From 2f55027b9b69dc21c59d7d1fe90c5e56eea7908b Mon Sep 17 00:00:00 2001
From: Wojciech Kosior
Date: Thu, 28 May 2020 20:28:03 +0200
Subject: timestamp namespaces to avoid conflicts with other instances of script
---
 netns-script | 29 +++++++++++++++--------------
 vpn_wrapper.sh | 51 ++++++++++++++++++++++++++++++++++++++++-----------
 2 files changed, 55 insertions(+), 25 deletions(-)
diff --git a/netns-script b/netns-script
index 36cbda9..ba2d226 100755
--- a/netns-script
+++ b/netns-script
@@ -3,35 +3,36 @@
 # adapted from
 # https://unix.stackexchange.com/questions/149293/feed-all-traffic-through-openvpn-for-a-specific-network-namespace-only
+# vpn_wrapper.sh creates another script of name helper_script.sh,
+# which gets called by openvpn process, exports NAMESPACE_NAME and WRAPPER_PID
+# variables and then runs this script
+
 case $script_type in
- up)
- ip netns add 0tdns
- ip netns exec 0tdns ip link set dev lo up
- ip link set dev "$1" up netns 0tdns mtu "$2"
- ip netns exec 0tdns ip addr add dev "$1" \
+ up)
+ env
+ ip netns add $NAMESPACE_NAME
+ ip netns exec $NAMESPACE_NAME ip link set dev lo up
+ ip link set dev "$1" up netns $NAMESPACE_NAME mtu "$2"
+ ip netns exec $NAMESPACE_NAME ip addr add dev "$1" \
 "$4/${ifconfig_netmask:-30}" \
 ${ifconfig_broadcast:+broadcast "$ifconfig_broadcast"}
 if [ -n "$ifconfig_ipv6_local" ]; then
- ip netns exec 0tdns ip addr add dev "$1" \
+ ip netns exec $NAMESPACE_NAME ip addr add dev "$1" \
 "$ifconfig_ipv6_local"/112
 fi
 ;;
 route-up)
- ip netns exec 0tdns ip route add default via "$ifconfig_remote"
+ ip netns exec $NAMESPACE_NAME ip route add default via "$ifconfig_remote"
 if [ -n "$ifconfig_ipv6_remote" ]; then
- ip netns exec 0tdns ip route add default via \
+ ip netns exec $NAMESPACE_NAME ip route add default via \
 "$ifconfig_ipv6_remote"
 fi
 # notify our sh process, that openvpn finished initializing
- kill -usr1 `cat /var/lib/0tdns/shell_pid`
-
- # we no longer need this connection
- #kill $OPENVPN_PID
-
+ kill -usr1 $WRAPPER_PID
 ;;
 down)
- ip netns delete 0tdns
+ ip netns delete $NAMESPACE_NAME
 ;;
 esac
diff --git a/vpn_wrapper.sh b/vpn_wrapper.sh
index 1fa3fe8..b4b9350 100755
--- a/vpn_wrapper.sh
+++ b/vpn_wrapper.sh
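Review bot: The bare `env` added at the top of the `up)` arm prints the hook's entire environment to openvpn's stdout/log on every connection, including everything the helper script exports into this process; it reads as a debugging leftover and should be dropped (or at least sent to stderr behind a debug switch) before merging. The new `$NAMESPACE_NAME` and `$WRAPPER_PID` expansions are unquoted and unchecked, so if the helper fails to export them `ip netns add` runs with no name, `kill -usr1` with no PID, and `down)` calls `ip netns delete` with an empty argument. A guard before the `case`, `: "${NAMESPACE_NAME:?not exported by helper script}" "${WRAPPER_PID:?not exported by helper script}"`, fails loudly instead, and the uses should be quoted (`ip netns add "$NAMESPACE_NAME"`, `kill -usr1 "$WRAPPER_PID"`). The shebang is outside the hunk, so I cannot tell whether this is /bin/sh or bash; the `:?` form is POSIX and works in either.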
@@ -4,18 +4,47 @@ OPENVPN_CONFIG="$1"
 # rest of args is the command to run in network namespace
 shift
-echo -n $$ > /var/lib/0tdns/shell_pid
+# just in case something causes more instances of this script
+# to run simultaneously, we timestamp some names
+SECONDS=`date '+%s'`
-# starts openvpn with the netns-script,
-# that creates tun inside network namespace 0tdns;
+HELPER_SCRIPT=/var/lib/0tdns/helper_script$SECONDS.sh
+NAMESPACE_NAME=0tdns$SECONDS
+
+# we create another script as a way of passing variables
+# to netns-script
+cat > $HELPER_SCRIPT < /etc/netns/$NAMESPACE_NAME/resolv.conf
+
+# starts openvpn with our just-created helper script, which calls
+# the netns-script, which creates tun inside network namespace
+# of name $NAMESPACE_NAME
 # we could consider using --daemon option instead of &
-openvpn --ifconfig-noexec --route-noexec --up netns-script \
- --route-up netns-script --down netns-script \
+openvpn --ifconfig-noexec --route-noexec --up $HELPER_SCRIPT \
+ --route-up $HELPER_SCRIPT --down $HELPER_SCRIPT \
 --config "$OPENVPN_CONFIG" --script-security 2 &
 OPENVPN_PID=$!
-# waitin for signal from our netns script
+# waiting for signal from our netns script
 # https://stackoverflow.com/questions/9052847/implementing-infinite-wait-in-shell-scripting
 trap true usr1
@@ -27,13 +56,13 @@ wait $OPENVPN_PID
 # TODO check which of 2 above mention situations occured and
 # return from script with error code if openvpn process died
-# we no longer need this file
-rm /var/lib/0tdns/shell_pid
-
-# run the provided command inside '0tdns' namespace
+# run the provided command inside newly created namespace
 # under '0tdns' user;
-sudo ip netns exec 0tdns sudo -u 0tdns "$@"
+sudo ip netns exec $NAMESPACE_NAME sudo -u 0tdns "$@"
 # close the connection
 kill $OPENVPN_PID
 wait $OPENVPN_PID
+
+# we no longer need those
+rm -r $HELPER_SCRIPT /etc/netns/$NAMESPACE_NAME/
-- 
cgit v1.2.3
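Review bot: A one-second timestamp does not give the uniqueness the commit sets out to provide: two instances started in the same second compute the same `HELPER_SCRIPT` path and the same `NAMESPACE_NAME`, so the second `cat >` silently overwrites the first instance's helper while its openvpn may still be about to execute it, and the second `ip netns add` fails. The PID is unique among live processes, and a `mktemp` template creates the helper with owner-only permissions before anything is written to a file that openvpn will later execute: `NAMESPACE_NAME=0tdns$$`, `HELPER_SCRIPT=$(mktemp /var/lib/0tdns/helper_script.XXXXXX)`, then `chmod u+x "$HELPER_SCRIPT"`. `SECONDS` is also a bash special variable (seconds since the shell started, which keeps counting after an assignment), so if the shebang outside the hunk is bash this only works because both derived names are expanded immediately; a plain name such as `STAMP` avoids the surprise. The heredoc body between `cat > $HELPER_SCRIPT` and the resolv.conf line is not visible in this rendering, so I cannot review what the helper exports or whether it already sets permissions.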
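Review bot: The closing `rm -r $HELPER_SCRIPT /etc/netns/$NAMESPACE_NAME/` runs with both names unquoted and unguarded; should `NAMESPACE_NAME` ever be empty the path collapses to `/etc/netns//` and every namespace's config directory is removed. `rm -r -- "$HELPER_SCRIPT" "/etc/netns/${NAMESPACE_NAME:?}/"` refuses to run in that case, and the `sudo ip netns exec $NAMESPACE_NAME` line above it should quote the expansion for the same reason. The cleanup also only happens on the normal path: if the wrapper is killed or the user command is interrupted, the helper script and the `/etc/netns/` entry stay behind (and the namespace itself only disappears if openvpn gets to run the `down` hook), so moving this removal into a `trap ... EXIT` registered right after the names are chosen would make the timestamped leftovers much less likely to accumulate.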