From 25a70a8882bb6f466b06b7e8f1c496267532ba34 Mon Sep 17 00:00:00 2001
From: Wojciech Kosior
Date: Fri, 22 May 2020 03:44:38 +0200
Subject: add script that runs given command inside a vpn "sandbox"
---
 vpn_wrapper.sh | 39 +++++++++++++++++++++++++++++++++++++++
 1 file changed, 39 insertions(+)
 create mode 100755 vpn_wrapper.sh
(limited to 'vpn_wrapper.sh')
diff --git a/vpn_wrapper.sh b/vpn_wrapper.sh
new file mode 100755
index 0000000..1fa3fe8
--- /dev/null
+++ b/vpn_wrapper.sh
@@ -0,0 +1,39 @@
+#!/bin/sh
+
+OPENVPN_CONFIG="$1"
+# rest of args is the command to run in network namespace
+shift
+
+echo -n $$ > /var/lib/0tdns/shell_pid
+
+# starts openvpn with the netns-script,
+# that creates tun inside network namespace 0tdns;
+# we could consider using --daemon option instead of &
+openvpn --ifconfig-noexec --route-noexec --up netns-script \ --route-up netns-script --down netns-script \ --config "$OPENVPN_CONFIG" --script-security 2 &
+
+OPENVPN_PID=$!
+
+# waitin for signal from our netns script
+# https://stackoverflow.com/questions/9052847/implementing-infinite-wait-in-shell-scripting
+trap true usr1
+
+# wait on openvpn process;
+# if we get a signal - wait will terminate;
+# if openvpn process dies - wait will also terminate
+wait $OPENVPN_PID
+
+# TODO check which of 2 above mention situations occured and
+# return from script with error code if openvpn process died
+
+# we no longer need this file
+rm /var/lib/0tdns/shell_pid
+
+# run the provided command inside '0tdns' namespace
+# under '0tdns' user;
+sudo ip netns exec 0tdns sudo -u 0tdns "$@"
+
+# close the connection
+kill $OPENVPN_PID
+wait $OPENVPN_PID
--
cgit v1.2.3
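Review bot: The `trap true usr1` line is installed only after `openvpn ... &` has already been launched, so a USR1 from netns-script that arrives before the trap runs hits the shell's default disposition and terminates the wrapper before the command is ever run; the trap belongs above the openvpn invocation. The TODO after `wait $OPENVPN_PID` matters for the fail-closed intent of this script: when wait returns because openvpn exited rather than because of the signal, the script still proceeds to run the command, so a `kill -0 "$OPENVPN_PID"` check should exit non-zero there. Nothing removes /var/lib/0tdns/shell_pid or stops openvpn if the wrapper is interrupted before the explicit `rm` and `kill`, which an EXIT trap would cover, and the wrapped command's exit status is discarded because the script ends on the final `wait`. The rewrite below addresses all four points; the openvpn argument list and the pid-file creation are unchanged.
```shell
#!/bin/sh
# … unchanged: argument handling and pid-file creation …

# install the handler before openvpn can signal us; an early USR1
# would otherwise terminate the shell (default disposition)
trap true USR1

cleanup() {
  rm -f /var/lib/0tdns/shell_pid
  [ -n "$OPENVPN_PID" ] && kill "$OPENVPN_PID" 2>/dev/null
}
trap cleanup EXIT

# … unchanged: openvpn launch, OPENVPN_PID=$! …

wait "$OPENVPN_PID"
# wait returned either because netns-script signalled us or because
# openvpn exited; in the latter case the tunnel never came up
if ! kill -0 "$OPENVPN_PID" 2>/dev/null; then
  echo "openvpn exited before the tunnel was ready" >&2
  exit 1
fi

rm -f /var/lib/0tdns/shell_pid

sudo ip netns exec 0tdns sudo -u 0tdns "$@"
rc=$?

# close the connection and propagate the wrapped command's status
kill "$OPENVPN_PID"
wait "$OPENVPN_PID"
exit "$rc"
```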