https://austinjadams.com/blog/running-s ... h-openvpn/
And the NSDO tool he created:
https://github.com/ausbin/nsdo
His blog guide, if correctly interpreted, makes it extremely easy to run only specific applications through OpenVPN. After some configuring (explained in his blog and step by step below), you can simply execute any application via nsdo to make it run via OpenVPN!
I have had this working in the past but now I have a clean Debian Stretch install and need some assistance from experts.
The steps according to his blog:
- Create '/etc/systemd/system/openvpn@.service.d/netns.conf':
Code:
[Unit]
Requires=netns@%i.service
After=netns@%i.service

[Service]
# Needed to call setns() as ip netns does
CapabilityBoundingSet=CAP_SYS_ADMIN
- Create '/etc/systemd/system/netns@.service':
Code:
[Unit]
Description=network namespace %I

[Service]
Type=oneshot
ExecStart=/bin/ip netns add %I
ExecStop=/bin/ip netns del %I
RemainAfterExit=yes
- Make sure this part is in your openvpn.conf file (for example '/etc/openvpn/abc.conf'):
Code:
# ...
# (my other configuration)
# ...

# script should run `ip`, not openvpn
route-noexec
ifconfig-noexec
up "/usr/local/bin/vpn-ns"
route-up "/usr/local/bin/vpn-ns"
script-security 2
- Create the "magic" file '/usr/local/bin/vpn-ns' and make it executable via chmod +x vpn-ns:
Code:
#!/bin/bash
# based heavily on http://naju.se/articles/openvpn-netns

[[ $EUID -ne 0 ]] && {
    echo "$0: this program requires root privileges. try again with 'sudo'?" >&2
    exit 1
}

# convert a dot-decimal mask (e.g., 255.255.255.0) to a bit-count mask
# (like /24) for iproute2. this probably isn't the most beautiful way.
tobitmask() {
    bits=0
    while read -rd . octet; do
        (( col = 2**7 ))
        while (( col > 0 )); do
            (( octet & col )) || break 2
            (( bits++ ))
            (( col >>= 1 ))
        done
    # trailing "." so read also delivers the last octet; without it a mask
    # such as 255.255.255.128 comes out as /24 instead of /25
    done <<<"$1."
    echo $bits
}

# guess name of network namespace from name of config file
basename="$(basename "$config")"
ns="${basename%.conf}"
netmask="$(tobitmask "$route_netmask_1")"

case $script_type in
    up)
        ip -netns "$ns" link set dev lo up
        ip link set dev "$dev" up netns "$ns" mtu "$tun_mtu"
        ip -netns "$ns" addr add "$ifconfig_local/$netmask" dev "$dev"
        ;;
    route-up)
        ip -netns "$ns" route add default via "$route_vpn_gateway"
        ;;
    *)
        echo "$0: unknown \$script_type: '$script_type'" >&2
        exit 2
        ;;
esac
Code:
sudo systemctl daemon-reload
Code:
sudo systemctl start openvpn@abc.conf
--> Now here comes my problem:
On Debian Stretch, OpenVPN runs but there is an error with the 'vpn-ns' file created in step 4:
Failed running command (--route-up): external program exited with error status: 2
I have no clue how to even read that file so I hope there are true experts in this forum who can help out.
My full output:
Code:
Jan 21 01:49:46 Vero ovpn-nsnordvpn[4932]: VERIFY EKU OK
Jan 21 01:49:46 Vero ovpn-nsnordvpn[4932]: VERIFY OK: depth=0, C=PA, ST=PA, L=Panama, O=NordVPN, OU=NordVPN, CN=se65.nordvpn.com, name=NordVPN, emailAddress=cert@nordvpn.com
Jan 21 01:49:46 Vero ovpn-nsnordvpn[4932]: Control Channel: TLSv1.2, cipher TLSv1/SSLv3 ECDHE-RSA-AES256-GCM-SHA384, 2048 bit RSA
Jan 21 01:49:46 Vero ovpn-nsnordvpn[4932]: [se65.nordvpn.com] Peer Connection Initiated with [AF_INET]196.196.244.12:1194
Jan 21 01:49:47 Vero ovpn-nsnordvpn[4932]: SENT CONTROL [se65.nordvpn.com]: 'PUSH_REQUEST' (status=1)
Jan 21 01:49:47 Vero ovpn-nsnordvpn[4932]: PUSH: Received control message: 'PUSH_REPLY,redirect-gateway def1,sndbuf 524288,rcvbuf 524288,dhcp-option DNS 78.46.223.24,dhcp-option DNS 162.242
Jan 21 01:49:47 Vero ovpn-nsnordvpn[4932]: OPTIONS IMPORT: timers and/or timeouts modified
Jan 21 01:49:47 Vero ovpn-nsnordvpn[4932]: OPTIONS IMPORT: --sndbuf/--rcvbuf options modified
Jan 21 01:49:47 Vero ovpn-nsnordvpn[4932]: Socket Buffers: R=[212992->1048576] S=[212992->1048576]
Jan 21 01:49:47 Vero ovpn-nsnordvpn[4932]: OPTIONS IMPORT: --ifconfig/up options modified
Jan 21 01:49:47 Vero ovpn-nsnordvpn[4932]: OPTIONS IMPORT: route options modified
Jan 21 01:49:47 Vero ovpn-nsnordvpn[4932]: OPTIONS IMPORT: route-related options modified
Jan 21 01:49:47 Vero ovpn-nsnordvpn[4932]: OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
Jan 21 01:49:47 Vero ovpn-nsnordvpn[4932]: OPTIONS IMPORT: peer-id set
Jan 21 01:49:47 Vero ovpn-nsnordvpn[4932]: OPTIONS IMPORT: adjusting link_mtu to 1657
Jan 21 01:49:47 Vero ovpn-nsnordvpn[4932]: OPTIONS IMPORT: data channel crypto options modified
Jan 21 01:49:47 Vero ovpn-nsnordvpn[4932]: Data Channel Encrypt: Cipher 'AES-256-GCM' initialized with 256 bit key
Jan 21 01:49:47 Vero ovpn-nsnordvpn[4932]: Data Channel Decrypt: Cipher 'AES-256-GCM' initialized with 256 bit key
Jan 21 01:49:47 Vero ovpn-nsnordvpn[4932]: ROUTE_GATEWAY 192.168.1.254/255.255.255.0 IFACE=wlan0 HWADDR=cc:b8:a8:11:64:48
Jan 21 01:49:47 Vero connmand[388]: tun0 {create} index 4 type 65534 <NONE>
Jan 21 01:49:47 Vero connmand[388]: tun0 {update} flags 4240 <DOWN>
Jan 21 01:49:47 Vero connmand[388]: tun0 {newlink} index 4 address 00:00:00:00:00:00 mtu 1500
Jan 21 01:49:47 Vero connmand[388]: tun0 {newlink} index 4 operstate 2 <DOWN>
Jan 21 01:49:47 Vero ovpn-nsnordvpn[4932]: TUN/TAP device tun0 opened
Jan 21 01:49:47 Vero ovpn-nsnordvpn[4932]: TUN/TAP TX queue length set to 100
Jan 21 01:49:47 Vero ovpn-nsnordvpn[4932]: /usr/local/bin/vpn-ns tun0 1500 1585 10.8.8.116 255.255.255.0 init
Jan 21 01:49:47 Vero connmand[388]: tun0 {dellink} index 4 operstate 2 <DOWN>
Jan 21 01:49:47 Vero connmand[388]: (null) {remove} index 4
Jan 21 01:49:48 Vero ovpn-nsnordvpn[4932]: WARNING: Failed running command (--route-up): external program exited with error status: 2
Jan 21 01:49:48 Vero ovpn-nsnordvpn[4932]: Initialization Sequence Completed
Jan 21 01:49:55 Vero sudo[4963]: osmc : TTY=pts/0 ; PWD=/home ; USER=root ; COMMAND=/bin/systemctl status openvpn@nsnordvpn
Jan 21 01:49:55 Vero sudo[4963]: pam_unix(sudo:session): session opened for user root by osmc(uid=0)
Jan 21 01:50:35 Vero sudo[4963]: pam_unix(sudo:session): session closed for user root
Jan 21 01:50:52 Vero sudo[5038]: osmc : TTY=pts/0 ; PWD=/home ; USER=root ; COMMAND=/bin/journalctl -xe
Jan 21 01:50:52 Vero sudo[5038]: pam_unix(sudo:session): session opened for user root by osmc(uid=0)
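Added illustration, not code from this post, from Austin Adams' blog or from nsdo: a dry-run twin of the vpn-ns script in POSIX sh. It rebuilds the `ip` commands from the variables OpenVPN exports to its --up and --route-up hooks and prints them instead of executing them, first checking that every variable the hook needs is actually set and that the netmask converts to a sane prefix. The function names vpn_ns_plan and vpn_ns_apply are mine, and the exit statuses are chosen so that "unknown script_type" (2, the same value vpn-ns uses), "variable not exported" (3) and "bad netmask" (1) can be told apart from a failure of `ip` itself, which is the distinction the single "exited with error status: 2" line in the log cannot make.

```shell
#!/bin/sh
# Added example, not part of the forum post, the blog or nsdo: a dry-run
# twin of /usr/local/bin/vpn-ns. It prints the `ip` commands the hook would
# run instead of executing them, so a failing --route-up can be reproduced
# without root and without OpenVPN.

# Dotted-decimal mask (255.255.255.0) -> prefix length (24). Refuses masks
# that are not four octets or whose set bits are not contiguous, which the
# original loop would silently turn into a wrong prefix.
tobitmask() {
    bits=0; zero_seen=0
    oldifs=$IFS; IFS=.; set -- $1; IFS=$oldifs
    if [ $# -ne 4 ]; then
        echo "tobitmask: '$*' is not a dotted-quad mask" >&2; return 1
    fi
    for octet in "$@"; do
        col=128
        while [ "$col" -gt 0 ]; do
            if [ $((octet & col)) -ne 0 ]; then
                if [ "$zero_seen" -ne 0 ]; then
                    echo "tobitmask: '$*' is not a contiguous mask" >&2; return 1
                fi
                bits=$((bits + 1))
            else
                zero_seen=1
            fi
            col=$((col / 2))
        done
    done
    echo "$bits"
}

# Usage: vpn_ns_plan up|route-up, with the OpenVPN hook environment set.
# Exit status: 2 for an unknown script_type (as in vpn-ns itself),
# 3 when a variable the hook needs is unset, 1 for a bad netmask.
vpn_ns_plan() {
    hook=$1
    case $hook in
        up)       needed="config dev tun_mtu ifconfig_local route_netmask_1" ;;
        route-up) needed="config route_vpn_gateway" ;;
        *) echo "vpn-ns: unknown script_type '$hook'" >&2; return 2 ;;
    esac
    missing=""
    for var in $needed; do
        eval "value=\${$var:-}"
        [ -n "$value" ] || missing="$missing $var"
    done
    if [ -n "$missing" ]; then
        echo "vpn-ns: OpenVPN did not export:$missing" >&2; return 3
    fi
    # namespace name is the config file name without .conf, as in the post
    ns=$(basename "$config"); ns=${ns%.conf}
    case $hook in
        up)
            prefix=$(tobitmask "$route_netmask_1") || return 1
            echo "ip -netns $ns link set dev lo up"
            echo "ip link set dev $dev up netns $ns mtu $tun_mtu"
            echo "ip -netns $ns addr add $ifconfig_local/$prefix dev $dev"
            ;;
        route-up)
            echo "ip -netns $ns route add default via $route_vpn_gateway"
            ;;
    esac
}

# Run the plan for real (needs root), stopping at the first `ip` command
# that fails and naming it, instead of letting later commands run blind.
vpn_ns_apply() {
    plan=$(vpn_ns_plan "$1") || return $?
    printf '%s\n' "$plan" | while IFS= read -r cmd; do
        $cmd || { echo "vpn-ns: '$cmd' failed with status $?" >&2; exit 1; }
    done
}
```

To use it against the values the log shows, source the file and set the variables by hand: the line `/usr/local/bin/vpn-ns tun0 1500 1585 10.8.8.116 255.255.255.0 init` is the up hook's argument list (device, tun MTU, link MTU, local address, fifth address argument, then the "init" context), and `config` is the .conf path the `openvpn@nsnordvpn` unit started from, so the namespace name becomes `nsnordvpn`. If `vpn_ns_plan up` and `vpn_ns_plan route-up` both print sensible commands, run those commands one at a time as root: `ip` reports its own reason on stderr, whereas OpenVPN's log only carries the exit status, and `ip -netns nsnordvpn link show` is a quick check that the installed iproute2 accepts the `-netns` option at all.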