#!/bin/sh
# Run a command inside a freshly created network namespace whose network
# access goes through an OpenVPN tunnel.  Writes under /var/lib/0tdns and
# /etc/netns and starts openvpn, so it is expected to run with root
# privileges; the supplied command itself is run as the '0tdns' user.
#
# Usage: <this script> <openvpn-config-file> <command> [args...]
#
# NOTE(review): this copy of the file has lost the here-document bodies that
# generated the helper script and the namespace's resolv.conf (see the single
# "cat" line below).  Restore them from upstream before relying on this file.
#
# No "set -e" here: failures of openvpn, of the helper script or of
# "ip netns exec" do not stop the script on their own (see the notes below).

OPENVPN_CONFIG="$1"
# rest of args is the command to run in network namespace
# (with no arguments at all, "shift" fails here before anything is created)
shift

# just in case something causes more instances of this script
# to run simultaneously, we timestamp some names
# NOTE(review): a one-second timestamp is not unique.  Two runs started in the
# same second get the same HELPER_SCRIPT and NAMESPACE_NAME, so the later one
# overwrites the earlier one's helper script, and the "rm -r" at the end of
# either run deletes the other's files.  mktemp(1) (file and -d) would give
# collision-free names.  Also, SECONDS is a special variable in bash: if
# /bin/sh is bash, its value keeps advancing after this assignment, so the
# two names below are only guaranteed to agree because they are expanded
# back to back.
SECONDS=`date '+%s'`
HELPER_SCRIPT=/var/lib/0tdns/helper_script$SECONDS.sh
NAMESPACE_NAME=0tdns$SECONDS

# we create another script as a way of passing variables
# to netns-script
# NOTE(review): as it stands this line copies resolv.conf into the helper
# script; the here-documents that wrote both files (and, presumably, an
# mkdir of /etc/netns/$NAMESPACE_NAME beforehand -- confirm against upstream)
# are missing from this copy.
cat > $HELPER_SCRIPT < /etc/netns/$NAMESPACE_NAME/resolv.conf

# starts openvpn with our just-created helper script, which calls
# the netns-script, which creates tun inside network namespace
# of name $NAMESPACE_NAME
# we could consider using --daemon option instead of &
# --ifconfig-noexec / --route-noexec leave interface and route setup to the
# hook script; --script-security 2 is what allows openvpn to execute
# HELPER_SCRIPT for the --up/--route-up/--down hooks.  The hook path is fixed
# by this script, not taken from the config file.  $HELPER_SCRIPT is unquoted
# but contains no whitespace (fixed prefix plus a number).
openvpn --ifconfig-noexec --route-noexec --up $HELPER_SCRIPT \
  --route-up $HELPER_SCRIPT --down $HELPER_SCRIPT \
  --config "$OPENVPN_CONFIG" --script-security 2 &
OPENVPN_PID=$!

# waiting for signal from our netns script
# https://stackoverflow.com/questions/9052847/implementing-infinite-wait-in-shell-scripting
# NOTE(review): two windows exist here.  If the helper sends USR1 before this
# trap is installed, the default action for USR1 terminates this script; if it
# arrives after the trap but before the "wait" below starts, the trap runs and
# "wait" then blocks until openvpn itself exits.  Installing the trap before
# starting openvpn closes the first window.  Lower-case "usr1" works in bash
# and dash; "USR1" is the portable spelling.
trap true usr1

# wait on openvpn process;
# if we get a signal - wait will terminate;
# if openvpn process dies - wait will also terminate
wait $OPENVPN_PID

# TODO check which of 2 above mention situations occured and
# return from script with error code if openvpn process died
# NOTE(review): without that check, an openvpn that failed to start (bad
# config, permission problem) still lets the command below run -- "ip netns
# exec" then fails on the missing namespace, but nothing here stops first.
# A minimal version of the TODO: `kill -0 "$OPENVPN_PID" 2>/dev/null || exit 1`
# right after the wait.

# run the provided command inside newly created namespace
# under '0tdns' user;
# "$@" forwards the caller's arguments verbatim (no re-splitting).  The
# leading sudo is redundant when this script already runs as root -- confirm
# how it is invoked.  The command's exit status is not propagated.
sudo ip netns exec $NAMESPACE_NAME sudo -u 0tdns "$@"

# close the connection
# kill sends TERM; the wait reaps openvpn so the --down hook has run before
# the files below are removed.
kill $OPENVPN_PID
wait $OPENVPN_PID

# we no longer need those
# NOTE(review): this cleanup only runs on the normal path.  If the script is
# interrupted while the command runs, openvpn keeps running and the helper
# script and /etc/netns entry remain; a `trap cleanup EXIT` would cover that.
# Nothing here deletes the namespace itself -- presumably netns-script or the
# --down hook does; confirm.
rm -r $HELPER_SCRIPT /etc/netns/$NAMESPACE_NAME/