fi
}
-psvpn() {
- # show all processes in the vpn network namespace.
- # blank entries appear to be subprocesses/threads of transmission daemon
+psnetns() {
+ # show all processes in the network namespace $1.
+ # blank entries appear to be subprocesses/threads
+ local x netns
+ netns=$1
ps -w | head -n 1
- s find -L /proc/[1-9]*/task/*/ns/net -samefile /run/netns/vpn | cut -d/ -f5 | \
+ s find -L /proc/[1-9]*/task/*/ns/net -samefile /run/netns/$netns | cut -d/ -f5 | \
while read l; do
x=$(ps -w --no-headers -p $l);
if [[ $x ]]; then echo "$x"; else echo $l; fi;
vpnbash() {
m s nsenter -t $(pgrep openvpn) -n -m bash
-}
-
-netnsvpn() {
- # todo, make a function to kill all processes in the network namespace.
-
- # manually run vpn so it stays within a network namespace,
- # until I get it all wired up with systemd.
- if ! s ip netns list | awk '{print $1}' | grep -Fx vpn &>/dev/null; then
- newns vpn start || return 1
- fi
-
- s iptables-restore <<'EOF'
-# some traffic leaked, so I recreated the rules here being
-# a little more specific. We could also do the reverse rules
-# for input, but meh.
-# todo: try out rules for process owner. reject all
-# packes by transmission-daemon, which are not from brvpn
-*filter
-:INPUT ACCEPT
-:FORWARD ACCEPT
-:OUTPUT ACCEPT
-# -i = interface
-# -d = destination
-# -p = protocol
-# -m = (match, aka extended match module), enabling the next rule
--A FORWARD -i brvpn -d 192.168.1.1 -p udp -m udp --dport 53 -j ACCEPT
--A FORWARD -i brvpn -d 192.168.1.1 -p tcp -m tcp --dport 53 -j ACCEPT
--A FORWARD -i brvpn -d 192.168.1.0/24 -p tcp -m tcp --dport 9091 -j ACCEPT
--A FORWARD -i brvpn -p udp -m udp --dport 1194:1195 -j ACCEPT
--A FORWARD -i brvpn -j REJECT
-# prevent transmission daemon from doing anything outside it's
-# network namespace.
--A OUTPUT -m owner --uid-owner debian-transmission -j REJECT
-COMMIT
-EOF
- local pid
- pid=$(< /run/openvpn/client.pid)
- local vpn_on=false
- if [[ $pid ]]; then
- if [[ -e /proc/$pid ]]; then
- vpn_on=true
- else
- vpn_on=false
- s rm -f /run/openvpn/client.pid
- fi
- fi
- # for testing of disabled firewall rules, run this:
- #s ip netns exec vpn iptables -P OUTPUT ACCEPT
- s ip netns exec vpn iptables-restore <<'EOF'
-# format from iptables-save. [0:0] are comments of packet-count/byte-count
-# which I removed
-*filter
-:INPUT DROP
-:FORWARD ACCEPT
-:OUTPUT DROP
-# from ip route, we can deduce that traffic goes to the
-# local 10.8.0.x tun0, then to the normal interface.
-# For the normal interface, we allow only some ports:
-# dns, vpn, transmission-remote.
-# dns is only used to resolve the vpn server ip on initial
-# connection.
-# rules are mirror on input and output, just for extra safety,
-# although just having output should do fine.
-
-# We could also firewall from outside the nat, for example like this,
-# but I'm thinking this is simpler.
-#-A FORWARD -i brvpn -p udp -m udp --dport 1194:1195 -j ACCEPT
-#-A FORWARD -i brvpn -j REJECT
-
-# help prevent dns leaks, openvpn runs as root
--A OUTPUT -p udp -m udp --dport 53 -m owner --uid-owner root -j ACCEPT
--A INPUT -p udp -m udp --dport 53 -m owner --uid-owner root -j ACCEPT
-
--A OUTPUT -p tcp -m tcp --dport 53 -m owner --uid-owner root -j ACCEPT
--A INPUT -p tcp -m tcp --dport 53 -m owner --uid-owner root -j ACCEPT
-
--A OUTPUT -p tcp -m tcp --sport 9091 -j ACCEPT
--A INPUT -p tcp -m tcp --dport 9091 -j ACCEPT
-
-# 1195 is used for the secondary vpn server
--A OUTPUT -p udp -m udp --dport 1194:1195 -j ACCEPT
--A INPUT -p udp -m udp --dport 1194:1195 -j ACCEPT
-
--A OUTPUT -o tun0 -j ACCEPT
--A INPUT -i tun0 -j ACCEPT
-COMMIT
-EOF
- $vpn_on || s ip netns exec vpn /usr/sbin/openvpn --daemon ovpn --status /run/openvpn/%i.status 10 --cd /etc/openvpn --config /etc/openvpn/client.conf --writepid /run/openvpn/client.pid
-}
-
-
-
-vc() {
- [[ $1 ]] || { e "$0: error, expected cmd to run"; return 1; }
- gksudo -- ip netns exec vpn gksudo -u ${SUDO_USER:-$USER} "$@"
-}
-
-transmission-stop() {
- local pid=$(cat /var/lib/transmission-daemon/transmission-daemon.pid)
- if [[ $pid ]]; then
- sudo kill $pid
- else
- psg transmission-daemon
- fi
+ # note, if we wanted to run a graphical program,
+ # instead of bash, we could use
+ # gksudo -u ${SUDO_USER:-$USER} "$@"
}
iankelling.org / git / distro-setup / commitdiff