blob: 054dc2a815b9203f4ccb144462d2d8a55fcc8613 (
about) (
plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
|
#!/bin/sh
# adapted from
# https://unix.stackexchange.com/questions/149293/feed-all-traffic-through-openvpn-for-a-specific-network-namespace-only
# vpn_wrapper.sh passes the following variables through openvpn's
# --setenv option:
# NAMESPACE_NAME
# WRAPPER_PID
# VETH_HOST0
# VETH_HOST1
# ROUTE_THROUGH_VETH
# PHYSICAL_IP
# tag veth names so that they are uniqie between instances of this script
VETH0=v0tdns${WRAPPER_PID}_0
VETH1=v0tdns${WRAPPER_PID}_1
case $script_type in
up)
ip netns add $NAMESPACE_NAME
ip netns exec $NAMESPACE_NAME ip link set dev lo up
ip link set dev "$1" up netns $NAMESPACE_NAME mtu "$2"
ip netns exec $NAMESPACE_NAME ip addr add dev "$1" \
"$4/${ifconfig_netmask:-30}" \
${ifconfig_broadcast:+broadcast "$ifconfig_broadcast"}
if [ -n "$ifconfig_ipv6_local" ]; then
ip netns exec $NAMESPACE_NAME ip addr add dev "$1" \
"$ifconfig_ipv6_local"/112
fi
# the following is done to enable some connections to bypass vpn
VETH0=v0tdns${WRAPPER_PID}_0
VETH1=v0tdns${WRAPPER_PID}_1
ip link add $VETH0 type veth peer name $VETH1
ip link set $VETH1 netns $NAMESPACE_NAME
ip addr add $VETH_HOST0/30 dev $VETH0
ip netns exec $NAMESPACE_NAME ip addr add $VETH_HOST1/30 dev $VETH1
ip link set $VETH0 up
ip netns exec $NAMESPACE_NAME ip link set $VETH1 up
;;
route-up)
# user is responsible for enabling routing from physical
# interface to veth devices, we're enabling the reverse way
echo 1 > /proc/sys/net/ipv4/conf/$VETH0/forwarding
ip netns exec $NAMESPACE_NAME ip route add default \
via "$ifconfig_remote"
if [ -n "$ifconfig_ipv6_remote" ]; then
ip netns exec $NAMESPACE_NAME ip route add default via \
"$ifconfig_ipv6_remote"
fi
# here go routes for bypassing vpn
for ADDRESS in $ROUTE_THROUGH_VETH; do
ip netns exec $NAMESPACE_NAME ip route add $ADDRESS via $VETH_HOST0
iptables -t nat -A POSTROUTING -s $VETH_HOST1/32 \
-j SNAT --to-source $PHYSICAL_IP
done
# notify our sh process, that openvpn finished initializing
kill -usr1 $WRAPPER_PID
;;
down)
for ADDRESS in $ROUTE_THROUGH_VETH; do
iptables -t nat -D POSTROUTING -s $VETH_HOST1/32 \
-j SNAT --to-source $PHYSICAL_IP
done
ip netns delete $NAMESPACE_NAME
;;
esac
|