 20:28:03 +0200
committerWojciech Kosior <kwojtus@protonmail.com>2020-05-28 20:28:03 +0200
commit2f55027b9b69dc21c59d7d1fe90c5e56eea7908b (patch)
treeefb3f14a2c71ea19240826768949341a318a30b7 /vpn_wrapper.sh
parentc96321d576e79834f262486f44ab772f33053f7b (diff)
timestamp namespaces to avoid conflicts with other instances of script
Diffstat (limited to 'vpn_wrapper.sh')
-rwxr-xr-xvpn_wrapper.sh51
1 files changed, 40 insertions, 11 deletions
diff --git a/vpn_wrapper.sh b/vpn_wrapper.sh
index 1fa3fe8..b4b9350 100755
--- a/vpn_wrapper.sh
+++ b/vpn_wrapper.sh
@@ -4,18 +4,47 @@ OPENVPN_CONFIG="$1"
# rest of args is the command to run in network namespace
shift
-echo -n $$ > /var/lib/0tdns/shell_pid
+# just in case something causes more instances of this script
+# to run simultaneously, we timestamp some names
+SECONDS=`date '+%s'`
-# starts openvpn with the netns-script,
-# that creates tun inside network namespace 0tdns;
+HELPER_SCRIPT=/var/lib/0tdns/helper_script$SECONDS.sh
+NAMESPACE_NAME=0tdns$SECONDS
+
+# we create another script as a way of passing variables
+# to netns-script
+cat > $HELPER_SCRIPT <<EOF
+#!/bin/sh
+
+export NAMESPACE_NAME=$NAMESPACE_NAME
+export WRAPPER_PID=$$
+
+/var/lib/0tdns/netns-script "\$@"
+EOF
+
+chmod u+x $HELPER_SCRIPT
+
+# in case we want some process in the namespace to be able
+# to resolve domain names via libc we put some random public
+# dns in namespace sepcific's resolv.conf;
+# note, that while libunbound we're using will probably have
+# dns addresses provided by us, it is still possible to pass
+# a domain name as forwarder address to unbound, in which case
+# it will try to resolve it first using libc
+mkdir -p /etc/netns/$NAMESPACE_NAME/
+echo nameserver 23.253.163.53 > /etc/netns/$NAMESPACE_NAME/resolv.conf
+
+# starts openvpn with our just-created helper script, which calls
+# the netns-script, which creates tun inside network namespace
+# of name $NAMESPACE_NAME
# we could consider using --daemon option instead of &
-openvpn --ifconfig-noexec --route-noexec --up netns-script \
- --route-up netns-script --down netns-script \
+openvpn --ifconfig-noexec --route-noexec --up $HELPER_SCRIPT \
+ --route-up $HELPER_SCRIPT --down $HELPER_SCRIPT \
--config "$OPENVPN_CONFIG" --script-security 2 &
OPENVPN_PID=$!
-# waitin for signal from our netns script
+# waiting for signal from our netns script
# https://stackoverflow.com/questions/9052847/implementing-infinite-wait-in-shell-scripting
trap true usr1
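Review bot: `SECONDS` in `SECONDS=\`date '+%s'\`` is a bash special variable: assigning to it resets the shell's elapsed-time counter, and every later read yields the assigned value plus the seconds elapsed since, so it is not a stable stamp (the shebang is outside the hunk, so this only applies if the script runs under bash; under dash it is an ordinary variable). Independently, one-second resolution means two instances started within the same second still get the same helper script and namespace name, which is the collision this commit is meant to prevent. Folding the wrapper's own PID into an ordinarily named variable fixes both: `STAMP=$(date '+%s')-$$`, `HELPER_SCRIPT=/var/lib/0tdns/helper_script$STAMP.sh`, `NAMESPACE_NAME=0tdns$STAMP`. The resolver written to the namespace's resolv.conf (`23.253.163.53`) is described only as "some random public dns"; a comment naming the operator and why it was chosen would help the next reader judge what leaves the namespace via that address.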
@@ -27,13 +56,13 @@ wait $OPENVPN_PID
# TODO check which of 2 above mention situations occured and
# return from script with error code if openvpn process died
-# we no longer need this file
-rm /var/lib/0tdns/shell_pid
-
-# run the provided command inside '0tdns' namespace
+# run the provided command inside newly created namespace
# under '0tdns' user;
-sudo ip netns exec 0tdns sudo -u 0tdns "$@"
+sudo ip netns exec $NAMESPACE_NAME sudo -u 0tdns "$@"
# close the connection
kill $OPENVPN_PID
wait $OPENVPN_PID
+
+# we no longer need those
+rm -r $HELPER_SCRIPT /etc/netns/$NAMESPACE_NAME/
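Review bot: The cleanup in `rm -r $HELPER_SCRIPT /etc/netns/$NAMESPACE_NAME/` runs only when the script reaches its last line; if the wrapped command is interrupted or the wrapper is killed while waiting on openvpn, the helper script (which openvpn executes as root) and the per-namespace resolv.conf directory stay behind, and each such run leaves another timestamped file in /var/lib/0tdns and /etc/netns. Registering the removal as an exit trap right after the files are created, in the first hunk, covers every exit path: `trap 'rm -r "$HELPER_SCRIPT" "/etc/netns/$NAMESPACE_NAME/"' EXIT`, keeping the explicit `kill`/`wait` of openvpn on the normal path. Whether the namespace itself is removed is not visible here; presumably netns-script's --down handling does it, which is worth confirming so a leftover namespace does not keep the old tun and routes alive.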