u /b/ds/machine_specific/li/filesystem/etc/openvpn/client-config-hole/$host <<EOF
ifconfig-push 10.5.5.${vpn_ips[$host]} 255.255.255.0
EOF
- u /a/bin/ds/machine_specific/$host/filesystem/etc/systemd/system/openvpn-client-tr@.service <<EOF
+ u /a/bin/ds/machine_specific/$host/filesystem/etc/systemd/system/wg-quick-tr-pre@.service <<EOF
[Unit]
-Description=OpenVPN tunnel for %I
-After=syslog.target network-online.target
-Wants=network-online.target
-Documentation=man:openvpn(8)
-Documentation=https://community.openvpn.net/openvpn/wiki/Openvpn24ManPage
-Documentation=https://community.openvpn.net/openvpn/wiki/HOWTO
-Requires=iptables.service
+Description=Initial setup of netns for wg-quick-tr %I
[Service]
-Type=notify
-RuntimeDirectory=openvpn-client
-RuntimeDirectoryMode=0710
-WorkingDirectory=/etc/openvpn/client
-ExecStart=/usr/sbin/openvpn --suppress-timestamps --nobind --config /etc/openvpn/client/%i.conf
-# todo, try reenabling this from the default openvpn,
-# it was disabled so we could do bind mounts as a command,
-# but now systemd handles it
-#CapabilityBoundingSet=CAP_IPC_LOCK CAP_NET_ADMIN CAP_NET_RAW CAP_SETGID CAP_SETUID CAP_SYS_CHROOT CAP_DAC_OVERRIDE
-LimitNPROC=10
-# DeviceAllow=/dev/null rw
-# DeviceAllow=/dev/net/tun rw
-
-# we use .1 to make this be on a different network than kd, so that we can
-# talk to transmission on kd from remote host, and still use this
-# vpn.
-ExecStartPre=/usr/bin/flock -w 20 /tmp/newns.flock /a/bin/newns/newns -n 10.174.$ipsuf start %i
+Type=oneshot
+ExecStart=/usr/bin/flock -w 20 /tmp/newns.flock /a/bin/newns/newns -n 10.174.$ipsuf start %i
+# no need to stop
+#ExecStop=/usr/bin/flock -w 20 /tmp/newns.flock /a/bin/newns/newns stop %i
+RemainAfterExit=yes
+
+[Install]
+WantedBy=multi-user.target
+EOF
+ # note: git history has an openvpn version
+ u /a/bin/ds/machine_specific/$host/filesystem/etc/systemd/system/wg-quick-tr@.service <<EOF
+[Unit]
+Description=WireGuard via wg-quick(8) for %I
+After=network-online.target nss-lookup.target wg-quick-tr-pre@%i.service
+Wants=network-online.target nss-lookup.target wg-quick-tr-pre@%i.service
+PartOf=wg-quick.target
+Documentation=man:wg-quick(8)
+Documentation=man:wg(8)
+
+[Service]
+Type=simple
+ExecReload=/bin/bash -c 'exec /usr/bin/wg syncconf %i <(exec /usr/bin/wg-quick strip %i)'
ExecStartPre=/sbin/iptables-restore /a/bin/distro-setup/transmission-firewall/netns.rules
-# allow wireguard network to connect
ExecStartPre=/usr/sbin/ip r add 10.8.0.0/24 via 10.174.$ipsuf.1 dev veth1-client
-ExecStopPost=/usr/bin/flock -w 20 /tmp/newns.flock /a/bin/newns/newns stop %i
-PrivateNetwork=true
+ExecStartPre=/usr/bin/wg-quick up %i
+ExecStart=/bin/sleep infinity
+ExecStopPost=/usr/bin/wg-quick down %i
+ExecStopPost=/usr/sbin/ip r del 10.8.0.0/24 via 10.174.$ipsuf.1 dev veth1-client
+NetworkNamespacePath=/var/run/netns/%i
BindReadOnlyPaths=/etc/tr-resolv:/run/systemd/resolve:norbind /etc/basic-nsswitch:/etc/resolved-nsswitch:norbind
[Install]
fi
done
done <<'EOF'
-/a/bin/ds/machine_specific filesystem/etc/systemd/system/openvpn-client-tr@.service
+/p/c/machine_specific filesystem/etc/systemd/system/wg-quick-tr@.service
/p/c/machine_specific filesystem/etc/wireguard/wghole.conf
EOF
if $stray_found; then
vpncmd() {
- sdncmd openvpn-client-tr@client.service "$@"
+ sdncmd wg-quick-tr@client.service "$@"
}
vpncmdroot() {
- sdncmdroot openvpn-client-tr@client.service "$@"
+ sdncmdroot wg-quick-tr@client.service "$@"
}
vpni() {
- sdncmd openvpn-client-tr@client.service bash
+ # m sudo nsenter --net=/var/run/netns/client sudo -u iank -i bash # for just the netns
+ sdncmd wg-quick-tr@client.service bash
}
vpnbash() {
- sdncmdroot openvpn-client-tr@client.service bash
+ #m sudm nsenter --net=/var/run/netns/client bash # only gets netns
+ sdncmdroot wg-quick-tr@client.service bash
}
-vpn() {
+ovpn() {
if [[ -e /lib/systemd/system/openvpn-client@.service ]]; then
local vpn_service=openvpn-client
else
ls -lad /run/user/1000
stats=$(stat -c%a-%g-%u /run/user/1000)
if [[ $stats != 700-1000-1000 ]]; then
- m s chmod 700 /run/user/1000; m s chown iank.iank /run/user/1000
+ m s chmod 700 /run/user/1000; m s chown iank:iank /run/user/1000
fi
}
s busctl call org.freedesktop.resolve1 /org/freedesktop/resolve1 org.freedesktop.resolve1.Manager SetLinkDNSOverTLS is $link no
}
-vpnoff() {
+ovpnoff() {
[[ $1 ]] || { echo need arg; return 1; }
if [[ -e /lib/systemd/system/openvpn-client@.service ]]; then
local vpn_service=openvpn-client
sudo systemctl stop $vpn_service@$1
}
vpnoffc() { # vpn off client
- ser stop openvpn-client-tr@client
+ ser stop wg-quick-tr@client
}
vpnc() {
local unit
- unit=openvpn-client-tr@client
+ unit=wg-quick-tr@client
sudo -v
if [[ $(systemctl is-active $unit) != active ]]; then
s systemctl start $unit
[Unit]
Description=Transmission BitTorrent Daemon netns
After=network.target
-Requires=openvpn-client-tr@client.service
-After=openvpn-client-tr@client.service
-JoinsNamespaceOf=openvpn-client-tr@client.service
+Requires=wg-quick-tr@client.service
+After=wg-quick-tr@client.service
+NetworkNamespacePath=/var/run/netns/client
[Service]
User=debian-transmission
# https://github.com/transmission/transmission/issues/6991
#Type=notify
Type=simple
-ExecStartPre=+/usr/local/bin/joins-namespace-of-check -p system-openvpn\\x2dclient\\x2dtr.slice openvpn-client-tr@client
ExecStart=/usr/bin/transmission-daemon -f --log-level=error
# for debugging.
#ExecStart=/usr/bin/transmission-daemon -f --log-level=debug
ExecReload=/bin/kill -s HUP $MAINPID
-PrivateNetwork=true
Nice=19
BindReadOnlyPaths=/etc/tr-resolv:/run/systemd/resolve:norbind /etc/basic-nsswitch:/etc/resolved-nsswitch:norbind
fi
}
+# Like perl die. code is self-explanatory.
+die() {
+ err "$*"
+ exit 1
+}
+
# usage: u1 [COMMAND...]
#
# Disable debug-setx printing just for the next command.
+++ /dev/null
-[Unit]
-Description=OpenVPN tunnel for %I
-After=syslog.target network-online.target
-Wants=network-online.target
-Documentation=man:openvpn(8)
-Documentation=https://community.openvpn.net/openvpn/wiki/Openvpn24ManPage
-Documentation=https://community.openvpn.net/openvpn/wiki/HOWTO
-Requires=iptables.service
-
-[Service]
-Type=notify
-RuntimeDirectory=openvpn-client
-RuntimeDirectoryMode=0710
-WorkingDirectory=/etc/openvpn/client
-ExecStart=/usr/sbin/openvpn --suppress-timestamps --nobind --config /etc/openvpn/client/%i.conf
-# todo, try reenabling this from the default openvpn,
-# it was disabled so we could do bind mounts as a command,
-# but now systemd handles it
-#CapabilityBoundingSet=CAP_IPC_LOCK CAP_NET_ADMIN CAP_NET_RAW CAP_SETGID CAP_SETUID CAP_SYS_CHROOT CAP_DAC_OVERRIDE
-LimitNPROC=10
-# DeviceAllow=/dev/null rw
-# DeviceAllow=/dev/net/tun rw
-
-# we use .1 to make this be on a different network than kd, so that we can
-# talk to transmission on kd from remote host, and still use this
-# vpn.
-ExecStartPre=/usr/bin/flock -w 20 /tmp/newns.flock /a/bin/newns/newns -n 10.174.29 start %i
-ExecStartPre=/sbin/iptables-restore /a/bin/distro-setup/transmission-firewall/netns.rules
-# allow wireguard network to connect
-ExecStartPre=/usr/sbin/ip r add 10.8.0.0/24 via 10.174.29.1 dev veth1-client
-ExecStopPost=/usr/bin/flock -w 20 /tmp/newns.flock /a/bin/newns/newns stop %i
-PrivateNetwork=true
-BindReadOnlyPaths=/etc/tr-resolv:/run/systemd/resolve:norbind /etc/basic-nsswitch:/etc/resolved-nsswitch:norbind
-
-[Install]
-WantedBy=multi-user.target
--- /dev/null
+[Unit]
+Description=Initial setup of netns for wg-quick-tr %I
+
+[Service]
+Type=oneshot
+ExecStart=/usr/bin/flock -w 20 /tmp/newns.flock /a/bin/newns/newns -n 10.174.29 start %i
+# no need to stop
+#ExecStop=/usr/bin/flock -w 20 /tmp/newns.flock /a/bin/newns/newns stop %i
+RemainAfterExit=yes
+
+[Install]
+WantedBy=multi-user.target
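Review bot: The lock file on the ExecStart line, `/tmp/newns.flock`, sits in a world-writable directory, so any local account can create it first or simply hold the lock and make `flock -w 20` time out, which fails this oneshot and stalls every unit ordered after it; a root-owned path under /run (created by the installer script, or via systemd's RuntimeDirectory=) removes that exposure. The same path is written by the generating heredoc in the script hunk (L34) and carried into the wg-quick-tr@ units' commented ExecStartPre lines, so it is best fixed at the generator. With `RemainAfterExit=yes` and ExecStop commented out as "no need to stop", a restart of this unit re-runs `newns -n … start %i` against a namespace that already exists; the unit does not say whether newns tolerates that, and a one-line comment stating it would save the next reader a trip to the newns source.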
--- /dev/null
+[Unit]
+Description=WireGuard via wg-quick(8) for %I
+After=network-online.target nss-lookup.target wg-quick-tr-pre@%i.service
+Wants=network-online.target nss-lookup.target wg-quick-tr-pre@%i.service
+PartOf=wg-quick.target
+Documentation=man:wg-quick(8)
+Documentation=man:wg(8)
+
+[Service]
+Type=simple
+ExecReload=/bin/bash -c 'exec /usr/bin/wg syncconf %i <(exec /usr/bin/wg-quick strip %i)'
+#ExecStartPre=/usr/bin/flock -w 20 /tmp/newns.flock /a/bin/newns/newns -n 10.174.29 start %i
+ExecStartPre=/sbin/iptables-restore /a/bin/distro-setup/transmission-firewall/netns.rules
+ExecStartPre=/usr/sbin/ip r add 10.8.0.0/24 via 10.174.29.1 dev veth1-client
+# normal wg-quick has these as ExecStart and ExecStop
+ExecStartPre=/usr/bin/wg-quick up %i
+ExecStart=/bin/sleep infinity
+ExecStopPost=/usr/bin/wg-quick down %i
+ExecStopPost=/usr/sbin/ip r del 10.8.0.0/24 via 10.174.29.1 dev veth1-client
+#ExecStopPost=/usr/bin/flock -w 20 /tmp/newns.flock /a/bin/newns/newns stop %i
+#PrivateNetwork=true
+NetworkNamespacePath=/var/run/netns/client
+BindReadOnlyPaths=/etc/tr-resolv:/run/systemd/resolve:norbind /etc/basic-nsswitch:/etc/resolved-nsswitch:norbind
+
+[Install]
+WantedBy=multi-user.target
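Review bot: `Wants=network-online.target nss-lookup.target wg-quick-tr-pre@%i.service` lets this unit start even when the netns setup unit fails, after which it dies on `NetworkNamespacePath=` with a less useful error; since the unit cannot run without that namespace, adding `Requires=wg-quick-tr-pre@%i.service` (or BindsTo=) states the real dependency, as the transmission unit in the script hunk already does with Requires=. Separately, this checked-in copy hardcodes `NetworkNamespacePath=/var/run/netns/client` and carries commented ExecStartPre/ExecStopPost/PrivateNetwork lines, while the heredoc that generates it (L43–L65 of the script hunk) writes `NetworkNamespacePath=/var/run/netns/%i` and none of those comments, so the copies appear stale relative to their generator and regenerating them before commit would keep the two in sync. The same two points apply to the other per-host copies of this unit (the sections ending at L311, L388, L465, L542, L619, L696, L773 and L850).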
+++ /dev/null
-[Unit]
-Description=OpenVPN tunnel for %I
-After=syslog.target network-online.target
-Wants=network-online.target
-Documentation=man:openvpn(8)
-Documentation=https://community.openvpn.net/openvpn/wiki/Openvpn24ManPage
-Documentation=https://community.openvpn.net/openvpn/wiki/HOWTO
-Requires=iptables.service
-
-[Service]
-Type=notify
-RuntimeDirectory=openvpn-client
-RuntimeDirectoryMode=0710
-WorkingDirectory=/etc/openvpn/client
-ExecStart=/usr/sbin/openvpn --suppress-timestamps --nobind --config /etc/openvpn/client/%i.conf
-# todo, try reenabling this from the default openvpn,
-# it was disabled so we could do bind mounts as a command,
-# but now systemd handles it
-#CapabilityBoundingSet=CAP_IPC_LOCK CAP_NET_ADMIN CAP_NET_RAW CAP_SETGID CAP_SETUID CAP_SYS_CHROOT CAP_DAC_OVERRIDE
-LimitNPROC=10
-# DeviceAllow=/dev/null rw
-# DeviceAllow=/dev/net/tun rw
-
-# we use .1 to make this be on a different network than kd, so that we can
-# talk to transmission on kd from remote host, and still use this
-# vpn.
-ExecStartPre=/usr/bin/flock -w 20 /tmp/newns.flock /a/bin/newns/newns -n 10.174.34 start %i
-ExecStartPre=/sbin/iptables-restore /a/bin/distro-setup/transmission-firewall/netns.rules
-# allow wireguard network to connect
-ExecStartPre=/usr/sbin/ip r add 10.8.0.0/24 via 10.174.34.1 dev veth1-client
-ExecStopPost=/usr/bin/flock -w 20 /tmp/newns.flock /a/bin/newns/newns stop %i
-PrivateNetwork=true
-BindReadOnlyPaths=/etc/tr-resolv:/run/systemd/resolve:norbind /etc/basic-nsswitch:/etc/resolved-nsswitch:norbind
-
-[Install]
-WantedBy=multi-user.target
--- /dev/null
+[Unit]
+Description=Initial setup of netns for wg-quick-tr %I
+
+[Service]
+Type=oneshot
+ExecStart=/usr/bin/flock -w 20 /tmp/newns.flock /a/bin/newns/newns -n 10.174.34 start %i
+# no need to stop
+#ExecStop=/usr/bin/flock -w 20 /tmp/newns.flock /a/bin/newns/newns stop %i
+RemainAfterExit=yes
+
+[Install]
+WantedBy=multi-user.target
--- /dev/null
+[Unit]
+Description=WireGuard via wg-quick(8) for %I
+After=network-online.target nss-lookup.target wg-quick-tr-pre@%i.service
+Wants=network-online.target nss-lookup.target wg-quick-tr-pre@%i.service
+PartOf=wg-quick.target
+Documentation=man:wg-quick(8)
+Documentation=man:wg(8)
+
+[Service]
+Type=simple
+ExecReload=/bin/bash -c 'exec /usr/bin/wg syncconf %i <(exec /usr/bin/wg-quick strip %i)'
+#ExecStartPre=/usr/bin/flock -w 20 /tmp/newns.flock /a/bin/newns/newns -n 10.174.34 start %i
+ExecStartPre=/sbin/iptables-restore /a/bin/distro-setup/transmission-firewall/netns.rules
+ExecStartPre=/usr/sbin/ip r add 10.8.0.0/24 via 10.174.34.1 dev veth1-client
+# normal wg-quick has these as ExecStart and ExecStop
+ExecStartPre=/usr/bin/wg-quick up %i
+ExecStart=/bin/sleep infinity
+ExecStopPost=/usr/bin/wg-quick down %i
+ExecStopPost=/usr/sbin/ip r del 10.8.0.0/24 via 10.174.34.1 dev veth1-client
+#ExecStopPost=/usr/bin/flock -w 20 /tmp/newns.flock /a/bin/newns/newns stop %i
+#PrivateNetwork=true
+NetworkNamespacePath=/var/run/netns/client
+BindReadOnlyPaths=/etc/tr-resolv:/run/systemd/resolve:norbind /etc/basic-nsswitch:/etc/resolved-nsswitch:norbind
+
+[Install]
+WantedBy=multi-user.target
+++ /dev/null
-[Unit]
-Description=OpenVPN tunnel for %I
-After=syslog.target network-online.target
-Wants=network-online.target
-Documentation=man:openvpn(8)
-Documentation=https://community.openvpn.net/openvpn/wiki/Openvpn24ManPage
-Documentation=https://community.openvpn.net/openvpn/wiki/HOWTO
-Requires=iptables.service
-
-[Service]
-Type=notify
-RuntimeDirectory=openvpn-client
-RuntimeDirectoryMode=0710
-WorkingDirectory=/etc/openvpn/client
-ExecStart=/usr/sbin/openvpn --suppress-timestamps --nobind --config /etc/openvpn/client/%i.conf
-# todo, try reenabling this from the default openvpn,
-# it was disabled so we could do bind mounts as a command,
-# but now systemd handles it
-#CapabilityBoundingSet=CAP_IPC_LOCK CAP_NET_ADMIN CAP_NET_RAW CAP_SETGID CAP_SETUID CAP_SYS_CHROOT CAP_DAC_OVERRIDE
-LimitNPROC=10
-# DeviceAllow=/dev/null rw
-# DeviceAllow=/dev/net/tun rw
-
-# we use .1 to make this be on a different network than kd, so that we can
-# talk to transmission on kd from remote host, and still use this
-# vpn.
-ExecStartPre=/usr/bin/flock -w 20 /tmp/newns.flock /a/bin/newns/newns -n 10.174.2 start %i
-ExecStartPre=/sbin/iptables-restore /a/bin/distro-setup/transmission-firewall/netns.rules
-# allow wireguard network to connect
-ExecStartPre=/usr/sbin/ip r add 10.8.0.0/24 via 10.174.2.1 dev veth1-client
-ExecStopPost=/usr/bin/flock -w 20 /tmp/newns.flock /a/bin/newns/newns stop %i
-PrivateNetwork=true
-BindReadOnlyPaths=/etc/tr-resolv:/run/systemd/resolve:norbind /etc/basic-nsswitch:/etc/resolved-nsswitch:norbind
-
-[Install]
-WantedBy=multi-user.target
--- /dev/null
+[Unit]
+Description=Initial setup of netns for wg-quick-tr %I
+
+[Service]
+Type=oneshot
+ExecStart=/usr/bin/flock -w 20 /tmp/newns.flock /a/bin/newns/newns -n 10.174.2 start %i
+# no need to stop
+#ExecStop=/usr/bin/flock -w 20 /tmp/newns.flock /a/bin/newns/newns stop %i
+RemainAfterExit=yes
+
+[Install]
+WantedBy=multi-user.target
--- /dev/null
+[Unit]
+Description=WireGuard via wg-quick(8) for %I
+After=network-online.target nss-lookup.target wg-quick-tr-pre@%i.service
+Wants=network-online.target nss-lookup.target wg-quick-tr-pre@%i.service
+PartOf=wg-quick.target
+Documentation=man:wg-quick(8)
+Documentation=man:wg(8)
+
+[Service]
+Type=simple
+ExecReload=/bin/bash -c 'exec /usr/bin/wg syncconf %i <(exec /usr/bin/wg-quick strip %i)'
+#ExecStartPre=/usr/bin/flock -w 20 /tmp/newns.flock /a/bin/newns/newns -n 10.174.2 start %i
+ExecStartPre=/sbin/iptables-restore /a/bin/distro-setup/transmission-firewall/netns.rules
+ExecStartPre=/usr/sbin/ip r add 10.8.0.0/24 via 10.174.2.1 dev veth1-client
+# normal wg-quick has these as ExecStart and ExecStop
+ExecStartPre=/usr/bin/wg-quick up %i
+ExecStart=/bin/sleep infinity
+ExecStopPost=/usr/bin/wg-quick down %i
+ExecStopPost=/usr/sbin/ip r del 10.8.0.0/24 via 10.174.2.1 dev veth1-client
+#ExecStopPost=/usr/bin/flock -w 20 /tmp/newns.flock /a/bin/newns/newns stop %i
+#PrivateNetwork=true
+NetworkNamespacePath=/var/run/netns/client
+BindReadOnlyPaths=/etc/tr-resolv:/run/systemd/resolve:norbind /etc/basic-nsswitch:/etc/resolved-nsswitch:norbind
+
+[Install]
+WantedBy=multi-user.target
+++ /dev/null
-[Unit]
-Description=OpenVPN tunnel for %I
-After=syslog.target network-online.target
-Wants=network-online.target
-Documentation=man:openvpn(8)
-Documentation=https://community.openvpn.net/openvpn/wiki/Openvpn24ManPage
-Documentation=https://community.openvpn.net/openvpn/wiki/HOWTO
-Requires=iptables.service
-
-[Service]
-Type=notify
-RuntimeDirectory=openvpn-client
-RuntimeDirectoryMode=0710
-WorkingDirectory=/etc/openvpn/client
-ExecStart=/usr/sbin/openvpn --suppress-timestamps --nobind --config /etc/openvpn/client/%i.conf
-# todo, try reenabling this from the default openvpn,
-# it was disabled so we could do bind mounts as a command,
-# but now systemd handles it
-#CapabilityBoundingSet=CAP_IPC_LOCK CAP_NET_ADMIN CAP_NET_RAW CAP_SETGID CAP_SETUID CAP_SYS_CHROOT CAP_DAC_OVERRIDE
-LimitNPROC=10
-# DeviceAllow=/dev/null rw
-# DeviceAllow=/dev/net/tun rw
-
-# we use .1 to make this be on a different network than kd, so that we can
-# talk to transmission on kd from remote host, and still use this
-# vpn.
-ExecStartPre=/usr/bin/flock -w 20 /tmp/newns.flock /a/bin/newns/newns -n 10.174.97 start %i
-ExecStartPre=/sbin/iptables-restore /a/bin/distro-setup/transmission-firewall/netns.rules
-# allow wireguard network to connect
-ExecStartPre=/usr/sbin/ip r add 10.8.0.0/24 via 10.174.97.1 dev veth1-client
-ExecStopPost=/usr/bin/flock -w 20 /tmp/newns.flock /a/bin/newns/newns stop %i
-PrivateNetwork=true
-BindReadOnlyPaths=/etc/tr-resolv:/run/systemd/resolve:norbind /etc/basic-nsswitch:/etc/resolved-nsswitch:norbind
-
-[Install]
-WantedBy=multi-user.target
--- /dev/null
+[Unit]
+Description=Initial setup of netns for wg-quick-tr %I
+
+[Service]
+Type=oneshot
+ExecStart=/usr/bin/flock -w 20 /tmp/newns.flock /a/bin/newns/newns -n 10.174.97 start %i
+# no need to stop
+#ExecStop=/usr/bin/flock -w 20 /tmp/newns.flock /a/bin/newns/newns stop %i
+RemainAfterExit=yes
+
+[Install]
+WantedBy=multi-user.target
--- /dev/null
+[Unit]
+Description=WireGuard via wg-quick(8) for %I
+After=network-online.target nss-lookup.target wg-quick-tr-pre@%i.service
+Wants=network-online.target nss-lookup.target wg-quick-tr-pre@%i.service
+PartOf=wg-quick.target
+Documentation=man:wg-quick(8)
+Documentation=man:wg(8)
+
+[Service]
+Type=simple
+ExecReload=/bin/bash -c 'exec /usr/bin/wg syncconf %i <(exec /usr/bin/wg-quick strip %i)'
+#ExecStartPre=/usr/bin/flock -w 20 /tmp/newns.flock /a/bin/newns/newns -n 10.174.97 start %i
+ExecStartPre=/sbin/iptables-restore /a/bin/distro-setup/transmission-firewall/netns.rules
+ExecStartPre=/usr/sbin/ip r add 10.8.0.0/24 via 10.174.97.1 dev veth1-client
+# normal wg-quick has these as ExecStart and ExecStop
+ExecStartPre=/usr/bin/wg-quick up %i
+ExecStart=/bin/sleep infinity
+ExecStopPost=/usr/bin/wg-quick down %i
+ExecStopPost=/usr/sbin/ip r del 10.8.0.0/24 via 10.174.97.1 dev veth1-client
+#ExecStopPost=/usr/bin/flock -w 20 /tmp/newns.flock /a/bin/newns/newns stop %i
+#PrivateNetwork=true
+NetworkNamespacePath=/var/run/netns/client
+BindReadOnlyPaths=/etc/tr-resolv:/run/systemd/resolve:norbind /etc/basic-nsswitch:/etc/resolved-nsswitch:norbind
+
+[Install]
+WantedBy=multi-user.target
+++ /dev/null
-[Unit]
-Description=OpenVPN tunnel for %I
-After=syslog.target network-online.target
-Wants=network-online.target
-Documentation=man:openvpn(8)
-Documentation=https://community.openvpn.net/openvpn/wiki/Openvpn24ManPage
-Documentation=https://community.openvpn.net/openvpn/wiki/HOWTO
-Requires=iptables.service
-
-[Service]
-Type=notify
-RuntimeDirectory=openvpn-client
-RuntimeDirectoryMode=0710
-WorkingDirectory=/etc/openvpn/client
-ExecStart=/usr/sbin/openvpn --suppress-timestamps --nobind --config /etc/openvpn/client/%i.conf
-# todo, try reenabling this from the default openvpn,
-# it was disabled so we could do bind mounts as a command,
-# but now systemd handles it
-#CapabilityBoundingSet=CAP_IPC_LOCK CAP_NET_ADMIN CAP_NET_RAW CAP_SETGID CAP_SETUID CAP_SYS_CHROOT CAP_DAC_OVERRIDE
-LimitNPROC=10
-# DeviceAllow=/dev/null rw
-# DeviceAllow=/dev/net/tun rw
-
-# we use .1 to make this be on a different network than kd, so that we can
-# talk to transmission on kd from remote host, and still use this
-# vpn.
-ExecStartPre=/usr/bin/flock -w 20 /tmp/newns.flock /a/bin/newns/newns -n 10.174.99 start %i
-ExecStartPre=/sbin/iptables-restore /a/bin/distro-setup/transmission-firewall/netns.rules
-# allow wireguard network to connect
-ExecStartPre=/usr/sbin/ip r add 10.8.0.0/24 via 10.174.99.1 dev veth1-client
-ExecStopPost=/usr/bin/flock -w 20 /tmp/newns.flock /a/bin/newns/newns stop %i
-PrivateNetwork=true
-BindReadOnlyPaths=/etc/tr-resolv:/run/systemd/resolve:norbind /etc/basic-nsswitch:/etc/resolved-nsswitch:norbind
-
-[Install]
-WantedBy=multi-user.target
--- /dev/null
+[Unit]
+Description=Initial setup of netns for wg-quick-tr %I
+
+[Service]
+Type=oneshot
+ExecStart=/usr/bin/flock -w 20 /tmp/newns.flock /a/bin/newns/newns -n 10.174.99 start %i
+# no need to stop
+#ExecStop=/usr/bin/flock -w 20 /tmp/newns.flock /a/bin/newns/newns stop %i
+RemainAfterExit=yes
+
+[Install]
+WantedBy=multi-user.target
--- /dev/null
+[Unit]
+Description=WireGuard via wg-quick(8) for %I
+After=network-online.target nss-lookup.target wg-quick-tr-pre@%i.service
+Wants=network-online.target nss-lookup.target wg-quick-tr-pre@%i.service
+PartOf=wg-quick.target
+Documentation=man:wg-quick(8)
+Documentation=man:wg(8)
+
+[Service]
+Type=simple
+ExecReload=/bin/bash -c 'exec /usr/bin/wg syncconf %i <(exec /usr/bin/wg-quick strip %i)'
+#ExecStartPre=/usr/bin/flock -w 20 /tmp/newns.flock /a/bin/newns/newns -n 10.174.99 start %i
+ExecStartPre=/sbin/iptables-restore /a/bin/distro-setup/transmission-firewall/netns.rules
+ExecStartPre=/usr/sbin/ip r add 10.8.0.0/24 via 10.174.99.1 dev veth1-client
+# normal wg-quick has these as ExecStart and ExecStop
+ExecStartPre=/usr/bin/wg-quick up %i
+ExecStart=/bin/sleep infinity
+ExecStopPost=/usr/bin/wg-quick down %i
+ExecStopPost=/usr/sbin/ip r del 10.8.0.0/24 via 10.174.99.1 dev veth1-client
+#ExecStopPost=/usr/bin/flock -w 20 /tmp/newns.flock /a/bin/newns/newns stop %i
+#PrivateNetwork=true
+NetworkNamespacePath=/var/run/netns/client
+BindReadOnlyPaths=/etc/tr-resolv:/run/systemd/resolve:norbind /etc/basic-nsswitch:/etc/resolved-nsswitch:norbind
+
+[Install]
+WantedBy=multi-user.target
+++ /dev/null
-[Unit]
-Description=OpenVPN tunnel for %I
-After=syslog.target network-online.target
-Wants=network-online.target
-Documentation=man:openvpn(8)
-Documentation=https://community.openvpn.net/openvpn/wiki/Openvpn24ManPage
-Documentation=https://community.openvpn.net/openvpn/wiki/HOWTO
-Requires=iptables.service
-
-[Service]
-Type=notify
-RuntimeDirectory=openvpn-client
-RuntimeDirectoryMode=0710
-WorkingDirectory=/etc/openvpn/client
-ExecStart=/usr/sbin/openvpn --suppress-timestamps --nobind --config /etc/openvpn/client/%i.conf
-# todo, try reenabling this from the default openvpn,
-# it was disabled so we could do bind mounts as a command,
-# but now systemd handles it
-#CapabilityBoundingSet=CAP_IPC_LOCK CAP_NET_ADMIN CAP_NET_RAW CAP_SETGID CAP_SETUID CAP_SYS_CHROOT CAP_DAC_OVERRIDE
-LimitNPROC=10
-# DeviceAllow=/dev/null rw
-# DeviceAllow=/dev/net/tun rw
-
-# we use .1 to make this be on a different network than kd, so that we can
-# talk to transmission on kd from remote host, and still use this
-# vpn.
-ExecStartPre=/usr/bin/flock -w 20 /tmp/newns.flock /a/bin/newns/newns -n 10.174.3 start %i
-ExecStartPre=/sbin/iptables-restore /a/bin/distro-setup/transmission-firewall/netns.rules
-# allow wireguard network to connect
-ExecStartPre=/usr/sbin/ip r add 10.8.0.0/24 via 10.174.3.1 dev veth1-client
-ExecStopPost=/usr/bin/flock -w 20 /tmp/newns.flock /a/bin/newns/newns stop %i
-PrivateNetwork=true
-BindReadOnlyPaths=/etc/tr-resolv:/run/systemd/resolve:norbind /etc/basic-nsswitch:/etc/resolved-nsswitch:norbind
-
-[Install]
-WantedBy=multi-user.target
--- /dev/null
+[Unit]
+Description=Initial setup of netns for wg-quick-tr %I
+
+[Service]
+Type=oneshot
+ExecStart=/usr/bin/flock -w 20 /tmp/newns.flock /a/bin/newns/newns -n 10.174.3 start %i
+# no need to stop
+#ExecStop=/usr/bin/flock -w 20 /tmp/newns.flock /a/bin/newns/newns stop %i
+RemainAfterExit=yes
+
+[Install]
+WantedBy=multi-user.target
--- /dev/null
+[Unit]
+Description=WireGuard via wg-quick(8) for %I
+After=network-online.target nss-lookup.target wg-quick-tr-pre@%i.service
+Wants=network-online.target nss-lookup.target wg-quick-tr-pre@%i.service
+PartOf=wg-quick.target
+Documentation=man:wg-quick(8)
+Documentation=man:wg(8)
+
+[Service]
+Type=simple
+ExecReload=/bin/bash -c 'exec /usr/bin/wg syncconf %i <(exec /usr/bin/wg-quick strip %i)'
+#ExecStartPre=/usr/bin/flock -w 20 /tmp/newns.flock /a/bin/newns/newns -n 10.174.3 start %i
+ExecStartPre=/sbin/iptables-restore /a/bin/distro-setup/transmission-firewall/netns.rules
+ExecStartPre=/usr/sbin/ip r add 10.8.0.0/24 via 10.174.3.1 dev veth1-client
+# normal wg-quick has these as ExecStart and ExecStop
+ExecStartPre=/usr/bin/wg-quick up %i
+ExecStart=/bin/sleep infinity
+ExecStopPost=/usr/bin/wg-quick down %i
+ExecStopPost=/usr/sbin/ip r del 10.8.0.0/24 via 10.174.3.1 dev veth1-client
+#ExecStopPost=/usr/bin/flock -w 20 /tmp/newns.flock /a/bin/newns/newns stop %i
+#PrivateNetwork=true
+NetworkNamespacePath=/var/run/netns/client
+BindReadOnlyPaths=/etc/tr-resolv:/run/systemd/resolve:norbind /etc/basic-nsswitch:/etc/resolved-nsswitch:norbind
+
+[Install]
+WantedBy=multi-user.target
+++ /dev/null
-[Unit]
-Description=OpenVPN tunnel for %I
-After=syslog.target network-online.target
-Wants=network-online.target
-Documentation=man:openvpn(8)
-Documentation=https://community.openvpn.net/openvpn/wiki/Openvpn24ManPage
-Documentation=https://community.openvpn.net/openvpn/wiki/HOWTO
-Requires=iptables.service
-
-[Service]
-Type=notify
-RuntimeDirectory=openvpn-client
-RuntimeDirectoryMode=0710
-WorkingDirectory=/etc/openvpn/client
-ExecStart=/usr/sbin/openvpn --suppress-timestamps --nobind --config /etc/openvpn/client/%i.conf
-# todo, try reenabling this from the default openvpn,
-# it was disabled so we could do bind mounts as a command,
-# but now systemd handles it
-#CapabilityBoundingSet=CAP_IPC_LOCK CAP_NET_ADMIN CAP_NET_RAW CAP_SETGID CAP_SETUID CAP_SYS_CHROOT CAP_DAC_OVERRIDE
-LimitNPROC=10
-# DeviceAllow=/dev/null rw
-# DeviceAllow=/dev/net/tun rw
-
-# we use .1 to make this be on a different network than kd, so that we can
-# talk to transmission on kd from remote host, and still use this
-# vpn.
-ExecStartPre=/usr/bin/flock -w 20 /tmp/newns.flock /a/bin/newns/newns -n 10.174.7 start %i
-ExecStartPre=/sbin/iptables-restore /a/bin/distro-setup/transmission-firewall/netns.rules
-# allow wireguard network to connect
-ExecStartPre=/usr/sbin/ip r add 10.8.0.0/24 via 10.174.7.1 dev veth1-client
-ExecStopPost=/usr/bin/flock -w 20 /tmp/newns.flock /a/bin/newns/newns stop %i
-PrivateNetwork=true
-BindReadOnlyPaths=/etc/tr-resolv:/run/systemd/resolve:norbind /etc/basic-nsswitch:/etc/resolved-nsswitch:norbind
-
-[Install]
-WantedBy=multi-user.target
--- /dev/null
+[Unit]
+Description=Initial setup of netns for wg-quick-tr %I
+
+[Service]
+Type=oneshot
+ExecStart=/usr/bin/flock -w 20 /tmp/newns.flock /a/bin/newns/newns -n 10.174.7 start %i
+# no need to stop
+#ExecStop=/usr/bin/flock -w 20 /tmp/newns.flock /a/bin/newns/newns stop %i
+RemainAfterExit=yes
+
+[Install]
+WantedBy=multi-user.target
--- /dev/null
+[Unit]
+Description=WireGuard via wg-quick(8) for %I
+After=network-online.target nss-lookup.target wg-quick-tr-pre@%i.service
+Wants=network-online.target nss-lookup.target wg-quick-tr-pre@%i.service
+PartOf=wg-quick.target
+Documentation=man:wg-quick(8)
+Documentation=man:wg(8)
+
+[Service]
+Type=simple
+ExecReload=/bin/bash -c 'exec /usr/bin/wg syncconf %i <(exec /usr/bin/wg-quick strip %i)'
+#ExecStartPre=/usr/bin/flock -w 20 /tmp/newns.flock /a/bin/newns/newns -n 10.174.7 start %i
+ExecStartPre=/sbin/iptables-restore /a/bin/distro-setup/transmission-firewall/netns.rules
+ExecStartPre=/usr/sbin/ip r add 10.8.0.0/24 via 10.174.7.1 dev veth1-client
+# normal wg-quick has these as ExecStart and ExecStop
+ExecStartPre=/usr/bin/wg-quick up %i
+ExecStart=/bin/sleep infinity
+ExecStopPost=/usr/bin/wg-quick down %i
+ExecStopPost=/usr/sbin/ip r del 10.8.0.0/24 via 10.174.7.1 dev veth1-client
+#ExecStopPost=/usr/bin/flock -w 20 /tmp/newns.flock /a/bin/newns/newns stop %i
+#PrivateNetwork=true
+NetworkNamespacePath=/var/run/netns/client
+BindReadOnlyPaths=/etc/tr-resolv:/run/systemd/resolve:norbind /etc/basic-nsswitch:/etc/resolved-nsswitch:norbind
+
+[Install]
+WantedBy=multi-user.target
+++ /dev/null
-[Unit]
-Description=OpenVPN tunnel for %I
-After=syslog.target network-online.target
-Wants=network-online.target
-Documentation=man:openvpn(8)
-Documentation=https://community.openvpn.net/openvpn/wiki/Openvpn24ManPage
-Documentation=https://community.openvpn.net/openvpn/wiki/HOWTO
-Requires=iptables.service
-
-[Service]
-Type=notify
-RuntimeDirectory=openvpn-client
-RuntimeDirectoryMode=0710
-WorkingDirectory=/etc/openvpn/client
-ExecStart=/usr/sbin/openvpn --suppress-timestamps --nobind --config /etc/openvpn/client/%i.conf
-# todo, try reenabling this from the default openvpn,
-# it was disabled so we could do bind mounts as a command,
-# but now systemd handles it
-#CapabilityBoundingSet=CAP_IPC_LOCK CAP_NET_ADMIN CAP_NET_RAW CAP_SETGID CAP_SETUID CAP_SYS_CHROOT CAP_DAC_OVERRIDE
-LimitNPROC=10
-# DeviceAllow=/dev/null rw
-# DeviceAllow=/dev/net/tun rw
-
-# we use .1 to make this be on a different network than kd, so that we can
-# talk to transmission on kd from remote host, and still use this
-# vpn.
-ExecStartPre=/usr/bin/flock -w 20 /tmp/newns.flock /a/bin/newns/newns -n 10.174.28 start %i
-ExecStartPre=/sbin/iptables-restore /a/bin/distro-setup/transmission-firewall/netns.rules
-# allow wireguard network to connect
-ExecStartPre=/usr/sbin/ip r add 10.8.0.0/24 via 10.174.28.1 dev veth1-client
-ExecStopPost=/usr/bin/flock -w 20 /tmp/newns.flock /a/bin/newns/newns stop %i
-PrivateNetwork=true
-BindReadOnlyPaths=/etc/tr-resolv:/run/systemd/resolve:norbind /etc/basic-nsswitch:/etc/resolved-nsswitch:norbind
-
-[Install]
-WantedBy=multi-user.target
--- /dev/null
+[Unit]
+Description=Initial setup of netns for wg-quick-tr %I
+
+[Service]
+Type=oneshot
+ExecStart=/usr/bin/flock -w 20 /tmp/newns.flock /a/bin/newns/newns -n 10.174.28 start %i
+# no need to stop
+#ExecStop=/usr/bin/flock -w 20 /tmp/newns.flock /a/bin/newns/newns stop %i
+RemainAfterExit=yes
+
+[Install]
+WantedBy=multi-user.target
--- /dev/null
+[Unit]
+Description=WireGuard via wg-quick(8) for %I
+After=network-online.target nss-lookup.target wg-quick-tr-pre@%i.service
+Wants=network-online.target nss-lookup.target wg-quick-tr-pre@%i.service
+PartOf=wg-quick.target
+Documentation=man:wg-quick(8)
+Documentation=man:wg(8)
+
+[Service]
+Type=simple
+ExecReload=/bin/bash -c 'exec /usr/bin/wg syncconf %i <(exec /usr/bin/wg-quick strip %i)'
+#ExecStartPre=/usr/bin/flock -w 20 /tmp/newns.flock /a/bin/newns/newns -n 10.174.28 start %i
+ExecStartPre=/sbin/iptables-restore /a/bin/distro-setup/transmission-firewall/netns.rules
+ExecStartPre=/usr/sbin/ip r add 10.8.0.0/24 via 10.174.28.1 dev veth1-client
+# normal wg-quick has these as ExecStart and ExecStop
+ExecStartPre=/usr/bin/wg-quick up %i
+ExecStart=/bin/sleep infinity
+ExecStopPost=/usr/bin/wg-quick down %i
+ExecStopPost=/usr/sbin/ip r del 10.8.0.0/24 via 10.174.28.1 dev veth1-client
+#ExecStopPost=/usr/bin/flock -w 20 /tmp/newns.flock /a/bin/newns/newns stop %i
+#PrivateNetwork=true
+NetworkNamespacePath=/var/run/netns/client
+BindReadOnlyPaths=/etc/tr-resolv:/run/systemd/resolve:norbind /etc/basic-nsswitch:/etc/resolved-nsswitch:norbind
+
+[Install]
+WantedBy=multi-user.target
+++ /dev/null
-[Unit]
-Description=OpenVPN tunnel for %I
-After=syslog.target network-online.target
-Wants=network-online.target
-Documentation=man:openvpn(8)
-Documentation=https://community.openvpn.net/openvpn/wiki/Openvpn24ManPage
-Documentation=https://community.openvpn.net/openvpn/wiki/HOWTO
-Requires=iptables.service
-
-[Service]
-Type=notify
-RuntimeDirectory=openvpn-client
-RuntimeDirectoryMode=0710
-WorkingDirectory=/etc/openvpn/client
-ExecStart=/usr/sbin/openvpn --suppress-timestamps --nobind --config /etc/openvpn/client/%i.conf
-# todo, try reenabling this from the default openvpn,
-# it was disabled so we could do bind mounts as a command,
-# but now systemd handles it
-#CapabilityBoundingSet=CAP_IPC_LOCK CAP_NET_ADMIN CAP_NET_RAW CAP_SETGID CAP_SETUID CAP_SYS_CHROOT CAP_DAC_OVERRIDE
-LimitNPROC=10
-# DeviceAllow=/dev/null rw
-# DeviceAllow=/dev/net/tun rw
-
-# we use .1 to make this be on a different network than kd, so that we can
-# talk to transmission on kd from remote host, and still use this
-# vpn.
-ExecStartPre=/usr/bin/flock -w 20 /tmp/newns.flock /a/bin/newns/newns -n 10.174.8 start %i
-ExecStartPre=/sbin/iptables-restore /a/bin/distro-setup/transmission-firewall/netns.rules
-# allow wireguard network to connect
-ExecStartPre=/usr/sbin/ip r add 10.8.0.0/24 via 10.174.8.1 dev veth1-client
-ExecStopPost=/usr/bin/flock -w 20 /tmp/newns.flock /a/bin/newns/newns stop %i
-PrivateNetwork=true
-BindReadOnlyPaths=/etc/tr-resolv:/run/systemd/resolve:norbind /etc/basic-nsswitch:/etc/resolved-nsswitch:norbind
-
-[Install]
-WantedBy=multi-user.target
--- /dev/null
+[Unit]
+Description=Initial setup of netns for wg-quick-tr %I
+
+[Service]
+Type=oneshot
+ExecStart=/usr/bin/flock -w 20 /tmp/newns.flock /a/bin/newns/newns -n 10.174.8 start %i
+# no need to stop
+#ExecStop=/usr/bin/flock -w 20 /tmp/newns.flock /a/bin/newns/newns stop %i
+RemainAfterExit=yes
+
+[Install]
+WantedBy=multi-user.target
--- /dev/null
+[Unit]
+Description=WireGuard via wg-quick(8) for %I
+After=network-online.target nss-lookup.target wg-quick-tr-pre@%i.service
+Wants=network-online.target nss-lookup.target wg-quick-tr-pre@%i.service
+PartOf=wg-quick.target
+Documentation=man:wg-quick(8)
+Documentation=man:wg(8)
+
+[Service]
+Type=simple
+ExecReload=/bin/bash -c 'exec /usr/bin/wg syncconf %i <(exec /usr/bin/wg-quick strip %i)'
+#ExecStartPre=/usr/bin/flock -w 20 /tmp/newns.flock /a/bin/newns/newns -n 10.174.8 start %i
+ExecStartPre=/sbin/iptables-restore /a/bin/distro-setup/transmission-firewall/netns.rules
+ExecStartPre=/usr/sbin/ip r add 10.8.0.0/24 via 10.174.8.1 dev veth1-client
+# normal wg-quick has these as ExecStart and ExecStop
+ExecStartPre=/usr/bin/wg-quick up %i
+ExecStart=/bin/sleep infinity
+ExecStopPost=/usr/bin/wg-quick down %i
+ExecStopPost=/usr/sbin/ip r del 10.8.0.0/24 via 10.174.8.1 dev veth1-client
+#ExecStopPost=/usr/bin/flock -w 20 /tmp/newns.flock /a/bin/newns/newns stop %i
+#PrivateNetwork=true
+NetworkNamespacePath=/var/run/netns/client
+BindReadOnlyPaths=/etc/tr-resolv:/run/systemd/resolve:norbind /etc/basic-nsswitch:/etc/resolved-nsswitch:norbind
+
+[Install]
+WantedBy=multi-user.target
# prevent dns leaks. note: if we needed openvpn to do initial dns, we could
# add -m owner --uid-owner root to the output rules, but we just connect to
# ip addresses.
--A OUTPUT -p udp -m udp --dport 53 -j ACCEPT
--A INPUT -p udp -m udp --sport 53 -j ACCEPT
+#-A OUTPUT -p udp -m udp --dport 53 -j ACCEPT
+#-A INPUT -p udp -m udp --sport 53 -j ACCEPT
+#-A OUTPUT -p tcp -m tcp --dport 53 -j ACCEPT
+#-A INPUT -p tcp -m tcp --sport 53 -j ACCEPT
--A OUTPUT -p tcp -m tcp --dport 53 -j ACCEPT
--A INPUT -p tcp -m tcp --sport 53 -j ACCEPT
+-A OUTPUT -o client -j ACCEPT
+-A INPUT -i client -j ACCEPT
-# transmission-remote
--A OUTPUT -p tcp -m tcp --sport 9091 -j ACCEPT
--A INPUT -p tcp -m tcp --dport 9091 -j ACCEPT
-
-# archivebox
--A OUTPUT -d 10.174.34.1 -p tcp -m tcp --dport 8000 -j ACCEPT
--A INPUT -s 10.174.34.1 -p tcp -m tcp --sport 8000 -j ACCEPT
-
-
-# 1196 is used by mullvad
--A OUTPUT -p udp -m udp --dport 1196 -j ACCEPT
--A INPUT -p udp -m udp --sport 1196 -j ACCEPT
-
--A OUTPUT -o tun0 -j ACCEPT
--A INPUT -i tun0 -j ACCEPT
+# from /etc/wireguard/client.conf
+-A OUTPUT -p udp -m udp --dport 51820 -j ACCEPT
+-A INPUT -p udp -m udp --sport 51820 -j ACCEPT
# makes debugging things easier
-A INPUT -p icmp -j ACCEPT
-A OUTPUT -p icmp -j ACCEPT
+# transmission-remote
+-A OUTPUT -p tcp -m tcp --sport 9091 -j ACCEPT
+-A INPUT -p tcp -m tcp --dport 9091 -j ACCEPT
+
# allow us to run servers on localhost
-A INPUT -d 127.0.0.0/8 -j ACCEPT
-A OUTPUT -s 127.0.0.0/8 -j ACCEPT
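Review bot: The rule below `# from /etc/wireguard/client.conf`, `-A OUTPUT -p udp -m udp --dport 51820 -j ACCEPT`, accepts UDP to port 51820 on any destination and any interface, so the one path out of the namespace that bypasses the tunnel is wider than the handshake needs; pinning it to the veth and the peer, e.g. `-A OUTPUT -o veth1-client -d <ENDPOINT-IP> -p udp -m udp --dport 51820 -j ACCEPT` with the matching `-A INPUT -i veth1-client -s <ENDPOINT-IP> -p udp -m udp --sport 51820 -j ACCEPT`, limits it to exactly the configured endpoint (ENDPOINT-IP is a placeholder for the Endpoint in client.conf). The `# prevent dns leaks` comment at the top of the hunk still explains the port-53 rules in terms of openvpn, but those rules are now commented out and the tunnel is wg-quick, so a rewrite such as `# prevent dns leaks: no port-53 rules here, name lookups can only leave via the tunnel interface (-o client); the wg endpoint is reached by ip` would describe the new rules. The `-o client` / `-i client` accept pair relies on wg-quick naming the interface after the config file (client.conf); a comment stating that next to the rules would make the coupling visible.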