OpenVPN for specific applications via Network Namespace - almost working

How to customize and extend your OpenVPN installation.
Post Reply
jazco
OpenVpn Newbie
Posts: 4
Joined: Sun Jan 21, 2018 12:55 pm

OpenVPN for specific applications via Network Namespace - almost working

Post by jazco » Sun Jan 21, 2018 10:07 pm

Inspired by Austin Adams blog:
https://austinjadams.com/blog/running-s ... h-openvpn/

And the NSDO tool he created:
https://github.com/ausbin/nsdo

His blog guide, if correctly interpreted, makes it extremely easy to run only specific applications through OpenVPN. After some configuring (explained in his blog and step by step below), you can simply execute any application via nsdo to make it run via OpenVPN! :D
I have had this working in the past but now I have a clean Debian STRETCH install and need some assistance from experts.
The steps according to his blog:
  1. Create '/etc/systemd/system/openvpn@.service.d/netns.conf':

    Code: Select all

    [Unit]
    Requires=netns@%i.service
    After=netns@%i.service
    
    [Service]
    # Needed to call setns() as ip netns does
    CapabilityBoundingSet=CAP_SYS_ADMIN
  2. Create '/etc/systemd/system/netns@.service':

    Code: Select all

    [Unit]
    Description=network namespace %I
    
    [Service]
    Type=oneshot
    ExecStart=/bin/ip netns add %I
    ExecStop=/bin/ip netns del %I
    RemainAfterExit=yes
  3. Make sure this part is in your openvpn.conf file (for example '/etc/openvpn/abc.conf'):

    Code: Select all

    # ...
    # (my other configuration)
    # ...
    
    # script should run `ip`, not openvpn
    route-noexec
    ifconfig-noexec
    up "/usr/local/bin/vpn-ns"
    route-up "/usr/local/bin/vpn-ns"
    script-security 2
  4. Create the "magic" file '/usr/local/bin/vpn-ns' and make it executable via chmod +x vpn-ns:

    Code: Select all

    #!/bin/bash
    # based heavily on http://naju.se/articles/openvpn-netns
    
    [[ $EUID -ne 0 ]] && {
        echo "$0: this program requires root privileges. try again with 'sudo'?" >&2
        exit 1
    }
    
    # convert a dot-decimal mask (e.g., 255.255.255.0) to a bit-count mask
    # (like /24) for iproute2. this probably isn't the most beautiful way.
    tobitmask() {
        bits=0
        while read -rd . octet; do
            (( col = 2**7 ))
            while (( col > 0 )); do
                (( octet & col )) || break 2
                (( bits++ ))
                (( col >>= 1 ))
            done
        done <<<"$1"
        echo $bits
    }
    
    # guess name of network namespace from name of config file
    basename="$(basename "$config")"
    ns="${basename%.conf}"
    netmask="$(tobitmask "$route_netmask_1")"
    
    case $script_type in
        up)
            ip -netns "$ns" link set dev lo up
            ip link set dev $dev up netns "$ns" mtu "$tun_mtu"
            ip -netns "$ns" addr add "$ifconfig_local/$netmask" dev "$dev"
        ;;
        route-up)
            ip -netns "$ns" route add default via "$route_vpn_gateway"
        ;;
        *)
            echo "$0: unknown \$script_type: '$script_type'" >&2
            exit 2;
        ;;
    esac
Now test if you can run Openvpn, assuming your .conf file is /etc/openvpn/abc.conf:

Code: Select all

sudo systemctl daemon-reload

Code: Select all

sudo systemctl start openvpn@abc.conf
It should run succesfully, asking for your OpenVPN credentials first. You can check if all went well by running "sudo systemctl status openvpn@abc.conf" or check the full output via "sudo journalctl -xe".

--> Now here comes my problem:
on Debian Stretch, OpenVPN runs but there is an error with the 'vpn-ns' file created in step 4:
Failed running command (--route-up): external program exited with error status: 2
I have no clue how to even read that file so I hope there are true experts in this forum who can help out.

My full output:

Code: Select all

Jan 21 01:49:46 Vero ovpn-nsnordvpn[4932]: VERIFY EKU OK
Jan 21 01:49:46 Vero ovpn-nsnordvpn[4932]: VERIFY OK: depth=0, C=PA, ST=PA, L=Panama, O=NordVPN, OU=NordVPN, CN=se65.nordvpn.com, name=NordVPN, emailAddress=cert@nordvpn.com
Jan 21 01:49:46 Vero ovpn-nsnordvpn[4932]: Control Channel: TLSv1.2, cipher TLSv1/SSLv3 ECDHE-RSA-AES256-GCM-SHA384, 2048 bit RSA
Jan 21 01:49:46 Vero ovpn-nsnordvpn[4932]: [se65.nordvpn.com] Peer Connection Initiated with [AF_INET]196.196.244.12:1194
Jan 21 01:49:47 Vero ovpn-nsnordvpn[4932]: SENT CONTROL [se65.nordvpn.com]: 'PUSH_REQUEST' (status=1)
Jan 21 01:49:47 Vero ovpn-nsnordvpn[4932]: PUSH: Received control message: 'PUSH_REPLY,redirect-gateway def1,sndbuf 524288,rcvbuf 524288,dhcp-option DNS 78.46.223.24,dhcp-option DNS 162.242
Jan 21 01:49:47 Vero ovpn-nsnordvpn[4932]: OPTIONS IMPORT: timers and/or timeouts modified
Jan 21 01:49:47 Vero ovpn-nsnordvpn[4932]: OPTIONS IMPORT: --sndbuf/--rcvbuf options modified
Jan 21 01:49:47 Vero ovpn-nsnordvpn[4932]: Socket Buffers: R=[212992->1048576] S=[212992->1048576]
Jan 21 01:49:47 Vero ovpn-nsnordvpn[4932]: OPTIONS IMPORT: --ifconfig/up options modified
Jan 21 01:49:47 Vero ovpn-nsnordvpn[4932]: OPTIONS IMPORT: route options modified
Jan 21 01:49:47 Vero ovpn-nsnordvpn[4932]: OPTIONS IMPORT: route-related options modified
Jan 21 01:49:47 Vero ovpn-nsnordvpn[4932]: OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
Jan 21 01:49:47 Vero ovpn-nsnordvpn[4932]: OPTIONS IMPORT: peer-id set
Jan 21 01:49:47 Vero ovpn-nsnordvpn[4932]: OPTIONS IMPORT: adjusting link_mtu to 1657
Jan 21 01:49:47 Vero ovpn-nsnordvpn[4932]: OPTIONS IMPORT: data channel crypto options modified
Jan 21 01:49:47 Vero ovpn-nsnordvpn[4932]: Data Channel Encrypt: Cipher 'AES-256-GCM' initialized with 256 bit key
Jan 21 01:49:47 Vero ovpn-nsnordvpn[4932]: Data Channel Decrypt: Cipher 'AES-256-GCM' initialized with 256 bit key
Jan 21 01:49:47 Vero ovpn-nsnordvpn[4932]: ROUTE_GATEWAY 192.168.1.254/255.255.255.0 IFACE=wlan0 HWADDR=cc:b8:a8:11:64:48
Jan 21 01:49:47 Vero connmand[388]: tun0 {create} index 4 type 65534 <NONE>
Jan 21 01:49:47 Vero connmand[388]: tun0 {update} flags 4240 <DOWN>
Jan 21 01:49:47 Vero connmand[388]: tun0 {newlink} index 4 address 00:00:00:00:00:00 mtu 1500
Jan 21 01:49:47 Vero connmand[388]: tun0 {newlink} index 4 operstate 2 <DOWN>
Jan 21 01:49:47 Vero ovpn-nsnordvpn[4932]: TUN/TAP device tun0 opened
Jan 21 01:49:47 Vero ovpn-nsnordvpn[4932]: TUN/TAP TX queue length set to 100
Jan 21 01:49:47 Vero ovpn-nsnordvpn[4932]: /usr/local/bin/vpn-ns tun0 1500 1585 10.8.8.116 255.255.255.0 init
Jan 21 01:49:47 Vero connmand[388]: tun0 {dellink} index 4 operstate 2 <DOWN>
Jan 21 01:49:47 Vero connmand[388]: (null) {remove} index 4
Jan 21 01:49:48 Vero ovpn-nsnordvpn[4932]: WARNING: Failed running command (--route-up): external program exited with error status: 2
Jan 21 01:49:48 Vero ovpn-nsnordvpn[4932]: Initialization Sequence Completed
Jan 21 01:49:55 Vero sudo[4963]:     osmc : TTY=pts/0 ; PWD=/home ; USER=root ; COMMAND=/bin/systemctl status openvpn@nsnordvpn
Jan 21 01:49:55 Vero sudo[4963]: pam_unix(sudo:session): session opened for user root by osmc(uid=0)
Jan 21 01:50:35 Vero sudo[4963]: pam_unix(sudo:session): session closed for user root
Jan 21 01:50:52 Vero sudo[5038]:     osmc : TTY=pts/0 ; PWD=/home ; USER=root ; COMMAND=/bin/journalctl -xe
Jan 21 01:50:52 Vero sudo[5038]: pam_unix(sudo:session): session opened for user root by osmc(uid=0)

User avatar
TinCanTech
OpenVPN Protagonist
Posts: 7164
Joined: Fri Jun 03, 2016 1:17 pm

Re: OpenVPN for specific applications via Network Namespace - almost working

Post by TinCanTech » Mon Jan 22, 2018 1:32 pm

Openvpn does not provide env for spawned process. (eg. PATH)

jazco
OpenVpn Newbie
Posts: 4
Joined: Sun Jan 21, 2018 12:55 pm

Re: OpenVPN for specific applications via Network Namespace - almost working

Post by jazco » Mon Jan 22, 2018 2:22 pm

Ok I know what environment variables are, but don't know how it applies to this situation.

Do you mean the variables in this part need to be fully written out? for example "/etc/systemd/system/openvpn@.service.d/netns.conf'" instead of basename%.conf in this part:

Code: Select all

# guess name of network namespace from name of config file
basename="$(basename "$config")"
ns="${basename%.conf}"
netmask="$(tobitmask "$route_netmask_1")"
? My apologies for the dumb question..

User avatar
TinCanTech
OpenVPN Protagonist
Posts: 7164
Joined: Fri Jun 03, 2016 1:17 pm

Re: OpenVPN for specific applications via Network Namespace - almost working

Post by TinCanTech » Mon Jan 22, 2018 2:34 pm

Code: Select all

WARNING: Failed running command (--route-up): external program exited with error status: 2
Probably due to no $PATH

I don't know about your systemd settings and I cannot support these:
jazco wrote:
Sun Jan 21, 2018 10:07 pm
Inspired by Austin Adams blog:
https://austinjadams.com/blog/running-s ... h-openvpn/

And the NSDO tool he created:
https://github.com/ausbin/nsdo
Try asking the author ..

jazco
OpenVpn Newbie
Posts: 4
Joined: Sun Jan 21, 2018 12:55 pm

Re: OpenVPN for specific applications via Network Namespace - almost working

Post by jazco » Mon Jan 22, 2018 7:27 pm

I did, he helped me a lot figuring out some differences between his Linux distro and Debian Stretch but doesn't know how to solve this either.

User avatar
TinCanTech
OpenVPN Protagonist
Posts: 7164
Joined: Fri Jun 03, 2016 1:17 pm

Re: OpenVPN for specific applications via Network Namespace - almost working

Post by TinCanTech » Mon Jan 22, 2018 8:49 pm

Your server log:
TinCanTech wrote:
Mon Jan 22, 2018 2:34 pm

Code: Select all

WARNING: Failed running command (--route-up): external program exited with error status: 2
Probably due to no $PATH
Does the script run outside of openvpn with acceptable errors?

For example: Within openvpn ip will require path to /bin

jazco
OpenVpn Newbie
Posts: 4
Joined: Sun Jan 21, 2018 12:55 pm

Re: OpenVPN for specific applications via Network Namespace - almost working

Post by jazco » Mon Jan 22, 2018 9:29 pm

Pff can't believe I didn't try that yet.

Code: Select all

osmc@osmc:~$ sudo bash /usr/local/bin/vpn-ns
/usr/local/bin/vpn-ns: unknown $script_type: ''
I guess I have to figure out what the value of each of these variables should be, like eth0 or tun0 etc..

User avatar
TinCanTech
OpenVPN Protagonist
Posts: 7164
Joined: Fri Jun 03, 2016 1:17 pm

Re: OpenVPN for specific applications via Network Namespace - almost working

Post by TinCanTech » Mon Jan 22, 2018 10:43 pm


Post Reply